certfr_avis - certfr-2025-avi-0723

Vendor	Product	Description
SUSE	SUSE Linux Enterprise High Performance Computing	SUSE Linux Enterprise High Performance Computing 15 SP5
SUSE	SUSE Linux Enterprise High Availability Extension	SUSE Linux Enterprise High Availability Extension 15 SP4
SUSE	SUSE Linux Enterprise Server	SUSE Linux Enterprise Server 15 SP3 LTSS
SUSE	Confidential Computing Module	Confidential Computing Module 15-SP6
SUSE	openSUSE Leap	openSUSE Leap 15.5
SUSE	SUSE Linux Enterprise Live Patching	SUSE Linux Enterprise Live Patching 15-SP5
SUSE	SUSE Linux Enterprise Server	SUSE Linux Enterprise Server 12 SP5 LTSS
SUSE	SUSE Linux Enterprise Real Time	SUSE Linux Enterprise Real Time 15 SP7
SUSE	SUSE Manager Retail Branch Server	SUSE Manager Retail Branch Server 4.2
SUSE	openSUSE Leap	openSUSE Leap 15.3
SUSE	SUSE Linux Enterprise Server	SUSE Linux Enterprise Server for SAP Applications 15 SP6
SUSE	SUSE Linux Enterprise High Performance Computing	SUSE Linux Enterprise High Performance Computing 12 SP5
SUSE	SUSE Linux Enterprise High Performance Computing	SUSE Linux Enterprise High Performance Computing 15 SP4
SUSE	SUSE Manager Proxy	SUSE Manager Proxy 4.2
SUSE	SUSE Manager Retail Branch Server	SUSE Manager Retail Branch Server 4.3
SUSE	SUSE Linux Enterprise Live Patching	SUSE Linux Enterprise Live Patching 12-SP5
SUSE	SUSE Linux Enterprise Server	SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security
SUSE	openSUSE Leap	openSUSE Leap 15.4
SUSE	SUSE Manager Server	SUSE Manager Server 4.3 LTS
SUSE	SUSE Linux Enterprise Live Patching	SUSE Linux Enterprise Live Patching 15-SP6
SUSE	SUSE Linux Enterprise Server	SUSE Linux Enterprise Server for SAP Applications 12 SP5
SUSE	SUSE Linux Enterprise Live Patching	SUSE Linux Enterprise Live Patching 15-SP7
SUSE	SUSE Linux Enterprise High Performance Computing	SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
SUSE	SUSE Linux Enterprise Server	SUSE Linux Enterprise Server 12 SP5
SUSE	SUSE Linux Enterprise Micro	SUSE Linux Enterprise Micro 5.2
SUSE	SUSE Manager Server	SUSE Manager Server 4.2
SUSE	SUSE Linux Enterprise Server	SUSE Linux Enterprise Server 15 SP4 LTSS
SUSE	SUSE Linux Enterprise High Availability Extension	SUSE Linux Enterprise High Availability Extension 15 SP3
SUSE	SUSE Linux Enterprise Server	SUSE Linux Enterprise Server 15 SP5
SUSE	SUSE Linux Enterprise Server	SUSE Linux Enterprise Server for SAP Applications 15 SP3
SUSE	SUSE Linux Enterprise Micro	SUSE Linux Enterprise Micro 5.1
SUSE	SUSE Linux Enterprise Micro	SUSE Linux Enterprise Micro for Rancher 5.4
SUSE	SUSE Linux Enterprise High Performance Computing	SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
SUSE	SUSE Enterprise Storage	SUSE Enterprise Storage 7.1
SUSE	SUSE Linux Enterprise Server	SUSE Linux Enterprise Server for SAP Applications 15 SP5
SUSE	openSUSE Leap	openSUSE Leap 15.6
SUSE	SUSE Linux Enterprise Micro	SUSE Linux Enterprise Micro 5.3
SUSE	SUSE Manager Proxy	SUSE Manager Proxy 4.3 LTS
SUSE	SUSE Linux Enterprise Real Time	SUSE Linux Enterprise Real Time 15 SP5
SUSE	SUSE Linux Enterprise Micro	SUSE Linux Enterprise Micro for Rancher 5.3
SUSE	SUSE Linux Enterprise Server	SUSE Linux Enterprise Server 15 SP6
SUSE	SUSE Linux Enterprise Real Time	SUSE Linux Enterprise Real Time 15 SP4
SUSE	SUSE Manager Proxy	SUSE Manager Proxy 4.3
SUSE	SUSE Linux Enterprise Live Patching	SUSE Linux Enterprise Live Patching 15-SP3
SUSE	SUSE Linux Enterprise Server	SUSE Linux Enterprise Server for SAP Applications 15 SP7
SUSE	SUSE Linux Enterprise Micro	SUSE Linux Enterprise Micro for Rancher 5.2
SUSE	SUSE Linux Enterprise Server	SUSE Linux Enterprise Server 11 SP4
SUSE	SUSE Linux Enterprise Server	SUSE Linux Enterprise Server for SAP Applications 15 SP4
SUSE	SUSE Linux Enterprise High Performance Computing	SUSE Linux Enterprise High Performance Computing 15 SP3
SUSE	SUSE Linux Enterprise Micro	SUSE Linux Enterprise Micro 5.5
SUSE	SUSE Linux Enterprise Server	SUSE Linux Enterprise Server 15 SP4
SUSE	SUSE Linux Enterprise Real Time	SUSE Linux Enterprise Real Time 15 SP6
SUSE	SUSE Manager Retail Branch Server	SUSE Manager Retail Branch Server 4.3 LTS
SUSE	SUSE Linux Enterprise Server	SUSE Linux Enterprise Server 15 SP7
SUSE	SUSE Manager Server	SUSE Manager Server 4.3
SUSE	SUSE Linux Enterprise Server	SUSE Linux Enterprise Server 15 SP3 Business Critical Linux
SUSE	SUSE Real Time Module	SUSE Real Time Module 15-SP7
SUSE	SUSE Linux Enterprise Server	SUSE Linux Enterprise Server 15 SP3
SUSE	SUSE Linux Enterprise Micro	SUSE Linux Enterprise Micro 5.4
SUSE	SUSE Linux Enterprise Live Patching	SUSE Linux Enterprise Live Patching 15-SP4
SUSE	SUSE Linux Enterprise Server	SUSE Linux Enterprise Server 11 SP4 LTSS EXTREME CORE

CVE-2024-53164 (GCVE-0-2024-53164)

Vulnerability from cvelistv5

Published

2024-12-27 13:38

Modified

2025-11-03 20:46

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: net: sched: fix ordering of qlen adjustment Changes to sch->q.qlen around qdisc_tree_reduce_backlog() need to happen _before_ a call to said function because otherwise it may fail to notify parent qdiscs when the child is about to become empty.

References

URL

Tags

	https://git.kernel.org/stable/c/44782565e1e6174c94bddfa72ac7267cd09c1648
	https://git.kernel.org/stable/c/5e473f462a16f1a34e49ea4289a667d2e4f35b52
	https://git.kernel.org/stable/c/33db36b3c53d0fda2699ea39ba72bee4de8336e8
	https://git.kernel.org/stable/c/489422e2befff88a1de52b2acebe7b333bded025
	https://git.kernel.org/stable/c/97e13434b5da8e91bdf965352fad2141d13d72d3
	https://git.kernel.org/stable/c/e3e54ad9eff8bdaa70f897e5342e34b76109497f
	https://git.kernel.org/stable/c/5eb7de8cd58e73851cd37ff8d0666517d9926948

Impacted products

Vendor

Product

Version

Linux

Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Linux

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:46:55.582Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_cake.c",
            "net/sched/sch_choke.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "44782565e1e6174c94bddfa72ac7267cd09c1648",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "5e473f462a16f1a34e49ea4289a667d2e4f35b52",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "33db36b3c53d0fda2699ea39ba72bee4de8336e8",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "489422e2befff88a1de52b2acebe7b333bded025",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "97e13434b5da8e91bdf965352fad2141d13d72d3",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "e3e54ad9eff8bdaa70f897e5342e34b76109497f",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "5eb7de8cd58e73851cd37ff8d0666517d9926948",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_cake.c",
            "net/sched/sch_choke.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.289",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.233",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.176",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.122",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.68",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.289",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.233",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.176",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.122",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.68",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sched: fix ordering of qlen adjustment\n\nChanges to sch-\u003eq.qlen around qdisc_tree_reduce_backlog() need to happen\n_before_ a call to said function because otherwise it may fail to notify\nparent qdiscs when the child is about to become empty."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:54:38.982Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/44782565e1e6174c94bddfa72ac7267cd09c1648"
        },
        {
          "url": "https://git.kernel.org/stable/c/5e473f462a16f1a34e49ea4289a667d2e4f35b52"
        },
        {
          "url": "https://git.kernel.org/stable/c/33db36b3c53d0fda2699ea39ba72bee4de8336e8"
        },
        {
          "url": "https://git.kernel.org/stable/c/489422e2befff88a1de52b2acebe7b333bded025"
        },
        {
          "url": "https://git.kernel.org/stable/c/97e13434b5da8e91bdf965352fad2141d13d72d3"
        },
        {
          "url": "https://git.kernel.org/stable/c/e3e54ad9eff8bdaa70f897e5342e34b76109497f"
        },
        {
          "url": "https://git.kernel.org/stable/c/5eb7de8cd58e73851cd37ff8d0666517d9926948"
        }
      ],
      "title": "net: sched: fix ordering of qlen adjustment",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-53164",
    "datePublished": "2024-12-27T13:38:43.407Z",
    "dateReserved": "2024-11-19T17:17:25.004Z",
    "dateUpdated": "2025-11-03T20:46:55.582Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-37987 (GCVE-0-2025-37987)

Vulnerability from cvelistv5

Published

2025-05-20 17:09

Modified

2025-06-04 12:57

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: pds_core: Prevent possible adminq overflow/stuck condition The pds_core's adminq is protected by the adminq_lock, which prevents more than 1 command to be posted onto it at any one time. This makes it so the client drivers cannot simultaneously post adminq commands. However, the completions happen in a different context, which means multiple adminq commands can be posted sequentially and all waiting on completion. On the FW side, the backing adminq request queue is only 16 entries long and the retry mechanism and/or overflow/stuck prevention is lacking. This can cause the adminq to get stuck, so commands are no longer processed and completions are no longer sent by the FW. As an initial fix, prevent more than 16 outstanding adminq commands so there's no way to cause the adminq from getting stuck. This works because the backing adminq request queue will never have more than 16 pending adminq commands, so it will never overflow. This is done by reducing the adminq depth to 16.

References

URL

Tags

	https://git.kernel.org/stable/c/517f928cc0c133472618cbba18382b46f5f71ba3
	https://git.kernel.org/stable/c/2982e07ad72b48eb12c29a87a3f2126ea552688c
	https://git.kernel.org/stable/c/5e3dc65675faad846420d24762e4faadc12d9392
	https://git.kernel.org/stable/c/d9e2f070d8af60f2c8c02b2ddf0a9e90b4e9220c

Impacted products

Vendor

Product

Version

Linux

Version: 45d76f492938cdc27ddadc16e1e75103f4cfbf56
Version: 45d76f492938cdc27ddadc16e1e75103f4cfbf56
Version: 45d76f492938cdc27ddadc16e1e75103f4cfbf56
Version: 45d76f492938cdc27ddadc16e1e75103f4cfbf56

Linux

Version: 6.4

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/amd/pds_core/core.c",
            "drivers/net/ethernet/amd/pds_core/core.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "517f928cc0c133472618cbba18382b46f5f71ba3",
              "status": "affected",
              "version": "45d76f492938cdc27ddadc16e1e75103f4cfbf56",
              "versionType": "git"
            },
            {
              "lessThan": "2982e07ad72b48eb12c29a87a3f2126ea552688c",
              "status": "affected",
              "version": "45d76f492938cdc27ddadc16e1e75103f4cfbf56",
              "versionType": "git"
            },
            {
              "lessThan": "5e3dc65675faad846420d24762e4faadc12d9392",
              "status": "affected",
              "version": "45d76f492938cdc27ddadc16e1e75103f4cfbf56",
              "versionType": "git"
            },
            {
              "lessThan": "d9e2f070d8af60f2c8c02b2ddf0a9e90b4e9220c",
              "status": "affected",
              "version": "45d76f492938cdc27ddadc16e1e75103f4cfbf56",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/amd/pds_core/core.c",
            "drivers/net/ethernet/amd/pds_core/core.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.4"
            },
            {
              "lessThan": "6.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.93",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.26",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.93",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.26",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.5",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npds_core: Prevent possible adminq overflow/stuck condition\n\nThe pds_core\u0027s adminq is protected by the adminq_lock, which prevents\nmore than 1 command to be posted onto it at any one time. This makes it\nso the client drivers cannot simultaneously post adminq commands.\nHowever, the completions happen in a different context, which means\nmultiple adminq commands can be posted sequentially and all waiting\non completion.\n\nOn the FW side, the backing adminq request queue is only 16 entries\nlong and the retry mechanism and/or overflow/stuck prevention is\nlacking. This can cause the adminq to get stuck, so commands are no\nlonger processed and completions are no longer sent by the FW.\n\nAs an initial fix, prevent more than 16 outstanding adminq commands so\nthere\u0027s no way to cause the adminq from getting stuck. This works\nbecause the backing adminq request queue will never have more than 16\npending adminq commands, so it will never overflow. This is done by\nreducing the adminq depth to 16."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-04T12:57:38.445Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/517f928cc0c133472618cbba18382b46f5f71ba3"
        },
        {
          "url": "https://git.kernel.org/stable/c/2982e07ad72b48eb12c29a87a3f2126ea552688c"
        },
        {
          "url": "https://git.kernel.org/stable/c/5e3dc65675faad846420d24762e4faadc12d9392"
        },
        {
          "url": "https://git.kernel.org/stable/c/d9e2f070d8af60f2c8c02b2ddf0a9e90b4e9220c"
        }
      ],
      "title": "pds_core: Prevent possible adminq overflow/stuck condition",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37987",
    "datePublished": "2025-05-20T17:09:20.166Z",
    "dateReserved": "2025-04-16T04:51:23.976Z",
    "dateUpdated": "2025-06-04T12:57:38.445Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-22120 (GCVE-0-2025-22120)

Vulnerability from cvelistv5

Published

2025-04-16 14:13

Modified

2025-05-26 05:18

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: ext4: goto right label 'out_mmap_sem' in ext4_setattr() Otherwise, if ext4_inode_attach_jinode() fails, a hung task will happen because filemap_invalidate_unlock() isn't called to unlock mapping->invalidate_lock. Like this: EXT4-fs error (device sda) in ext4_setattr:5557: Out of memory INFO: task fsstress:374 blocked for more than 122 seconds. Not tainted 6.14.0-rc1-next-20250206-xfstests-dirty #726 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:fsstress state:D stack:0 pid:374 tgid:374 ppid:373 task_flags:0x440140 flags:0x00000000 Call Trace: <TASK> __schedule+0x2c9/0x7f0 schedule+0x27/0xa0 schedule_preempt_disabled+0x15/0x30 rwsem_down_read_slowpath+0x278/0x4c0 down_read+0x59/0xb0 page_cache_ra_unbounded+0x65/0x1b0 filemap_get_pages+0x124/0x3e0 filemap_read+0x114/0x3d0 vfs_read+0x297/0x360 ksys_read+0x6c/0xe0 do_syscall_64+0x4b/0x110 entry_SYSCALL_64_after_hwframe+0x76/0x7e

References

URL

Tags

	https://git.kernel.org/stable/c/551667f99bcf04fa58594d7d19aef73c861a1200
	https://git.kernel.org/stable/c/45314999f950321a341033ae8f9ac12dce40669b
	https://git.kernel.org/stable/c/32d872e3905746ff1048078256cb00f946b97d8a
	https://git.kernel.org/stable/c/7e91ae31e2d264155dfd102101afc2de7bd74a64

Impacted products

Vendor

Product

Version

Linux

Version: 93011887013dbaa0e3a0285176ca89be153df651
Version: b6ce2dbe984bcd7fb0c1df15b5e2fa57e1574a8e
Version: c7fc0366c65628fd69bfc310affec4918199aae2
Version: c7fc0366c65628fd69bfc310affec4918199aae2

Linux

Version: 6.13

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/ext4/inode.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "551667f99bcf04fa58594d7d19aef73c861a1200",
              "status": "affected",
              "version": "93011887013dbaa0e3a0285176ca89be153df651",
              "versionType": "git"
            },
            {
              "lessThan": "45314999f950321a341033ae8f9ac12dce40669b",
              "status": "affected",
              "version": "b6ce2dbe984bcd7fb0c1df15b5e2fa57e1574a8e",
              "versionType": "git"
            },
            {
              "lessThan": "32d872e3905746ff1048078256cb00f946b97d8a",
              "status": "affected",
              "version": "c7fc0366c65628fd69bfc310affec4918199aae2",
              "versionType": "git"
            },
            {
              "lessThan": "7e91ae31e2d264155dfd102101afc2de7bd74a64",
              "status": "affected",
              "version": "c7fc0366c65628fd69bfc310affec4918199aae2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/ext4/inode.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.13"
            },
            {
              "lessThan": "6.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.89",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.26",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.89",
                  "versionStartIncluding": "6.6.70",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.26",
                  "versionStartIncluding": "6.12.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.2",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: goto right label \u0027out_mmap_sem\u0027 in ext4_setattr()\n\nOtherwise, if ext4_inode_attach_jinode() fails, a hung task will\nhappen because filemap_invalidate_unlock() isn\u0027t called to unlock\nmapping-\u003einvalidate_lock. Like this:\n\nEXT4-fs error (device sda) in ext4_setattr:5557: Out of memory\nINFO: task fsstress:374 blocked for more than 122 seconds.\n      Not tainted 6.14.0-rc1-next-20250206-xfstests-dirty #726\n\"echo 0 \u003e /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\ntask:fsstress state:D stack:0     pid:374   tgid:374   ppid:373\n                                  task_flags:0x440140 flags:0x00000000\nCall Trace:\n \u003cTASK\u003e\n __schedule+0x2c9/0x7f0\n schedule+0x27/0xa0\n schedule_preempt_disabled+0x15/0x30\n rwsem_down_read_slowpath+0x278/0x4c0\n down_read+0x59/0xb0\n page_cache_ra_unbounded+0x65/0x1b0\n filemap_get_pages+0x124/0x3e0\n filemap_read+0x114/0x3d0\n vfs_read+0x297/0x360\n ksys_read+0x6c/0xe0\n do_syscall_64+0x4b/0x110\n entry_SYSCALL_64_after_hwframe+0x76/0x7e"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:18:54.234Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/551667f99bcf04fa58594d7d19aef73c861a1200"
        },
        {
          "url": "https://git.kernel.org/stable/c/45314999f950321a341033ae8f9ac12dce40669b"
        },
        {
          "url": "https://git.kernel.org/stable/c/32d872e3905746ff1048078256cb00f946b97d8a"
        },
        {
          "url": "https://git.kernel.org/stable/c/7e91ae31e2d264155dfd102101afc2de7bd74a64"
        }
      ],
      "title": "ext4: goto right label \u0027out_mmap_sem\u0027 in ext4_setattr()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-22120",
    "datePublished": "2025-04-16T14:13:05.289Z",
    "dateReserved": "2024-12-29T08:45:45.823Z",
    "dateUpdated": "2025-05-26T05:18:54.234Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-37767 (GCVE-0-2025-37767)

Vulnerability from cvelistv5

Published

2025-05-01 13:07

Modified

2025-11-03 19:54

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/amd/pm: Prevent division by zero The user can set any speed value. If speed is greater than UINT_MAX/8, division by zero is possible. Found by Linux Verification Center (linuxtesting.org) with SVACE.

References

URL

Tags

	https://git.kernel.org/stable/c/f2904fa2b9da943db6bef7c0f8b3fb4fc14acbc4
	https://git.kernel.org/stable/c/8f7b5987e21e003cafac28f0e4d323e6496f83ba
	https://git.kernel.org/stable/c/c3ff73e3bddf1a6c30d7effe4018d12ba0cadd2e
	https://git.kernel.org/stable/c/fb803d4bb9ea0a61c21c4987505e4d4ae18f9fdc
	https://git.kernel.org/stable/c/327107bd7f052f4ee2d0c966c7ae879822f1814f
	https://git.kernel.org/stable/c/f23e9116ebb71b63fe9cec0dcac792aa9af30b0c

Impacted products

Vendor

Product

Version

Linux

Version: c05d1c401572ac63d704183b19db2ce746961412
Version: c05d1c401572ac63d704183b19db2ce746961412
Version: c05d1c401572ac63d704183b19db2ce746961412
Version: c05d1c401572ac63d704183b19db2ce746961412
Version: c05d1c401572ac63d704183b19db2ce746961412
Version: c05d1c401572ac63d704183b19db2ce746961412

Linux

Version: 5.13

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:54:40.168Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f2904fa2b9da943db6bef7c0f8b3fb4fc14acbc4",
              "status": "affected",
              "version": "c05d1c401572ac63d704183b19db2ce746961412",
              "versionType": "git"
            },
            {
              "lessThan": "8f7b5987e21e003cafac28f0e4d323e6496f83ba",
              "status": "affected",
              "version": "c05d1c401572ac63d704183b19db2ce746961412",
              "versionType": "git"
            },
            {
              "lessThan": "c3ff73e3bddf1a6c30d7effe4018d12ba0cadd2e",
              "status": "affected",
              "version": "c05d1c401572ac63d704183b19db2ce746961412",
              "versionType": "git"
            },
            {
              "lessThan": "fb803d4bb9ea0a61c21c4987505e4d4ae18f9fdc",
              "status": "affected",
              "version": "c05d1c401572ac63d704183b19db2ce746961412",
              "versionType": "git"
            },
            {
              "lessThan": "327107bd7f052f4ee2d0c966c7ae879822f1814f",
              "status": "affected",
              "version": "c05d1c401572ac63d704183b19db2ce746961412",
              "versionType": "git"
            },
            {
              "lessThan": "f23e9116ebb71b63fe9cec0dcac792aa9af30b0c",
              "status": "affected",
              "version": "c05d1c401572ac63d704183b19db2ce746961412",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.13"
            },
            {
              "lessThan": "5.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.181",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.135",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.25",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.181",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.135",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.88",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.25",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.4",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/pm: Prevent division by zero\n\nThe user can set any speed value.\nIf speed is greater than UINT_MAX/8, division by zero is possible.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:20:26.761Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f2904fa2b9da943db6bef7c0f8b3fb4fc14acbc4"
        },
        {
          "url": "https://git.kernel.org/stable/c/8f7b5987e21e003cafac28f0e4d323e6496f83ba"
        },
        {
          "url": "https://git.kernel.org/stable/c/c3ff73e3bddf1a6c30d7effe4018d12ba0cadd2e"
        },
        {
          "url": "https://git.kernel.org/stable/c/fb803d4bb9ea0a61c21c4987505e4d4ae18f9fdc"
        },
        {
          "url": "https://git.kernel.org/stable/c/327107bd7f052f4ee2d0c966c7ae879822f1814f"
        },
        {
          "url": "https://git.kernel.org/stable/c/f23e9116ebb71b63fe9cec0dcac792aa9af30b0c"
        }
      ],
      "title": "drm/amd/pm: Prevent division by zero",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37767",
    "datePublished": "2025-05-01T13:07:07.861Z",
    "dateReserved": "2025-04-16T04:51:23.939Z",
    "dateUpdated": "2025-11-03T19:54:40.168Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38477 (GCVE-0-2025-38477)

Vulnerability from cvelistv5

Published

2025-07-28 11:21

Modified

2025-11-03 17:38

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_qfq: Fix race condition on qfq_aggregate A race condition can occur when 'agg' is modified in qfq_change_agg (called during qfq_enqueue) while other threads access it concurrently. For example, qfq_dump_class may trigger a NULL dereference, and qfq_delete_class may cause a use-after-free. This patch addresses the issue by: 1. Moved qfq_destroy_class into the critical section. 2. Added sch_tree_lock protection to qfq_dump_class and qfq_dump_class_stats.

References

URL

Tags

	https://git.kernel.org/stable/c/aa7a22c4d678bf649fd3a1d27debec583563414d
	https://git.kernel.org/stable/c/d841aa5518508ab195b6781ad0d73ee378d713dd
	https://git.kernel.org/stable/c/c6df794000147a3a02f79984aada4ce83f8d0a1e
	https://git.kernel.org/stable/c/466e10194ab81caa2ee6a332d33ba16bcceeeba6
	https://git.kernel.org/stable/c/fbe48f06e64134dfeafa89ad23387f66ebca3527
	https://git.kernel.org/stable/c/a6d735100f602c830c16d69fb6d780eebd8c9ae1
	https://git.kernel.org/stable/c/c000a3a330d97f6c073ace5aa5faf94b9adb4b79
	https://git.kernel.org/stable/c/5e28d5a3f774f118896aec17a3a20a9c5c9dfc64

Impacted products

Vendor

Product

Version

Linux

Version: 462dbc9101acd38e92eda93c0726857517a24bbd
Version: 462dbc9101acd38e92eda93c0726857517a24bbd
Version: 462dbc9101acd38e92eda93c0726857517a24bbd
Version: 462dbc9101acd38e92eda93c0726857517a24bbd
Version: 462dbc9101acd38e92eda93c0726857517a24bbd
Version: 462dbc9101acd38e92eda93c0726857517a24bbd
Version: 462dbc9101acd38e92eda93c0726857517a24bbd
Version: 462dbc9101acd38e92eda93c0726857517a24bbd

Linux

Version: 3.8

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:38:44.755Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_qfq.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "aa7a22c4d678bf649fd3a1d27debec583563414d",
              "status": "affected",
              "version": "462dbc9101acd38e92eda93c0726857517a24bbd",
              "versionType": "git"
            },
            {
              "lessThan": "d841aa5518508ab195b6781ad0d73ee378d713dd",
              "status": "affected",
              "version": "462dbc9101acd38e92eda93c0726857517a24bbd",
              "versionType": "git"
            },
            {
              "lessThan": "c6df794000147a3a02f79984aada4ce83f8d0a1e",
              "status": "affected",
              "version": "462dbc9101acd38e92eda93c0726857517a24bbd",
              "versionType": "git"
            },
            {
              "lessThan": "466e10194ab81caa2ee6a332d33ba16bcceeeba6",
              "status": "affected",
              "version": "462dbc9101acd38e92eda93c0726857517a24bbd",
              "versionType": "git"
            },
            {
              "lessThan": "fbe48f06e64134dfeafa89ad23387f66ebca3527",
              "status": "affected",
              "version": "462dbc9101acd38e92eda93c0726857517a24bbd",
              "versionType": "git"
            },
            {
              "lessThan": "a6d735100f602c830c16d69fb6d780eebd8c9ae1",
              "status": "affected",
              "version": "462dbc9101acd38e92eda93c0726857517a24bbd",
              "versionType": "git"
            },
            {
              "lessThan": "c000a3a330d97f6c073ace5aa5faf94b9adb4b79",
              "status": "affected",
              "version": "462dbc9101acd38e92eda93c0726857517a24bbd",
              "versionType": "git"
            },
            {
              "lessThan": "5e28d5a3f774f118896aec17a3a20a9c5c9dfc64",
              "status": "affected",
              "version": "462dbc9101acd38e92eda93c0726857517a24bbd",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_qfq.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.8"
            },
            {
              "lessThan": "3.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.297",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.241",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.147",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.100",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.40",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.297",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.241",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.147",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.100",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.40",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.8",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: sch_qfq: Fix race condition on qfq_aggregate\n\nA race condition can occur when \u0027agg\u0027 is modified in qfq_change_agg\n(called during qfq_enqueue) while other threads access it\nconcurrently. For example, qfq_dump_class may trigger a NULL\ndereference, and qfq_delete_class may cause a use-after-free.\n\nThis patch addresses the issue by:\n\n1. Moved qfq_destroy_class into the critical section.\n\n2. Added sch_tree_lock protection to qfq_dump_class and\nqfq_dump_class_stats."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-28T14:43:15.237Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/aa7a22c4d678bf649fd3a1d27debec583563414d"
        },
        {
          "url": "https://git.kernel.org/stable/c/d841aa5518508ab195b6781ad0d73ee378d713dd"
        },
        {
          "url": "https://git.kernel.org/stable/c/c6df794000147a3a02f79984aada4ce83f8d0a1e"
        },
        {
          "url": "https://git.kernel.org/stable/c/466e10194ab81caa2ee6a332d33ba16bcceeeba6"
        },
        {
          "url": "https://git.kernel.org/stable/c/fbe48f06e64134dfeafa89ad23387f66ebca3527"
        },
        {
          "url": "https://git.kernel.org/stable/c/a6d735100f602c830c16d69fb6d780eebd8c9ae1"
        },
        {
          "url": "https://git.kernel.org/stable/c/c000a3a330d97f6c073ace5aa5faf94b9adb4b79"
        },
        {
          "url": "https://git.kernel.org/stable/c/5e28d5a3f774f118896aec17a3a20a9c5c9dfc64"
        }
      ],
      "title": "net/sched: sch_qfq: Fix race condition on qfq_aggregate",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38477",
    "datePublished": "2025-07-28T11:21:38.319Z",
    "dateReserved": "2025-04-16T04:51:24.021Z",
    "dateUpdated": "2025-11-03T17:38:44.755Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-36978 (GCVE-0-2024-36978)

Vulnerability from cvelistv5

Published

2024-06-19 06:20

Modified

2025-11-03 21:55

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: net: sched: sch_multiq: fix possible OOB write in multiq_tune() q->bands will be assigned to qopt->bands to execute subsequent code logic after kmalloc. So the old q->bands should not be used in kmalloc. Otherwise, an out-of-bounds write will occur.

References

URL

Tags

	https://git.kernel.org/stable/c/d5d9d241786f49ae7cbc08e7fc95a115e9d80f3d
	https://git.kernel.org/stable/c/52b1aa07cda6a199cd6754d3798c7759023bc70f
	https://git.kernel.org/stable/c/598572c64287aee0b75bbba4e2881496878860f3
	https://git.kernel.org/stable/c/0f208fad86631e005754606c3ec80c0d44a11882
	https://git.kernel.org/stable/c/54c2c171c11a798fe887b3ff72922aa9d1411c1e
	https://git.kernel.org/stable/c/d6fb5110e8722bc00748f22caeb650fe4672f129
	https://git.kernel.org/stable/c/affc18fdc694190ca7575b9a86632a73b9fe043d

Impacted products

Vendor

Product

Version

Linux

Version: c2999f7fb05b87da4060e38150c70fa46794d82b
Version: c2999f7fb05b87da4060e38150c70fa46794d82b
Version: c2999f7fb05b87da4060e38150c70fa46794d82b
Version: c2999f7fb05b87da4060e38150c70fa46794d82b
Version: c2999f7fb05b87da4060e38150c70fa46794d82b
Version: c2999f7fb05b87da4060e38150c70fa46794d82b
Version: c2999f7fb05b87da4060e38150c70fa46794d82b

Linux

Version: 5.4

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-36978",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-21T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-22T04:55:12.222Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T21:55:30.685Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/d5d9d241786f49ae7cbc08e7fc95a115e9d80f3d"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/52b1aa07cda6a199cd6754d3798c7759023bc70f"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/598572c64287aee0b75bbba4e2881496878860f3"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/0f208fad86631e005754606c3ec80c0d44a11882"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/54c2c171c11a798fe887b3ff72922aa9d1411c1e"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/d6fb5110e8722bc00748f22caeb650fe4672f129"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/affc18fdc694190ca7575b9a86632a73b9fe043d"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_multiq.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d5d9d241786f49ae7cbc08e7fc95a115e9d80f3d",
              "status": "affected",
              "version": "c2999f7fb05b87da4060e38150c70fa46794d82b",
              "versionType": "git"
            },
            {
              "lessThan": "52b1aa07cda6a199cd6754d3798c7759023bc70f",
              "status": "affected",
              "version": "c2999f7fb05b87da4060e38150c70fa46794d82b",
              "versionType": "git"
            },
            {
              "lessThan": "598572c64287aee0b75bbba4e2881496878860f3",
              "status": "affected",
              "version": "c2999f7fb05b87da4060e38150c70fa46794d82b",
              "versionType": "git"
            },
            {
              "lessThan": "0f208fad86631e005754606c3ec80c0d44a11882",
              "status": "affected",
              "version": "c2999f7fb05b87da4060e38150c70fa46794d82b",
              "versionType": "git"
            },
            {
              "lessThan": "54c2c171c11a798fe887b3ff72922aa9d1411c1e",
              "status": "affected",
              "version": "c2999f7fb05b87da4060e38150c70fa46794d82b",
              "versionType": "git"
            },
            {
              "lessThan": "d6fb5110e8722bc00748f22caeb650fe4672f129",
              "status": "affected",
              "version": "c2999f7fb05b87da4060e38150c70fa46794d82b",
              "versionType": "git"
            },
            {
              "lessThan": "affc18fdc694190ca7575b9a86632a73b9fe043d",
              "status": "affected",
              "version": "c2999f7fb05b87da4060e38150c70fa46794d82b",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_multiq.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.4"
            },
            {
              "lessThan": "5.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.279",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.221",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.162",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.95",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.35",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.9.*",
              "status": "unaffected",
              "version": "6.9.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.10",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.279",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.221",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.162",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.95",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.35",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.9.6",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.10",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sched: sch_multiq: fix possible OOB write in multiq_tune()\n\nq-\u003ebands will be assigned to qopt-\u003ebands to execute subsequent code logic\nafter kmalloc. So the old q-\u003ebands should not be used in kmalloc.\nOtherwise, an out-of-bounds write will occur."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:13:14.643Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d5d9d241786f49ae7cbc08e7fc95a115e9d80f3d"
        },
        {
          "url": "https://git.kernel.org/stable/c/52b1aa07cda6a199cd6754d3798c7759023bc70f"
        },
        {
          "url": "https://git.kernel.org/stable/c/598572c64287aee0b75bbba4e2881496878860f3"
        },
        {
          "url": "https://git.kernel.org/stable/c/0f208fad86631e005754606c3ec80c0d44a11882"
        },
        {
          "url": "https://git.kernel.org/stable/c/54c2c171c11a798fe887b3ff72922aa9d1411c1e"
        },
        {
          "url": "https://git.kernel.org/stable/c/d6fb5110e8722bc00748f22caeb650fe4672f129"
        },
        {
          "url": "https://git.kernel.org/stable/c/affc18fdc694190ca7575b9a86632a73b9fe043d"
        }
      ],
      "title": "net: sched: sch_multiq: fix possible OOB write in multiq_tune()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-36978",
    "datePublished": "2024-06-19T06:20:23.103Z",
    "dateReserved": "2024-05-30T15:25:07.082Z",
    "dateUpdated": "2025-11-03T21:55:30.685Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-37771 (GCVE-0-2025-37771)

Vulnerability from cvelistv5

Published

2025-05-01 13:07

Modified

2025-11-03 19:54

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/amd/pm: Prevent division by zero The user can set any speed value. If speed is greater than UINT_MAX/8, division by zero is possible. Found by Linux Verification Center (linuxtesting.org) with SVACE.

References

URL

Tags

	https://git.kernel.org/stable/c/b7c41df4913789ebfe73cc1e17c6401d4c5eab69
	https://git.kernel.org/stable/c/402964994e8ece29702383b234fabcf04791ff95
	https://git.kernel.org/stable/c/5096174074114f83c700a27869c54362cbb10f3e
	https://git.kernel.org/stable/c/6413fed016208171592c88b5df002af8a1387e24
	https://git.kernel.org/stable/c/baa54adb5e0599299b8f088efb5544d876a3eb62
	https://git.kernel.org/stable/c/7d641c2b83275d3b0424127b2e0d2d0f7dd82aef

Impacted products

Vendor

Product

Version

Linux

Version: b64625a303de727498f80f8cb9833fc615c0a90f
Version: b64625a303de727498f80f8cb9833fc615c0a90f
Version: b64625a303de727498f80f8cb9833fc615c0a90f
Version: b64625a303de727498f80f8cb9833fc615c0a90f
Version: b64625a303de727498f80f8cb9833fc615c0a90f
Version: b64625a303de727498f80f8cb9833fc615c0a90f

Linux

Version: 5.15

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:54:48.572Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/pm/swsmu/smu11/arcturus_ppt.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b7c41df4913789ebfe73cc1e17c6401d4c5eab69",
              "status": "affected",
              "version": "b64625a303de727498f80f8cb9833fc615c0a90f",
              "versionType": "git"
            },
            {
              "lessThan": "402964994e8ece29702383b234fabcf04791ff95",
              "status": "affected",
              "version": "b64625a303de727498f80f8cb9833fc615c0a90f",
              "versionType": "git"
            },
            {
              "lessThan": "5096174074114f83c700a27869c54362cbb10f3e",
              "status": "affected",
              "version": "b64625a303de727498f80f8cb9833fc615c0a90f",
              "versionType": "git"
            },
            {
              "lessThan": "6413fed016208171592c88b5df002af8a1387e24",
              "status": "affected",
              "version": "b64625a303de727498f80f8cb9833fc615c0a90f",
              "versionType": "git"
            },
            {
              "lessThan": "baa54adb5e0599299b8f088efb5544d876a3eb62",
              "status": "affected",
              "version": "b64625a303de727498f80f8cb9833fc615c0a90f",
              "versionType": "git"
            },
            {
              "lessThan": "7d641c2b83275d3b0424127b2e0d2d0f7dd82aef",
              "status": "affected",
              "version": "b64625a303de727498f80f8cb9833fc615c0a90f",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/pm/swsmu/smu11/arcturus_ppt.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.15"
            },
            {
              "lessThan": "5.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.181",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.135",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.25",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.181",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.135",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.88",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.25",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.4",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/pm: Prevent division by zero\n\nThe user can set any speed value.\nIf speed is greater than UINT_MAX/8, division by zero is possible.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:20:32.135Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b7c41df4913789ebfe73cc1e17c6401d4c5eab69"
        },
        {
          "url": "https://git.kernel.org/stable/c/402964994e8ece29702383b234fabcf04791ff95"
        },
        {
          "url": "https://git.kernel.org/stable/c/5096174074114f83c700a27869c54362cbb10f3e"
        },
        {
          "url": "https://git.kernel.org/stable/c/6413fed016208171592c88b5df002af8a1387e24"
        },
        {
          "url": "https://git.kernel.org/stable/c/baa54adb5e0599299b8f088efb5544d876a3eb62"
        },
        {
          "url": "https://git.kernel.org/stable/c/7d641c2b83275d3b0424127b2e0d2d0f7dd82aef"
        }
      ],
      "title": "drm/amd/pm: Prevent division by zero",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37771",
    "datePublished": "2025-05-01T13:07:11.517Z",
    "dateReserved": "2025-04-16T04:51:23.939Z",
    "dateUpdated": "2025-11-03T19:54:48.572Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38007 (GCVE-0-2025-38007)

Vulnerability from cvelistv5

Published

2025-06-18 09:28

Modified

2025-11-03 19:58

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: HID: uclogic: Add NULL check in uclogic_input_configured() devm_kasprintf() returns NULL when memory allocation fails. Currently, uclogic_input_configured() does not check for this case, which results in a NULL pointer dereference. Add NULL check after devm_kasprintf() to prevent this issue.

References

URL

Tags

	https://git.kernel.org/stable/c/01b76cc8ca243fc3376b035aa326bbc4f03d384b
	https://git.kernel.org/stable/c/ad6caaf29bc26a48b1241ce82561fcbcf0a75aa9
	https://git.kernel.org/stable/c/94e7272b636a0677082e0604609e4c471e0a2caf
	https://git.kernel.org/stable/c/b616453d719ee1b8bf2ea6f6cc6c6258a572a590
	https://git.kernel.org/stable/c/bd07f751208ba190f9b0db5e5b7f35d5bb4a8a1e

Impacted products

Vendor

Product

Version

Linux

Version: f283805d984343b2f216e2f4c6c7af265b9542ae
Version: dd613a4e45f8d35f49a63a2064e5308fa5619e29
Version: dd613a4e45f8d35f49a63a2064e5308fa5619e29
Version: dd613a4e45f8d35f49a63a2064e5308fa5619e29
Version: dd613a4e45f8d35f49a63a2064e5308fa5619e29
Version: 4c2707dfee5847dc0b5ecfbe512c29c93832fdc4
Version: 58f0d1c0e494a88f301bf455da7df4366f179bbb

Linux

Version: 6.6

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:58:15.120Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/hid/hid-uclogic-core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "01b76cc8ca243fc3376b035aa326bbc4f03d384b",
              "status": "affected",
              "version": "f283805d984343b2f216e2f4c6c7af265b9542ae",
              "versionType": "git"
            },
            {
              "lessThan": "ad6caaf29bc26a48b1241ce82561fcbcf0a75aa9",
              "status": "affected",
              "version": "dd613a4e45f8d35f49a63a2064e5308fa5619e29",
              "versionType": "git"
            },
            {
              "lessThan": "94e7272b636a0677082e0604609e4c471e0a2caf",
              "status": "affected",
              "version": "dd613a4e45f8d35f49a63a2064e5308fa5619e29",
              "versionType": "git"
            },
            {
              "lessThan": "b616453d719ee1b8bf2ea6f6cc6c6258a572a590",
              "status": "affected",
              "version": "dd613a4e45f8d35f49a63a2064e5308fa5619e29",
              "versionType": "git"
            },
            {
              "lessThan": "bd07f751208ba190f9b0db5e5b7f35d5bb4a8a1e",
              "status": "affected",
              "version": "dd613a4e45f8d35f49a63a2064e5308fa5619e29",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "4c2707dfee5847dc0b5ecfbe512c29c93832fdc4",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "58f0d1c0e494a88f301bf455da7df4366f179bbb",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/hid/hid-uclogic-core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.6"
            },
            {
              "lessThan": "6.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.92",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.140",
                  "versionStartIncluding": "6.1.53",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.92",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.30",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.8",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.5.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: uclogic: Add NULL check in uclogic_input_configured()\n\ndevm_kasprintf() returns NULL when memory allocation fails. Currently,\nuclogic_input_configured() does not check for this case, which results\nin a NULL pointer dereference.\n\nAdd NULL check after devm_kasprintf() to prevent this issue."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-18T09:28:18.735Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/01b76cc8ca243fc3376b035aa326bbc4f03d384b"
        },
        {
          "url": "https://git.kernel.org/stable/c/ad6caaf29bc26a48b1241ce82561fcbcf0a75aa9"
        },
        {
          "url": "https://git.kernel.org/stable/c/94e7272b636a0677082e0604609e4c471e0a2caf"
        },
        {
          "url": "https://git.kernel.org/stable/c/b616453d719ee1b8bf2ea6f6cc6c6258a572a590"
        },
        {
          "url": "https://git.kernel.org/stable/c/bd07f751208ba190f9b0db5e5b7f35d5bb4a8a1e"
        }
      ],
      "title": "HID: uclogic: Add NULL check in uclogic_input_configured()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38007",
    "datePublished": "2025-06-18T09:28:18.735Z",
    "dateReserved": "2025-04-16T04:51:23.977Z",
    "dateUpdated": "2025-11-03T19:58:15.120Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-37943 (GCVE-0-2025-37943)

Vulnerability from cvelistv5

Published

2025-05-20 15:58

Modified

2025-05-26 05:24

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: Fix invalid data access in ath12k_dp_rx_h_undecap_nwifi In certain cases, hardware might provide packets with a length greater than the maximum native Wi-Fi header length. This can lead to accessing and modifying fields in the header within the ath12k_dp_rx_h_undecap_nwifi function for DP_RX_DECAP_TYPE_NATIVE_WIFI decap type and potentially resulting in invalid data access and memory corruption. Add a sanity check before processing the SKB to prevent invalid data access in the undecap native Wi-Fi function for the DP_RX_DECAP_TYPE_NATIVE_WIFI decap type. Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.3.1-00173-QCAHKSWPL_SILICONZ-1

References

URL

Tags

	https://git.kernel.org/stable/c/7f1d986da5c6abb75ffe4d0d325fc9b341c41a1c
	https://git.kernel.org/stable/c/3abe15e756481c45f6acba3d476cb3ca4afc3b61
	https://git.kernel.org/stable/c/6ee653194ddb83674913fd2727b8ecfae0597ade
	https://git.kernel.org/stable/c/50be1fb76556e80af9f5da80f28168b6c71bce58
	https://git.kernel.org/stable/c/9a0dddfb30f120db3851627935851d262e4e7acb

Impacted products

Vendor

Product

Version

Linux

Version: d889913205cf7ebda905b1e62c5867ed4e39f6c2
Version: d889913205cf7ebda905b1e62c5867ed4e39f6c2
Version: d889913205cf7ebda905b1e62c5867ed4e39f6c2
Version: d889913205cf7ebda905b1e62c5867ed4e39f6c2
Version: d889913205cf7ebda905b1e62c5867ed4e39f6c2

Linux

Version: 6.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/ath/ath12k/dp_rx.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "7f1d986da5c6abb75ffe4d0d325fc9b341c41a1c",
              "status": "affected",
              "version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
              "versionType": "git"
            },
            {
              "lessThan": "3abe15e756481c45f6acba3d476cb3ca4afc3b61",
              "status": "affected",
              "version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
              "versionType": "git"
            },
            {
              "lessThan": "6ee653194ddb83674913fd2727b8ecfae0597ade",
              "status": "affected",
              "version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
              "versionType": "git"
            },
            {
              "lessThan": "50be1fb76556e80af9f5da80f28168b6c71bce58",
              "status": "affected",
              "version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
              "versionType": "git"
            },
            {
              "lessThan": "9a0dddfb30f120db3851627935851d262e4e7acb",
              "status": "affected",
              "version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/ath/ath12k/dp_rx.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.3"
            },
            {
              "lessThan": "6.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.24",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.88",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.24",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.12",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.3",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: Fix invalid data access in ath12k_dp_rx_h_undecap_nwifi\n\nIn certain cases, hardware might provide packets with a\nlength greater than the maximum native Wi-Fi header length.\nThis can lead to accessing and modifying fields in the header\nwithin the ath12k_dp_rx_h_undecap_nwifi function for\nDP_RX_DECAP_TYPE_NATIVE_WIFI decap type and\npotentially resulting in invalid data access and memory corruption.\n\nAdd a sanity check before processing the SKB to prevent invalid\ndata access in the undecap native Wi-Fi function for the\nDP_RX_DECAP_TYPE_NATIVE_WIFI decap type.\n\nTested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.3.1-00173-QCAHKSWPL_SILICONZ-1"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:24:13.928Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/7f1d986da5c6abb75ffe4d0d325fc9b341c41a1c"
        },
        {
          "url": "https://git.kernel.org/stable/c/3abe15e756481c45f6acba3d476cb3ca4afc3b61"
        },
        {
          "url": "https://git.kernel.org/stable/c/6ee653194ddb83674913fd2727b8ecfae0597ade"
        },
        {
          "url": "https://git.kernel.org/stable/c/50be1fb76556e80af9f5da80f28168b6c71bce58"
        },
        {
          "url": "https://git.kernel.org/stable/c/9a0dddfb30f120db3851627935851d262e4e7acb"
        }
      ],
      "title": "wifi: ath12k: Fix invalid data access in ath12k_dp_rx_h_undecap_nwifi",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37943",
    "datePublished": "2025-05-20T15:58:19.607Z",
    "dateReserved": "2025-04-16T04:51:23.972Z",
    "dateUpdated": "2025-05-26T05:24:13.928Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38463 (GCVE-0-2025-38463)

Vulnerability from cvelistv5

Published

2025-07-25 15:27

Modified

2025-07-28 04:23

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: tcp: Correct signedness in skb remaining space calculation Syzkaller reported a bug [1] where sk->sk_forward_alloc can overflow. When we send data, if an skb exists at the tail of the write queue, the kernel will attempt to append the new data to that skb. However, the code that checks for available space in the skb is flawed: ''' copy = size_goal - skb->len ''' The types of the variables involved are: ''' copy: ssize_t (s64 on 64-bit systems) size_goal: int skb->len: unsigned int ''' Due to C's type promotion rules, the signed size_goal is converted to an unsigned int to match skb->len before the subtraction. The result is an unsigned int. When this unsigned int result is then assigned to the s64 copy variable, it is zero-extended, preserving its non-negative value. Consequently, copy is always >= 0. Assume we are sending 2GB of data and size_goal has been adjusted to a value smaller than skb->len. The subtraction will result in copy holding a very large positive integer. In the subsequent logic, this large value is used to update sk->sk_forward_alloc, which can easily cause it to overflow. The syzkaller reproducer uses TCP_REPAIR to reliably create this condition. However, this can also occur in real-world scenarios. The tcp_bound_to_half_wnd() function can also reduce size_goal to a small value. This would cause the subsequent tcp_wmem_schedule() to set sk->sk_forward_alloc to a value close to INT_MAX. Further memory allocation requests would then cause sk_forward_alloc to wrap around and become negative. [1]: https://syzkaller.appspot.com/bug?extid=de6565462ab540f50e47

References

URL

Tags

	https://git.kernel.org/stable/c/81373cd1d72d87c7d844d4454a526b8f53e72d00
	https://git.kernel.org/stable/c/62e6160cfb5514787bda833d466509edc38fde23
	https://git.kernel.org/stable/c/9f164fa6bb09fbcc60fa5c3ff551ce9eec1befd7
	https://git.kernel.org/stable/c/d3a5f2871adc0c61c61869f37f3e697d97f03d8c

Impacted products

Vendor

Product

Version

Linux

Version: 270a1c3de47e49dd2fc18f48e46b101e48050e78
Version: 270a1c3de47e49dd2fc18f48e46b101e48050e78
Version: 270a1c3de47e49dd2fc18f48e46b101e48050e78
Version: 270a1c3de47e49dd2fc18f48e46b101e48050e78

Linux

Version: 6.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/ipv4/tcp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "81373cd1d72d87c7d844d4454a526b8f53e72d00",
              "status": "affected",
              "version": "270a1c3de47e49dd2fc18f48e46b101e48050e78",
              "versionType": "git"
            },
            {
              "lessThan": "62e6160cfb5514787bda833d466509edc38fde23",
              "status": "affected",
              "version": "270a1c3de47e49dd2fc18f48e46b101e48050e78",
              "versionType": "git"
            },
            {
              "lessThan": "9f164fa6bb09fbcc60fa5c3ff551ce9eec1befd7",
              "status": "affected",
              "version": "270a1c3de47e49dd2fc18f48e46b101e48050e78",
              "versionType": "git"
            },
            {
              "lessThan": "d3a5f2871adc0c61c61869f37f3e697d97f03d8c",
              "status": "affected",
              "version": "270a1c3de47e49dd2fc18f48e46b101e48050e78",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/ipv4/tcp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.5"
            },
            {
              "lessThan": "6.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.99",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.39",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.99",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.39",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.7",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: Correct signedness in skb remaining space calculation\n\nSyzkaller reported a bug [1] where sk-\u003esk_forward_alloc can overflow.\n\nWhen we send data, if an skb exists at the tail of the write queue, the\nkernel will attempt to append the new data to that skb. However, the code\nthat checks for available space in the skb is flawed:\n\u0027\u0027\u0027\ncopy = size_goal - skb-\u003elen\n\u0027\u0027\u0027\n\nThe types of the variables involved are:\n\u0027\u0027\u0027\ncopy: ssize_t (s64 on 64-bit systems)\nsize_goal: int\nskb-\u003elen: unsigned int\n\u0027\u0027\u0027\n\nDue to C\u0027s type promotion rules, the signed size_goal is converted to an\nunsigned int to match skb-\u003elen before the subtraction. The result is an\nunsigned int.\n\nWhen this unsigned int result is then assigned to the s64 copy variable,\nit is zero-extended, preserving its non-negative value. Consequently, copy\nis always \u003e= 0.\n\nAssume we are sending 2GB of data and size_goal has been adjusted to a\nvalue smaller than skb-\u003elen. The subtraction will result in copy holding a\nvery large positive integer. In the subsequent logic, this large value is\nused to update sk-\u003esk_forward_alloc, which can easily cause it to overflow.\n\nThe syzkaller reproducer uses TCP_REPAIR to reliably create this\ncondition. However, this can also occur in real-world scenarios. The\ntcp_bound_to_half_wnd() function can also reduce size_goal to a small\nvalue. This would cause the subsequent tcp_wmem_schedule() to set\nsk-\u003esk_forward_alloc to a value close to INT_MAX. Further memory\nallocation requests would then cause sk_forward_alloc to wrap around and\nbecome negative.\n\n[1]: https://syzkaller.appspot.com/bug?extid=de6565462ab540f50e47"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:23:11.023Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/81373cd1d72d87c7d844d4454a526b8f53e72d00"
        },
        {
          "url": "https://git.kernel.org/stable/c/62e6160cfb5514787bda833d466509edc38fde23"
        },
        {
          "url": "https://git.kernel.org/stable/c/9f164fa6bb09fbcc60fa5c3ff551ce9eec1befd7"
        },
        {
          "url": "https://git.kernel.org/stable/c/d3a5f2871adc0c61c61869f37f3e697d97f03d8c"
        }
      ],
      "title": "tcp: Correct signedness in skb remaining space calculation",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38463",
    "datePublished": "2025-07-25T15:27:45.975Z",
    "dateReserved": "2025-04-16T04:51:24.020Z",
    "dateUpdated": "2025-07-28T04:23:11.023Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-49825 (GCVE-0-2022-49825)

Vulnerability from cvelistv5

Published

2025-05-01 14:09

Modified

2025-05-04 08:46

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: ata: libata-transport: fix error handling in ata_tport_add() In ata_tport_add(), the return value of transport_add_device() is not checked. As a result, it causes null-ptr-deref while removing the module, because transport_remove_device() is called to remove the device that was not added. Unable to handle kernel NULL pointer dereference at virtual address 00000000000000d0 CPU: 12 PID: 13605 Comm: rmmod Kdump: loaded Tainted: G W 6.1.0-rc3+ #8 pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : device_del+0x48/0x39c lr : device_del+0x44/0x39c Call trace: device_del+0x48/0x39c attribute_container_class_device_del+0x28/0x40 transport_remove_classdev+0x60/0x7c attribute_container_device_trigger+0x118/0x120 transport_remove_device+0x20/0x30 ata_tport_delete+0x34/0x60 [libata] ata_port_detach+0x148/0x1b0 [libata] ata_pci_remove_one+0x50/0x80 [libata] ahci_remove_one+0x4c/0x8c [ahci] Fix this by checking and handling return value of transport_add_device() in ata_tport_add().

References

URL

Tags

	https://git.kernel.org/stable/c/b5362dc1634d8b8d5f30920f33ac11a3276b7ed9
	https://git.kernel.org/stable/c/e7bb1b7a7bf26f6b7372b7b683daece4a42fda02
	https://git.kernel.org/stable/c/52d9bb0adae9359711a0c5271430afd3754069e7
	https://git.kernel.org/stable/c/3613dbe3909dcc637fe6be00e4dc43b4aa0470ee

Impacted products

Vendor

Product

Version

Linux

Version: d9027470b88631d0956ac37cdadfdeb9cdcf2c99
Version: d9027470b88631d0956ac37cdadfdeb9cdcf2c99
Version: d9027470b88631d0956ac37cdadfdeb9cdcf2c99
Version: d9027470b88631d0956ac37cdadfdeb9cdcf2c99

Linux

Version: 2.6.37

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/ata/libata-transport.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b5362dc1634d8b8d5f30920f33ac11a3276b7ed9",
              "status": "affected",
              "version": "d9027470b88631d0956ac37cdadfdeb9cdcf2c99",
              "versionType": "git"
            },
            {
              "lessThan": "e7bb1b7a7bf26f6b7372b7b683daece4a42fda02",
              "status": "affected",
              "version": "d9027470b88631d0956ac37cdadfdeb9cdcf2c99",
              "versionType": "git"
            },
            {
              "lessThan": "52d9bb0adae9359711a0c5271430afd3754069e7",
              "status": "affected",
              "version": "d9027470b88631d0956ac37cdadfdeb9cdcf2c99",
              "versionType": "git"
            },
            {
              "lessThan": "3613dbe3909dcc637fe6be00e4dc43b4aa0470ee",
              "status": "affected",
              "version": "d9027470b88631d0956ac37cdadfdeb9cdcf2c99",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/ata/libata-transport.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.37"
            },
            {
              "lessThan": "2.6.37",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.156",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.80",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.156",
                  "versionStartIncluding": "2.6.37",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.80",
                  "versionStartIncluding": "2.6.37",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.10",
                  "versionStartIncluding": "2.6.37",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1",
                  "versionStartIncluding": "2.6.37",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nata: libata-transport: fix error handling in ata_tport_add()\n\nIn ata_tport_add(), the return value of transport_add_device() is\nnot checked. As a result, it causes null-ptr-deref while removing\nthe module, because transport_remove_device() is called to remove\nthe device that was not added.\n\nUnable to handle kernel NULL pointer dereference at virtual address 00000000000000d0\nCPU: 12 PID: 13605 Comm: rmmod Kdump: loaded Tainted: G        W          6.1.0-rc3+ #8\npstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : device_del+0x48/0x39c\nlr : device_del+0x44/0x39c\nCall trace:\n device_del+0x48/0x39c\n attribute_container_class_device_del+0x28/0x40\n transport_remove_classdev+0x60/0x7c\n attribute_container_device_trigger+0x118/0x120\n transport_remove_device+0x20/0x30\n ata_tport_delete+0x34/0x60 [libata]\n ata_port_detach+0x148/0x1b0 [libata]\n ata_pci_remove_one+0x50/0x80 [libata]\n ahci_remove_one+0x4c/0x8c [ahci]\n\nFix this by checking and handling return value of transport_add_device()\nin ata_tport_add()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T08:46:14.218Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b5362dc1634d8b8d5f30920f33ac11a3276b7ed9"
        },
        {
          "url": "https://git.kernel.org/stable/c/e7bb1b7a7bf26f6b7372b7b683daece4a42fda02"
        },
        {
          "url": "https://git.kernel.org/stable/c/52d9bb0adae9359711a0c5271430afd3754069e7"
        },
        {
          "url": "https://git.kernel.org/stable/c/3613dbe3909dcc637fe6be00e4dc43b4aa0470ee"
        }
      ],
      "title": "ata: libata-transport: fix error handling in ata_tport_add()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-49825",
    "datePublished": "2025-05-01T14:09:45.524Z",
    "dateReserved": "2025-05-01T14:05:17.227Z",
    "dateUpdated": "2025-05-04T08:46:14.218Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-37946 (GCVE-0-2025-37946)

Vulnerability from cvelistv5

Published

2025-05-20 16:01

Modified

2025-05-26 05:24

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: s390/pci: Fix duplicate pci_dev_put() in disable_slot() when PF has child VFs With commit bcb5d6c76903 ("s390/pci: introduce lock to synchronize state of zpci_dev's") the code to ignore power off of a PF that has child VFs was changed from a direct return to a goto to the unlock and pci_dev_put() section. The change however left the existing pci_dev_put() untouched resulting in a doubple put. This can subsequently cause a use after free if the struct pci_dev is released in an unexpected state. Fix this by removing the extra pci_dev_put().

References

URL

Tags

	https://git.kernel.org/stable/c/c488f8b53e156d6dcc0514ef0afa3a33376b8f9e
	https://git.kernel.org/stable/c/957529baef142d95e0d1b1bea786675bd47dbe53
	https://git.kernel.org/stable/c/05a2538f2b48500cf4e8a0a0ce76623cc5bafcf1

Impacted products

Vendor

Product

Version

Linux

Version: bcb5d6c769039c8358a2359e7c3ea5d97ce93108
Version: bcb5d6c769039c8358a2359e7c3ea5d97ce93108
Version: bcb5d6c769039c8358a2359e7c3ea5d97ce93108

Linux

Version: 6.9

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/pci/hotplug/s390_pci_hpc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c488f8b53e156d6dcc0514ef0afa3a33376b8f9e",
              "status": "affected",
              "version": "bcb5d6c769039c8358a2359e7c3ea5d97ce93108",
              "versionType": "git"
            },
            {
              "lessThan": "957529baef142d95e0d1b1bea786675bd47dbe53",
              "status": "affected",
              "version": "bcb5d6c769039c8358a2359e7c3ea5d97ce93108",
              "versionType": "git"
            },
            {
              "lessThan": "05a2538f2b48500cf4e8a0a0ce76623cc5bafcf1",
              "status": "affected",
              "version": "bcb5d6c769039c8358a2359e7c3ea5d97ce93108",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/pci/hotplug/s390_pci_hpc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.9"
            },
            {
              "lessThan": "6.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.29",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.29",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.7",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/pci: Fix duplicate pci_dev_put() in disable_slot() when PF has child VFs\n\nWith commit bcb5d6c76903 (\"s390/pci: introduce lock to synchronize state\nof zpci_dev\u0027s\") the code to ignore power off of a PF that has child VFs\nwas changed from a direct return to a goto to the unlock and\npci_dev_put() section. The change however left the existing pci_dev_put()\nuntouched resulting in a doubple put. This can subsequently cause a use\nafter free if the struct pci_dev is released in an unexpected state.\nFix this by removing the extra pci_dev_put()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:24:17.616Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c488f8b53e156d6dcc0514ef0afa3a33376b8f9e"
        },
        {
          "url": "https://git.kernel.org/stable/c/957529baef142d95e0d1b1bea786675bd47dbe53"
        },
        {
          "url": "https://git.kernel.org/stable/c/05a2538f2b48500cf4e8a0a0ce76623cc5bafcf1"
        }
      ],
      "title": "s390/pci: Fix duplicate pci_dev_put() in disable_slot() when PF has child VFs",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37946",
    "datePublished": "2025-05-20T16:01:43.162Z",
    "dateReserved": "2025-04-16T04:51:23.972Z",
    "dateUpdated": "2025-05-26T05:24:17.616Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38246 (GCVE-0-2025-38246)

Vulnerability from cvelistv5

Published

2025-07-09 10:42

Modified

2025-07-28 04:16

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: bnxt: properly flush XDP redirect lists We encountered following crash when testing a XDP_REDIRECT feature in production: [56251.579676] list_add corruption. next->prev should be prev (ffff93120dd40f30), but was ffffb301ef3a6740. (next=ffff93120dd 40f30). [56251.601413] ------------[ cut here ]------------ [56251.611357] kernel BUG at lib/list_debug.c:29! [56251.621082] Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI [56251.632073] CPU: 111 UID: 0 PID: 0 Comm: swapper/111 Kdump: loaded Tainted: P O 6.12.33-cloudflare-2025.6. 3 #1 [56251.653155] Tainted: [P]=PROPRIETARY_MODULE, [O]=OOT_MODULE [56251.663877] Hardware name: MiTAC GC68B-B8032-G11P6-GPU/S8032GM-HE-CFR, BIOS V7.020.B10-sig 01/22/2025 [56251.682626] RIP: 0010:__list_add_valid_or_report+0x4b/0xa0 [56251.693203] Code: 0e 48 c7 c7 68 e7 d9 97 e8 42 16 fe ff 0f 0b 48 8b 52 08 48 39 c2 74 14 48 89 f1 48 c7 c7 90 e7 d9 97 48 89 c6 e8 25 16 fe ff <0f> 0b 4c 8b 02 49 39 f0 74 14 48 89 d1 48 c7 c7 e8 e7 d9 97 4c 89 [56251.725811] RSP: 0018:ffff93120dd40b80 EFLAGS: 00010246 [56251.736094] RAX: 0000000000000075 RBX: ffffb301e6bba9d8 RCX: 0000000000000000 [56251.748260] RDX: 0000000000000000 RSI: ffff9149afda0b80 RDI: ffff9149afda0b80 [56251.760349] RBP: ffff9131e49c8000 R08: 0000000000000000 R09: ffff93120dd40a18 [56251.772382] R10: ffff9159cf2ce1a8 R11: 0000000000000003 R12: ffff911a80850000 [56251.784364] R13: ffff93120fbc7000 R14: 0000000000000010 R15: ffff9139e7510e40 [56251.796278] FS: 0000000000000000(0000) GS:ffff9149afd80000(0000) knlGS:0000000000000000 [56251.809133] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [56251.819561] CR2: 00007f5e85e6f300 CR3: 00000038b85e2006 CR4: 0000000000770ef0 [56251.831365] PKRU: 55555554 [56251.838653] Call Trace: [56251.845560] <IRQ> [56251.851943] cpu_map_enqueue.cold+0x5/0xa [56251.860243] xdp_do_redirect+0x2d9/0x480 [56251.868388] bnxt_rx_xdp+0x1d8/0x4c0 [bnxt_en] [56251.877028] bnxt_rx_pkt+0x5f7/0x19b0 [bnxt_en] [56251.885665] ? cpu_max_write+0x1e/0x100 [56251.893510] ? srso_alias_return_thunk+0x5/0xfbef5 [56251.902276] __bnxt_poll_work+0x190/0x340 [bnxt_en] [56251.911058] bnxt_poll+0xab/0x1b0 [bnxt_en] [56251.919041] ? srso_alias_return_thunk+0x5/0xfbef5 [56251.927568] ? srso_alias_return_thunk+0x5/0xfbef5 [56251.935958] ? srso_alias_return_thunk+0x5/0xfbef5 [56251.944250] __napi_poll+0x2b/0x160 [56251.951155] bpf_trampoline_6442548651+0x79/0x123 [56251.959262] __napi_poll+0x5/0x160 [56251.966037] net_rx_action+0x3d2/0x880 [56251.973133] ? srso_alias_return_thunk+0x5/0xfbef5 [56251.981265] ? srso_alias_return_thunk+0x5/0xfbef5 [56251.989262] ? __hrtimer_run_queues+0x162/0x2a0 [56251.996967] ? srso_alias_return_thunk+0x5/0xfbef5 [56252.004875] ? srso_alias_return_thunk+0x5/0xfbef5 [56252.012673] ? bnxt_msix+0x62/0x70 [bnxt_en] [56252.019903] handle_softirqs+0xcf/0x270 [56252.026650] irq_exit_rcu+0x67/0x90 [56252.032933] common_interrupt+0x85/0xa0 [56252.039498] </IRQ> [56252.044246] <TASK> [56252.048935] asm_common_interrupt+0x26/0x40 [56252.055727] RIP: 0010:cpuidle_enter_state+0xb8/0x420 [56252.063305] Code: dc 01 00 00 e8 f9 79 3b ff e8 64 f7 ff ff 49 89 c5 0f 1f 44 00 00 31 ff e8 a5 32 3a ff 45 84 ff 0f 85 ae 01 00 00 fb 45 85 f6 <0f> 88 88 01 00 00 48 8b 04 24 49 63 ce 4c 89 ea 48 6b f1 68 48 29 [56252.088911] RSP: 0018:ffff93120c97fe98 EFLAGS: 00000202 [56252.096912] RAX: ffff9149afd80000 RBX: ffff9141d3a72800 RCX: 0000000000000000 [56252.106844] RDX: 00003329176c6b98 RSI: ffffffe36db3fdc7 RDI: 0000000000000000 [56252.116733] RBP: 0000000000000002 R08: 0000000000000002 R09: 000000000000004e [56252.126652] R10: ffff9149afdb30c4 R11: 071c71c71c71c71c R12: ffffffff985ff860 [56252.136637] R13: 00003329176c6b98 R14: 0000000000000002 R15: 0000000000000000 [56252.146667] ? cpuidle_enter_state+0xab/0x420 [56252.153909] cpuidle_enter+0x2d/0x40 [56252.160360] do_idle+0x176/0x1c0 [56252.166456 ---truncated---

References

URL

Tags

	https://git.kernel.org/stable/c/16254aa985d14dee050564c4a3936f3dc096e1f7
	https://git.kernel.org/stable/c/c6665b8f0f58082c480ed8627029f44d046ef2c8
	https://git.kernel.org/stable/c/02bf488d56df9db4f5147280b65d9011e1ab88d2
	https://git.kernel.org/stable/c/9caca6ac0e26cd20efd490d8b3b2ffb1c7c00f6f

Impacted products

Vendor

Product

Version

Linux

Version: a7559bc8c17c3f9a91dcbeefe8642ba757fd09e8
Version: a7559bc8c17c3f9a91dcbeefe8642ba757fd09e8
Version: a7559bc8c17c3f9a91dcbeefe8642ba757fd09e8
Version: a7559bc8c17c3f9a91dcbeefe8642ba757fd09e8

Linux

Version: 5.19

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/broadcom/bnxt/bnxt.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "16254aa985d14dee050564c4a3936f3dc096e1f7",
              "status": "affected",
              "version": "a7559bc8c17c3f9a91dcbeefe8642ba757fd09e8",
              "versionType": "git"
            },
            {
              "lessThan": "c6665b8f0f58082c480ed8627029f44d046ef2c8",
              "status": "affected",
              "version": "a7559bc8c17c3f9a91dcbeefe8642ba757fd09e8",
              "versionType": "git"
            },
            {
              "lessThan": "02bf488d56df9db4f5147280b65d9011e1ab88d2",
              "status": "affected",
              "version": "a7559bc8c17c3f9a91dcbeefe8642ba757fd09e8",
              "versionType": "git"
            },
            {
              "lessThan": "9caca6ac0e26cd20efd490d8b3b2ffb1c7c00f6f",
              "status": "affected",
              "version": "a7559bc8c17c3f9a91dcbeefe8642ba757fd09e8",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/broadcom/bnxt/bnxt.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.19"
            },
            {
              "lessThan": "5.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.97",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.36",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.97",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.36",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.5",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt: properly flush XDP redirect lists\n\nWe encountered following crash when testing a XDP_REDIRECT feature\nin production:\n\n[56251.579676] list_add corruption. next-\u003eprev should be prev (ffff93120dd40f30), but was ffffb301ef3a6740. (next=ffff93120dd\n40f30).\n[56251.601413] ------------[ cut here ]------------\n[56251.611357] kernel BUG at lib/list_debug.c:29!\n[56251.621082] Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n[56251.632073] CPU: 111 UID: 0 PID: 0 Comm: swapper/111 Kdump: loaded Tainted: P           O       6.12.33-cloudflare-2025.6.\n3 #1\n[56251.653155] Tainted: [P]=PROPRIETARY_MODULE, [O]=OOT_MODULE\n[56251.663877] Hardware name: MiTAC GC68B-B8032-G11P6-GPU/S8032GM-HE-CFR, BIOS V7.020.B10-sig 01/22/2025\n[56251.682626] RIP: 0010:__list_add_valid_or_report+0x4b/0xa0\n[56251.693203] Code: 0e 48 c7 c7 68 e7 d9 97 e8 42 16 fe ff 0f 0b 48 8b 52 08 48 39 c2 74 14 48 89 f1 48 c7 c7 90 e7 d9 97 48\n 89 c6 e8 25 16 fe ff \u003c0f\u003e 0b 4c 8b 02 49 39 f0 74 14 48 89 d1 48 c7 c7 e8 e7 d9 97 4c 89\n[56251.725811] RSP: 0018:ffff93120dd40b80 EFLAGS: 00010246\n[56251.736094] RAX: 0000000000000075 RBX: ffffb301e6bba9d8 RCX: 0000000000000000\n[56251.748260] RDX: 0000000000000000 RSI: ffff9149afda0b80 RDI: ffff9149afda0b80\n[56251.760349] RBP: ffff9131e49c8000 R08: 0000000000000000 R09: ffff93120dd40a18\n[56251.772382] R10: ffff9159cf2ce1a8 R11: 0000000000000003 R12: ffff911a80850000\n[56251.784364] R13: ffff93120fbc7000 R14: 0000000000000010 R15: ffff9139e7510e40\n[56251.796278] FS:  0000000000000000(0000) GS:ffff9149afd80000(0000) knlGS:0000000000000000\n[56251.809133] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[56251.819561] CR2: 00007f5e85e6f300 CR3: 00000038b85e2006 CR4: 0000000000770ef0\n[56251.831365] PKRU: 55555554\n[56251.838653] Call Trace:\n[56251.845560]  \u003cIRQ\u003e\n[56251.851943]  cpu_map_enqueue.cold+0x5/0xa\n[56251.860243]  xdp_do_redirect+0x2d9/0x480\n[56251.868388]  bnxt_rx_xdp+0x1d8/0x4c0 [bnxt_en]\n[56251.877028]  bnxt_rx_pkt+0x5f7/0x19b0 [bnxt_en]\n[56251.885665]  ? cpu_max_write+0x1e/0x100\n[56251.893510]  ? srso_alias_return_thunk+0x5/0xfbef5\n[56251.902276]  __bnxt_poll_work+0x190/0x340 [bnxt_en]\n[56251.911058]  bnxt_poll+0xab/0x1b0 [bnxt_en]\n[56251.919041]  ? srso_alias_return_thunk+0x5/0xfbef5\n[56251.927568]  ? srso_alias_return_thunk+0x5/0xfbef5\n[56251.935958]  ? srso_alias_return_thunk+0x5/0xfbef5\n[56251.944250]  __napi_poll+0x2b/0x160\n[56251.951155]  bpf_trampoline_6442548651+0x79/0x123\n[56251.959262]  __napi_poll+0x5/0x160\n[56251.966037]  net_rx_action+0x3d2/0x880\n[56251.973133]  ? srso_alias_return_thunk+0x5/0xfbef5\n[56251.981265]  ? srso_alias_return_thunk+0x5/0xfbef5\n[56251.989262]  ? __hrtimer_run_queues+0x162/0x2a0\n[56251.996967]  ? srso_alias_return_thunk+0x5/0xfbef5\n[56252.004875]  ? srso_alias_return_thunk+0x5/0xfbef5\n[56252.012673]  ? bnxt_msix+0x62/0x70 [bnxt_en]\n[56252.019903]  handle_softirqs+0xcf/0x270\n[56252.026650]  irq_exit_rcu+0x67/0x90\n[56252.032933]  common_interrupt+0x85/0xa0\n[56252.039498]  \u003c/IRQ\u003e\n[56252.044246]  \u003cTASK\u003e\n[56252.048935]  asm_common_interrupt+0x26/0x40\n[56252.055727] RIP: 0010:cpuidle_enter_state+0xb8/0x420\n[56252.063305] Code: dc 01 00 00 e8 f9 79 3b ff e8 64 f7 ff ff 49 89 c5 0f 1f 44 00 00 31 ff e8 a5 32 3a ff 45 84 ff 0f 85 ae\n 01 00 00 fb 45 85 f6 \u003c0f\u003e 88 88 01 00 00 48 8b 04 24 49 63 ce 4c 89 ea 48 6b f1 68 48 29\n[56252.088911] RSP: 0018:ffff93120c97fe98 EFLAGS: 00000202\n[56252.096912] RAX: ffff9149afd80000 RBX: ffff9141d3a72800 RCX: 0000000000000000\n[56252.106844] RDX: 00003329176c6b98 RSI: ffffffe36db3fdc7 RDI: 0000000000000000\n[56252.116733] RBP: 0000000000000002 R08: 0000000000000002 R09: 000000000000004e\n[56252.126652] R10: ffff9149afdb30c4 R11: 071c71c71c71c71c R12: ffffffff985ff860\n[56252.136637] R13: 00003329176c6b98 R14: 0000000000000002 R15: 0000000000000000\n[56252.146667]  ? cpuidle_enter_state+0xab/0x420\n[56252.153909]  cpuidle_enter+0x2d/0x40\n[56252.160360]  do_idle+0x176/0x1c0\n[56252.166456\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:16:06.087Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/16254aa985d14dee050564c4a3936f3dc096e1f7"
        },
        {
          "url": "https://git.kernel.org/stable/c/c6665b8f0f58082c480ed8627029f44d046ef2c8"
        },
        {
          "url": "https://git.kernel.org/stable/c/02bf488d56df9db4f5147280b65d9011e1ab88d2"
        },
        {
          "url": "https://git.kernel.org/stable/c/9caca6ac0e26cd20efd490d8b3b2ffb1c7c00f6f"
        }
      ],
      "title": "bnxt: properly flush XDP redirect lists",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38246",
    "datePublished": "2025-07-09T10:42:27.908Z",
    "dateReserved": "2025-04-16T04:51:23.997Z",
    "dateUpdated": "2025-07-28T04:16:06.087Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-22089 (GCVE-0-2025-22089)

Vulnerability from cvelistv5

Published

2025-04-16 14:12

Modified

2025-11-03 19:42

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: RDMA/core: Don't expose hw_counters outside of init net namespace Commit 467f432a521a ("RDMA/core: Split port and device counter sysfs attributes") accidentally almost exposed hw counters to non-init net namespaces. It didn't expose them fully, as an attempt to read any of those counters leads to a crash like this one: [42021.807566] BUG: kernel NULL pointer dereference, address: 0000000000000028 [42021.814463] #PF: supervisor read access in kernel mode [42021.819549] #PF: error_code(0x0000) - not-present page [42021.824636] PGD 0 P4D 0 [42021.827145] Oops: 0000 [#1] SMP PTI [42021.830598] CPU: 82 PID: 2843922 Comm: switchto-defaul Kdump: loaded Tainted: G S W I XXX [42021.841697] Hardware name: XXX [42021.849619] RIP: 0010:hw_stat_device_show+0x1e/0x40 [ib_core] [42021.855362] Code: 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 49 89 d0 4c 8b 5e 20 48 8b 8f b8 04 00 00 48 81 c7 f0 fa ff ff <48> 8b 41 28 48 29 ce 48 83 c6 d0 48 c1 ee 04 69 d6 ab aa aa aa 48 [42021.873931] RSP: 0018:ffff97fe90f03da0 EFLAGS: 00010287 [42021.879108] RAX: ffff9406988a8c60 RBX: ffff940e1072d438 RCX: 0000000000000000 [42021.886169] RDX: ffff94085f1aa000 RSI: ffff93c6cbbdbcb0 RDI: ffff940c7517aef0 [42021.893230] RBP: ffff97fe90f03e70 R08: ffff94085f1aa000 R09: 0000000000000000 [42021.900294] R10: ffff94085f1aa000 R11: ffffffffc0775680 R12: ffffffff87ca2530 [42021.907355] R13: ffff940651602840 R14: ffff93c6cbbdbcb0 R15: ffff94085f1aa000 [42021.914418] FS: 00007fda1a3b9700(0000) GS:ffff94453fb80000(0000) knlGS:0000000000000000 [42021.922423] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [42021.928130] CR2: 0000000000000028 CR3: 00000042dcfb8003 CR4: 00000000003726f0 [42021.935194] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [42021.942257] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [42021.949324] Call Trace: [42021.951756] <TASK> [42021.953842] [<ffffffff86c58674>] ? show_regs+0x64/0x70 [42021.959030] [<ffffffff86c58468>] ? __die+0x78/0xc0 [42021.963874] [<ffffffff86c9ef75>] ? page_fault_oops+0x2b5/0x3b0 [42021.969749] [<ffffffff87674b92>] ? exc_page_fault+0x1a2/0x3c0 [42021.975549] [<ffffffff87801326>] ? asm_exc_page_fault+0x26/0x30 [42021.981517] [<ffffffffc0775680>] ? __pfx_show_hw_stats+0x10/0x10 [ib_core] [42021.988482] [<ffffffffc077564e>] ? hw_stat_device_show+0x1e/0x40 [ib_core] [42021.995438] [<ffffffff86ac7f8e>] dev_attr_show+0x1e/0x50 [42022.000803] [<ffffffff86a3eeb1>] sysfs_kf_seq_show+0x81/0xe0 [42022.006508] [<ffffffff86a11134>] seq_read_iter+0xf4/0x410 [42022.011954] [<ffffffff869f4b2e>] vfs_read+0x16e/0x2f0 [42022.017058] [<ffffffff869f50ee>] ksys_read+0x6e/0xe0 [42022.022073] [<ffffffff8766f1ca>] do_syscall_64+0x6a/0xa0 [42022.027441] [<ffffffff8780013b>] entry_SYSCALL_64_after_hwframe+0x78/0xe2 The problem can be reproduced using the following steps: ip netns add foo ip netns exec foo bash cat /sys/class/infiniband/mlx4_0/hw_counters/* The panic occurs because of casting the device pointer into an ib_device pointer using container_of() in hw_stat_device_show() is wrong and leads to a memory corruption. However the real problem is that hw counters should never been exposed outside of the non-init net namespace. Fix this by saving the index of the corresponding attribute group (it might be 1 or 2 depending on the presence of driver-specific attributes) and zeroing the pointer to hw_counters group for compat devices during the initialization. With this fix applied hw_counters are not available in a non-init net namespace: find /sys/class/infiniband/mlx4_0/ -name hw_counters /sys/class/infiniband/mlx4_0/ports/1/hw_counters /sys/class/infiniband/mlx4_0/ports/2/hw_counters /sys/class/infiniband/mlx4_0/hw_counters ip netns add foo ip netns exec foo bash find /sys/class/infiniband/mlx4_0/ -name hw_counters

References

URL

Tags

	https://git.kernel.org/stable/c/9a5b7f8842a90a5e6eeff37f9f6d814e61ea3529
	https://git.kernel.org/stable/c/d5212b99649c5740154f307e9e3d7fee9bf62773
	https://git.kernel.org/stable/c/0cf80f924aecb5b2bebd4f4ad11b2efc676a0b78
	https://git.kernel.org/stable/c/df45ae2a4f1cdfda00c032839e12092e1f32c05e
	https://git.kernel.org/stable/c/c14d9704f5d77a7c7fa46e2114b64a4f75b64e17
	https://git.kernel.org/stable/c/6682da5d8fd578a5068531d01633c9d2e4c8f12b
	https://git.kernel.org/stable/c/a1ecb30f90856b0be4168ad51b8875148e285c1f

Impacted products

Vendor

Product

Version

Linux

Version: 467f432a521a284c418e3d521ee51840a5e23424
Version: 467f432a521a284c418e3d521ee51840a5e23424
Version: 467f432a521a284c418e3d521ee51840a5e23424
Version: 467f432a521a284c418e3d521ee51840a5e23424
Version: 467f432a521a284c418e3d521ee51840a5e23424
Version: 467f432a521a284c418e3d521ee51840a5e23424
Version: 467f432a521a284c418e3d521ee51840a5e23424

Linux

Version: 5.14

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:42:08.973Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/core/device.c",
            "drivers/infiniband/core/sysfs.c",
            "include/rdma/ib_verbs.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "9a5b7f8842a90a5e6eeff37f9f6d814e61ea3529",
              "status": "affected",
              "version": "467f432a521a284c418e3d521ee51840a5e23424",
              "versionType": "git"
            },
            {
              "lessThan": "d5212b99649c5740154f307e9e3d7fee9bf62773",
              "status": "affected",
              "version": "467f432a521a284c418e3d521ee51840a5e23424",
              "versionType": "git"
            },
            {
              "lessThan": "0cf80f924aecb5b2bebd4f4ad11b2efc676a0b78",
              "status": "affected",
              "version": "467f432a521a284c418e3d521ee51840a5e23424",
              "versionType": "git"
            },
            {
              "lessThan": "df45ae2a4f1cdfda00c032839e12092e1f32c05e",
              "status": "affected",
              "version": "467f432a521a284c418e3d521ee51840a5e23424",
              "versionType": "git"
            },
            {
              "lessThan": "c14d9704f5d77a7c7fa46e2114b64a4f75b64e17",
              "status": "affected",
              "version": "467f432a521a284c418e3d521ee51840a5e23424",
              "versionType": "git"
            },
            {
              "lessThan": "6682da5d8fd578a5068531d01633c9d2e4c8f12b",
              "status": "affected",
              "version": "467f432a521a284c418e3d521ee51840a5e23424",
              "versionType": "git"
            },
            {
              "lessThan": "a1ecb30f90856b0be4168ad51b8875148e285c1f",
              "status": "affected",
              "version": "467f432a521a284c418e3d521ee51840a5e23424",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/core/device.c",
            "drivers/infiniband/core/sysfs.c",
            "include/rdma/ib_verbs.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.14"
            },
            {
              "lessThan": "5.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.180",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.134",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.87",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.23",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.180",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.134",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.87",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.23",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.11",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.2",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/core: Don\u0027t expose hw_counters outside of init net namespace\n\nCommit 467f432a521a (\"RDMA/core: Split port and device counter sysfs\nattributes\") accidentally almost exposed hw counters to non-init net\nnamespaces. It didn\u0027t expose them fully, as an attempt to read any of\nthose counters leads to a crash like this one:\n\n[42021.807566] BUG: kernel NULL pointer dereference, address: 0000000000000028\n[42021.814463] #PF: supervisor read access in kernel mode\n[42021.819549] #PF: error_code(0x0000) - not-present page\n[42021.824636] PGD 0 P4D 0\n[42021.827145] Oops: 0000 [#1] SMP PTI\n[42021.830598] CPU: 82 PID: 2843922 Comm: switchto-defaul Kdump: loaded Tainted: G S      W I        XXX\n[42021.841697] Hardware name: XXX\n[42021.849619] RIP: 0010:hw_stat_device_show+0x1e/0x40 [ib_core]\n[42021.855362] Code: 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 49 89 d0 4c 8b 5e 20 48 8b 8f b8 04 00 00 48 81 c7 f0 fa ff ff \u003c48\u003e 8b 41 28 48 29 ce 48 83 c6 d0 48 c1 ee 04 69 d6 ab aa aa aa 48\n[42021.873931] RSP: 0018:ffff97fe90f03da0 EFLAGS: 00010287\n[42021.879108] RAX: ffff9406988a8c60 RBX: ffff940e1072d438 RCX: 0000000000000000\n[42021.886169] RDX: ffff94085f1aa000 RSI: ffff93c6cbbdbcb0 RDI: ffff940c7517aef0\n[42021.893230] RBP: ffff97fe90f03e70 R08: ffff94085f1aa000 R09: 0000000000000000\n[42021.900294] R10: ffff94085f1aa000 R11: ffffffffc0775680 R12: ffffffff87ca2530\n[42021.907355] R13: ffff940651602840 R14: ffff93c6cbbdbcb0 R15: ffff94085f1aa000\n[42021.914418] FS:  00007fda1a3b9700(0000) GS:ffff94453fb80000(0000) knlGS:0000000000000000\n[42021.922423] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[42021.928130] CR2: 0000000000000028 CR3: 00000042dcfb8003 CR4: 00000000003726f0\n[42021.935194] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[42021.942257] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[42021.949324] Call Trace:\n[42021.951756]  \u003cTASK\u003e\n[42021.953842]  [\u003cffffffff86c58674\u003e] ? show_regs+0x64/0x70\n[42021.959030]  [\u003cffffffff86c58468\u003e] ? __die+0x78/0xc0\n[42021.963874]  [\u003cffffffff86c9ef75\u003e] ? page_fault_oops+0x2b5/0x3b0\n[42021.969749]  [\u003cffffffff87674b92\u003e] ? exc_page_fault+0x1a2/0x3c0\n[42021.975549]  [\u003cffffffff87801326\u003e] ? asm_exc_page_fault+0x26/0x30\n[42021.981517]  [\u003cffffffffc0775680\u003e] ? __pfx_show_hw_stats+0x10/0x10 [ib_core]\n[42021.988482]  [\u003cffffffffc077564e\u003e] ? hw_stat_device_show+0x1e/0x40 [ib_core]\n[42021.995438]  [\u003cffffffff86ac7f8e\u003e] dev_attr_show+0x1e/0x50\n[42022.000803]  [\u003cffffffff86a3eeb1\u003e] sysfs_kf_seq_show+0x81/0xe0\n[42022.006508]  [\u003cffffffff86a11134\u003e] seq_read_iter+0xf4/0x410\n[42022.011954]  [\u003cffffffff869f4b2e\u003e] vfs_read+0x16e/0x2f0\n[42022.017058]  [\u003cffffffff869f50ee\u003e] ksys_read+0x6e/0xe0\n[42022.022073]  [\u003cffffffff8766f1ca\u003e] do_syscall_64+0x6a/0xa0\n[42022.027441]  [\u003cffffffff8780013b\u003e] entry_SYSCALL_64_after_hwframe+0x78/0xe2\n\nThe problem can be reproduced using the following steps:\n  ip netns add foo\n  ip netns exec foo bash\n  cat /sys/class/infiniband/mlx4_0/hw_counters/*\n\nThe panic occurs because of casting the device pointer into an\nib_device pointer using container_of() in hw_stat_device_show() is\nwrong and leads to a memory corruption.\n\nHowever the real problem is that hw counters should never been exposed\noutside of the non-init net namespace.\n\nFix this by saving the index of the corresponding attribute group\n(it might be 1 or 2 depending on the presence of driver-specific\nattributes) and zeroing the pointer to hw_counters group for compat\ndevices during the initialization.\n\nWith this fix applied hw_counters are not available in a non-init\nnet namespace:\n  find /sys/class/infiniband/mlx4_0/ -name hw_counters\n    /sys/class/infiniband/mlx4_0/ports/1/hw_counters\n    /sys/class/infiniband/mlx4_0/ports/2/hw_counters\n    /sys/class/infiniband/mlx4_0/hw_counters\n\n  ip netns add foo\n  ip netns exec foo bash\n  find /sys/class/infiniband/mlx4_0/ -name hw_counters"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:18:14.244Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/9a5b7f8842a90a5e6eeff37f9f6d814e61ea3529"
        },
        {
          "url": "https://git.kernel.org/stable/c/d5212b99649c5740154f307e9e3d7fee9bf62773"
        },
        {
          "url": "https://git.kernel.org/stable/c/0cf80f924aecb5b2bebd4f4ad11b2efc676a0b78"
        },
        {
          "url": "https://git.kernel.org/stable/c/df45ae2a4f1cdfda00c032839e12092e1f32c05e"
        },
        {
          "url": "https://git.kernel.org/stable/c/c14d9704f5d77a7c7fa46e2114b64a4f75b64e17"
        },
        {
          "url": "https://git.kernel.org/stable/c/6682da5d8fd578a5068531d01633c9d2e4c8f12b"
        },
        {
          "url": "https://git.kernel.org/stable/c/a1ecb30f90856b0be4168ad51b8875148e285c1f"
        }
      ],
      "title": "RDMA/core: Don\u0027t expose hw_counters outside of init net namespace",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-22089",
    "datePublished": "2025-04-16T14:12:41.732Z",
    "dateReserved": "2024-12-29T08:45:45.817Z",
    "dateUpdated": "2025-11-03T19:42:08.973Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38220 (GCVE-0-2025-38220)

Vulnerability from cvelistv5

Published

2025-07-04 13:37

Modified

2025-07-28 04:15

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: ext4: only dirty folios when data journaling regular files fstest generic/388 occasionally reproduces a crash that looks as follows: BUG: kernel NULL pointer dereference, address: 0000000000000000 ... Call Trace: <TASK> ext4_block_zero_page_range+0x30c/0x380 [ext4] ext4_truncate+0x436/0x440 [ext4] ext4_process_orphan+0x5d/0x110 [ext4] ext4_orphan_cleanup+0x124/0x4f0 [ext4] ext4_fill_super+0x262d/0x3110 [ext4] get_tree_bdev_flags+0x132/0x1d0 vfs_get_tree+0x26/0xd0 vfs_cmd_create+0x59/0xe0 __do_sys_fsconfig+0x4ed/0x6b0 do_syscall_64+0x82/0x170 ... This occurs when processing a symlink inode from the orphan list. The partial block zeroing code in the truncate path calls ext4_dirty_journalled_data() -> folio_mark_dirty(). The latter calls mapping->a_ops->dirty_folio(), but symlink inodes are not assigned an a_ops vector in ext4, hence the crash. To avoid this problem, update the ext4_dirty_journalled_data() helper to only mark the folio dirty on regular files (for which a_ops is assigned). This also matches the journaling logic in the ext4_symlink() creation path, where ext4_handle_dirty_metadata() is called directly.

References

URL

Tags

	https://git.kernel.org/stable/c/cf6a4c4ac7b6e3214f25df594c9689a62f1bb456
	https://git.kernel.org/stable/c/be5f3061a6f904e3674257879e71881ceee5b673
	https://git.kernel.org/stable/c/d7af6eee8cd60f55aa8c5fe2b91f11ec0c9a0f27
	https://git.kernel.org/stable/c/e26268ff1dcae5662c1b96c35f18cfa6ab73d9de

Impacted products

Vendor

Product

Version

Linux

Version: d84c9ebdac1e39bc7b036c0c829ee8c1956edabc
Version: d84c9ebdac1e39bc7b036c0c829ee8c1956edabc
Version: d84c9ebdac1e39bc7b036c0c829ee8c1956edabc
Version: d84c9ebdac1e39bc7b036c0c829ee8c1956edabc

Linux

Version: 6.4

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/ext4/inode.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "cf6a4c4ac7b6e3214f25df594c9689a62f1bb456",
              "status": "affected",
              "version": "d84c9ebdac1e39bc7b036c0c829ee8c1956edabc",
              "versionType": "git"
            },
            {
              "lessThan": "be5f3061a6f904e3674257879e71881ceee5b673",
              "status": "affected",
              "version": "d84c9ebdac1e39bc7b036c0c829ee8c1956edabc",
              "versionType": "git"
            },
            {
              "lessThan": "d7af6eee8cd60f55aa8c5fe2b91f11ec0c9a0f27",
              "status": "affected",
              "version": "d84c9ebdac1e39bc7b036c0c829ee8c1956edabc",
              "versionType": "git"
            },
            {
              "lessThan": "e26268ff1dcae5662c1b96c35f18cfa6ab73d9de",
              "status": "affected",
              "version": "d84c9ebdac1e39bc7b036c0c829ee8c1956edabc",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/ext4/inode.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.4"
            },
            {
              "lessThan": "6.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.95",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.35",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.95",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.35",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.4",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: only dirty folios when data journaling regular files\n\nfstest generic/388 occasionally reproduces a crash that looks as\nfollows:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000000\n...\nCall Trace:\n \u003cTASK\u003e\n ext4_block_zero_page_range+0x30c/0x380 [ext4]\n ext4_truncate+0x436/0x440 [ext4]\n ext4_process_orphan+0x5d/0x110 [ext4]\n ext4_orphan_cleanup+0x124/0x4f0 [ext4]\n ext4_fill_super+0x262d/0x3110 [ext4]\n get_tree_bdev_flags+0x132/0x1d0\n vfs_get_tree+0x26/0xd0\n vfs_cmd_create+0x59/0xe0\n __do_sys_fsconfig+0x4ed/0x6b0\n do_syscall_64+0x82/0x170\n ...\n\nThis occurs when processing a symlink inode from the orphan list. The\npartial block zeroing code in the truncate path calls\next4_dirty_journalled_data() -\u003e folio_mark_dirty(). The latter calls\nmapping-\u003ea_ops-\u003edirty_folio(), but symlink inodes are not assigned an\na_ops vector in ext4, hence the crash.\n\nTo avoid this problem, update the ext4_dirty_journalled_data() helper to\nonly mark the folio dirty on regular files (for which a_ops is\nassigned). This also matches the journaling logic in the ext4_symlink()\ncreation path, where ext4_handle_dirty_metadata() is called directly."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:15:30.950Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/cf6a4c4ac7b6e3214f25df594c9689a62f1bb456"
        },
        {
          "url": "https://git.kernel.org/stable/c/be5f3061a6f904e3674257879e71881ceee5b673"
        },
        {
          "url": "https://git.kernel.org/stable/c/d7af6eee8cd60f55aa8c5fe2b91f11ec0c9a0f27"
        },
        {
          "url": "https://git.kernel.org/stable/c/e26268ff1dcae5662c1b96c35f18cfa6ab73d9de"
        }
      ],
      "title": "ext4: only dirty folios when data journaling regular files",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38220",
    "datePublished": "2025-07-04T13:37:36.612Z",
    "dateReserved": "2025-04-16T04:51:23.995Z",
    "dateUpdated": "2025-07-28T04:15:30.950Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-37812 (GCVE-0-2025-37812)

Vulnerability from cvelistv5

Published

2025-05-08 06:26

Modified

2025-11-03 19:55

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: usb: cdns3: Fix deadlock when using NCM gadget The cdns3 driver has the same NCM deadlock as fixed in cdnsp by commit 58f2fcb3a845 ("usb: cdnsp: Fix deadlock issue during using NCM gadget"). Under PREEMPT_RT the deadlock can be readily triggered by heavy network traffic, for example using "iperf --bidir" over NCM ethernet link. The deadlock occurs because the threaded interrupt handler gets preempted by a softirq, but both are protected by the same spinlock. Prevent deadlock by disabling softirq during threaded irq handler.

References

URL

Tags

	https://git.kernel.org/stable/c/eebfb64c624fc738b669100173344fb441c5e719
	https://git.kernel.org/stable/c/59a760e4796a3cd88d8b9d7706e0a638de677751
	https://git.kernel.org/stable/c/b96239582531775f2fdcb14de29bdb6870fd4c8c
	https://git.kernel.org/stable/c/c27db84ed44e50ff90d9e3a2a25fae2e0a0fa015
	https://git.kernel.org/stable/c/48a62deb857f0694f611949015e70ad194d97159
	https://git.kernel.org/stable/c/74cd6e408a4c010e404832f0e4609d29bf1d0c41
	https://git.kernel.org/stable/c/09e90a9689a4aac7a2f726dc2aa472b0b37937b7
	https://git.kernel.org/stable/c/a1059896f2bfdcebcdc7153c3be2307ea319501f

Impacted products

Vendor

Product

Version

Linux

Version: 7733f6c32e36ff9d7adadf40001039bf219b1cbe
Version: 7733f6c32e36ff9d7adadf40001039bf219b1cbe
Version: 7733f6c32e36ff9d7adadf40001039bf219b1cbe
Version: 7733f6c32e36ff9d7adadf40001039bf219b1cbe
Version: 7733f6c32e36ff9d7adadf40001039bf219b1cbe
Version: 7733f6c32e36ff9d7adadf40001039bf219b1cbe
Version: 7733f6c32e36ff9d7adadf40001039bf219b1cbe
Version: 7733f6c32e36ff9d7adadf40001039bf219b1cbe

Linux

Version: 5.4

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:55:45.167Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/cdns3/cdns3-gadget.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "eebfb64c624fc738b669100173344fb441c5e719",
              "status": "affected",
              "version": "7733f6c32e36ff9d7adadf40001039bf219b1cbe",
              "versionType": "git"
            },
            {
              "lessThan": "59a760e4796a3cd88d8b9d7706e0a638de677751",
              "status": "affected",
              "version": "7733f6c32e36ff9d7adadf40001039bf219b1cbe",
              "versionType": "git"
            },
            {
              "lessThan": "b96239582531775f2fdcb14de29bdb6870fd4c8c",
              "status": "affected",
              "version": "7733f6c32e36ff9d7adadf40001039bf219b1cbe",
              "versionType": "git"
            },
            {
              "lessThan": "c27db84ed44e50ff90d9e3a2a25fae2e0a0fa015",
              "status": "affected",
              "version": "7733f6c32e36ff9d7adadf40001039bf219b1cbe",
              "versionType": "git"
            },
            {
              "lessThan": "48a62deb857f0694f611949015e70ad194d97159",
              "status": "affected",
              "version": "7733f6c32e36ff9d7adadf40001039bf219b1cbe",
              "versionType": "git"
            },
            {
              "lessThan": "74cd6e408a4c010e404832f0e4609d29bf1d0c41",
              "status": "affected",
              "version": "7733f6c32e36ff9d7adadf40001039bf219b1cbe",
              "versionType": "git"
            },
            {
              "lessThan": "09e90a9689a4aac7a2f726dc2aa472b0b37937b7",
              "status": "affected",
              "version": "7733f6c32e36ff9d7adadf40001039bf219b1cbe",
              "versionType": "git"
            },
            {
              "lessThan": "a1059896f2bfdcebcdc7153c3be2307ea319501f",
              "status": "affected",
              "version": "7733f6c32e36ff9d7adadf40001039bf219b1cbe",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/cdns3/cdns3-gadget.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.4"
            },
            {
              "lessThan": "5.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.293",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.237",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.181",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.136",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.89",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.26",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.293",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.237",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.181",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.136",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.89",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.26",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.5",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: cdns3: Fix deadlock when using NCM gadget\n\nThe cdns3 driver has the same NCM deadlock as fixed in cdnsp by commit\n58f2fcb3a845 (\"usb: cdnsp: Fix deadlock issue during using NCM gadget\").\n\nUnder PREEMPT_RT the deadlock can be readily triggered by heavy network\ntraffic, for example using \"iperf --bidir\" over NCM ethernet link.\n\nThe deadlock occurs because the threaded interrupt handler gets\npreempted by a softirq, but both are protected by the same spinlock.\nPrevent deadlock by disabling softirq during threaded irq handler."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:21:23.561Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/eebfb64c624fc738b669100173344fb441c5e719"
        },
        {
          "url": "https://git.kernel.org/stable/c/59a760e4796a3cd88d8b9d7706e0a638de677751"
        },
        {
          "url": "https://git.kernel.org/stable/c/b96239582531775f2fdcb14de29bdb6870fd4c8c"
        },
        {
          "url": "https://git.kernel.org/stable/c/c27db84ed44e50ff90d9e3a2a25fae2e0a0fa015"
        },
        {
          "url": "https://git.kernel.org/stable/c/48a62deb857f0694f611949015e70ad194d97159"
        },
        {
          "url": "https://git.kernel.org/stable/c/74cd6e408a4c010e404832f0e4609d29bf1d0c41"
        },
        {
          "url": "https://git.kernel.org/stable/c/09e90a9689a4aac7a2f726dc2aa472b0b37937b7"
        },
        {
          "url": "https://git.kernel.org/stable/c/a1059896f2bfdcebcdc7153c3be2307ea319501f"
        }
      ],
      "title": "usb: cdns3: Fix deadlock when using NCM gadget",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37812",
    "datePublished": "2025-05-08T06:26:09.355Z",
    "dateReserved": "2025-04-16T04:51:23.942Z",
    "dateUpdated": "2025-11-03T19:55:45.167Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38448 (GCVE-0-2025-38448)

Vulnerability from cvelistv5

Published

2025-07-25 15:27

Modified

2025-11-03 17:38

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: u_serial: Fix race condition in TTY wakeup A race condition occurs when gs_start_io() calls either gs_start_rx() or gs_start_tx(), as those functions briefly drop the port_lock for usb_ep_queue(). This allows gs_close() and gserial_disconnect() to clear port.tty and port_usb, respectively. Use the null-safe TTY Port helper function to wake up TTY. Example CPU1: CPU2: gserial_connect() // lock gs_close() // await lock gs_start_rx() // unlock usb_ep_queue() gs_close() // lock, reset port.tty and unlock gs_start_rx() // lock tty_wakeup() // NPE

References

URL

Tags

	https://git.kernel.org/stable/c/18d58a467ccf011078352d91b4d6a0108c7318e8
	https://git.kernel.org/stable/c/d43657b59f36e88289a6066f15bc9a80df5014eb
	https://git.kernel.org/stable/c/a5012673d49788f16bb4e375b002d7743eb642d9
	https://git.kernel.org/stable/c/ee8d688e2ba558f3bb8ac225113740be5f335417
	https://git.kernel.org/stable/c/c6eb4a05af3d0ba3bc4e8159287722fb9abc6359
	https://git.kernel.org/stable/c/abf3620cba68e0e51e5c21054ce4f925f75b3661
	https://git.kernel.org/stable/c/c8c80a3a35c2e3488409de2d5376ef7e662a2bf5
	https://git.kernel.org/stable/c/c529c3730bd09115684644e26bf01ecbd7e2c2c9

Impacted products

Vendor

Product

Version

Linux

Version: 35f95fd7f234d2b58803bab6f6ebd6bb988050a2
Version: 35f95fd7f234d2b58803bab6f6ebd6bb988050a2
Version: 35f95fd7f234d2b58803bab6f6ebd6bb988050a2
Version: 35f95fd7f234d2b58803bab6f6ebd6bb988050a2
Version: 35f95fd7f234d2b58803bab6f6ebd6bb988050a2
Version: 35f95fd7f234d2b58803bab6f6ebd6bb988050a2
Version: 35f95fd7f234d2b58803bab6f6ebd6bb988050a2
Version: 35f95fd7f234d2b58803bab6f6ebd6bb988050a2

Linux

Version: 3.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:38:09.442Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/gadget/function/u_serial.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "18d58a467ccf011078352d91b4d6a0108c7318e8",
              "status": "affected",
              "version": "35f95fd7f234d2b58803bab6f6ebd6bb988050a2",
              "versionType": "git"
            },
            {
              "lessThan": "d43657b59f36e88289a6066f15bc9a80df5014eb",
              "status": "affected",
              "version": "35f95fd7f234d2b58803bab6f6ebd6bb988050a2",
              "versionType": "git"
            },
            {
              "lessThan": "a5012673d49788f16bb4e375b002d7743eb642d9",
              "status": "affected",
              "version": "35f95fd7f234d2b58803bab6f6ebd6bb988050a2",
              "versionType": "git"
            },
            {
              "lessThan": "ee8d688e2ba558f3bb8ac225113740be5f335417",
              "status": "affected",
              "version": "35f95fd7f234d2b58803bab6f6ebd6bb988050a2",
              "versionType": "git"
            },
            {
              "lessThan": "c6eb4a05af3d0ba3bc4e8159287722fb9abc6359",
              "status": "affected",
              "version": "35f95fd7f234d2b58803bab6f6ebd6bb988050a2",
              "versionType": "git"
            },
            {
              "lessThan": "abf3620cba68e0e51e5c21054ce4f925f75b3661",
              "status": "affected",
              "version": "35f95fd7f234d2b58803bab6f6ebd6bb988050a2",
              "versionType": "git"
            },
            {
              "lessThan": "c8c80a3a35c2e3488409de2d5376ef7e662a2bf5",
              "status": "affected",
              "version": "35f95fd7f234d2b58803bab6f6ebd6bb988050a2",
              "versionType": "git"
            },
            {
              "lessThan": "c529c3730bd09115684644e26bf01ecbd7e2c2c9",
              "status": "affected",
              "version": "35f95fd7f234d2b58803bab6f6ebd6bb988050a2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/gadget/function/u_serial.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.5"
            },
            {
              "lessThan": "3.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.296",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.240",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.189",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.146",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.99",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.39",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.296",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.240",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.189",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.146",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.99",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.39",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.7",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: u_serial: Fix race condition in TTY wakeup\n\nA race condition occurs when gs_start_io() calls either gs_start_rx() or\ngs_start_tx(), as those functions briefly drop the port_lock for\nusb_ep_queue(). This allows gs_close() and gserial_disconnect() to clear\nport.tty and port_usb, respectively.\n\nUse the null-safe TTY Port helper function to wake up TTY.\n\nExample\n  CPU1:\t\t\t      CPU2:\n  gserial_connect() // lock\n  \t\t\t      gs_close() // await lock\n  gs_start_rx()     // unlock\n  usb_ep_queue()\n  \t\t\t      gs_close() // lock, reset port.tty and unlock\n  gs_start_rx()     // lock\n  tty_wakeup()      // NPE"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:22:33.351Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/18d58a467ccf011078352d91b4d6a0108c7318e8"
        },
        {
          "url": "https://git.kernel.org/stable/c/d43657b59f36e88289a6066f15bc9a80df5014eb"
        },
        {
          "url": "https://git.kernel.org/stable/c/a5012673d49788f16bb4e375b002d7743eb642d9"
        },
        {
          "url": "https://git.kernel.org/stable/c/ee8d688e2ba558f3bb8ac225113740be5f335417"
        },
        {
          "url": "https://git.kernel.org/stable/c/c6eb4a05af3d0ba3bc4e8159287722fb9abc6359"
        },
        {
          "url": "https://git.kernel.org/stable/c/abf3620cba68e0e51e5c21054ce4f925f75b3661"
        },
        {
          "url": "https://git.kernel.org/stable/c/c8c80a3a35c2e3488409de2d5376ef7e662a2bf5"
        },
        {
          "url": "https://git.kernel.org/stable/c/c529c3730bd09115684644e26bf01ecbd7e2c2c9"
        }
      ],
      "title": "usb: gadget: u_serial: Fix race condition in TTY wakeup",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38448",
    "datePublished": "2025-07-25T15:27:30.040Z",
    "dateReserved": "2025-04-16T04:51:24.018Z",
    "dateUpdated": "2025-11-03T17:38:09.442Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38136 (GCVE-0-2025-38136)

Vulnerability from cvelistv5

Published

2025-07-03 08:35

Modified

2025-11-03 17:34

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: usb: renesas_usbhs: Reorder clock handling and power management in probe Reorder the initialization sequence in `usbhs_probe()` to enable runtime PM before accessing registers, preventing potential crashes due to uninitialized clocks. Currently, in the probe path, registers are accessed before enabling the clocks, leading to a synchronous external abort on the RZ/V2H SoC. The problematic call flow is as follows: usbhs_probe() usbhs_sys_clock_ctrl() usbhs_bset() usbhs_write() iowrite16() <-- Register access before enabling clocks Since `iowrite16()` is performed without ensuring the required clocks are enabled, this can lead to access errors. To fix this, enable PM runtime early in the probe function and ensure clocks are acquired before register access, preventing crashes like the following on RZ/V2H: [13.272640] Internal error: synchronous external abort: 0000000096000010 [#1] PREEMPT SMP [13.280814] Modules linked in: cec renesas_usbhs(+) drm_kms_helper fuse drm backlight ipv6 [13.289088] CPU: 1 UID: 0 PID: 195 Comm: (udev-worker) Not tainted 6.14.0-rc7+ #98 [13.296640] Hardware name: Renesas RZ/V2H EVK Board based on r9a09g057h44 (DT) [13.303834] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [13.310770] pc : usbhs_bset+0x14/0x4c [renesas_usbhs] [13.315831] lr : usbhs_probe+0x2e4/0x5ac [renesas_usbhs] [13.321138] sp : ffff8000827e3850 [13.324438] x29: ffff8000827e3860 x28: 0000000000000000 x27: ffff8000827e3ca0 [13.331554] x26: ffff8000827e3ba0 x25: ffff800081729668 x24: 0000000000000025 [13.338670] x23: ffff0000c0f08000 x22: 0000000000000000 x21: ffff0000c0f08010 [13.345783] x20: 0000000000000000 x19: ffff0000c3b52080 x18: 00000000ffffffff [13.352895] x17: 0000000000000000 x16: 0000000000000000 x15: ffff8000827e36ce [13.360009] x14: 00000000000003d7 x13: 00000000000003d7 x12: 0000000000000000 [13.367122] x11: 0000000000000000 x10: 0000000000000aa0 x9 : ffff8000827e3750 [13.374235] x8 : ffff0000c1850b00 x7 : 0000000003826060 x6 : 000000000000001c [13.381347] x5 : 000000030d5fcc00 x4 : ffff8000825c0000 x3 : 0000000000000000 [13.388459] x2 : 0000000000000400 x1 : 0000000000000000 x0 : ffff0000c3b52080 [13.395574] Call trace: [13.398013] usbhs_bset+0x14/0x4c [renesas_usbhs] (P) [13.403076] platform_probe+0x68/0xdc [13.406738] really_probe+0xbc/0x2c0 [13.410306] __driver_probe_device+0x78/0x120 [13.414653] driver_probe_device+0x3c/0x154 [13.418825] __driver_attach+0x90/0x1a0 [13.422647] bus_for_each_dev+0x7c/0xe0 [13.426470] driver_attach+0x24/0x30 [13.430032] bus_add_driver+0xe4/0x208 [13.433766] driver_register+0x68/0x130 [13.437587] __platform_driver_register+0x24/0x30 [13.442273] renesas_usbhs_driver_init+0x20/0x1000 [renesas_usbhs] [13.448450] do_one_initcall+0x60/0x1d4 [13.452276] do_init_module+0x54/0x1f8 [13.456014] load_module+0x1754/0x1c98 [13.459750] init_module_from_file+0x88/0xcc [13.464004] __arm64_sys_finit_module+0x1c4/0x328 [13.468689] invoke_syscall+0x48/0x104 [13.472426] el0_svc_common.constprop.0+0xc0/0xe0 [13.477113] do_el0_svc+0x1c/0x28 [13.480415] el0_svc+0x30/0xcc [13.483460] el0t_64_sync_handler+0x10c/0x138 [13.487800] el0t_64_sync+0x198/0x19c [13.491453] Code: 2a0103e1 12003c42 12003c63 8b010084 (79400084) [13.497522] ---[ end trace 0000000000000000 ]---

References

URL

Tags

	https://git.kernel.org/stable/c/095cc0b5888acc228f12344e85b17539b9ce9367
	https://git.kernel.org/stable/c/155453ada562c450a4ff5fcf4852b9fa5b6b793a
	https://git.kernel.org/stable/c/0a1e16a6cbf4452b46f20b862d6141a1e90844ee
	https://git.kernel.org/stable/c/1637623ad6205162b17804d07512e6f4cbd2a050
	https://git.kernel.org/stable/c/db96a4fd8614d47c0def265e0e6c996b0ee52a38
	https://git.kernel.org/stable/c/d4c368e4a638ddf4a9d6d687b0ff691aa46cce53
	https://git.kernel.org/stable/c/6bab152e817fd41b9e178fa6b275354795c9703d
	https://git.kernel.org/stable/c/ffb34a60ce86656ba12d46e91f1ccc71dd221251

Impacted products

Vendor

Product

Version

Linux

Version: f1407d5c66240b33d11a7f1a41d55ccf6a9d7647
Version: f1407d5c66240b33d11a7f1a41d55ccf6a9d7647
Version: f1407d5c66240b33d11a7f1a41d55ccf6a9d7647
Version: f1407d5c66240b33d11a7f1a41d55ccf6a9d7647
Version: f1407d5c66240b33d11a7f1a41d55ccf6a9d7647
Version: f1407d5c66240b33d11a7f1a41d55ccf6a9d7647
Version: f1407d5c66240b33d11a7f1a41d55ccf6a9d7647
Version: f1407d5c66240b33d11a7f1a41d55ccf6a9d7647

Linux

Version: 3.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:34:28.949Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/renesas_usbhs/common.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "095cc0b5888acc228f12344e85b17539b9ce9367",
              "status": "affected",
              "version": "f1407d5c66240b33d11a7f1a41d55ccf6a9d7647",
              "versionType": "git"
            },
            {
              "lessThan": "155453ada562c450a4ff5fcf4852b9fa5b6b793a",
              "status": "affected",
              "version": "f1407d5c66240b33d11a7f1a41d55ccf6a9d7647",
              "versionType": "git"
            },
            {
              "lessThan": "0a1e16a6cbf4452b46f20b862d6141a1e90844ee",
              "status": "affected",
              "version": "f1407d5c66240b33d11a7f1a41d55ccf6a9d7647",
              "versionType": "git"
            },
            {
              "lessThan": "1637623ad6205162b17804d07512e6f4cbd2a050",
              "status": "affected",
              "version": "f1407d5c66240b33d11a7f1a41d55ccf6a9d7647",
              "versionType": "git"
            },
            {
              "lessThan": "db96a4fd8614d47c0def265e0e6c996b0ee52a38",
              "status": "affected",
              "version": "f1407d5c66240b33d11a7f1a41d55ccf6a9d7647",
              "versionType": "git"
            },
            {
              "lessThan": "d4c368e4a638ddf4a9d6d687b0ff691aa46cce53",
              "status": "affected",
              "version": "f1407d5c66240b33d11a7f1a41d55ccf6a9d7647",
              "versionType": "git"
            },
            {
              "lessThan": "6bab152e817fd41b9e178fa6b275354795c9703d",
              "status": "affected",
              "version": "f1407d5c66240b33d11a7f1a41d55ccf6a9d7647",
              "versionType": "git"
            },
            {
              "lessThan": "ffb34a60ce86656ba12d46e91f1ccc71dd221251",
              "status": "affected",
              "version": "f1407d5c66240b33d11a7f1a41d55ccf6a9d7647",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/renesas_usbhs/common.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.0"
            },
            {
              "lessThan": "3.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.295",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.295",
                  "versionStartIncluding": "3.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "3.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "3.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "3.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.94",
                  "versionStartIncluding": "3.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "3.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "3.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "3.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: renesas_usbhs: Reorder clock handling and power management in probe\n\nReorder the initialization sequence in `usbhs_probe()` to enable runtime\nPM before accessing registers, preventing potential crashes due to\nuninitialized clocks.\n\nCurrently, in the probe path, registers are accessed before enabling the\nclocks, leading to a synchronous external abort on the RZ/V2H SoC.\nThe problematic call flow is as follows:\n\n    usbhs_probe()\n        usbhs_sys_clock_ctrl()\n            usbhs_bset()\n                usbhs_write()\n                    iowrite16()  \u003c-- Register access before enabling clocks\n\nSince `iowrite16()` is performed without ensuring the required clocks are\nenabled, this can lead to access errors. To fix this, enable PM runtime\nearly in the probe function and ensure clocks are acquired before register\naccess, preventing crashes like the following on RZ/V2H:\n\n[13.272640] Internal error: synchronous external abort: 0000000096000010 [#1] PREEMPT SMP\n[13.280814] Modules linked in: cec renesas_usbhs(+) drm_kms_helper fuse drm backlight ipv6\n[13.289088] CPU: 1 UID: 0 PID: 195 Comm: (udev-worker) Not tainted 6.14.0-rc7+ #98\n[13.296640] Hardware name: Renesas RZ/V2H EVK Board based on r9a09g057h44 (DT)\n[13.303834] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[13.310770] pc : usbhs_bset+0x14/0x4c [renesas_usbhs]\n[13.315831] lr : usbhs_probe+0x2e4/0x5ac [renesas_usbhs]\n[13.321138] sp : ffff8000827e3850\n[13.324438] x29: ffff8000827e3860 x28: 0000000000000000 x27: ffff8000827e3ca0\n[13.331554] x26: ffff8000827e3ba0 x25: ffff800081729668 x24: 0000000000000025\n[13.338670] x23: ffff0000c0f08000 x22: 0000000000000000 x21: ffff0000c0f08010\n[13.345783] x20: 0000000000000000 x19: ffff0000c3b52080 x18: 00000000ffffffff\n[13.352895] x17: 0000000000000000 x16: 0000000000000000 x15: ffff8000827e36ce\n[13.360009] x14: 00000000000003d7 x13: 00000000000003d7 x12: 0000000000000000\n[13.367122] x11: 0000000000000000 x10: 0000000000000aa0 x9 : ffff8000827e3750\n[13.374235] x8 : ffff0000c1850b00 x7 : 0000000003826060 x6 : 000000000000001c\n[13.381347] x5 : 000000030d5fcc00 x4 : ffff8000825c0000 x3 : 0000000000000000\n[13.388459] x2 : 0000000000000400 x1 : 0000000000000000 x0 : ffff0000c3b52080\n[13.395574] Call trace:\n[13.398013]  usbhs_bset+0x14/0x4c [renesas_usbhs] (P)\n[13.403076]  platform_probe+0x68/0xdc\n[13.406738]  really_probe+0xbc/0x2c0\n[13.410306]  __driver_probe_device+0x78/0x120\n[13.414653]  driver_probe_device+0x3c/0x154\n[13.418825]  __driver_attach+0x90/0x1a0\n[13.422647]  bus_for_each_dev+0x7c/0xe0\n[13.426470]  driver_attach+0x24/0x30\n[13.430032]  bus_add_driver+0xe4/0x208\n[13.433766]  driver_register+0x68/0x130\n[13.437587]  __platform_driver_register+0x24/0x30\n[13.442273]  renesas_usbhs_driver_init+0x20/0x1000 [renesas_usbhs]\n[13.448450]  do_one_initcall+0x60/0x1d4\n[13.452276]  do_init_module+0x54/0x1f8\n[13.456014]  load_module+0x1754/0x1c98\n[13.459750]  init_module_from_file+0x88/0xcc\n[13.464004]  __arm64_sys_finit_module+0x1c4/0x328\n[13.468689]  invoke_syscall+0x48/0x104\n[13.472426]  el0_svc_common.constprop.0+0xc0/0xe0\n[13.477113]  do_el0_svc+0x1c/0x28\n[13.480415]  el0_svc+0x30/0xcc\n[13.483460]  el0t_64_sync_handler+0x10c/0x138\n[13.487800]  el0t_64_sync+0x198/0x19c\n[13.491453] Code: 2a0103e1 12003c42 12003c63 8b010084 (79400084)\n[13.497522] ---[ end trace 0000000000000000 ]---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:13:13.215Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/095cc0b5888acc228f12344e85b17539b9ce9367"
        },
        {
          "url": "https://git.kernel.org/stable/c/155453ada562c450a4ff5fcf4852b9fa5b6b793a"
        },
        {
          "url": "https://git.kernel.org/stable/c/0a1e16a6cbf4452b46f20b862d6141a1e90844ee"
        },
        {
          "url": "https://git.kernel.org/stable/c/1637623ad6205162b17804d07512e6f4cbd2a050"
        },
        {
          "url": "https://git.kernel.org/stable/c/db96a4fd8614d47c0def265e0e6c996b0ee52a38"
        },
        {
          "url": "https://git.kernel.org/stable/c/d4c368e4a638ddf4a9d6d687b0ff691aa46cce53"
        },
        {
          "url": "https://git.kernel.org/stable/c/6bab152e817fd41b9e178fa6b275354795c9703d"
        },
        {
          "url": "https://git.kernel.org/stable/c/ffb34a60ce86656ba12d46e91f1ccc71dd221251"
        }
      ],
      "title": "usb: renesas_usbhs: Reorder clock handling and power management in probe",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38136",
    "datePublished": "2025-07-03T08:35:39.207Z",
    "dateReserved": "2025-04-16T04:51:23.987Z",
    "dateUpdated": "2025-11-03T17:34:28.949Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38334 (GCVE-0-2025-38334)

Vulnerability from cvelistv5

Published

2025-07-10 08:15

Modified

2025-11-03 17:36

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: x86/sgx: Prevent attempts to reclaim poisoned pages TL;DR: SGX page reclaim touches the page to copy its contents to secondary storage. SGX instructions do not gracefully handle machine checks. Despite this, the existing SGX code will try to reclaim pages that it _knows_ are poisoned. Avoid even trying to reclaim poisoned pages. The longer story: Pages used by an enclave only get epc_page->poison set in arch_memory_failure() but they currently stay on sgx_active_page_list until sgx_encl_release(), with the SGX_EPC_PAGE_RECLAIMER_TRACKED flag untouched. epc_page->poison is not checked in the reclaimer logic meaning that, if other conditions are met, an attempt will be made to reclaim an EPC page that was poisoned. This is bad because 1. we don't want that page to end up added to another enclave and 2. it is likely to cause one core to shut down and the kernel to panic. Specifically, reclaiming uses microcode operations including "EWB" which accesses the EPC page contents to encrypt and write them out to non-SGX memory. Those operations cannot handle MCEs in their accesses other than by putting the executing core into a special shutdown state (affecting both threads with HT.) The kernel will subsequently panic on the remaining cores seeing the core didn't enter MCE handler(s) in time. Call sgx_unmark_page_reclaimable() to remove the affected EPC page from sgx_active_page_list on memory error to stop it being considered for reclaiming. Testing epc_page->poison in sgx_reclaim_pages() would also work but I assume it's better to add code in the less likely paths. The affected EPC page is not added to &node->sgx_poison_page_list until later in sgx_encl_release()->sgx_free_epc_page() when it is EREMOVEd. Membership on other lists doesn't change to avoid changing any of the lists' semantics except for sgx_active_page_list. There's a "TBD" comment in arch_memory_failure() about pre-emptive actions, the goal here is not to address everything that it may imply. This also doesn't completely close the time window when a memory error notification will be fatal (for a not previously poisoned EPC page) -- the MCE can happen after sgx_reclaim_pages() has selected its candidates or even *inside* a microcode operation (actually easy to trigger due to the amount of time spent in them.) The spinlock in sgx_unmark_page_reclaimable() is safe because memory_failure() runs in process context and no spinlocks are held, explicitly noted in a mm/memory-failure.c comment.

References

URL

Tags

	https://git.kernel.org/stable/c/00a88e9ea1b170d579c56327c38f7e8cf689df87
	https://git.kernel.org/stable/c/62b62a2a6dc51ed6e8e334861f04220c9cf8106a
	https://git.kernel.org/stable/c/dc5de5bd6deabd327ced2b2b1d0b4f14cd146afe
	https://git.kernel.org/stable/c/31dcbac94bfeabb86bf85b0c36803fdd6536437b
	https://git.kernel.org/stable/c/ed16618c380c32c68c06186d0ccbb0d5e0586e59

Impacted products

Vendor

Product

Version

Linux

Version: 70d3b8ddcd20d3c859676f56c43c7b2360c70266
Version: 70d3b8ddcd20d3c859676f56c43c7b2360c70266
Version: 70d3b8ddcd20d3c859676f56c43c7b2360c70266
Version: 70d3b8ddcd20d3c859676f56c43c7b2360c70266
Version: 70d3b8ddcd20d3c859676f56c43c7b2360c70266

Linux

Version: 5.11

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:36:42.808Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/kernel/cpu/sgx/main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "00a88e9ea1b170d579c56327c38f7e8cf689df87",
              "status": "affected",
              "version": "70d3b8ddcd20d3c859676f56c43c7b2360c70266",
              "versionType": "git"
            },
            {
              "lessThan": "62b62a2a6dc51ed6e8e334861f04220c9cf8106a",
              "status": "affected",
              "version": "70d3b8ddcd20d3c859676f56c43c7b2360c70266",
              "versionType": "git"
            },
            {
              "lessThan": "dc5de5bd6deabd327ced2b2b1d0b4f14cd146afe",
              "status": "affected",
              "version": "70d3b8ddcd20d3c859676f56c43c7b2360c70266",
              "versionType": "git"
            },
            {
              "lessThan": "31dcbac94bfeabb86bf85b0c36803fdd6536437b",
              "status": "affected",
              "version": "70d3b8ddcd20d3c859676f56c43c7b2360c70266",
              "versionType": "git"
            },
            {
              "lessThan": "ed16618c380c32c68c06186d0ccbb0d5e0586e59",
              "status": "affected",
              "version": "70d3b8ddcd20d3c859676f56c43c7b2360c70266",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/kernel/cpu/sgx/main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.11"
            },
            {
              "lessThan": "5.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.95",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.35",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.95",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.35",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.4",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/sgx: Prevent attempts to reclaim poisoned pages\n\nTL;DR: SGX page reclaim touches the page to copy its contents to\nsecondary storage. SGX instructions do not gracefully handle machine\nchecks. Despite this, the existing SGX code will try to reclaim pages\nthat it _knows_ are poisoned. Avoid even trying to reclaim poisoned pages.\n\nThe longer story:\n\nPages used by an enclave only get epc_page-\u003epoison set in\narch_memory_failure() but they currently stay on sgx_active_page_list until\nsgx_encl_release(), with the SGX_EPC_PAGE_RECLAIMER_TRACKED flag untouched.\n\nepc_page-\u003epoison is not checked in the reclaimer logic meaning that, if other\nconditions are met, an attempt will be made to reclaim an EPC page that was\npoisoned.  This is bad because 1. we don\u0027t want that page to end up added\nto another enclave and 2. it is likely to cause one core to shut down\nand the kernel to panic.\n\nSpecifically, reclaiming uses microcode operations including \"EWB\" which\naccesses the EPC page contents to encrypt and write them out to non-SGX\nmemory.  Those operations cannot handle MCEs in their accesses other than\nby putting the executing core into a special shutdown state (affecting\nboth threads with HT.)  The kernel will subsequently panic on the\nremaining cores seeing the core didn\u0027t enter MCE handler(s) in time.\n\nCall sgx_unmark_page_reclaimable() to remove the affected EPC page from\nsgx_active_page_list on memory error to stop it being considered for\nreclaiming.\n\nTesting epc_page-\u003epoison in sgx_reclaim_pages() would also work but I assume\nit\u0027s better to add code in the less likely paths.\n\nThe affected EPC page is not added to \u0026node-\u003esgx_poison_page_list until\nlater in sgx_encl_release()-\u003esgx_free_epc_page() when it is EREMOVEd.\nMembership on other lists doesn\u0027t change to avoid changing any of the\nlists\u0027 semantics except for sgx_active_page_list.  There\u0027s a \"TBD\" comment\nin arch_memory_failure() about pre-emptive actions, the goal here is not\nto address everything that it may imply.\n\nThis also doesn\u0027t completely close the time window when a memory error\nnotification will be fatal (for a not previously poisoned EPC page) --\nthe MCE can happen after sgx_reclaim_pages() has selected its candidates\nor even *inside* a microcode operation (actually easy to trigger due to\nthe amount of time spent in them.)\n\nThe spinlock in sgx_unmark_page_reclaimable() is safe because\nmemory_failure() runs in process context and no spinlocks are held,\nexplicitly noted in a mm/memory-failure.c comment."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:19:08.877Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/00a88e9ea1b170d579c56327c38f7e8cf689df87"
        },
        {
          "url": "https://git.kernel.org/stable/c/62b62a2a6dc51ed6e8e334861f04220c9cf8106a"
        },
        {
          "url": "https://git.kernel.org/stable/c/dc5de5bd6deabd327ced2b2b1d0b4f14cd146afe"
        },
        {
          "url": "https://git.kernel.org/stable/c/31dcbac94bfeabb86bf85b0c36803fdd6536437b"
        },
        {
          "url": "https://git.kernel.org/stable/c/ed16618c380c32c68c06186d0ccbb0d5e0586e59"
        }
      ],
      "title": "x86/sgx: Prevent attempts to reclaim poisoned pages",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38334",
    "datePublished": "2025-07-10T08:15:06.380Z",
    "dateReserved": "2025-04-16T04:51:24.005Z",
    "dateUpdated": "2025-11-03T17:36:42.808Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38157 (GCVE-0-2025-38157)

Vulnerability from cvelistv5

Published

2025-07-03 08:35

Modified

2025-11-03 17:34

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: wifi: ath9k_htc: Abort software beacon handling if disabled A malicious USB device can send a WMI_SWBA_EVENTID event from an ath9k_htc-managed device before beaconing has been enabled. This causes a device-by-zero error in the driver, leading to either a crash or an out of bounds read. Prevent this by aborting the handling in ath9k_htc_swba() if beacons are not enabled.

References

URL

Tags

	https://git.kernel.org/stable/c/e5ce9df1d68094d37360dbd9b09289d42fa21e54
	https://git.kernel.org/stable/c/0281c19074976ec48f0078d50530b406ddae75bc
	https://git.kernel.org/stable/c/7ee3fb6258da8c890a51b514f60d7570dc703605
	https://git.kernel.org/stable/c/40471b23147c86ea3ed97faee79937c618250bd0
	https://git.kernel.org/stable/c/5482ef9875eaa43f0435e14570e1193823de857e
	https://git.kernel.org/stable/c/ee5ee646385f5846dcbc881389f3c44a197c402a
	https://git.kernel.org/stable/c/5a85c21f812e02cb00ca07007d88acdd42d08c46
	https://git.kernel.org/stable/c/ac4e317a95a1092b5da5b9918b7118759342641c

Impacted products

Vendor

Product

Version

Linux

Version: 832f6a18fc2aead14954c081ece03b7a5b425f81
Version: 832f6a18fc2aead14954c081ece03b7a5b425f81
Version: 832f6a18fc2aead14954c081ece03b7a5b425f81
Version: 832f6a18fc2aead14954c081ece03b7a5b425f81
Version: 832f6a18fc2aead14954c081ece03b7a5b425f81
Version: 832f6a18fc2aead14954c081ece03b7a5b425f81
Version: 832f6a18fc2aead14954c081ece03b7a5b425f81
Version: 832f6a18fc2aead14954c081ece03b7a5b425f81

Linux

Version: 3.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:34:46.332Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/ath/ath9k/htc_drv_beacon.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e5ce9df1d68094d37360dbd9b09289d42fa21e54",
              "status": "affected",
              "version": "832f6a18fc2aead14954c081ece03b7a5b425f81",
              "versionType": "git"
            },
            {
              "lessThan": "0281c19074976ec48f0078d50530b406ddae75bc",
              "status": "affected",
              "version": "832f6a18fc2aead14954c081ece03b7a5b425f81",
              "versionType": "git"
            },
            {
              "lessThan": "7ee3fb6258da8c890a51b514f60d7570dc703605",
              "status": "affected",
              "version": "832f6a18fc2aead14954c081ece03b7a5b425f81",
              "versionType": "git"
            },
            {
              "lessThan": "40471b23147c86ea3ed97faee79937c618250bd0",
              "status": "affected",
              "version": "832f6a18fc2aead14954c081ece03b7a5b425f81",
              "versionType": "git"
            },
            {
              "lessThan": "5482ef9875eaa43f0435e14570e1193823de857e",
              "status": "affected",
              "version": "832f6a18fc2aead14954c081ece03b7a5b425f81",
              "versionType": "git"
            },
            {
              "lessThan": "ee5ee646385f5846dcbc881389f3c44a197c402a",
              "status": "affected",
              "version": "832f6a18fc2aead14954c081ece03b7a5b425f81",
              "versionType": "git"
            },
            {
              "lessThan": "5a85c21f812e02cb00ca07007d88acdd42d08c46",
              "status": "affected",
              "version": "832f6a18fc2aead14954c081ece03b7a5b425f81",
              "versionType": "git"
            },
            {
              "lessThan": "ac4e317a95a1092b5da5b9918b7118759342641c",
              "status": "affected",
              "version": "832f6a18fc2aead14954c081ece03b7a5b425f81",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/ath/ath9k/htc_drv_beacon.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.0"
            },
            {
              "lessThan": "3.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.295",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.295",
                  "versionStartIncluding": "3.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "3.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "3.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "3.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.94",
                  "versionStartIncluding": "3.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "3.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "3.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "3.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath9k_htc: Abort software beacon handling if disabled\n\nA malicious USB device can send a WMI_SWBA_EVENTID event from an\nath9k_htc-managed device before beaconing has been enabled. This causes\na device-by-zero error in the driver, leading to either a crash or an\nout of bounds read.\n\nPrevent this by aborting the handling in ath9k_htc_swba() if beacons are\nnot enabled."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:13:48.044Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e5ce9df1d68094d37360dbd9b09289d42fa21e54"
        },
        {
          "url": "https://git.kernel.org/stable/c/0281c19074976ec48f0078d50530b406ddae75bc"
        },
        {
          "url": "https://git.kernel.org/stable/c/7ee3fb6258da8c890a51b514f60d7570dc703605"
        },
        {
          "url": "https://git.kernel.org/stable/c/40471b23147c86ea3ed97faee79937c618250bd0"
        },
        {
          "url": "https://git.kernel.org/stable/c/5482ef9875eaa43f0435e14570e1193823de857e"
        },
        {
          "url": "https://git.kernel.org/stable/c/ee5ee646385f5846dcbc881389f3c44a197c402a"
        },
        {
          "url": "https://git.kernel.org/stable/c/5a85c21f812e02cb00ca07007d88acdd42d08c46"
        },
        {
          "url": "https://git.kernel.org/stable/c/ac4e317a95a1092b5da5b9918b7118759342641c"
        }
      ],
      "title": "wifi: ath9k_htc: Abort software beacon handling if disabled",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38157",
    "datePublished": "2025-07-03T08:35:59.734Z",
    "dateReserved": "2025-04-16T04:51:23.990Z",
    "dateUpdated": "2025-11-03T17:34:46.332Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-37917 (GCVE-0-2025-37917)

Vulnerability from cvelistv5

Published

2025-05-20 15:21

Modified

2025-11-03 19:57

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: net: ethernet: mtk-star-emac: fix spinlock recursion issues on rx/tx poll Use spin_lock_irqsave and spin_unlock_irqrestore instead of spin_lock and spin_unlock in mtk_star_emac driver to avoid spinlock recursion occurrence that can happen when enabling the DMA interrupts again in rx/tx poll. ``` BUG: spinlock recursion on CPU#0, swapper/0/0 lock: 0xffff00000db9cf20, .magic: dead4ead, .owner: swapper/0/0, .owner_cpu: 0 CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.15.0-rc2-next-20250417-00001-gf6a27738686c-dirty #28 PREEMPT Hardware name: MediaTek MT8365 Open Platform EVK (DT) Call trace: show_stack+0x18/0x24 (C) dump_stack_lvl+0x60/0x80 dump_stack+0x18/0x24 spin_dump+0x78/0x88 do_raw_spin_lock+0x11c/0x120 _raw_spin_lock+0x20/0x2c mtk_star_handle_irq+0xc0/0x22c [mtk_star_emac] __handle_irq_event_percpu+0x48/0x140 handle_irq_event+0x4c/0xb0 handle_fasteoi_irq+0xa0/0x1bc handle_irq_desc+0x34/0x58 generic_handle_domain_irq+0x1c/0x28 gic_handle_irq+0x4c/0x120 do_interrupt_handler+0x50/0x84 el1_interrupt+0x34/0x68 el1h_64_irq_handler+0x18/0x24 el1h_64_irq+0x6c/0x70 regmap_mmio_read32le+0xc/0x20 (P) _regmap_bus_reg_read+0x6c/0xac _regmap_read+0x60/0xdc regmap_read+0x4c/0x80 mtk_star_rx_poll+0x2f4/0x39c [mtk_star_emac] __napi_poll+0x38/0x188 net_rx_action+0x164/0x2c0 handle_softirqs+0x100/0x244 __do_softirq+0x14/0x20 ____do_softirq+0x10/0x20 call_on_irq_stack+0x24/0x64 do_softirq_own_stack+0x1c/0x40 __irq_exit_rcu+0xd4/0x10c irq_exit_rcu+0x10/0x1c el1_interrupt+0x38/0x68 el1h_64_irq_handler+0x18/0x24 el1h_64_irq+0x6c/0x70 cpuidle_enter_state+0xac/0x320 (P) cpuidle_enter+0x38/0x50 do_idle+0x1e4/0x260 cpu_startup_entry+0x34/0x3c rest_init+0xdc/0xe0 console_on_rootfs+0x0/0x6c __primary_switched+0x88/0x90 ```

References

URL

Tags

	https://git.kernel.org/stable/c/bedd287fdd3142dffad7ae2ac6ef15f4a2ad0629
	https://git.kernel.org/stable/c/94107259f972d2fd896dbbcaa176b3b2451ff9e5
	https://git.kernel.org/stable/c/7cb10f17bddc415f30fbc00a4e2b490e0d94c462
	https://git.kernel.org/stable/c/8d40bf73fa7f31eac2b0a7c9d85de67df82ee7f3
	https://git.kernel.org/stable/c/d886f8d85494d12b2752fd7c6c32162d982d5dd5
	https://git.kernel.org/stable/c/6fe0866014486736cc3ba1c6fd4606d3dbe55c9c

Impacted products

Vendor

Product

Version

Linux

Version: 97da99868573b8861de83f7126a5981d896c1d6c
Version: 0a8bd81fd6aaace14979152e0540da8ff158a00a
Version: 0a8bd81fd6aaace14979152e0540da8ff158a00a
Version: 0a8bd81fd6aaace14979152e0540da8ff158a00a
Version: 0a8bd81fd6aaace14979152e0540da8ff158a00a
Version: 0a8bd81fd6aaace14979152e0540da8ff158a00a

Linux

Version: 6.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:57:19.232Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/mediatek/mtk_star_emac.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "bedd287fdd3142dffad7ae2ac6ef15f4a2ad0629",
              "status": "affected",
              "version": "97da99868573b8861de83f7126a5981d896c1d6c",
              "versionType": "git"
            },
            {
              "lessThan": "94107259f972d2fd896dbbcaa176b3b2451ff9e5",
              "status": "affected",
              "version": "0a8bd81fd6aaace14979152e0540da8ff158a00a",
              "versionType": "git"
            },
            {
              "lessThan": "7cb10f17bddc415f30fbc00a4e2b490e0d94c462",
              "status": "affected",
              "version": "0a8bd81fd6aaace14979152e0540da8ff158a00a",
              "versionType": "git"
            },
            {
              "lessThan": "8d40bf73fa7f31eac2b0a7c9d85de67df82ee7f3",
              "status": "affected",
              "version": "0a8bd81fd6aaace14979152e0540da8ff158a00a",
              "versionType": "git"
            },
            {
              "lessThan": "d886f8d85494d12b2752fd7c6c32162d982d5dd5",
              "status": "affected",
              "version": "0a8bd81fd6aaace14979152e0540da8ff158a00a",
              "versionType": "git"
            },
            {
              "lessThan": "6fe0866014486736cc3ba1c6fd4606d3dbe55c9c",
              "status": "affected",
              "version": "0a8bd81fd6aaace14979152e0540da8ff158a00a",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/mediatek/mtk_star_emac.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.0"
            },
            {
              "lessThan": "6.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.138",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.90",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.28",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.138",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.90",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.28",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.6",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethernet: mtk-star-emac: fix spinlock recursion issues on rx/tx poll\n\nUse spin_lock_irqsave and spin_unlock_irqrestore instead of spin_lock\nand spin_unlock in mtk_star_emac driver to avoid spinlock recursion\noccurrence that can happen when enabling the DMA interrupts again in\nrx/tx poll.\n\n```\nBUG: spinlock recursion on CPU#0, swapper/0/0\n lock: 0xffff00000db9cf20, .magic: dead4ead, .owner: swapper/0/0,\n    .owner_cpu: 0\nCPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted\n    6.15.0-rc2-next-20250417-00001-gf6a27738686c-dirty #28 PREEMPT\nHardware name: MediaTek MT8365 Open Platform EVK (DT)\nCall trace:\n show_stack+0x18/0x24 (C)\n dump_stack_lvl+0x60/0x80\n dump_stack+0x18/0x24\n spin_dump+0x78/0x88\n do_raw_spin_lock+0x11c/0x120\n _raw_spin_lock+0x20/0x2c\n mtk_star_handle_irq+0xc0/0x22c [mtk_star_emac]\n __handle_irq_event_percpu+0x48/0x140\n handle_irq_event+0x4c/0xb0\n handle_fasteoi_irq+0xa0/0x1bc\n handle_irq_desc+0x34/0x58\n generic_handle_domain_irq+0x1c/0x28\n gic_handle_irq+0x4c/0x120\n do_interrupt_handler+0x50/0x84\n el1_interrupt+0x34/0x68\n el1h_64_irq_handler+0x18/0x24\n el1h_64_irq+0x6c/0x70\n regmap_mmio_read32le+0xc/0x20 (P)\n _regmap_bus_reg_read+0x6c/0xac\n _regmap_read+0x60/0xdc\n regmap_read+0x4c/0x80\n mtk_star_rx_poll+0x2f4/0x39c [mtk_star_emac]\n __napi_poll+0x38/0x188\n net_rx_action+0x164/0x2c0\n handle_softirqs+0x100/0x244\n __do_softirq+0x14/0x20\n ____do_softirq+0x10/0x20\n call_on_irq_stack+0x24/0x64\n do_softirq_own_stack+0x1c/0x40\n __irq_exit_rcu+0xd4/0x10c\n irq_exit_rcu+0x10/0x1c\n el1_interrupt+0x38/0x68\n el1h_64_irq_handler+0x18/0x24\n el1h_64_irq+0x6c/0x70\n cpuidle_enter_state+0xac/0x320 (P)\n cpuidle_enter+0x38/0x50\n do_idle+0x1e4/0x260\n cpu_startup_entry+0x34/0x3c\n rest_init+0xdc/0xe0\n console_on_rootfs+0x0/0x6c\n __primary_switched+0x88/0x90\n```"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:23:40.307Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/bedd287fdd3142dffad7ae2ac6ef15f4a2ad0629"
        },
        {
          "url": "https://git.kernel.org/stable/c/94107259f972d2fd896dbbcaa176b3b2451ff9e5"
        },
        {
          "url": "https://git.kernel.org/stable/c/7cb10f17bddc415f30fbc00a4e2b490e0d94c462"
        },
        {
          "url": "https://git.kernel.org/stable/c/8d40bf73fa7f31eac2b0a7c9d85de67df82ee7f3"
        },
        {
          "url": "https://git.kernel.org/stable/c/d886f8d85494d12b2752fd7c6c32162d982d5dd5"
        },
        {
          "url": "https://git.kernel.org/stable/c/6fe0866014486736cc3ba1c6fd4606d3dbe55c9c"
        }
      ],
      "title": "net: ethernet: mtk-star-emac: fix spinlock recursion issues on rx/tx poll",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37917",
    "datePublished": "2025-05-20T15:21:47.703Z",
    "dateReserved": "2025-04-16T04:51:23.967Z",
    "dateUpdated": "2025-11-03T19:57:19.232Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-46713 (GCVE-0-2024-46713)

Vulnerability from cvelistv5

Published

2024-09-13 14:49

Modified

2025-11-03 22:16

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: perf/aux: Fix AUX buffer serialization Ole reported that event->mmap_mutex is strictly insufficient to serialize the AUX buffer, add a per RB mutex to fully serialize it. Note that in the lock order comment the perf_event::mmap_mutex order was already wrong, that is, it nesting under mmap_lock is not new with this patch.

References

URL

Tags

	https://git.kernel.org/stable/c/7882923f1cb88dc1a17f2bf0c81b1fc80d44db82
	https://git.kernel.org/stable/c/52d13d224fdf1299c8b642807fa1ea14d693f5ff
	https://git.kernel.org/stable/c/9dc7ad2b67772cfb94ceb3b0c9c4023c2463215d
	https://git.kernel.org/stable/c/c4b69bee3f4ef76809288fe6827bc14d4ae788ef
	https://git.kernel.org/stable/c/b9b6882e243b653d379abbeaa64a500182aba370
	https://git.kernel.org/stable/c/2ab9d830262c132ab5db2f571003d80850d56b2a

Impacted products

Vendor

Product

Version

Linux

Version: 45bfb2e50471abbbfd83d40d28c986078b0d24ff
Version: 45bfb2e50471abbbfd83d40d28c986078b0d24ff
Version: 45bfb2e50471abbbfd83d40d28c986078b0d24ff
Version: 45bfb2e50471abbbfd83d40d28c986078b0d24ff
Version: 45bfb2e50471abbbfd83d40d28c986078b0d24ff
Version: 45bfb2e50471abbbfd83d40d28c986078b0d24ff

Linux

Version: 4.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-46713",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-29T14:58:57.910208Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-29T14:59:13.207Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T22:16:42.290Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00003.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/events/core.c",
            "kernel/events/internal.h",
            "kernel/events/ring_buffer.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "7882923f1cb88dc1a17f2bf0c81b1fc80d44db82",
              "status": "affected",
              "version": "45bfb2e50471abbbfd83d40d28c986078b0d24ff",
              "versionType": "git"
            },
            {
              "lessThan": "52d13d224fdf1299c8b642807fa1ea14d693f5ff",
              "status": "affected",
              "version": "45bfb2e50471abbbfd83d40d28c986078b0d24ff",
              "versionType": "git"
            },
            {
              "lessThan": "9dc7ad2b67772cfb94ceb3b0c9c4023c2463215d",
              "status": "affected",
              "version": "45bfb2e50471abbbfd83d40d28c986078b0d24ff",
              "versionType": "git"
            },
            {
              "lessThan": "c4b69bee3f4ef76809288fe6827bc14d4ae788ef",
              "status": "affected",
              "version": "45bfb2e50471abbbfd83d40d28c986078b0d24ff",
              "versionType": "git"
            },
            {
              "lessThan": "b9b6882e243b653d379abbeaa64a500182aba370",
              "status": "affected",
              "version": "45bfb2e50471abbbfd83d40d28c986078b0d24ff",
              "versionType": "git"
            },
            {
              "lessThan": "2ab9d830262c132ab5db2f571003d80850d56b2a",
              "status": "affected",
              "version": "45bfb2e50471abbbfd83d40d28c986078b0d24ff",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/events/core.c",
            "kernel/events/internal.h",
            "kernel/events/ring_buffer.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.1"
            },
            {
              "lessThan": "4.1",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.226",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.167",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.110",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.51",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.10.*",
              "status": "unaffected",
              "version": "6.10.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.11",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.226",
                  "versionStartIncluding": "4.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.167",
                  "versionStartIncluding": "4.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.110",
                  "versionStartIncluding": "4.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.51",
                  "versionStartIncluding": "4.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.10.10",
                  "versionStartIncluding": "4.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.11",
                  "versionStartIncluding": "4.1",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/aux: Fix AUX buffer serialization\n\nOle reported that event-\u003emmap_mutex is strictly insufficient to\nserialize the AUX buffer, add a per RB mutex to fully serialize it.\n\nNote that in the lock order comment the perf_event::mmap_mutex order\nwas already wrong, that is, it nesting under mmap_lock is not new with\nthis patch."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:32:31.367Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/7882923f1cb88dc1a17f2bf0c81b1fc80d44db82"
        },
        {
          "url": "https://git.kernel.org/stable/c/52d13d224fdf1299c8b642807fa1ea14d693f5ff"
        },
        {
          "url": "https://git.kernel.org/stable/c/9dc7ad2b67772cfb94ceb3b0c9c4023c2463215d"
        },
        {
          "url": "https://git.kernel.org/stable/c/c4b69bee3f4ef76809288fe6827bc14d4ae788ef"
        },
        {
          "url": "https://git.kernel.org/stable/c/b9b6882e243b653d379abbeaa64a500182aba370"
        },
        {
          "url": "https://git.kernel.org/stable/c/2ab9d830262c132ab5db2f571003d80850d56b2a"
        }
      ],
      "title": "perf/aux: Fix AUX buffer serialization",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-46713",
    "datePublished": "2024-09-13T14:49:13.691Z",
    "dateReserved": "2024-09-11T15:12:18.254Z",
    "dateUpdated": "2025-11-03T22:16:42.290Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-22035 (GCVE-0-2025-22035)

Vulnerability from cvelistv5

Published

2025-04-16 14:11

Modified

2025-11-03 19:41

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: tracing: Fix use-after-free in print_graph_function_flags during tracer switching Kairui reported a UAF issue in print_graph_function_flags() during ftrace stress testing [1]. This issue can be reproduced if puting a 'mdelay(10)' after 'mutex_unlock(&trace_types_lock)' in s_start(), and executing the following script: $ echo function_graph > current_tracer $ cat trace > /dev/null & $ sleep 5 # Ensure the 'cat' reaches the 'mdelay(10)' point $ echo timerlat > current_tracer The root cause lies in the two calls to print_graph_function_flags within print_trace_line during each s_show(): * One through 'iter->trace->print_line()'; * Another through 'event->funcs->trace()', which is hidden in print_trace_fmt() before print_trace_line returns. Tracer switching only updates the former, while the latter continues to use the print_line function of the old tracer, which in the script above is print_graph_function_flags. Moreover, when switching from the 'function_graph' tracer to the 'timerlat' tracer, s_start only calls graph_trace_close of the 'function_graph' tracer to free 'iter->private', but does not set it to NULL. This provides an opportunity for 'event->funcs->trace()' to use an invalid 'iter->private'. To fix this issue, set 'iter->private' to NULL immediately after freeing it in graph_trace_close(), ensuring that an invalid pointer is not passed to other tracers. Additionally, clean up the unnecessary 'iter->private = NULL' during each 'cat trace' when using wakeup and irqsoff tracers. [1] https://lore.kernel.org/all/20231112150030.84609-1-ryncsn@gmail.com/

References

URL

Tags

	https://git.kernel.org/stable/c/42561fe62c3628ea3bc9623f64f047605e98857f
	https://git.kernel.org/stable/c/de7b309139f862a44379ecd96e93c9133c69f813
	https://git.kernel.org/stable/c/81a85b12132c8ffe98f5ddbdc185481790aeaa1b
	https://git.kernel.org/stable/c/a2cce54c1748216535dda02e185d07a084be837e
	https://git.kernel.org/stable/c/099ef3385800828b74933a96c117574637c3fb3a
	https://git.kernel.org/stable/c/c85efe6e13743cac6ba4ccf144cb91f44c86231a
	https://git.kernel.org/stable/c/f14752d66056d0c7bffe5092130409417d3baa70
	https://git.kernel.org/stable/c/70be951bc01e4a0e10d443f3510bb17426f257fb
	https://git.kernel.org/stable/c/7f81f27b1093e4895e87b74143c59c055c3b1906

Impacted products

Vendor

Product

Version

Linux

Version: 05319d707732c728eb721ac616a50e7978eb499a
Version: b8205dfed68183dc1470e83863c5ded6d7fa30a9
Version: ce6e2b14bc094866d9173db6935da2d752f06d8b
Version: 2cb0c037c927db4ec928cc927488e52aa359786e
Version: eecb91b9f98d6427d4af5fdb8f108f52572a39e7
Version: eecb91b9f98d6427d4af5fdb8f108f52572a39e7
Version: eecb91b9f98d6427d4af5fdb8f108f52572a39e7
Version: eecb91b9f98d6427d4af5fdb8f108f52572a39e7
Version: eecb91b9f98d6427d4af5fdb8f108f52572a39e7
Version: d6b35c9a8d51032ed9890431da3ae39fe76c1ae3
Version: 5d433eda76b66ab271f5924b26ddfec063eeb454
Version: 2242640e9bd94e706acf75c60a2ab1d0e150e0fb

Linux

Version: 6.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-22035",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-21T14:57:52.767300Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-21T15:01:46.658Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:41:18.919Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/trace/trace_functions_graph.c",
            "kernel/trace/trace_irqsoff.c",
            "kernel/trace/trace_sched_wakeup.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "42561fe62c3628ea3bc9623f64f047605e98857f",
              "status": "affected",
              "version": "05319d707732c728eb721ac616a50e7978eb499a",
              "versionType": "git"
            },
            {
              "lessThan": "de7b309139f862a44379ecd96e93c9133c69f813",
              "status": "affected",
              "version": "b8205dfed68183dc1470e83863c5ded6d7fa30a9",
              "versionType": "git"
            },
            {
              "lessThan": "81a85b12132c8ffe98f5ddbdc185481790aeaa1b",
              "status": "affected",
              "version": "ce6e2b14bc094866d9173db6935da2d752f06d8b",
              "versionType": "git"
            },
            {
              "lessThan": "a2cce54c1748216535dda02e185d07a084be837e",
              "status": "affected",
              "version": "2cb0c037c927db4ec928cc927488e52aa359786e",
              "versionType": "git"
            },
            {
              "lessThan": "099ef3385800828b74933a96c117574637c3fb3a",
              "status": "affected",
              "version": "eecb91b9f98d6427d4af5fdb8f108f52572a39e7",
              "versionType": "git"
            },
            {
              "lessThan": "c85efe6e13743cac6ba4ccf144cb91f44c86231a",
              "status": "affected",
              "version": "eecb91b9f98d6427d4af5fdb8f108f52572a39e7",
              "versionType": "git"
            },
            {
              "lessThan": "f14752d66056d0c7bffe5092130409417d3baa70",
              "status": "affected",
              "version": "eecb91b9f98d6427d4af5fdb8f108f52572a39e7",
              "versionType": "git"
            },
            {
              "lessThan": "70be951bc01e4a0e10d443f3510bb17426f257fb",
              "status": "affected",
              "version": "eecb91b9f98d6427d4af5fdb8f108f52572a39e7",
              "versionType": "git"
            },
            {
              "lessThan": "7f81f27b1093e4895e87b74143c59c055c3b1906",
              "status": "affected",
              "version": "eecb91b9f98d6427d4af5fdb8f108f52572a39e7",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "d6b35c9a8d51032ed9890431da3ae39fe76c1ae3",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "5d433eda76b66ab271f5924b26ddfec063eeb454",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "2242640e9bd94e706acf75c60a2ab1d0e150e0fb",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/trace/trace_functions_graph.c",
            "kernel/trace/trace_irqsoff.c",
            "kernel/trace/trace_sched_wakeup.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.5"
            },
            {
              "lessThan": "6.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.292",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.236",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.180",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.134",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.87",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.23",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.292",
                  "versionStartIncluding": "5.4.255",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.236",
                  "versionStartIncluding": "5.10.193",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.180",
                  "versionStartIncluding": "5.15.129",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.134",
                  "versionStartIncluding": "6.1.50",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.87",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.23",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.11",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.2",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.14.324",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.19.293",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.4.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Fix use-after-free in print_graph_function_flags during tracer switching\n\nKairui reported a UAF issue in print_graph_function_flags() during\nftrace stress testing [1]. This issue can be reproduced if puting a\n\u0027mdelay(10)\u0027 after \u0027mutex_unlock(\u0026trace_types_lock)\u0027 in s_start(),\nand executing the following script:\n\n  $ echo function_graph \u003e current_tracer\n  $ cat trace \u003e /dev/null \u0026\n  $ sleep 5  # Ensure the \u0027cat\u0027 reaches the \u0027mdelay(10)\u0027 point\n  $ echo timerlat \u003e current_tracer\n\nThe root cause lies in the two calls to print_graph_function_flags\nwithin print_trace_line during each s_show():\n\n  * One through \u0027iter-\u003etrace-\u003eprint_line()\u0027;\n  * Another through \u0027event-\u003efuncs-\u003etrace()\u0027, which is hidden in\n    print_trace_fmt() before print_trace_line returns.\n\nTracer switching only updates the former, while the latter continues\nto use the print_line function of the old tracer, which in the script\nabove is print_graph_function_flags.\n\nMoreover, when switching from the \u0027function_graph\u0027 tracer to the\n\u0027timerlat\u0027 tracer, s_start only calls graph_trace_close of the\n\u0027function_graph\u0027 tracer to free \u0027iter-\u003eprivate\u0027, but does not set\nit to NULL. This provides an opportunity for \u0027event-\u003efuncs-\u003etrace()\u0027\nto use an invalid \u0027iter-\u003eprivate\u0027.\n\nTo fix this issue, set \u0027iter-\u003eprivate\u0027 to NULL immediately after\nfreeing it in graph_trace_close(), ensuring that an invalid pointer\nis not passed to other tracers. Additionally, clean up the unnecessary\n\u0027iter-\u003eprivate = NULL\u0027 during each \u0027cat trace\u0027 when using wakeup and\nirqsoff tracers.\n\n [1] https://lore.kernel.org/all/20231112150030.84609-1-ryncsn@gmail.com/"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:17:03.661Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/42561fe62c3628ea3bc9623f64f047605e98857f"
        },
        {
          "url": "https://git.kernel.org/stable/c/de7b309139f862a44379ecd96e93c9133c69f813"
        },
        {
          "url": "https://git.kernel.org/stable/c/81a85b12132c8ffe98f5ddbdc185481790aeaa1b"
        },
        {
          "url": "https://git.kernel.org/stable/c/a2cce54c1748216535dda02e185d07a084be837e"
        },
        {
          "url": "https://git.kernel.org/stable/c/099ef3385800828b74933a96c117574637c3fb3a"
        },
        {
          "url": "https://git.kernel.org/stable/c/c85efe6e13743cac6ba4ccf144cb91f44c86231a"
        },
        {
          "url": "https://git.kernel.org/stable/c/f14752d66056d0c7bffe5092130409417d3baa70"
        },
        {
          "url": "https://git.kernel.org/stable/c/70be951bc01e4a0e10d443f3510bb17426f257fb"
        },
        {
          "url": "https://git.kernel.org/stable/c/7f81f27b1093e4895e87b74143c59c055c3b1906"
        }
      ],
      "title": "tracing: Fix use-after-free in print_graph_function_flags during tracer switching",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-22035",
    "datePublished": "2025-04-16T14:11:53.958Z",
    "dateReserved": "2024-12-29T08:45:45.809Z",
    "dateUpdated": "2025-11-03T19:41:18.919Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-37782 (GCVE-0-2025-37782)

Vulnerability from cvelistv5

This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "providerMetadata": {
        "dateUpdated": "2025-06-04T10:21:51.883Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "rejectedReasons": [
        {
          "lang": "en",
          "value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority."
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37782",
    "datePublished": "2025-05-01T13:07:18.993Z",
    "dateRejected": "2025-06-04T10:21:51.883Z",
    "dateReserved": "2025-04-16T04:51:23.940Z",
    "dateUpdated": "2025-06-04T10:21:51.883Z",
    "state": "REJECTED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38414 (GCVE-0-2025-38414)

Vulnerability from cvelistv5

Published

2025-07-25 13:32

Modified

2025-07-28 04:21

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix GCC_GCC_PCIE_HOT_RST definition for WCN7850 GCC_GCC_PCIE_HOT_RST is wrongly defined for WCN7850, causing kernel crash on some specific platforms. Since this register is divergent for WCN7850 and QCN9274, move it to register table to allow different definitions. Then correct the register address for WCN7850 to fix this issue. Note IPQ5332 is not affected as it is not PCIe based device. Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3

References

URL

Tags

	https://git.kernel.org/stable/c/569972c5bdb839b0eaf8aba6ce76ea0b78e2acf8
	https://git.kernel.org/stable/c/d71ac5694b33c80f1de97d074f6fbdc6c01a9d61
	https://git.kernel.org/stable/c/7588a893cde5385ad308400ff167d29a29913b3a

Impacted products

Vendor

Product

Version

Linux

Version: d889913205cf7ebda905b1e62c5867ed4e39f6c2
Version: d889913205cf7ebda905b1e62c5867ed4e39f6c2
Version: d889913205cf7ebda905b1e62c5867ed4e39f6c2

Linux

Version: 6.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/ath/ath12k/hw.c",
            "drivers/net/wireless/ath/ath12k/hw.h",
            "drivers/net/wireless/ath/ath12k/pci.c",
            "drivers/net/wireless/ath/ath12k/pci.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "569972c5bdb839b0eaf8aba6ce76ea0b78e2acf8",
              "status": "affected",
              "version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
              "versionType": "git"
            },
            {
              "lessThan": "d71ac5694b33c80f1de97d074f6fbdc6c01a9d61",
              "status": "affected",
              "version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
              "versionType": "git"
            },
            {
              "lessThan": "7588a893cde5385ad308400ff167d29a29913b3a",
              "status": "affected",
              "version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/ath/ath12k/hw.c",
            "drivers/net/wireless/ath/ath12k/hw.h",
            "drivers/net/wireless/ath/ath12k/pci.c",
            "drivers/net/wireless/ath/ath12k/pci.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.3"
            },
            {
              "lessThan": "6.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: fix GCC_GCC_PCIE_HOT_RST definition for WCN7850\n\nGCC_GCC_PCIE_HOT_RST is wrongly defined for WCN7850, causing kernel crash\non some specific platforms.\n\nSince this register is divergent for WCN7850 and QCN9274, move it to\nregister table to allow different definitions. Then correct the register\naddress for WCN7850 to fix this issue.\n\nNote IPQ5332 is not affected as it is not PCIe based device.\n\nTested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:21:27.806Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/569972c5bdb839b0eaf8aba6ce76ea0b78e2acf8"
        },
        {
          "url": "https://git.kernel.org/stable/c/d71ac5694b33c80f1de97d074f6fbdc6c01a9d61"
        },
        {
          "url": "https://git.kernel.org/stable/c/7588a893cde5385ad308400ff167d29a29913b3a"
        }
      ],
      "title": "wifi: ath12k: fix GCC_GCC_PCIE_HOT_RST definition for WCN7850",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38414",
    "datePublished": "2025-07-25T13:32:08.777Z",
    "dateReserved": "2025-04-16T04:51:24.013Z",
    "dateUpdated": "2025-07-28T04:21:27.806Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38107 (GCVE-0-2025-38107)

Vulnerability from cvelistv5

Published

2025-07-03 08:35

Modified

2025-11-03 17:34

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: net_sched: ets: fix a race in ets_qdisc_change() Gerrard Tai reported a race condition in ETS, whenever SFQ perturb timer fires at the wrong time. The race is as follows: CPU 0 CPU 1 [1]: lock root [2]: qdisc_tree_flush_backlog() [3]: unlock root | | [5]: lock root | [6]: rehash | [7]: qdisc_tree_reduce_backlog() | [4]: qdisc_put() This can be abused to underflow a parent's qlen. Calling qdisc_purge_queue() instead of qdisc_tree_flush_backlog() should fix the race, because all packets will be purged from the qdisc before releasing the lock.

References

URL

Tags

	https://git.kernel.org/stable/c/eb7b74e9754e1ba2088f914ad1f57a778b11894b
	https://git.kernel.org/stable/c/0b479d0aa488cb478eb2e1d8868be946ac8afb4f
	https://git.kernel.org/stable/c/347867cb424edae5fec1622712c8dd0a2c42918f
	https://git.kernel.org/stable/c/0383b25488a545be168744336847549d4a2d3d6c
	https://git.kernel.org/stable/c/073f64c03516bcfaf790f8edc772e0cfb8a84ec3
	https://git.kernel.org/stable/c/fed94bd51d62d2e0e006aa61480e94e5cd0582b0
	https://git.kernel.org/stable/c/d92adacdd8c2960be856e0b82acc5b7c5395fddb

Impacted products

Vendor

Product

Version

Linux

Version: 699d82e9a6db29d509a71f1f2f4316231e6232e6
Version: ce881ddbdc028fb1988b66e40e45ca0529c23b46
Version: b05972f01e7d30419987a1f221b5593668fd6448
Version: b05972f01e7d30419987a1f221b5593668fd6448
Version: b05972f01e7d30419987a1f221b5593668fd6448
Version: b05972f01e7d30419987a1f221b5593668fd6448
Version: b05972f01e7d30419987a1f221b5593668fd6448
Version: fffa19b5e58c34004a0d6f642d9c24b11d213994
Version: fb155f6597cd7bc3aeed668c3bb15fc3b7cb257d

Linux

Version: 6.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:34:09.673Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_ets.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "eb7b74e9754e1ba2088f914ad1f57a778b11894b",
              "status": "affected",
              "version": "699d82e9a6db29d509a71f1f2f4316231e6232e6",
              "versionType": "git"
            },
            {
              "lessThan": "0b479d0aa488cb478eb2e1d8868be946ac8afb4f",
              "status": "affected",
              "version": "ce881ddbdc028fb1988b66e40e45ca0529c23b46",
              "versionType": "git"
            },
            {
              "lessThan": "347867cb424edae5fec1622712c8dd0a2c42918f",
              "status": "affected",
              "version": "b05972f01e7d30419987a1f221b5593668fd6448",
              "versionType": "git"
            },
            {
              "lessThan": "0383b25488a545be168744336847549d4a2d3d6c",
              "status": "affected",
              "version": "b05972f01e7d30419987a1f221b5593668fd6448",
              "versionType": "git"
            },
            {
              "lessThan": "073f64c03516bcfaf790f8edc772e0cfb8a84ec3",
              "status": "affected",
              "version": "b05972f01e7d30419987a1f221b5593668fd6448",
              "versionType": "git"
            },
            {
              "lessThan": "fed94bd51d62d2e0e006aa61480e94e5cd0582b0",
              "status": "affected",
              "version": "b05972f01e7d30419987a1f221b5593668fd6448",
              "versionType": "git"
            },
            {
              "lessThan": "d92adacdd8c2960be856e0b82acc5b7c5395fddb",
              "status": "affected",
              "version": "b05972f01e7d30419987a1f221b5593668fd6448",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "fffa19b5e58c34004a0d6f642d9c24b11d213994",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "fb155f6597cd7bc3aeed668c3bb15fc3b7cb257d",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_ets.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.0"
            },
            {
              "lessThan": "6.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "5.10.142",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "5.15.66",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.94",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.4.213",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.19.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: ets: fix a race in ets_qdisc_change()\n\nGerrard Tai reported a race condition in ETS, whenever SFQ perturb timer\nfires at the wrong time.\n\nThe race is as follows:\n\nCPU 0                                 CPU 1\n[1]: lock root\n[2]: qdisc_tree_flush_backlog()\n[3]: unlock root\n |\n |                                    [5]: lock root\n |                                    [6]: rehash\n |                                    [7]: qdisc_tree_reduce_backlog()\n |\n[4]: qdisc_put()\n\nThis can be abused to underflow a parent\u0027s qlen.\n\nCalling qdisc_purge_queue() instead of qdisc_tree_flush_backlog()\nshould fix the race, because all packets will be purged from the qdisc\nbefore releasing the lock."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:12:22.514Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/eb7b74e9754e1ba2088f914ad1f57a778b11894b"
        },
        {
          "url": "https://git.kernel.org/stable/c/0b479d0aa488cb478eb2e1d8868be946ac8afb4f"
        },
        {
          "url": "https://git.kernel.org/stable/c/347867cb424edae5fec1622712c8dd0a2c42918f"
        },
        {
          "url": "https://git.kernel.org/stable/c/0383b25488a545be168744336847549d4a2d3d6c"
        },
        {
          "url": "https://git.kernel.org/stable/c/073f64c03516bcfaf790f8edc772e0cfb8a84ec3"
        },
        {
          "url": "https://git.kernel.org/stable/c/fed94bd51d62d2e0e006aa61480e94e5cd0582b0"
        },
        {
          "url": "https://git.kernel.org/stable/c/d92adacdd8c2960be856e0b82acc5b7c5395fddb"
        }
      ],
      "title": "net_sched: ets: fix a race in ets_qdisc_change()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38107",
    "datePublished": "2025-07-03T08:35:17.487Z",
    "dateReserved": "2025-04-16T04:51:23.985Z",
    "dateUpdated": "2025-11-03T17:34:09.673Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38369 (GCVE-0-2025-38369)

Vulnerability from cvelistv5

Published

2025-07-25 12:47

Modified

2025-07-28 11:16

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: Check availability of workqueue allocated by idxd wq driver before using Running IDXD workloads in a container with the /dev directory mounted can trigger a call trace or even a kernel panic when the parent process of the container is terminated. This issue occurs because, under certain configurations, Docker does not properly propagate the mount replica back to the original mount point. In this case, when the user driver detaches, the WQ is destroyed but it still calls destroy_workqueue() attempting to completes all pending work. It's necessary to check wq->wq and skip the drain if it no longer exists.

References

URL

Tags

	https://git.kernel.org/stable/c/e0051a3daa8b2cb318b03b2f9317c3e40855847a
	https://git.kernel.org/stable/c/98fd66c8ba77e3a7137575f610271014bc0e701f
	https://git.kernel.org/stable/c/aee7a7439f8c0884da87694a401930204a57128f
	https://git.kernel.org/stable/c/17502e7d7b7113346296f6758324798d536c31fd

Impacted products

Vendor

Product

Version

Linux

Version: bfe1d56091c1a404b3d4ce7e9809d745fc4453bb
Version: bfe1d56091c1a404b3d4ce7e9809d745fc4453bb
Version: bfe1d56091c1a404b3d4ce7e9809d745fc4453bb
Version: bfe1d56091c1a404b3d4ce7e9809d745fc4453bb

Linux

Version: 5.6

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/dma/idxd/cdev.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e0051a3daa8b2cb318b03b2f9317c3e40855847a",
              "status": "affected",
              "version": "bfe1d56091c1a404b3d4ce7e9809d745fc4453bb",
              "versionType": "git"
            },
            {
              "lessThan": "98fd66c8ba77e3a7137575f610271014bc0e701f",
              "status": "affected",
              "version": "bfe1d56091c1a404b3d4ce7e9809d745fc4453bb",
              "versionType": "git"
            },
            {
              "lessThan": "aee7a7439f8c0884da87694a401930204a57128f",
              "status": "affected",
              "version": "bfe1d56091c1a404b3d4ce7e9809d745fc4453bb",
              "versionType": "git"
            },
            {
              "lessThan": "17502e7d7b7113346296f6758324798d536c31fd",
              "status": "affected",
              "version": "bfe1d56091c1a404b3d4ce7e9809d745fc4453bb",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/dma/idxd/cdev.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.6"
            },
            {
              "lessThan": "5.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.96",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.36",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.96",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.36",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.5",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: Check availability of workqueue allocated by idxd wq driver before using\n\nRunning IDXD workloads in a container with the /dev directory mounted can\ntrigger a call trace or even a kernel panic when the parent process of the\ncontainer is terminated.\n\nThis issue occurs because, under certain configurations, Docker does not\nproperly propagate the mount replica back to the original mount point.\n\nIn this case, when the user driver detaches, the WQ is destroyed but it\nstill calls destroy_workqueue() attempting to completes all pending work.\nIt\u0027s necessary to check wq-\u003ewq and skip the drain if it no longer exists."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T11:16:50.451Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e0051a3daa8b2cb318b03b2f9317c3e40855847a"
        },
        {
          "url": "https://git.kernel.org/stable/c/98fd66c8ba77e3a7137575f610271014bc0e701f"
        },
        {
          "url": "https://git.kernel.org/stable/c/aee7a7439f8c0884da87694a401930204a57128f"
        },
        {
          "url": "https://git.kernel.org/stable/c/17502e7d7b7113346296f6758324798d536c31fd"
        }
      ],
      "title": "dmaengine: idxd: Check availability of workqueue allocated by idxd wq driver before using",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38369",
    "datePublished": "2025-07-25T12:47:43.583Z",
    "dateReserved": "2025-04-16T04:51:24.009Z",
    "dateUpdated": "2025-07-28T11:16:50.451Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-37754 (GCVE-0-2025-37754)

Vulnerability from cvelistv5

Published

2025-05-01 12:55

Modified

2025-05-26 05:20

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/i915/huc: Fix fence not released on early probe errors HuC delayed loading fence, introduced with commit 27536e03271da ("drm/i915/huc: track delayed HuC load with a fence"), is registered with object tracker early on driver probe but unregistered only from driver remove, which is not called on early probe errors. Since its memory is allocated under devres, then released anyway, it may happen to be allocated again to the fence and reused on future driver probes, resulting in kernel warnings that taint the kernel: <4> [309.731371] ------------[ cut here ]------------ <3> [309.731373] ODEBUG: init destroyed (active state 0) object: ffff88813d7dd2e0 object type: i915_sw_fence hint: sw_fence_dummy_notify+0x0/0x20 [i915] <4> [309.731575] WARNING: CPU: 2 PID: 3161 at lib/debugobjects.c:612 debug_print_object+0x93/0xf0 ... <4> [309.731693] CPU: 2 UID: 0 PID: 3161 Comm: i915_module_loa Tainted: G U 6.14.0-CI_DRM_16362-gf0fd77956987+ #1 ... <4> [309.731700] RIP: 0010:debug_print_object+0x93/0xf0 ... <4> [309.731728] Call Trace: <4> [309.731730] <TASK> ... <4> [309.731949] __debug_object_init+0x17b/0x1c0 <4> [309.731957] debug_object_init+0x34/0x50 <4> [309.732126] __i915_sw_fence_init+0x34/0x60 [i915] <4> [309.732256] intel_huc_init_early+0x4b/0x1d0 [i915] <4> [309.732468] intel_uc_init_early+0x61/0x680 [i915] <4> [309.732667] intel_gt_common_init_early+0x105/0x130 [i915] <4> [309.732804] intel_root_gt_init_early+0x63/0x80 [i915] <4> [309.732938] i915_driver_probe+0x1fa/0xeb0 [i915] <4> [309.733075] i915_pci_probe+0xe6/0x220 [i915] <4> [309.733198] local_pci_probe+0x44/0xb0 <4> [309.733203] pci_device_probe+0xf4/0x270 <4> [309.733209] really_probe+0xee/0x3c0 <4> [309.733215] __driver_probe_device+0x8c/0x180 <4> [309.733219] driver_probe_device+0x24/0xd0 <4> [309.733223] __driver_attach+0x10f/0x220 <4> [309.733230] bus_for_each_dev+0x7d/0xe0 <4> [309.733236] driver_attach+0x1e/0x30 <4> [309.733239] bus_add_driver+0x151/0x290 <4> [309.733244] driver_register+0x5e/0x130 <4> [309.733247] __pci_register_driver+0x7d/0x90 <4> [309.733251] i915_pci_register_driver+0x23/0x30 [i915] <4> [309.733413] i915_init+0x34/0x120 [i915] <4> [309.733655] do_one_initcall+0x62/0x3f0 <4> [309.733667] do_init_module+0x97/0x2a0 <4> [309.733671] load_module+0x25ff/0x2890 <4> [309.733688] init_module_from_file+0x97/0xe0 <4> [309.733701] idempotent_init_module+0x118/0x330 <4> [309.733711] __x64_sys_finit_module+0x77/0x100 <4> [309.733715] x64_sys_call+0x1f37/0x2650 <4> [309.733719] do_syscall_64+0x91/0x180 <4> [309.733763] entry_SYSCALL_64_after_hwframe+0x76/0x7e <4> [309.733792] </TASK> ... <4> [309.733806] ---[ end trace 0000000000000000 ]--- That scenario is most easily reproducible with igt@i915_module_load@reload-with-fault-injection. Fix the issue by moving the cleanup step to driver release path. (cherry picked from commit 795dbde92fe5c6996a02a5b579481de73035e7bf)

References

URL

Tags

	https://git.kernel.org/stable/c/9f5ef4a5eaa61a7a4ed31231da45deb85065397a
	https://git.kernel.org/stable/c/c5a906806162aea62dbe5d327760ce3b7117ca17
	https://git.kernel.org/stable/c/4bd4bf79bcfe101f0385ab81dbabb6e3f7d96c00
	https://git.kernel.org/stable/c/f104ef4db9f8f3923cc06ed1fafb3da38df6006d
	https://git.kernel.org/stable/c/e3ea2eae70692a455e256787e4f54153fb739b90

Impacted products

Vendor

Product

Version

Linux

Version: 27536e03271da3dafcdddf735102041a26ad5bd0
Version: 27536e03271da3dafcdddf735102041a26ad5bd0
Version: 27536e03271da3dafcdddf735102041a26ad5bd0
Version: 27536e03271da3dafcdddf735102041a26ad5bd0
Version: 27536e03271da3dafcdddf735102041a26ad5bd0

Linux

Version: 6.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/i915/gt/uc/intel_huc.c",
            "drivers/gpu/drm/i915/gt/uc/intel_huc.h",
            "drivers/gpu/drm/i915/gt/uc/intel_uc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "9f5ef4a5eaa61a7a4ed31231da45deb85065397a",
              "status": "affected",
              "version": "27536e03271da3dafcdddf735102041a26ad5bd0",
              "versionType": "git"
            },
            {
              "lessThan": "c5a906806162aea62dbe5d327760ce3b7117ca17",
              "status": "affected",
              "version": "27536e03271da3dafcdddf735102041a26ad5bd0",
              "versionType": "git"
            },
            {
              "lessThan": "4bd4bf79bcfe101f0385ab81dbabb6e3f7d96c00",
              "status": "affected",
              "version": "27536e03271da3dafcdddf735102041a26ad5bd0",
              "versionType": "git"
            },
            {
              "lessThan": "f104ef4db9f8f3923cc06ed1fafb3da38df6006d",
              "status": "affected",
              "version": "27536e03271da3dafcdddf735102041a26ad5bd0",
              "versionType": "git"
            },
            {
              "lessThan": "e3ea2eae70692a455e256787e4f54153fb739b90",
              "status": "affected",
              "version": "27536e03271da3dafcdddf735102041a26ad5bd0",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/i915/gt/uc/intel_huc.c",
            "drivers/gpu/drm/i915/gt/uc/intel_huc.h",
            "drivers/gpu/drm/i915/gt/uc/intel_uc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.2"
            },
            {
              "lessThan": "6.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.24",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.88",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.24",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.12",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.3",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/huc: Fix fence not released on early probe errors\n\nHuC delayed loading fence, introduced with commit 27536e03271da\n(\"drm/i915/huc: track delayed HuC load with a fence\"), is registered with\nobject tracker early on driver probe but unregistered only from driver\nremove, which is not called on early probe errors.  Since its memory is\nallocated under devres, then released anyway, it may happen to be\nallocated again to the fence and reused on future driver probes, resulting\nin kernel warnings that taint the kernel:\n\n\u003c4\u003e [309.731371] ------------[ cut here ]------------\n\u003c3\u003e [309.731373] ODEBUG: init destroyed (active state 0) object: ffff88813d7dd2e0 object type: i915_sw_fence hint: sw_fence_dummy_notify+0x0/0x20 [i915]\n\u003c4\u003e [309.731575] WARNING: CPU: 2 PID: 3161 at lib/debugobjects.c:612 debug_print_object+0x93/0xf0\n...\n\u003c4\u003e [309.731693] CPU: 2 UID: 0 PID: 3161 Comm: i915_module_loa Tainted: G     U             6.14.0-CI_DRM_16362-gf0fd77956987+ #1\n...\n\u003c4\u003e [309.731700] RIP: 0010:debug_print_object+0x93/0xf0\n...\n\u003c4\u003e [309.731728] Call Trace:\n\u003c4\u003e [309.731730]  \u003cTASK\u003e\n...\n\u003c4\u003e [309.731949]  __debug_object_init+0x17b/0x1c0\n\u003c4\u003e [309.731957]  debug_object_init+0x34/0x50\n\u003c4\u003e [309.732126]  __i915_sw_fence_init+0x34/0x60 [i915]\n\u003c4\u003e [309.732256]  intel_huc_init_early+0x4b/0x1d0 [i915]\n\u003c4\u003e [309.732468]  intel_uc_init_early+0x61/0x680 [i915]\n\u003c4\u003e [309.732667]  intel_gt_common_init_early+0x105/0x130 [i915]\n\u003c4\u003e [309.732804]  intel_root_gt_init_early+0x63/0x80 [i915]\n\u003c4\u003e [309.732938]  i915_driver_probe+0x1fa/0xeb0 [i915]\n\u003c4\u003e [309.733075]  i915_pci_probe+0xe6/0x220 [i915]\n\u003c4\u003e [309.733198]  local_pci_probe+0x44/0xb0\n\u003c4\u003e [309.733203]  pci_device_probe+0xf4/0x270\n\u003c4\u003e [309.733209]  really_probe+0xee/0x3c0\n\u003c4\u003e [309.733215]  __driver_probe_device+0x8c/0x180\n\u003c4\u003e [309.733219]  driver_probe_device+0x24/0xd0\n\u003c4\u003e [309.733223]  __driver_attach+0x10f/0x220\n\u003c4\u003e [309.733230]  bus_for_each_dev+0x7d/0xe0\n\u003c4\u003e [309.733236]  driver_attach+0x1e/0x30\n\u003c4\u003e [309.733239]  bus_add_driver+0x151/0x290\n\u003c4\u003e [309.733244]  driver_register+0x5e/0x130\n\u003c4\u003e [309.733247]  __pci_register_driver+0x7d/0x90\n\u003c4\u003e [309.733251]  i915_pci_register_driver+0x23/0x30 [i915]\n\u003c4\u003e [309.733413]  i915_init+0x34/0x120 [i915]\n\u003c4\u003e [309.733655]  do_one_initcall+0x62/0x3f0\n\u003c4\u003e [309.733667]  do_init_module+0x97/0x2a0\n\u003c4\u003e [309.733671]  load_module+0x25ff/0x2890\n\u003c4\u003e [309.733688]  init_module_from_file+0x97/0xe0\n\u003c4\u003e [309.733701]  idempotent_init_module+0x118/0x330\n\u003c4\u003e [309.733711]  __x64_sys_finit_module+0x77/0x100\n\u003c4\u003e [309.733715]  x64_sys_call+0x1f37/0x2650\n\u003c4\u003e [309.733719]  do_syscall_64+0x91/0x180\n\u003c4\u003e [309.733763]  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\u003c4\u003e [309.733792]  \u003c/TASK\u003e\n...\n\u003c4\u003e [309.733806] ---[ end trace 0000000000000000 ]---\n\nThat scenario is most easily reproducible with\nigt@i915_module_load@reload-with-fault-injection.\n\nFix the issue by moving the cleanup step to driver release path.\n\n(cherry picked from commit 795dbde92fe5c6996a02a5b579481de73035e7bf)"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:20:09.120Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/9f5ef4a5eaa61a7a4ed31231da45deb85065397a"
        },
        {
          "url": "https://git.kernel.org/stable/c/c5a906806162aea62dbe5d327760ce3b7117ca17"
        },
        {
          "url": "https://git.kernel.org/stable/c/4bd4bf79bcfe101f0385ab81dbabb6e3f7d96c00"
        },
        {
          "url": "https://git.kernel.org/stable/c/f104ef4db9f8f3923cc06ed1fafb3da38df6006d"
        },
        {
          "url": "https://git.kernel.org/stable/c/e3ea2eae70692a455e256787e4f54153fb739b90"
        }
      ],
      "title": "drm/i915/huc: Fix fence not released on early probe errors",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37754",
    "datePublished": "2025-05-01T12:55:58.845Z",
    "dateReserved": "2025-04-16T04:51:23.937Z",
    "dateUpdated": "2025-05-26T05:20:09.120Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38106 (GCVE-0-2025-38106)

Vulnerability from cvelistv5

Published

2025-07-03 08:35

Modified

2025-07-28 04:12

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: io_uring: fix use-after-free of sq->thread in __io_uring_show_fdinfo() syzbot reports: BUG: KASAN: slab-use-after-free in getrusage+0x1109/0x1a60 Read of size 8 at addr ffff88810de2d2c8 by task a.out/304 CPU: 0 UID: 0 PID: 304 Comm: a.out Not tainted 6.16.0-rc1 #1 PREEMPT(voluntary) Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x53/0x70 print_report+0xd0/0x670 ? __pfx__raw_spin_lock_irqsave+0x10/0x10 ? getrusage+0x1109/0x1a60 kasan_report+0xce/0x100 ? getrusage+0x1109/0x1a60 getrusage+0x1109/0x1a60 ? __pfx_getrusage+0x10/0x10 __io_uring_show_fdinfo+0x9fe/0x1790 ? ksys_read+0xf7/0x1c0 ? do_syscall_64+0xa4/0x260 ? vsnprintf+0x591/0x1100 ? __pfx___io_uring_show_fdinfo+0x10/0x10 ? __pfx_vsnprintf+0x10/0x10 ? mutex_trylock+0xcf/0x130 ? __pfx_mutex_trylock+0x10/0x10 ? __pfx_show_fd_locks+0x10/0x10 ? io_uring_show_fdinfo+0x57/0x80 io_uring_show_fdinfo+0x57/0x80 seq_show+0x38c/0x690 seq_read_iter+0x3f7/0x1180 ? inode_set_ctime_current+0x160/0x4b0 seq_read+0x271/0x3e0 ? __pfx_seq_read+0x10/0x10 ? __pfx__raw_spin_lock+0x10/0x10 ? __mark_inode_dirty+0x402/0x810 ? selinux_file_permission+0x368/0x500 ? file_update_time+0x10f/0x160 vfs_read+0x177/0xa40 ? __pfx___handle_mm_fault+0x10/0x10 ? __pfx_vfs_read+0x10/0x10 ? mutex_lock+0x81/0xe0 ? __pfx_mutex_lock+0x10/0x10 ? fdget_pos+0x24d/0x4b0 ksys_read+0xf7/0x1c0 ? __pfx_ksys_read+0x10/0x10 ? do_user_addr_fault+0x43b/0x9c0 do_syscall_64+0xa4/0x260 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f0f74170fc9 Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 8 RSP: 002b:00007fffece049e8 EFLAGS: 00000206 ORIG_RAX: 0000000000000000 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f0f74170fc9 RDX: 0000000000001000 RSI: 00007fffece049f0 RDI: 0000000000000004 RBP: 00007fffece05ad0 R08: 0000000000000000 R09: 00007fffece04d90 R10: 0000000000000000 R11: 0000000000000206 R12: 00005651720a1100 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 </TASK> Allocated by task 298: kasan_save_stack+0x33/0x60 kasan_save_track+0x14/0x30 __kasan_slab_alloc+0x6e/0x70 kmem_cache_alloc_node_noprof+0xe8/0x330 copy_process+0x376/0x5e00 create_io_thread+0xab/0xf0 io_sq_offload_create+0x9ed/0xf20 io_uring_setup+0x12b0/0x1cc0 do_syscall_64+0xa4/0x260 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 22: kasan_save_stack+0x33/0x60 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x37/0x50 kmem_cache_free+0xc4/0x360 rcu_core+0x5ff/0x19f0 handle_softirqs+0x18c/0x530 run_ksoftirqd+0x20/0x30 smpboot_thread_fn+0x287/0x6c0 kthread+0x30d/0x630 ret_from_fork+0xef/0x1a0 ret_from_fork_asm+0x1a/0x30 Last potentially related work creation: kasan_save_stack+0x33/0x60 kasan_record_aux_stack+0x8c/0xa0 __call_rcu_common.constprop.0+0x68/0x940 __schedule+0xff2/0x2930 __cond_resched+0x4c/0x80 mutex_lock+0x5c/0xe0 io_uring_del_tctx_node+0xe1/0x2b0 io_uring_clean_tctx+0xb7/0x160 io_uring_cancel_generic+0x34e/0x760 do_exit+0x240/0x2350 do_group_exit+0xab/0x220 __x64_sys_exit_group+0x39/0x40 x64_sys_call+0x1243/0x1840 do_syscall_64+0xa4/0x260 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff88810de2cb00 which belongs to the cache task_struct of size 3712 The buggy address is located 1992 bytes inside of freed 3712-byte region [ffff88810de2cb00, ffff88810de2d980) which is caused by the task_struct pointed to by sq->thread being released while it is being used in the function __io_uring_show_fdinfo(). Holding ctx->uring_lock does not prevent ehre relase or exit of sq->thread. Fix this by assigning and looking up ->thread under RCU, and grabbing a reference to the task_struct. This e ---truncated---

References

URL

Tags

	https://git.kernel.org/stable/c/af8c13f9ee040b9a287ba246cf0055f7c77b7cc8
	https://git.kernel.org/stable/c/d0932758a0a77b38ba1b39564f3b7aba12407061
	https://git.kernel.org/stable/c/ac0b8b327a5677dc6fecdf353d808161525b1ff0

Impacted products

Vendor

Product

Version

Linux

Version: 3fcb9d17206e31630f802a3ab52081d1342b8ed9
Version: 3fcb9d17206e31630f802a3ab52081d1342b8ed9
Version: 3fcb9d17206e31630f802a3ab52081d1342b8ed9

Linux

Version: 6.9

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "io_uring/fdinfo.c",
            "io_uring/sqpoll.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "af8c13f9ee040b9a287ba246cf0055f7c77b7cc8",
              "status": "affected",
              "version": "3fcb9d17206e31630f802a3ab52081d1342b8ed9",
              "versionType": "git"
            },
            {
              "lessThan": "d0932758a0a77b38ba1b39564f3b7aba12407061",
              "status": "affected",
              "version": "3fcb9d17206e31630f802a3ab52081d1342b8ed9",
              "versionType": "git"
            },
            {
              "lessThan": "ac0b8b327a5677dc6fecdf353d808161525b1ff0",
              "status": "affected",
              "version": "3fcb9d17206e31630f802a3ab52081d1342b8ed9",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "io_uring/fdinfo.c",
            "io_uring/sqpoll.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.9"
            },
            {
              "lessThan": "6.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: fix use-after-free of sq-\u003ethread in __io_uring_show_fdinfo()\n\nsyzbot reports:\n\nBUG: KASAN: slab-use-after-free in getrusage+0x1109/0x1a60\nRead of size 8 at addr ffff88810de2d2c8 by task a.out/304\n\nCPU: 0 UID: 0 PID: 304 Comm: a.out Not tainted 6.16.0-rc1 #1 PREEMPT(voluntary)\nHardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x53/0x70\n print_report+0xd0/0x670\n ? __pfx__raw_spin_lock_irqsave+0x10/0x10\n ? getrusage+0x1109/0x1a60\n kasan_report+0xce/0x100\n ? getrusage+0x1109/0x1a60\n getrusage+0x1109/0x1a60\n ? __pfx_getrusage+0x10/0x10\n __io_uring_show_fdinfo+0x9fe/0x1790\n ? ksys_read+0xf7/0x1c0\n ? do_syscall_64+0xa4/0x260\n ? vsnprintf+0x591/0x1100\n ? __pfx___io_uring_show_fdinfo+0x10/0x10\n ? __pfx_vsnprintf+0x10/0x10\n ? mutex_trylock+0xcf/0x130\n ? __pfx_mutex_trylock+0x10/0x10\n ? __pfx_show_fd_locks+0x10/0x10\n ? io_uring_show_fdinfo+0x57/0x80\n io_uring_show_fdinfo+0x57/0x80\n seq_show+0x38c/0x690\n seq_read_iter+0x3f7/0x1180\n ? inode_set_ctime_current+0x160/0x4b0\n seq_read+0x271/0x3e0\n ? __pfx_seq_read+0x10/0x10\n ? __pfx__raw_spin_lock+0x10/0x10\n ? __mark_inode_dirty+0x402/0x810\n ? selinux_file_permission+0x368/0x500\n ? file_update_time+0x10f/0x160\n vfs_read+0x177/0xa40\n ? __pfx___handle_mm_fault+0x10/0x10\n ? __pfx_vfs_read+0x10/0x10\n ? mutex_lock+0x81/0xe0\n ? __pfx_mutex_lock+0x10/0x10\n ? fdget_pos+0x24d/0x4b0\n ksys_read+0xf7/0x1c0\n ? __pfx_ksys_read+0x10/0x10\n ? do_user_addr_fault+0x43b/0x9c0\n do_syscall_64+0xa4/0x260\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f0f74170fc9\nCode: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 8b 8\nRSP: 002b:00007fffece049e8 EFLAGS: 00000206 ORIG_RAX: 0000000000000000\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f0f74170fc9\nRDX: 0000000000001000 RSI: 00007fffece049f0 RDI: 0000000000000004\nRBP: 00007fffece05ad0 R08: 0000000000000000 R09: 00007fffece04d90\nR10: 0000000000000000 R11: 0000000000000206 R12: 00005651720a1100\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n \u003c/TASK\u003e\n\nAllocated by task 298:\n kasan_save_stack+0x33/0x60\n kasan_save_track+0x14/0x30\n __kasan_slab_alloc+0x6e/0x70\n kmem_cache_alloc_node_noprof+0xe8/0x330\n copy_process+0x376/0x5e00\n create_io_thread+0xab/0xf0\n io_sq_offload_create+0x9ed/0xf20\n io_uring_setup+0x12b0/0x1cc0\n do_syscall_64+0xa4/0x260\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFreed by task 22:\n kasan_save_stack+0x33/0x60\n kasan_save_track+0x14/0x30\n kasan_save_free_info+0x3b/0x60\n __kasan_slab_free+0x37/0x50\n kmem_cache_free+0xc4/0x360\n rcu_core+0x5ff/0x19f0\n handle_softirqs+0x18c/0x530\n run_ksoftirqd+0x20/0x30\n smpboot_thread_fn+0x287/0x6c0\n kthread+0x30d/0x630\n ret_from_fork+0xef/0x1a0\n ret_from_fork_asm+0x1a/0x30\n\nLast potentially related work creation:\n kasan_save_stack+0x33/0x60\n kasan_record_aux_stack+0x8c/0xa0\n __call_rcu_common.constprop.0+0x68/0x940\n __schedule+0xff2/0x2930\n __cond_resched+0x4c/0x80\n mutex_lock+0x5c/0xe0\n io_uring_del_tctx_node+0xe1/0x2b0\n io_uring_clean_tctx+0xb7/0x160\n io_uring_cancel_generic+0x34e/0x760\n do_exit+0x240/0x2350\n do_group_exit+0xab/0x220\n __x64_sys_exit_group+0x39/0x40\n x64_sys_call+0x1243/0x1840\n do_syscall_64+0xa4/0x260\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nThe buggy address belongs to the object at ffff88810de2cb00\n which belongs to the cache task_struct of size 3712\nThe buggy address is located 1992 bytes inside of\n freed 3712-byte region [ffff88810de2cb00, ffff88810de2d980)\n\nwhich is caused by the task_struct pointed to by sq-\u003ethread being\nreleased while it is being used in the function\n__io_uring_show_fdinfo(). Holding ctx-\u003euring_lock does not prevent ehre\nrelase or exit of sq-\u003ethread.\n\nFix this by assigning and looking up -\u003ethread under RCU, and grabbing a\nreference to the task_struct. This e\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:12:21.273Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/af8c13f9ee040b9a287ba246cf0055f7c77b7cc8"
        },
        {
          "url": "https://git.kernel.org/stable/c/d0932758a0a77b38ba1b39564f3b7aba12407061"
        },
        {
          "url": "https://git.kernel.org/stable/c/ac0b8b327a5677dc6fecdf353d808161525b1ff0"
        }
      ],
      "title": "io_uring: fix use-after-free of sq-\u003ethread in __io_uring_show_fdinfo()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38106",
    "datePublished": "2025-07-03T08:35:16.215Z",
    "dateReserved": "2025-04-16T04:51:23.985Z",
    "dateUpdated": "2025-07-28T04:12:21.273Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-52927 (GCVE-0-2023-52927)

Vulnerability from cvelistv5

Published

2025-03-14 14:25

Modified

2025-11-03 19:28

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: netfilter: allow exp not to be removed in nf_ct_find_expectation Currently nf_conntrack_in() calling nf_ct_find_expectation() will remove the exp from the hash table. However, in some scenario, we expect the exp not to be removed when the created ct will not be confirmed, like in OVS and TC conntrack in the following patches. This patch allows exp not to be removed by setting IPS_CONFIRMED in the status of the tmpl.

References

URL

Tags

	https://git.kernel.org/stable/c/3fa58a6fbd1e9e5682d09cdafb08fba004cb12ec
	https://git.kernel.org/stable/c/4914109a8e1e494c6aa9852f9e84ec77a5fc643f
	https://seadragnol.github.io/posts/CVE-2023-52927/

Impacted products

Vendor

Product

Version

Linux

Version: 1bc91a5ddf3eaea0e0ea957cccf3abdcfcace00e
Version: 1bc91a5ddf3eaea0e0ea957cccf3abdcfcace00e

Linux

Version: 5.18

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:28:52.085Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/net/netfilter/nf_conntrack_expect.h",
            "net/netfilter/nf_conntrack_core.c",
            "net/netfilter/nf_conntrack_expect.c",
            "net/netfilter/nft_ct.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3fa58a6fbd1e9e5682d09cdafb08fba004cb12ec",
              "status": "affected",
              "version": "1bc91a5ddf3eaea0e0ea957cccf3abdcfcace00e",
              "versionType": "git"
            },
            {
              "lessThan": "4914109a8e1e494c6aa9852f9e84ec77a5fc643f",
              "status": "affected",
              "version": "1bc91a5ddf3eaea0e0ea957cccf3abdcfcace00e",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/net/netfilter/nf_conntrack_expect.h",
            "net/netfilter/nf_conntrack_core.c",
            "net/netfilter/nf_conntrack_expect.c",
            "net/netfilter/nft_ct.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.18"
            },
            {
              "lessThan": "5.18",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.130",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.6",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.130",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: allow exp not to be removed in nf_ct_find_expectation\n\nCurrently nf_conntrack_in() calling nf_ct_find_expectation() will\nremove the exp from the hash table. However, in some scenario, we\nexpect the exp not to be removed when the created ct will not be\nconfirmed, like in OVS and TC conntrack in the following patches.\n\nThis patch allows exp not to be removed by setting IPS_CONFIRMED\nin the status of the tmpl."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-19T16:51:03.074Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3fa58a6fbd1e9e5682d09cdafb08fba004cb12ec"
        },
        {
          "url": "https://git.kernel.org/stable/c/4914109a8e1e494c6aa9852f9e84ec77a5fc643f"
        },
        {
          "url": "https://seadragnol.github.io/posts/CVE-2023-52927/"
        }
      ],
      "title": "netfilter: allow exp not to be removed in nf_ct_find_expectation",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-52927",
    "datePublished": "2025-03-14T14:25:59.166Z",
    "dateReserved": "2024-08-21T06:07:11.018Z",
    "dateUpdated": "2025-11-03T19:28:52.085Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-37912 (GCVE-0-2025-37912)

Vulnerability from cvelistv5

Published

2025-05-20 15:21

Modified

2025-11-03 19:57

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: ice: Check VF VSI Pointer Value in ice_vc_add_fdir_fltr() As mentioned in the commit baeb705fd6a7 ("ice: always check VF VSI pointer values"), we need to perform a null pointer check on the return value of ice_get_vf_vsi() before using it.

References

URL

Tags

	https://git.kernel.org/stable/c/a32dcc3b8293600ddc4024731b4d027d4de061a4
	https://git.kernel.org/stable/c/0561f2e374c3732b90e50f0a244791a4308ec67e
	https://git.kernel.org/stable/c/eae60cfe25d022d7f0321dba4cc23ad8e87ade48
	https://git.kernel.org/stable/c/073791e9cfe6e4a11a6d85816ba87b1aa207493e
	https://git.kernel.org/stable/c/f68237982dc012230550f4ecf7ce286a9c37ddc9
	https://git.kernel.org/stable/c/425c5f266b2edeee0ce16fedd8466410cdcfcfe3

Impacted products

Vendor

Product

Version

Linux

Version: e81b674ead8e2172b2a69e7b45e079239ace4dbc
Version: 8e02cd98a6e24389d476e28436d41e620ed8e559
Version: d62389073a5b937413e2d1bc1da06ccff5103c0c
Version: 6ebbe97a488179f5dc85f2f1e0c89b486e99ee97
Version: 6ebbe97a488179f5dc85f2f1e0c89b486e99ee97
Version: 6ebbe97a488179f5dc85f2f1e0c89b486e99ee97
Version: 292081c4e7f575a79017d5cbe1a0ec042783976f

Linux

Version: 6.11

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:57:13.684Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a32dcc3b8293600ddc4024731b4d027d4de061a4",
              "status": "affected",
              "version": "e81b674ead8e2172b2a69e7b45e079239ace4dbc",
              "versionType": "git"
            },
            {
              "lessThan": "0561f2e374c3732b90e50f0a244791a4308ec67e",
              "status": "affected",
              "version": "8e02cd98a6e24389d476e28436d41e620ed8e559",
              "versionType": "git"
            },
            {
              "lessThan": "eae60cfe25d022d7f0321dba4cc23ad8e87ade48",
              "status": "affected",
              "version": "d62389073a5b937413e2d1bc1da06ccff5103c0c",
              "versionType": "git"
            },
            {
              "lessThan": "073791e9cfe6e4a11a6d85816ba87b1aa207493e",
              "status": "affected",
              "version": "6ebbe97a488179f5dc85f2f1e0c89b486e99ee97",
              "versionType": "git"
            },
            {
              "lessThan": "f68237982dc012230550f4ecf7ce286a9c37ddc9",
              "status": "affected",
              "version": "6ebbe97a488179f5dc85f2f1e0c89b486e99ee97",
              "versionType": "git"
            },
            {
              "lessThan": "425c5f266b2edeee0ce16fedd8466410cdcfcfe3",
              "status": "affected",
              "version": "6ebbe97a488179f5dc85f2f1e0c89b486e99ee97",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "292081c4e7f575a79017d5cbe1a0ec042783976f",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.11"
            },
            {
              "lessThan": "6.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.182",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.138",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.90",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.28",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.182",
                  "versionStartIncluding": "5.15.172",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.138",
                  "versionStartIncluding": "6.1.103",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.90",
                  "versionStartIncluding": "6.6.44",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.28",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.6",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.10.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Check VF VSI Pointer Value in ice_vc_add_fdir_fltr()\n\nAs mentioned in the commit baeb705fd6a7 (\"ice: always check VF VSI\npointer values\"), we need to perform a null pointer check on the return\nvalue of ice_get_vf_vsi() before using it."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:23:33.931Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a32dcc3b8293600ddc4024731b4d027d4de061a4"
        },
        {
          "url": "https://git.kernel.org/stable/c/0561f2e374c3732b90e50f0a244791a4308ec67e"
        },
        {
          "url": "https://git.kernel.org/stable/c/eae60cfe25d022d7f0321dba4cc23ad8e87ade48"
        },
        {
          "url": "https://git.kernel.org/stable/c/073791e9cfe6e4a11a6d85816ba87b1aa207493e"
        },
        {
          "url": "https://git.kernel.org/stable/c/f68237982dc012230550f4ecf7ce286a9c37ddc9"
        },
        {
          "url": "https://git.kernel.org/stable/c/425c5f266b2edeee0ce16fedd8466410cdcfcfe3"
        }
      ],
      "title": "ice: Check VF VSI Pointer Value in ice_vc_add_fdir_fltr()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37912",
    "datePublished": "2025-05-20T15:21:44.062Z",
    "dateReserved": "2025-04-16T04:51:23.967Z",
    "dateUpdated": "2025-11-03T19:57:13.684Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38410 (GCVE-0-2025-38410)

Vulnerability from cvelistv5

Published

2025-07-25 13:20

Modified

2025-11-03 17:37

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/msm: Fix a fence leak in submit error path In error paths, we could unref the submit without calling drm_sched_entity_push_job(), so msm_job_free() will never get called. Since drm_sched_job_cleanup() will NULL out the s_fence, we can use that to detect this case. Patchwork: https://patchwork.freedesktop.org/patch/653584/

References

URL

Tags

	https://git.kernel.org/stable/c/5deab0fa6cfd0cd7def17598db15ceb84f950584
	https://git.kernel.org/stable/c/201eba5c9652a900c0b248070263f9acd3735689
	https://git.kernel.org/stable/c/fe2695b2f63bd77e0e03bc0fc779164115bb4699
	https://git.kernel.org/stable/c/0eaa495b3d5710e5ba72051d2e01bb28292c625c
	https://git.kernel.org/stable/c/0dc817f852e5f8ec8501d19ef7dcc01affa181d0
	https://git.kernel.org/stable/c/5d319f75ccf7f0927425a7545aa1a22b3eedc189

Impacted products

Vendor

Product

Version

Linux

Version: 0cf6c71d70d8aa39b8fd0e39c9009602a0e0d300
Version: 0cf6c71d70d8aa39b8fd0e39c9009602a0e0d300
Version: 0cf6c71d70d8aa39b8fd0e39c9009602a0e0d300
Version: 0cf6c71d70d8aa39b8fd0e39c9009602a0e0d300
Version: 0cf6c71d70d8aa39b8fd0e39c9009602a0e0d300
Version: 0cf6c71d70d8aa39b8fd0e39c9009602a0e0d300

Linux

Version: 3.12

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:37:43.099Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/msm/msm_gem_submit.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5deab0fa6cfd0cd7def17598db15ceb84f950584",
              "status": "affected",
              "version": "0cf6c71d70d8aa39b8fd0e39c9009602a0e0d300",
              "versionType": "git"
            },
            {
              "lessThan": "201eba5c9652a900c0b248070263f9acd3735689",
              "status": "affected",
              "version": "0cf6c71d70d8aa39b8fd0e39c9009602a0e0d300",
              "versionType": "git"
            },
            {
              "lessThan": "fe2695b2f63bd77e0e03bc0fc779164115bb4699",
              "status": "affected",
              "version": "0cf6c71d70d8aa39b8fd0e39c9009602a0e0d300",
              "versionType": "git"
            },
            {
              "lessThan": "0eaa495b3d5710e5ba72051d2e01bb28292c625c",
              "status": "affected",
              "version": "0cf6c71d70d8aa39b8fd0e39c9009602a0e0d300",
              "versionType": "git"
            },
            {
              "lessThan": "0dc817f852e5f8ec8501d19ef7dcc01affa181d0",
              "status": "affected",
              "version": "0cf6c71d70d8aa39b8fd0e39c9009602a0e0d300",
              "versionType": "git"
            },
            {
              "lessThan": "5d319f75ccf7f0927425a7545aa1a22b3eedc189",
              "status": "affected",
              "version": "0cf6c71d70d8aa39b8fd0e39c9009602a0e0d300",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/msm/msm_gem_submit.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.12"
            },
            {
              "lessThan": "3.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.187",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.144",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.97",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.37",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.187",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.144",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.97",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.37",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.6",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm: Fix a fence leak in submit error path\n\nIn error paths, we could unref the submit without calling\ndrm_sched_entity_push_job(), so msm_job_free() will never get\ncalled.  Since drm_sched_job_cleanup() will NULL out the\ns_fence, we can use that to detect this case.\n\nPatchwork: https://patchwork.freedesktop.org/patch/653584/"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T11:16:54.704Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/5deab0fa6cfd0cd7def17598db15ceb84f950584"
        },
        {
          "url": "https://git.kernel.org/stable/c/201eba5c9652a900c0b248070263f9acd3735689"
        },
        {
          "url": "https://git.kernel.org/stable/c/fe2695b2f63bd77e0e03bc0fc779164115bb4699"
        },
        {
          "url": "https://git.kernel.org/stable/c/0eaa495b3d5710e5ba72051d2e01bb28292c625c"
        },
        {
          "url": "https://git.kernel.org/stable/c/0dc817f852e5f8ec8501d19ef7dcc01affa181d0"
        },
        {
          "url": "https://git.kernel.org/stable/c/5d319f75ccf7f0927425a7545aa1a22b3eedc189"
        }
      ],
      "title": "drm/msm: Fix a fence leak in submit error path",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38410",
    "datePublished": "2025-07-25T13:20:15.184Z",
    "dateReserved": "2025-04-16T04:51:24.013Z",
    "dateUpdated": "2025-11-03T17:37:43.099Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38425 (GCVE-0-2025-38425)

Vulnerability from cvelistv5

Published

2025-07-25 14:16

Modified

2025-11-03 17:37

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: i2c: tegra: check msg length in SMBUS block read For SMBUS block read, do not continue to read if the message length passed from the device is '0' or greater than the maximum allowed bytes.

References

URL

Tags

	https://git.kernel.org/stable/c/c39d1a9ae4ad66afcecab124d7789722bfe909fa
	https://git.kernel.org/stable/c/be5f6a65509cd5675362f15eb0440fb28b0f9d64
	https://git.kernel.org/stable/c/75a864f21ceeb8c1e8ce1b7589174fec2c3a039e
	https://git.kernel.org/stable/c/3f03f77ce688d02da284174e1884b6065d6159bd
	https://git.kernel.org/stable/c/a6e04f05ce0b070ab39d5775580e65c7d943da0b

Impacted products

Vendor

Product

Version

Linux

Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Linux

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:37:55.331Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/i2c/busses/i2c-tegra.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c39d1a9ae4ad66afcecab124d7789722bfe909fa",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "be5f6a65509cd5675362f15eb0440fb28b0f9d64",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "75a864f21ceeb8c1e8ce1b7589174fec2c3a039e",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "3f03f77ce688d02da284174e1884b6065d6159bd",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "a6e04f05ce0b070ab39d5775580e65c7d943da0b",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/i2c/busses/i2c-tegra.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.95",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.35",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.95",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.35",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: tegra: check msg length in SMBUS block read\n\nFor SMBUS block read, do not continue to read if the message length\npassed from the device is \u00270\u0027 or greater than the maximum allowed bytes."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:21:49.406Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c39d1a9ae4ad66afcecab124d7789722bfe909fa"
        },
        {
          "url": "https://git.kernel.org/stable/c/be5f6a65509cd5675362f15eb0440fb28b0f9d64"
        },
        {
          "url": "https://git.kernel.org/stable/c/75a864f21ceeb8c1e8ce1b7589174fec2c3a039e"
        },
        {
          "url": "https://git.kernel.org/stable/c/3f03f77ce688d02da284174e1884b6065d6159bd"
        },
        {
          "url": "https://git.kernel.org/stable/c/a6e04f05ce0b070ab39d5775580e65c7d943da0b"
        }
      ],
      "title": "i2c: tegra: check msg length in SMBUS block read",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38425",
    "datePublished": "2025-07-25T14:16:45.661Z",
    "dateReserved": "2025-04-16T04:51:24.015Z",
    "dateUpdated": "2025-11-03T17:37:55.331Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-50027 (GCVE-0-2022-50027)

Vulnerability from cvelistv5

Published

2025-06-18 11:01

Modified

2025-07-15 15:43

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Fix possible memory leak when failing to issue CMF WQE There is no corresponding free routine if lpfc_sli4_issue_wqe fails to issue the CMF WQE in lpfc_issue_cmf_sync_wqe. If ret_val is non-zero, then free the iocbq request structure.

References

URL

Tags

	https://git.kernel.org/stable/c/9c8e2e607270a368834a0ef72aa82d970f89c596
	https://git.kernel.org/stable/c/4eb7a1beff03836d3df271cd23b790884e3facb9
	https://git.kernel.org/stable/c/2f67dc7970bce3529edce93a0a14234d88b3fcd5

Impacted products

Vendor

Product

Version

Linux

Version: daebf93fc3a5d12b3bc928aebb168c68e754dda2
Version: daebf93fc3a5d12b3bc928aebb168c68e754dda2
Version: daebf93fc3a5d12b3bc928aebb168c68e754dda2

Linux

Version: 5.15

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/scsi/lpfc/lpfc_sli.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "9c8e2e607270a368834a0ef72aa82d970f89c596",
              "status": "affected",
              "version": "daebf93fc3a5d12b3bc928aebb168c68e754dda2",
              "versionType": "git"
            },
            {
              "lessThan": "4eb7a1beff03836d3df271cd23b790884e3facb9",
              "status": "affected",
              "version": "daebf93fc3a5d12b3bc928aebb168c68e754dda2",
              "versionType": "git"
            },
            {
              "lessThan": "2f67dc7970bce3529edce93a0a14234d88b3fcd5",
              "status": "affected",
              "version": "daebf93fc3a5d12b3bc928aebb168c68e754dda2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/scsi/lpfc/lpfc_sli.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.15"
            },
            {
              "lessThan": "5.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.63",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.19.*",
              "status": "unaffected",
              "version": "5.19.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.63",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.19.4",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Fix possible memory leak when failing to issue CMF WQE\n\nThere is no corresponding free routine if lpfc_sli4_issue_wqe fails to\nissue the CMF WQE in lpfc_issue_cmf_sync_wqe.\n\nIf ret_val is non-zero, then free the iocbq request structure."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-15T15:43:44.007Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/9c8e2e607270a368834a0ef72aa82d970f89c596"
        },
        {
          "url": "https://git.kernel.org/stable/c/4eb7a1beff03836d3df271cd23b790884e3facb9"
        },
        {
          "url": "https://git.kernel.org/stable/c/2f67dc7970bce3529edce93a0a14234d88b3fcd5"
        }
      ],
      "title": "scsi: lpfc: Fix possible memory leak when failing to issue CMF WQE",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50027",
    "datePublished": "2025-06-18T11:01:30.485Z",
    "dateReserved": "2025-06-18T10:57:27.394Z",
    "dateUpdated": "2025-07-15T15:43:44.007Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38147 (GCVE-0-2025-38147)

Vulnerability from cvelistv5

Published

2025-07-03 08:35

Modified

2025-11-03 17:34

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: calipso: Don't call calipso functions for AF_INET sk. syzkaller reported a null-ptr-deref in txopt_get(). [0] The offset 0x70 was of struct ipv6_txoptions in struct ipv6_pinfo, so struct ipv6_pinfo was NULL there. However, this never happens for IPv6 sockets as inet_sk(sk)->pinet6 is always set in inet6_create(), meaning the socket was not IPv6 one. The root cause is missing validation in netlbl_conn_setattr(). netlbl_conn_setattr() switches branches based on struct sockaddr.sa_family, which is passed from userspace. However, netlbl_conn_setattr() does not check if the address family matches the socket. The syzkaller must have called connect() for an IPv6 address on an IPv4 socket. We have a proper validation in tcp_v[46]_connect(), but security_socket_connect() is called in the earlier stage. Let's copy the validation to netlbl_conn_setattr(). [0]: Oops: general protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077] CPU: 2 UID: 0 PID: 12928 Comm: syz.9.1677 Not tainted 6.12.0 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 RIP: 0010:txopt_get include/net/ipv6.h:390 [inline] RIP: 0010: Code: 02 00 00 49 8b ac 24 f8 02 00 00 e8 84 69 2a fd e8 ff 00 16 fd 48 8d 7d 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 53 02 00 00 48 8b 6d 70 48 85 ed 0f 84 ab 01 00 RSP: 0018:ffff88811b8afc48 EFLAGS: 00010212 RAX: dffffc0000000000 RBX: 1ffff11023715f8a RCX: ffffffff841ab00c RDX: 000000000000000e RSI: ffffc90007d9e000 RDI: 0000000000000070 RBP: 0000000000000000 R08: ffffed1023715f9d R09: ffffed1023715f9e R10: ffffed1023715f9d R11: 0000000000000003 R12: ffff888123075f00 R13: ffff88810245bd80 R14: ffff888113646780 R15: ffff888100578a80 FS: 00007f9019bd7640(0000) GS:ffff8882d2d00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f901b927bac CR3: 0000000104788003 CR4: 0000000000770ef0 PKRU: 80000000 Call Trace: <TASK> calipso_sock_setattr+0x56/0x80 net/netlabel/netlabel_calipso.c:557 netlbl_conn_setattr+0x10c/0x280 net/netlabel/netlabel_kapi.c:1177 selinux_netlbl_socket_connect_helper+0xd3/0x1b0 security/selinux/netlabel.c:569 selinux_netlbl_socket_connect_locked security/selinux/netlabel.c:597 [inline] selinux_netlbl_socket_connect+0xb6/0x100 security/selinux/netlabel.c:615 selinux_socket_connect+0x5f/0x80 security/selinux/hooks.c:4931 security_socket_connect+0x50/0xa0 security/security.c:4598 __sys_connect_file+0xa4/0x190 net/socket.c:2067 __sys_connect+0x12c/0x170 net/socket.c:2088 __do_sys_connect net/socket.c:2098 [inline] __se_sys_connect net/socket.c:2095 [inline] __x64_sys_connect+0x73/0xb0 net/socket.c:2095 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xaa/0x1b0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f901b61a12d Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f9019bd6fa8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a RAX: ffffffffffffffda RBX: 00007f901b925fa0 RCX: 00007f901b61a12d RDX: 000000000000001c RSI: 0000200000000140 RDI: 0000000000000003 RBP: 00007f901b701505 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f901b5b62a0 R15: 00007f9019bb7000 </TASK> Modules linked in:

References

URL

Tags

	https://git.kernel.org/stable/c/fc2da88411470480b8b7e9177e930cedd893cf56
	https://git.kernel.org/stable/c/0c813dbc851dbf418fdc6dc883fd0592d6c555cd
	https://git.kernel.org/stable/c/26ce90f1ce60b0ff587de8d6aec399aa55cab28e
	https://git.kernel.org/stable/c/c32ebe33626335a536dbbdd09571c06dd9bc1729
	https://git.kernel.org/stable/c/946bfdfcb76ac2bac5b8526447035885ff41c598
	https://git.kernel.org/stable/c/dd8928897594931d6912ef2f7a43e110b4958d3d
	https://git.kernel.org/stable/c/e2ec310c7a50271843c585e27ef14e48c66ce649
	https://git.kernel.org/stable/c/6e9f2df1c550ead7cecb3e450af1105735020c92

Impacted products

Vendor

Product

Version

Linux

Version: ceba1832b1b2da0149c51de62a847c00bca1677a
Version: ceba1832b1b2da0149c51de62a847c00bca1677a
Version: ceba1832b1b2da0149c51de62a847c00bca1677a
Version: ceba1832b1b2da0149c51de62a847c00bca1677a
Version: ceba1832b1b2da0149c51de62a847c00bca1677a
Version: ceba1832b1b2da0149c51de62a847c00bca1677a
Version: ceba1832b1b2da0149c51de62a847c00bca1677a
Version: ceba1832b1b2da0149c51de62a847c00bca1677a

Linux

Version: 4.8

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:34:39.593Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/netlabel/netlabel_kapi.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "fc2da88411470480b8b7e9177e930cedd893cf56",
              "status": "affected",
              "version": "ceba1832b1b2da0149c51de62a847c00bca1677a",
              "versionType": "git"
            },
            {
              "lessThan": "0c813dbc851dbf418fdc6dc883fd0592d6c555cd",
              "status": "affected",
              "version": "ceba1832b1b2da0149c51de62a847c00bca1677a",
              "versionType": "git"
            },
            {
              "lessThan": "26ce90f1ce60b0ff587de8d6aec399aa55cab28e",
              "status": "affected",
              "version": "ceba1832b1b2da0149c51de62a847c00bca1677a",
              "versionType": "git"
            },
            {
              "lessThan": "c32ebe33626335a536dbbdd09571c06dd9bc1729",
              "status": "affected",
              "version": "ceba1832b1b2da0149c51de62a847c00bca1677a",
              "versionType": "git"
            },
            {
              "lessThan": "946bfdfcb76ac2bac5b8526447035885ff41c598",
              "status": "affected",
              "version": "ceba1832b1b2da0149c51de62a847c00bca1677a",
              "versionType": "git"
            },
            {
              "lessThan": "dd8928897594931d6912ef2f7a43e110b4958d3d",
              "status": "affected",
              "version": "ceba1832b1b2da0149c51de62a847c00bca1677a",
              "versionType": "git"
            },
            {
              "lessThan": "e2ec310c7a50271843c585e27ef14e48c66ce649",
              "status": "affected",
              "version": "ceba1832b1b2da0149c51de62a847c00bca1677a",
              "versionType": "git"
            },
            {
              "lessThan": "6e9f2df1c550ead7cecb3e450af1105735020c92",
              "status": "affected",
              "version": "ceba1832b1b2da0149c51de62a847c00bca1677a",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/netlabel/netlabel_kapi.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.8"
            },
            {
              "lessThan": "4.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.295",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.295",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.94",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncalipso: Don\u0027t call calipso functions for AF_INET sk.\n\nsyzkaller reported a null-ptr-deref in txopt_get(). [0]\n\nThe offset 0x70 was of struct ipv6_txoptions in struct ipv6_pinfo,\nso struct ipv6_pinfo was NULL there.\n\nHowever, this never happens for IPv6 sockets as inet_sk(sk)-\u003epinet6\nis always set in inet6_create(), meaning the socket was not IPv6 one.\n\nThe root cause is missing validation in netlbl_conn_setattr().\n\nnetlbl_conn_setattr() switches branches based on struct\nsockaddr.sa_family, which is passed from userspace.  However,\nnetlbl_conn_setattr() does not check if the address family matches\nthe socket.\n\nThe syzkaller must have called connect() for an IPv6 address on\nan IPv4 socket.\n\nWe have a proper validation in tcp_v[46]_connect(), but\nsecurity_socket_connect() is called in the earlier stage.\n\nLet\u0027s copy the validation to netlbl_conn_setattr().\n\n[0]:\nOops: general protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN NOPTI\nKASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]\nCPU: 2 UID: 0 PID: 12928 Comm: syz.9.1677 Not tainted 6.12.0 #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nRIP: 0010:txopt_get include/net/ipv6.h:390 [inline]\nRIP: 0010:\nCode: 02 00 00 49 8b ac 24 f8 02 00 00 e8 84 69 2a fd e8 ff 00 16 fd 48 8d 7d 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 \u003c80\u003e 3c 02 00 0f 85 53 02 00 00 48 8b 6d 70 48 85 ed 0f 84 ab 01 00\nRSP: 0018:ffff88811b8afc48 EFLAGS: 00010212\nRAX: dffffc0000000000 RBX: 1ffff11023715f8a RCX: ffffffff841ab00c\nRDX: 000000000000000e RSI: ffffc90007d9e000 RDI: 0000000000000070\nRBP: 0000000000000000 R08: ffffed1023715f9d R09: ffffed1023715f9e\nR10: ffffed1023715f9d R11: 0000000000000003 R12: ffff888123075f00\nR13: ffff88810245bd80 R14: ffff888113646780 R15: ffff888100578a80\nFS:  00007f9019bd7640(0000) GS:ffff8882d2d00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f901b927bac CR3: 0000000104788003 CR4: 0000000000770ef0\nPKRU: 80000000\nCall Trace:\n \u003cTASK\u003e\n calipso_sock_setattr+0x56/0x80 net/netlabel/netlabel_calipso.c:557\n netlbl_conn_setattr+0x10c/0x280 net/netlabel/netlabel_kapi.c:1177\n selinux_netlbl_socket_connect_helper+0xd3/0x1b0 security/selinux/netlabel.c:569\n selinux_netlbl_socket_connect_locked security/selinux/netlabel.c:597 [inline]\n selinux_netlbl_socket_connect+0xb6/0x100 security/selinux/netlabel.c:615\n selinux_socket_connect+0x5f/0x80 security/selinux/hooks.c:4931\n security_socket_connect+0x50/0xa0 security/security.c:4598\n __sys_connect_file+0xa4/0x190 net/socket.c:2067\n __sys_connect+0x12c/0x170 net/socket.c:2088\n __do_sys_connect net/socket.c:2098 [inline]\n __se_sys_connect net/socket.c:2095 [inline]\n __x64_sys_connect+0x73/0xb0 net/socket.c:2095\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xaa/0x1b0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f901b61a12d\nCode: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f9019bd6fa8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a\nRAX: ffffffffffffffda RBX: 00007f901b925fa0 RCX: 00007f901b61a12d\nRDX: 000000000000001c RSI: 0000200000000140 RDI: 0000000000000003\nRBP: 00007f901b701505 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 0000000000000000 R14: 00007f901b5b62a0 R15: 00007f9019bb7000\n \u003c/TASK\u003e\nModules linked in:"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:13:34.888Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/fc2da88411470480b8b7e9177e930cedd893cf56"
        },
        {
          "url": "https://git.kernel.org/stable/c/0c813dbc851dbf418fdc6dc883fd0592d6c555cd"
        },
        {
          "url": "https://git.kernel.org/stable/c/26ce90f1ce60b0ff587de8d6aec399aa55cab28e"
        },
        {
          "url": "https://git.kernel.org/stable/c/c32ebe33626335a536dbbdd09571c06dd9bc1729"
        },
        {
          "url": "https://git.kernel.org/stable/c/946bfdfcb76ac2bac5b8526447035885ff41c598"
        },
        {
          "url": "https://git.kernel.org/stable/c/dd8928897594931d6912ef2f7a43e110b4958d3d"
        },
        {
          "url": "https://git.kernel.org/stable/c/e2ec310c7a50271843c585e27ef14e48c66ce649"
        },
        {
          "url": "https://git.kernel.org/stable/c/6e9f2df1c550ead7cecb3e450af1105735020c92"
        }
      ],
      "title": "calipso: Don\u0027t call calipso functions for AF_INET sk.",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38147",
    "datePublished": "2025-07-03T08:35:52.921Z",
    "dateReserved": "2025-04-16T04:51:23.988Z",
    "dateUpdated": "2025-11-03T17:34:39.593Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38078 (GCVE-0-2025-38078)

Vulnerability from cvelistv5

Published

2025-06-18 09:33

Modified

2025-11-03 17:33

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: ALSA: pcm: Fix race of buffer access at PCM OSS layer The PCM OSS layer tries to clear the buffer with the silence data at initialization (or reconfiguration) of a stream with the explicit call of snd_pcm_format_set_silence() with runtime->dma_area. But this may lead to a UAF because the accessed runtime->dma_area might be freed concurrently, as it's performed outside the PCM ops. For avoiding it, move the code into the PCM core and perform it inside the buffer access lock, so that it won't be changed during the operation.

References

URL

Tags

	https://git.kernel.org/stable/c/c0e05a76fc727929524ef24a19c302e6dd40233f
	https://git.kernel.org/stable/c/8170d8ec4efd0be352c14cb61f374e30fb0c2a25
	https://git.kernel.org/stable/c/10217da9644ae75cea7330f902c35fc5ba78bbbf
	https://git.kernel.org/stable/c/f3e14d706ec18faf19f5a6e75060e140fea05d4a
	https://git.kernel.org/stable/c/74d90875f3d43f3eff0e9861c4701418795d3455
	https://git.kernel.org/stable/c/bf85e49aaf3a3c5775ea87369ea5f159c2148db4
	https://git.kernel.org/stable/c/afa56c960fcb4db37f2e3399f28e9402e4e1f470
	https://git.kernel.org/stable/c/93a81ca0657758b607c3f4ba889ae806be9beb73

Impacted products

Vendor

Product

Version

Linux

Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Linux

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:33:46.827Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/sound/pcm.h",
            "sound/core/oss/pcm_oss.c",
            "sound/core/pcm_native.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c0e05a76fc727929524ef24a19c302e6dd40233f",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "8170d8ec4efd0be352c14cb61f374e30fb0c2a25",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "10217da9644ae75cea7330f902c35fc5ba78bbbf",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "f3e14d706ec18faf19f5a6e75060e140fea05d4a",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "74d90875f3d43f3eff0e9861c4701418795d3455",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "bf85e49aaf3a3c5775ea87369ea5f159c2148db4",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "afa56c960fcb4db37f2e3399f28e9402e4e1f470",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "93a81ca0657758b607c3f4ba889ae806be9beb73",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/sound/pcm.h",
            "sound/core/oss/pcm_oss.c",
            "sound/core/pcm_native.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.294",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.238",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.185",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.141",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.93",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.31",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.294",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.238",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.185",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.141",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.93",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.31",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: pcm: Fix race of buffer access at PCM OSS layer\n\nThe PCM OSS layer tries to clear the buffer with the silence data at\ninitialization (or reconfiguration) of a stream with the explicit call\nof snd_pcm_format_set_silence() with runtime-\u003edma_area.  But this may\nlead to a UAF because the accessed runtime-\u003edma_area might be freed\nconcurrently, as it\u0027s performed outside the PCM ops.\n\nFor avoiding it, move the code into the PCM core and perform it inside\nthe buffer access lock, so that it won\u0027t be changed during the\noperation."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-18T09:33:52.644Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c0e05a76fc727929524ef24a19c302e6dd40233f"
        },
        {
          "url": "https://git.kernel.org/stable/c/8170d8ec4efd0be352c14cb61f374e30fb0c2a25"
        },
        {
          "url": "https://git.kernel.org/stable/c/10217da9644ae75cea7330f902c35fc5ba78bbbf"
        },
        {
          "url": "https://git.kernel.org/stable/c/f3e14d706ec18faf19f5a6e75060e140fea05d4a"
        },
        {
          "url": "https://git.kernel.org/stable/c/74d90875f3d43f3eff0e9861c4701418795d3455"
        },
        {
          "url": "https://git.kernel.org/stable/c/bf85e49aaf3a3c5775ea87369ea5f159c2148db4"
        },
        {
          "url": "https://git.kernel.org/stable/c/afa56c960fcb4db37f2e3399f28e9402e4e1f470"
        },
        {
          "url": "https://git.kernel.org/stable/c/93a81ca0657758b607c3f4ba889ae806be9beb73"
        }
      ],
      "title": "ALSA: pcm: Fix race of buffer access at PCM OSS layer",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38078",
    "datePublished": "2025-06-18T09:33:52.644Z",
    "dateReserved": "2025-04-16T04:51:23.980Z",
    "dateUpdated": "2025-11-03T17:33:46.827Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-37913 (GCVE-0-2025-37913)

Vulnerability from cvelistv5

Published

2025-05-20 15:21

Modified

2025-11-03 19:57

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: net_sched: qfq: Fix double list add in class with netem as child qdisc As described in Gerrard's report [1], there are use cases where a netem child qdisc will make the parent qdisc's enqueue callback reentrant. In the case of qfq, there won't be a UAF, but the code will add the same classifier to the list twice, which will cause memory corruption. This patch checks whether the class was already added to the agg->active list (cl_is_active) before doing the addition to cater for the reentrant case. [1] https://lore.kernel.org/netdev/CAHcdcOm+03OD2j6R0=YHKqmy=VgJ8xEOKuP6c7mSgnp-TEJJbw@mail.gmail.com/

References

URL

Tags

	https://git.kernel.org/stable/c/041f410aec2c1751ee22b8b73ba05d38c3a6a602
	https://git.kernel.org/stable/c/005a479540478a820c52de098e5e767e63e36f0a
	https://git.kernel.org/stable/c/0bf32d6fb1fcbf841bb9945570e0e2a70072c00f
	https://git.kernel.org/stable/c/0aa23e0856b7cedb3c88d8e3d281c212c7e4fbeb
	https://git.kernel.org/stable/c/a43783119e01849fbf2fe8855634e8989b240cb4
	https://git.kernel.org/stable/c/53bc0b55178bd59bdd4bcd16349505cabf54b1a2
	https://git.kernel.org/stable/c/370218e8ce711684acc4cdd3cc3c6dd7956bc165
	https://git.kernel.org/stable/c/f139f37dcdf34b67f5bf92bc8e0f7f6b3ac63aa4

Impacted products

Vendor

Product

Version

Linux

Version: 37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea
Version: 37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea
Version: 37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea
Version: 37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea
Version: 37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea
Version: 37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea
Version: 37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea
Version: 37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea

Linux

Version: 5.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:57:15.106Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_qfq.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "041f410aec2c1751ee22b8b73ba05d38c3a6a602",
              "status": "affected",
              "version": "37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea",
              "versionType": "git"
            },
            {
              "lessThan": "005a479540478a820c52de098e5e767e63e36f0a",
              "status": "affected",
              "version": "37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea",
              "versionType": "git"
            },
            {
              "lessThan": "0bf32d6fb1fcbf841bb9945570e0e2a70072c00f",
              "status": "affected",
              "version": "37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea",
              "versionType": "git"
            },
            {
              "lessThan": "0aa23e0856b7cedb3c88d8e3d281c212c7e4fbeb",
              "status": "affected",
              "version": "37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea",
              "versionType": "git"
            },
            {
              "lessThan": "a43783119e01849fbf2fe8855634e8989b240cb4",
              "status": "affected",
              "version": "37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea",
              "versionType": "git"
            },
            {
              "lessThan": "53bc0b55178bd59bdd4bcd16349505cabf54b1a2",
              "status": "affected",
              "version": "37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea",
              "versionType": "git"
            },
            {
              "lessThan": "370218e8ce711684acc4cdd3cc3c6dd7956bc165",
              "status": "affected",
              "version": "37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea",
              "versionType": "git"
            },
            {
              "lessThan": "f139f37dcdf34b67f5bf92bc8e0f7f6b3ac63aa4",
              "status": "affected",
              "version": "37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_qfq.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.0"
            },
            {
              "lessThan": "5.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.294",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.238",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.182",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.138",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.90",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.28",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.294",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.238",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.182",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.138",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.90",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.28",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.6",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: qfq: Fix double list add in class with netem as child qdisc\n\nAs described in Gerrard\u0027s report [1], there are use cases where a netem\nchild qdisc will make the parent qdisc\u0027s enqueue callback reentrant.\nIn the case of qfq, there won\u0027t be a UAF, but the code will add the same\nclassifier to the list twice, which will cause memory corruption.\n\nThis patch checks whether the class was already added to the agg-\u003eactive\nlist (cl_is_active) before doing the addition to cater for the reentrant\ncase.\n\n[1] https://lore.kernel.org/netdev/CAHcdcOm+03OD2j6R0=YHKqmy=VgJ8xEOKuP6c7mSgnp-TEJJbw@mail.gmail.com/"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-04T12:57:26.662Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/041f410aec2c1751ee22b8b73ba05d38c3a6a602"
        },
        {
          "url": "https://git.kernel.org/stable/c/005a479540478a820c52de098e5e767e63e36f0a"
        },
        {
          "url": "https://git.kernel.org/stable/c/0bf32d6fb1fcbf841bb9945570e0e2a70072c00f"
        },
        {
          "url": "https://git.kernel.org/stable/c/0aa23e0856b7cedb3c88d8e3d281c212c7e4fbeb"
        },
        {
          "url": "https://git.kernel.org/stable/c/a43783119e01849fbf2fe8855634e8989b240cb4"
        },
        {
          "url": "https://git.kernel.org/stable/c/53bc0b55178bd59bdd4bcd16349505cabf54b1a2"
        },
        {
          "url": "https://git.kernel.org/stable/c/370218e8ce711684acc4cdd3cc3c6dd7956bc165"
        },
        {
          "url": "https://git.kernel.org/stable/c/f139f37dcdf34b67f5bf92bc8e0f7f6b3ac63aa4"
        }
      ],
      "title": "net_sched: qfq: Fix double list add in class with netem as child qdisc",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37913",
    "datePublished": "2025-05-20T15:21:44.793Z",
    "dateReserved": "2025-04-16T04:51:23.967Z",
    "dateUpdated": "2025-11-03T19:57:15.106Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-44963 (GCVE-0-2024-44963)

Vulnerability from cvelistv5

Published

2024-09-04 18:36

Modified

2025-05-04 09:29

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: btrfs: do not BUG_ON() when freeing tree block after error When freeing a tree block, at btrfs_free_tree_block(), if we fail to create a delayed reference we don't deal with the error and just do a BUG_ON(). The error most likely to happen is -ENOMEM, and we have a comment mentioning that only -ENOMEM can happen, but that is not true, because in case qgroups are enabled any error returned from btrfs_qgroup_trace_extent_post() (can be -EUCLEAN or anything returned from btrfs_search_slot() for example) can be propagated back to btrfs_free_tree_block(). So stop doing a BUG_ON() and return the error to the callers and make them abort the transaction to prevent leaking space. Syzbot was triggering this, likely due to memory allocation failure injection.

References

URL

Tags

	https://git.kernel.org/stable/c/22d907bcd283d69d5e60497fc0d51969545c583b
	https://git.kernel.org/stable/c/98251cd60b4d702a8a81de442ab621e83a3fb24f
	https://git.kernel.org/stable/c/bb3868033a4cccff7be57e9145f2117cbdc91c11

Impacted products

Vendor

Product

Version

Linux

Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Linux

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-44963",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T17:39:41.059166Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-12T17:33:35.583Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/ctree.c",
            "fs/btrfs/extent-tree.c",
            "fs/btrfs/extent-tree.h",
            "fs/btrfs/free-space-tree.c",
            "fs/btrfs/ioctl.c",
            "fs/btrfs/qgroup.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "22d907bcd283d69d5e60497fc0d51969545c583b",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "98251cd60b4d702a8a81de442ab621e83a3fb24f",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "bb3868033a4cccff7be57e9145f2117cbdc91c11",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/ctree.c",
            "fs/btrfs/extent-tree.c",
            "fs/btrfs/extent-tree.h",
            "fs/btrfs/free-space-tree.c",
            "fs/btrfs/ioctl.c",
            "fs/btrfs/qgroup.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.64",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.10.*",
              "status": "unaffected",
              "version": "6.10.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.11",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.64",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.10.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: do not BUG_ON() when freeing tree block after error\n\nWhen freeing a tree block, at btrfs_free_tree_block(), if we fail to\ncreate a delayed reference we don\u0027t deal with the error and just do a\nBUG_ON(). The error most likely to happen is -ENOMEM, and we have a\ncomment mentioning that only -ENOMEM can happen, but that is not true,\nbecause in case qgroups are enabled any error returned from\nbtrfs_qgroup_trace_extent_post() (can be -EUCLEAN or anything returned\nfrom btrfs_search_slot() for example) can be propagated back to\nbtrfs_free_tree_block().\n\nSo stop doing a BUG_ON() and return the error to the callers and make\nthem abort the transaction to prevent leaking space. Syzbot was\ntriggering this, likely due to memory allocation failure injection."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:29:53.552Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/22d907bcd283d69d5e60497fc0d51969545c583b"
        },
        {
          "url": "https://git.kernel.org/stable/c/98251cd60b4d702a8a81de442ab621e83a3fb24f"
        },
        {
          "url": "https://git.kernel.org/stable/c/bb3868033a4cccff7be57e9145f2117cbdc91c11"
        }
      ],
      "title": "btrfs: do not BUG_ON() when freeing tree block after error",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-44963",
    "datePublished": "2024-09-04T18:36:00.948Z",
    "dateReserved": "2024-08-21T05:34:56.667Z",
    "dateUpdated": "2025-05-04T09:29:53.552Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38132 (GCVE-0-2025-38132)

Vulnerability from cvelistv5

Published

2025-07-03 08:35

Modified

2025-07-28 04:13

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: coresight: holding cscfg_csdev_lock while removing cscfg from csdev There'll be possible race scenario for coresight config: CPU0 CPU1 (perf enable) load module cscfg_load_config_sets() activate config. // sysfs (sys_active_cnt == 1) ... cscfg_csdev_enable_active_config() lock(csdev->cscfg_csdev_lock) deactivate config // sysfs (sys_activec_cnt == 0) cscfg_unload_config_sets() <iterating config_csdev_list> cscfg_remove_owned_csdev_configs() // here load config activate by CPU1 unlock(csdev->cscfg_csdev_lock) iterating config_csdev_list could be raced with config_csdev_list's entry delete. To resolve this race , hold csdev->cscfg_csdev_lock() while cscfg_remove_owned_csdev_configs()

References

URL

Tags

	https://git.kernel.org/stable/c/42f8afb0b161631fd1d814d017f75f955475ad41
	https://git.kernel.org/stable/c/53b9e2659719b04f5ba7593f2af0f2335f75e94a

Impacted products

Vendor

Product

Version

Linux

Version: 02bd588e12df405bdf55244708151b7f238b79ba
Version: 02bd588e12df405bdf55244708151b7f238b79ba

Linux

Version: 5.17

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/hwtracing/coresight/coresight-syscfg.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "42f8afb0b161631fd1d814d017f75f955475ad41",
              "status": "affected",
              "version": "02bd588e12df405bdf55244708151b7f238b79ba",
              "versionType": "git"
            },
            {
              "lessThan": "53b9e2659719b04f5ba7593f2af0f2335f75e94a",
              "status": "affected",
              "version": "02bd588e12df405bdf55244708151b7f238b79ba",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/hwtracing/coresight/coresight-syscfg.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.17"
            },
            {
              "lessThan": "5.17",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "5.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.17",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncoresight: holding cscfg_csdev_lock while removing cscfg from csdev\n\nThere\u0027ll be possible race scenario for coresight config:\n\nCPU0                                          CPU1\n(perf enable)                                 load module\n                                              cscfg_load_config_sets()\n                                              activate config. // sysfs\n                                              (sys_active_cnt == 1)\n...\ncscfg_csdev_enable_active_config()\n  lock(csdev-\u003ecscfg_csdev_lock)\n                                              deactivate config // sysfs\n                                              (sys_activec_cnt == 0)\n                                              cscfg_unload_config_sets()\n  \u003citerating config_csdev_list\u003e               cscfg_remove_owned_csdev_configs()\n  // here load config activate by CPU1\n  unlock(csdev-\u003ecscfg_csdev_lock)\n\niterating config_csdev_list could be raced with config_csdev_list\u0027s\nentry delete.\n\nTo resolve this race , hold csdev-\u003ecscfg_csdev_lock() while\ncscfg_remove_owned_csdev_configs()"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:13:02.340Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/42f8afb0b161631fd1d814d017f75f955475ad41"
        },
        {
          "url": "https://git.kernel.org/stable/c/53b9e2659719b04f5ba7593f2af0f2335f75e94a"
        }
      ],
      "title": "coresight: holding cscfg_csdev_lock while removing cscfg from csdev",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38132",
    "datePublished": "2025-07-03T08:35:35.695Z",
    "dateReserved": "2025-04-16T04:51:23.987Z",
    "dateUpdated": "2025-07-28T04:13:02.340Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38104 (GCVE-0-2025-38104)

Vulnerability from cvelistv5

Published

2025-04-18 07:01

Modified

2025-07-17 16:55

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Replace Mutex with Spinlock for RLCG register access to avoid Priority Inversion in SRIOV RLCG Register Access is a way for virtual functions to safely access GPU registers in a virtualized environment., including TLB flushes and register reads. When multiple threads or VFs try to access the same registers simultaneously, it can lead to race conditions. By using the RLCG interface, the driver can serialize access to the registers. This means that only one thread can access the registers at a time, preventing conflicts and ensuring that operations are performed correctly. Additionally, when a low-priority task holds a mutex that a high-priority task needs, ie., If a thread holding a spinlock tries to acquire a mutex, it can lead to priority inversion. register access in amdgpu_virt_rlcg_reg_rw especially in a fast code path is critical. The call stack shows that the function amdgpu_virt_rlcg_reg_rw is being called, which attempts to acquire the mutex. This function is invoked from amdgpu_sriov_wreg, which in turn is called from gmc_v11_0_flush_gpu_tlb. The [ BUG: Invalid wait context ] indicates that a thread is trying to acquire a mutex while it is in a context that does not allow it to sleep (like holding a spinlock). Fixes the below: [ 253.013423] ============================= [ 253.013434] [ BUG: Invalid wait context ] [ 253.013446] 6.12.0-amdstaging-drm-next-lol-050225 #14 Tainted: G U OE [ 253.013464] ----------------------------- [ 253.013475] kworker/0:1/10 is trying to lock: [ 253.013487] ffff9f30542e3cf8 (&adev->virt.rlcg_reg_lock){+.+.}-{3:3}, at: amdgpu_virt_rlcg_reg_rw+0xf6/0x330 [amdgpu] [ 253.013815] other info that might help us debug this: [ 253.013827] context-{4:4} [ 253.013835] 3 locks held by kworker/0:1/10: [ 253.013847] #0: ffff9f3040050f58 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x3f5/0x680 [ 253.013877] #1: ffffb789c008be40 ((work_completion)(&wfc.work)){+.+.}-{0:0}, at: process_one_work+0x1d6/0x680 [ 253.013905] #2: ffff9f3054281838 (&adev->gmc.invalidate_lock){+.+.}-{2:2}, at: gmc_v11_0_flush_gpu_tlb+0x198/0x4f0 [amdgpu] [ 253.014154] stack backtrace: [ 253.014164] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Tainted: G U OE 6.12.0-amdstaging-drm-next-lol-050225 #14 [ 253.014189] Tainted: [U]=USER, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE [ 253.014203] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 11/18/2024 [ 253.014224] Workqueue: events work_for_cpu_fn [ 253.014241] Call Trace: [ 253.014250] <TASK> [ 253.014260] dump_stack_lvl+0x9b/0xf0 [ 253.014275] dump_stack+0x10/0x20 [ 253.014287] __lock_acquire+0xa47/0x2810 [ 253.014303] ? srso_alias_return_thunk+0x5/0xfbef5 [ 253.014321] lock_acquire+0xd1/0x300 [ 253.014333] ? amdgpu_virt_rlcg_reg_rw+0xf6/0x330 [amdgpu] [ 253.014562] ? __lock_acquire+0xa6b/0x2810 [ 253.014578] __mutex_lock+0x85/0xe20 [ 253.014591] ? amdgpu_virt_rlcg_reg_rw+0xf6/0x330 [amdgpu] [ 253.014782] ? sched_clock_noinstr+0x9/0x10 [ 253.014795] ? srso_alias_return_thunk+0x5/0xfbef5 [ 253.014808] ? local_clock_noinstr+0xe/0xc0 [ 253.014822] ? amdgpu_virt_rlcg_reg_rw+0xf6/0x330 [amdgpu] [ 253.015012] ? srso_alias_return_thunk+0x5/0xfbef5 [ 253.015029] mutex_lock_nested+0x1b/0x30 [ 253.015044] ? mutex_lock_nested+0x1b/0x30 [ 253.015057] amdgpu_virt_rlcg_reg_rw+0xf6/0x330 [amdgpu] [ 253.015249] amdgpu_sriov_wreg+0xc5/0xd0 [amdgpu] [ 253.015435] gmc_v11_0_flush_gpu_tlb+0x44b/0x4f0 [amdgpu] [ 253.015667] gfx_v11_0_hw_init+0x499/0x29c0 [amdgpu] [ 253.015901] ? __pfx_smu_v13_0_update_pcie_parameters+0x10/0x10 [amdgpu] [ 253.016159] ? srso_alias_return_thunk+0x5/0xfbef5 [ 253.016173] ? smu_hw_init+0x18d/0x300 [amdgpu] [ 253.016403] amdgpu_device_init+0x29ad/0x36a0 [amdgpu] [ 253.016614] amdgpu_driver_load_kms+0x1a/0xc0 [amdgpu] [ 253.0170 ---truncated---

References

URL

Tags

	https://git.kernel.org/stable/c/07ed75bfa7ede8bfcfa303fd6efc85db1c8684c7
	https://git.kernel.org/stable/c/1c0378830e42c98acd69e0289882c8637d92f285
	https://git.kernel.org/stable/c/5c1741a0c176ae11675a64cb7f2dd21d72db6b91
	https://git.kernel.org/stable/c/dc0297f3198bd60108ccbd167ee5d9fa4af31ed0

Impacted products

Vendor

Product

Version

Linux

Version: e864180ee49b4d30e640fd1e1d852b86411420c9
Version: e864180ee49b4d30e640fd1e1d852b86411420c9
Version: e864180ee49b4d30e640fd1e1d852b86411420c9
Version: e864180ee49b4d30e640fd1e1d852b86411420c9
Version: f39a3bc42815a7016a915f6cb35e9a1448788f06
Version: 1adb5ebe205e96af77a93512e2d5b8c437548787
Version: e1ab38e99d1607f80a1670a399511a56464c0253

Linux

Version: 6.11

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/amdgpu/amdgpu_device.c",
            "drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c",
            "drivers/gpu/drm/amd/amdgpu/amdgpu_virt.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "07ed75bfa7ede8bfcfa303fd6efc85db1c8684c7",
              "status": "affected",
              "version": "e864180ee49b4d30e640fd1e1d852b86411420c9",
              "versionType": "git"
            },
            {
              "lessThan": "1c0378830e42c98acd69e0289882c8637d92f285",
              "status": "affected",
              "version": "e864180ee49b4d30e640fd1e1d852b86411420c9",
              "versionType": "git"
            },
            {
              "lessThan": "5c1741a0c176ae11675a64cb7f2dd21d72db6b91",
              "status": "affected",
              "version": "e864180ee49b4d30e640fd1e1d852b86411420c9",
              "versionType": "git"
            },
            {
              "lessThan": "dc0297f3198bd60108ccbd167ee5d9fa4af31ed0",
              "status": "affected",
              "version": "e864180ee49b4d30e640fd1e1d852b86411420c9",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "f39a3bc42815a7016a915f6cb35e9a1448788f06",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "1adb5ebe205e96af77a93512e2d5b8c437548787",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "e1ab38e99d1607f80a1670a399511a56464c0253",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/amdgpu/amdgpu_device.c",
            "drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c",
            "drivers/gpu/drm/amd/amdgpu/amdgpu_virt.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.11"
            },
            {
              "lessThan": "6.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.39",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.39",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.11",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.2",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.1.105",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.6.46",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.10.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Replace Mutex with Spinlock for RLCG register access to avoid Priority Inversion in SRIOV\n\nRLCG Register Access is a way for virtual functions to safely access GPU\nregisters in a virtualized environment., including TLB flushes and\nregister reads. When multiple threads or VFs try to access the same\nregisters simultaneously, it can lead to race conditions. By using the\nRLCG interface, the driver can serialize access to the registers. This\nmeans that only one thread can access the registers at a time,\npreventing conflicts and ensuring that operations are performed\ncorrectly. Additionally, when a low-priority task holds a mutex that a\nhigh-priority task needs, ie., If a thread holding a spinlock tries to\nacquire a mutex, it can lead to priority inversion. register access in\namdgpu_virt_rlcg_reg_rw especially in a fast code path is critical.\n\nThe call stack shows that the function amdgpu_virt_rlcg_reg_rw is being\ncalled, which attempts to acquire the mutex. This function is invoked\nfrom amdgpu_sriov_wreg, which in turn is called from\ngmc_v11_0_flush_gpu_tlb.\n\nThe [ BUG: Invalid wait context ] indicates that a thread is trying to\nacquire a mutex while it is in a context that does not allow it to sleep\n(like holding a spinlock).\n\nFixes the below:\n\n[  253.013423] =============================\n[  253.013434] [ BUG: Invalid wait context ]\n[  253.013446] 6.12.0-amdstaging-drm-next-lol-050225 #14 Tainted: G     U     OE\n[  253.013464] -----------------------------\n[  253.013475] kworker/0:1/10 is trying to lock:\n[  253.013487] ffff9f30542e3cf8 (\u0026adev-\u003evirt.rlcg_reg_lock){+.+.}-{3:3}, at: amdgpu_virt_rlcg_reg_rw+0xf6/0x330 [amdgpu]\n[  253.013815] other info that might help us debug this:\n[  253.013827] context-{4:4}\n[  253.013835] 3 locks held by kworker/0:1/10:\n[  253.013847]  #0: ffff9f3040050f58 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x3f5/0x680\n[  253.013877]  #1: ffffb789c008be40 ((work_completion)(\u0026wfc.work)){+.+.}-{0:0}, at: process_one_work+0x1d6/0x680\n[  253.013905]  #2: ffff9f3054281838 (\u0026adev-\u003egmc.invalidate_lock){+.+.}-{2:2}, at: gmc_v11_0_flush_gpu_tlb+0x198/0x4f0 [amdgpu]\n[  253.014154] stack backtrace:\n[  253.014164] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Tainted: G     U     OE      6.12.0-amdstaging-drm-next-lol-050225 #14\n[  253.014189] Tainted: [U]=USER, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE\n[  253.014203] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 11/18/2024\n[  253.014224] Workqueue: events work_for_cpu_fn\n[  253.014241] Call Trace:\n[  253.014250]  \u003cTASK\u003e\n[  253.014260]  dump_stack_lvl+0x9b/0xf0\n[  253.014275]  dump_stack+0x10/0x20\n[  253.014287]  __lock_acquire+0xa47/0x2810\n[  253.014303]  ? srso_alias_return_thunk+0x5/0xfbef5\n[  253.014321]  lock_acquire+0xd1/0x300\n[  253.014333]  ? amdgpu_virt_rlcg_reg_rw+0xf6/0x330 [amdgpu]\n[  253.014562]  ? __lock_acquire+0xa6b/0x2810\n[  253.014578]  __mutex_lock+0x85/0xe20\n[  253.014591]  ? amdgpu_virt_rlcg_reg_rw+0xf6/0x330 [amdgpu]\n[  253.014782]  ? sched_clock_noinstr+0x9/0x10\n[  253.014795]  ? srso_alias_return_thunk+0x5/0xfbef5\n[  253.014808]  ? local_clock_noinstr+0xe/0xc0\n[  253.014822]  ? amdgpu_virt_rlcg_reg_rw+0xf6/0x330 [amdgpu]\n[  253.015012]  ? srso_alias_return_thunk+0x5/0xfbef5\n[  253.015029]  mutex_lock_nested+0x1b/0x30\n[  253.015044]  ? mutex_lock_nested+0x1b/0x30\n[  253.015057]  amdgpu_virt_rlcg_reg_rw+0xf6/0x330 [amdgpu]\n[  253.015249]  amdgpu_sriov_wreg+0xc5/0xd0 [amdgpu]\n[  253.015435]  gmc_v11_0_flush_gpu_tlb+0x44b/0x4f0 [amdgpu]\n[  253.015667]  gfx_v11_0_hw_init+0x499/0x29c0 [amdgpu]\n[  253.015901]  ? __pfx_smu_v13_0_update_pcie_parameters+0x10/0x10 [amdgpu]\n[  253.016159]  ? srso_alias_return_thunk+0x5/0xfbef5\n[  253.016173]  ? smu_hw_init+0x18d/0x300 [amdgpu]\n[  253.016403]  amdgpu_device_init+0x29ad/0x36a0 [amdgpu]\n[  253.016614]  amdgpu_driver_load_kms+0x1a/0xc0 [amdgpu]\n[  253.0170\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-17T16:55:36.648Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/07ed75bfa7ede8bfcfa303fd6efc85db1c8684c7"
        },
        {
          "url": "https://git.kernel.org/stable/c/1c0378830e42c98acd69e0289882c8637d92f285"
        },
        {
          "url": "https://git.kernel.org/stable/c/5c1741a0c176ae11675a64cb7f2dd21d72db6b91"
        },
        {
          "url": "https://git.kernel.org/stable/c/dc0297f3198bd60108ccbd167ee5d9fa4af31ed0"
        }
      ],
      "title": "drm/amdgpu: Replace Mutex with Spinlock for RLCG register access to avoid Priority Inversion in SRIOV",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38104",
    "datePublished": "2025-04-18T07:01:31.091Z",
    "dateReserved": "2025-04-16T04:51:23.985Z",
    "dateUpdated": "2025-07-17T16:55:36.648Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38473 (GCVE-0-2025-38473)

Vulnerability from cvelistv5

Published

2025-07-28 11:21

Modified

2025-11-03 17:38

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Fix null-ptr-deref in l2cap_sock_resume_cb() syzbot reported null-ptr-deref in l2cap_sock_resume_cb(). [0] l2cap_sock_resume_cb() has a similar problem that was fixed by commit 1bff51ea59a9 ("Bluetooth: fix use-after-free error in lock_sock_nested()"). Since both l2cap_sock_kill() and l2cap_sock_resume_cb() are executed under l2cap_sock_resume_cb(), we can avoid the issue simply by checking if chan->data is NULL. Let's not access to the killed socket in l2cap_sock_resume_cb(). [0]: BUG: KASAN: null-ptr-deref in instrument_atomic_write include/linux/instrumented.h:82 [inline] BUG: KASAN: null-ptr-deref in clear_bit include/asm-generic/bitops/instrumented-atomic.h:41 [inline] BUG: KASAN: null-ptr-deref in l2cap_sock_resume_cb+0xb4/0x17c net/bluetooth/l2cap_sock.c:1711 Write of size 8 at addr 0000000000000570 by task kworker/u9:0/52 CPU: 1 UID: 0 PID: 52 Comm: kworker/u9:0 Not tainted 6.16.0-rc4-syzkaller-g7482bb149b9f #0 PREEMPT Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 Workqueue: hci0 hci_rx_work Call trace: show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:501 (C) __dump_stack+0x30/0x40 lib/dump_stack.c:94 dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120 print_report+0x58/0x84 mm/kasan/report.c:524 kasan_report+0xb0/0x110 mm/kasan/report.c:634 check_region_inline mm/kasan/generic.c:-1 [inline] kasan_check_range+0x264/0x2a4 mm/kasan/generic.c:189 __kasan_check_write+0x20/0x30 mm/kasan/shadow.c:37 instrument_atomic_write include/linux/instrumented.h:82 [inline] clear_bit include/asm-generic/bitops/instrumented-atomic.h:41 [inline] l2cap_sock_resume_cb+0xb4/0x17c net/bluetooth/l2cap_sock.c:1711 l2cap_security_cfm+0x524/0xea0 net/bluetooth/l2cap_core.c:7357 hci_auth_cfm include/net/bluetooth/hci_core.h:2092 [inline] hci_auth_complete_evt+0x2e8/0xa4c net/bluetooth/hci_event.c:3514 hci_event_func net/bluetooth/hci_event.c:7511 [inline] hci_event_packet+0x650/0xe9c net/bluetooth/hci_event.c:7565 hci_rx_work+0x320/0xb18 net/bluetooth/hci_core.c:4070 process_one_work+0x7e8/0x155c kernel/workqueue.c:3238 process_scheduled_works kernel/workqueue.c:3321 [inline] worker_thread+0x958/0xed8 kernel/workqueue.c:3402 kthread+0x5fc/0x75c kernel/kthread.c:464 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:847

References

URL

Tags

	https://git.kernel.org/stable/c/262cd18f5f7ede6a586580cadc5d0799e52e2e7c
	https://git.kernel.org/stable/c/2b27b389006623673e8cfff4ce1e119cce640b05
	https://git.kernel.org/stable/c/3a4eca2a1859955c65f07a570156bd2d9048ce33
	https://git.kernel.org/stable/c/ac3a8147bb24314fb3e84986590148e79f9872ec
	https://git.kernel.org/stable/c/c4f16f6b071a74ac7eefe5c28985285cbbe2cd96
	https://git.kernel.org/stable/c/b97be7ee8a1cd96b89817cbd64a9f5cc16c17d08
	https://git.kernel.org/stable/c/6d63901dcd592a1e3f71d7c6d78f9be5e8d7eef0
	https://git.kernel.org/stable/c/a0075accbf0d76c2dad1ad3993d2e944505d99a0

Impacted products

Vendor

Product

Version

Linux

Version: d97c899bde330cd1c76c3a162558177563a74362
Version: d97c899bde330cd1c76c3a162558177563a74362
Version: d97c899bde330cd1c76c3a162558177563a74362
Version: d97c899bde330cd1c76c3a162558177563a74362
Version: d97c899bde330cd1c76c3a162558177563a74362
Version: d97c899bde330cd1c76c3a162558177563a74362
Version: d97c899bde330cd1c76c3a162558177563a74362
Version: d97c899bde330cd1c76c3a162558177563a74362

Linux

Version: 3.13

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:38:39.105Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/l2cap_sock.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "262cd18f5f7ede6a586580cadc5d0799e52e2e7c",
              "status": "affected",
              "version": "d97c899bde330cd1c76c3a162558177563a74362",
              "versionType": "git"
            },
            {
              "lessThan": "2b27b389006623673e8cfff4ce1e119cce640b05",
              "status": "affected",
              "version": "d97c899bde330cd1c76c3a162558177563a74362",
              "versionType": "git"
            },
            {
              "lessThan": "3a4eca2a1859955c65f07a570156bd2d9048ce33",
              "status": "affected",
              "version": "d97c899bde330cd1c76c3a162558177563a74362",
              "versionType": "git"
            },
            {
              "lessThan": "ac3a8147bb24314fb3e84986590148e79f9872ec",
              "status": "affected",
              "version": "d97c899bde330cd1c76c3a162558177563a74362",
              "versionType": "git"
            },
            {
              "lessThan": "c4f16f6b071a74ac7eefe5c28985285cbbe2cd96",
              "status": "affected",
              "version": "d97c899bde330cd1c76c3a162558177563a74362",
              "versionType": "git"
            },
            {
              "lessThan": "b97be7ee8a1cd96b89817cbd64a9f5cc16c17d08",
              "status": "affected",
              "version": "d97c899bde330cd1c76c3a162558177563a74362",
              "versionType": "git"
            },
            {
              "lessThan": "6d63901dcd592a1e3f71d7c6d78f9be5e8d7eef0",
              "status": "affected",
              "version": "d97c899bde330cd1c76c3a162558177563a74362",
              "versionType": "git"
            },
            {
              "lessThan": "a0075accbf0d76c2dad1ad3993d2e944505d99a0",
              "status": "affected",
              "version": "d97c899bde330cd1c76c3a162558177563a74362",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/l2cap_sock.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.13"
            },
            {
              "lessThan": "3.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.297",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.241",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.147",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.100",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.40",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.297",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.241",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.147",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.100",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.40",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.8",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Fix null-ptr-deref in l2cap_sock_resume_cb()\n\nsyzbot reported null-ptr-deref in l2cap_sock_resume_cb(). [0]\n\nl2cap_sock_resume_cb() has a similar problem that was fixed by commit\n1bff51ea59a9 (\"Bluetooth: fix use-after-free error in lock_sock_nested()\").\n\nSince both l2cap_sock_kill() and l2cap_sock_resume_cb() are executed\nunder l2cap_sock_resume_cb(), we can avoid the issue simply by checking\nif chan-\u003edata is NULL.\n\nLet\u0027s not access to the killed socket in l2cap_sock_resume_cb().\n\n[0]:\nBUG: KASAN: null-ptr-deref in instrument_atomic_write include/linux/instrumented.h:82 [inline]\nBUG: KASAN: null-ptr-deref in clear_bit include/asm-generic/bitops/instrumented-atomic.h:41 [inline]\nBUG: KASAN: null-ptr-deref in l2cap_sock_resume_cb+0xb4/0x17c net/bluetooth/l2cap_sock.c:1711\nWrite of size 8 at addr 0000000000000570 by task kworker/u9:0/52\n\nCPU: 1 UID: 0 PID: 52 Comm: kworker/u9:0 Not tainted 6.16.0-rc4-syzkaller-g7482bb149b9f #0 PREEMPT\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025\nWorkqueue: hci0 hci_rx_work\nCall trace:\n show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:501 (C)\n __dump_stack+0x30/0x40 lib/dump_stack.c:94\n dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120\n print_report+0x58/0x84 mm/kasan/report.c:524\n kasan_report+0xb0/0x110 mm/kasan/report.c:634\n check_region_inline mm/kasan/generic.c:-1 [inline]\n kasan_check_range+0x264/0x2a4 mm/kasan/generic.c:189\n __kasan_check_write+0x20/0x30 mm/kasan/shadow.c:37\n instrument_atomic_write include/linux/instrumented.h:82 [inline]\n clear_bit include/asm-generic/bitops/instrumented-atomic.h:41 [inline]\n l2cap_sock_resume_cb+0xb4/0x17c net/bluetooth/l2cap_sock.c:1711\n l2cap_security_cfm+0x524/0xea0 net/bluetooth/l2cap_core.c:7357\n hci_auth_cfm include/net/bluetooth/hci_core.h:2092 [inline]\n hci_auth_complete_evt+0x2e8/0xa4c net/bluetooth/hci_event.c:3514\n hci_event_func net/bluetooth/hci_event.c:7511 [inline]\n hci_event_packet+0x650/0xe9c net/bluetooth/hci_event.c:7565\n hci_rx_work+0x320/0xb18 net/bluetooth/hci_core.c:4070\n process_one_work+0x7e8/0x155c kernel/workqueue.c:3238\n process_scheduled_works kernel/workqueue.c:3321 [inline]\n worker_thread+0x958/0xed8 kernel/workqueue.c:3402\n kthread+0x5fc/0x75c kernel/kthread.c:464\n ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:847"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-28T14:43:10.331Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/262cd18f5f7ede6a586580cadc5d0799e52e2e7c"
        },
        {
          "url": "https://git.kernel.org/stable/c/2b27b389006623673e8cfff4ce1e119cce640b05"
        },
        {
          "url": "https://git.kernel.org/stable/c/3a4eca2a1859955c65f07a570156bd2d9048ce33"
        },
        {
          "url": "https://git.kernel.org/stable/c/ac3a8147bb24314fb3e84986590148e79f9872ec"
        },
        {
          "url": "https://git.kernel.org/stable/c/c4f16f6b071a74ac7eefe5c28985285cbbe2cd96"
        },
        {
          "url": "https://git.kernel.org/stable/c/b97be7ee8a1cd96b89817cbd64a9f5cc16c17d08"
        },
        {
          "url": "https://git.kernel.org/stable/c/6d63901dcd592a1e3f71d7c6d78f9be5e8d7eef0"
        },
        {
          "url": "https://git.kernel.org/stable/c/a0075accbf0d76c2dad1ad3993d2e944505d99a0"
        }
      ],
      "title": "Bluetooth: Fix null-ptr-deref in l2cap_sock_resume_cb()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38473",
    "datePublished": "2025-07-28T11:21:34.880Z",
    "dateReserved": "2025-04-16T04:51:24.021Z",
    "dateUpdated": "2025-11-03T17:38:39.105Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38124 (GCVE-0-2025-38124)

Vulnerability from cvelistv5

Published

2025-07-03 08:35

Modified

2025-11-03 17:34

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: net: fix udp gso skb_segment after pull from frag_list Commit a1e40ac5b5e9 ("net: gso: fix udp gso fraglist segmentation after pull from frag_list") detected invalid geometry in frag_list skbs and redirects them from skb_segment_list to more robust skb_segment. But some packets with modified geometry can also hit bugs in that code. We don't know how many such cases exist. Addressing each one by one also requires touching the complex skb_segment code, which risks introducing bugs for other types of skbs. Instead, linearize all these packets that fail the basic invariants on gso fraglist skbs. That is more robust. If only part of the fraglist payload is pulled into head_skb, it will always cause exception when splitting skbs by skb_segment. For detailed call stack information, see below. Valid SKB_GSO_FRAGLIST skbs - consist of two or more segments - the head_skb holds the protocol headers plus first gso_size - one or more frag_list skbs hold exactly one segment - all but the last must be gso_size Optional datapath hooks such as NAT and BPF (bpf_skb_pull_data) can modify fraglist skbs, breaking these invariants. In extreme cases they pull one part of data into skb linear. For UDP, this causes three payloads with lengths of (11,11,10) bytes were pulled tail to become (12,10,10) bytes. The skbs no longer meets the above SKB_GSO_FRAGLIST conditions because payload was pulled into head_skb, it needs to be linearized before pass to regular skb_segment. skb_segment+0xcd0/0xd14 __udp_gso_segment+0x334/0x5f4 udp4_ufo_fragment+0x118/0x15c inet_gso_segment+0x164/0x338 skb_mac_gso_segment+0xc4/0x13c __skb_gso_segment+0xc4/0x124 validate_xmit_skb+0x9c/0x2c0 validate_xmit_skb_list+0x4c/0x80 sch_direct_xmit+0x70/0x404 __dev_queue_xmit+0x64c/0xe5c neigh_resolve_output+0x178/0x1c4 ip_finish_output2+0x37c/0x47c __ip_finish_output+0x194/0x240 ip_finish_output+0x20/0xf4 ip_output+0x100/0x1a0 NF_HOOK+0xc4/0x16c ip_forward+0x314/0x32c ip_rcv+0x90/0x118 __netif_receive_skb+0x74/0x124 process_backlog+0xe8/0x1a4 __napi_poll+0x5c/0x1f8 net_rx_action+0x154/0x314 handle_softirqs+0x154/0x4b8 [118.376811] [C201134] rxq0_pus: [name:bug&]kernel BUG at net/core/skbuff.c:4278! [118.376829] [C201134] rxq0_pus: [name:traps&]Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP [118.470774] [C201134] rxq0_pus: [name:mrdump&]Kernel Offset: 0x178cc00000 from 0xffffffc008000000 [118.470810] [C201134] rxq0_pus: [name:mrdump&]PHYS_OFFSET: 0x40000000 [118.470827] [C201134] rxq0_pus: [name:mrdump&]pstate: 60400005 (nZCv daif +PAN -UAO) [118.470848] [C201134] rxq0_pus: [name:mrdump&]pc : [0xffffffd79598aefc] skb_segment+0xcd0/0xd14 [118.470900] [C201134] rxq0_pus: [name:mrdump&]lr : [0xffffffd79598a5e8] skb_segment+0x3bc/0xd14 [118.470928] [C201134] rxq0_pus: [name:mrdump&]sp : ffffffc008013770

References

URL

Tags

	https://git.kernel.org/stable/c/0e65f38bd1aa14ea86e221b7bb814d38278d86c3
	https://git.kernel.org/stable/c/85eef1748c024da1a191aed56b30a3a65958c50c
	https://git.kernel.org/stable/c/4399f59a9467a324ed46657555f0e1f209a14acb
	https://git.kernel.org/stable/c/a04302867094bdc6efac1b598370fc47cf3f2388
	https://git.kernel.org/stable/c/3382a1ed7f778db841063f5d7e317ac55f9e7f72

Impacted products

Vendor

Product

Version

Linux

Version: 080e6c9a3908de193a48f646c5ce1bfb15676ffc
Version: af3122f5fdc0d00581d6e598a668df6bf54c9daa
Version: a1e40ac5b5e9077fe1f7ae0eb88034db0f9ae1ab
Version: a1e40ac5b5e9077fe1f7ae0eb88034db0f9ae1ab
Version: a1e40ac5b5e9077fe1f7ae0eb88034db0f9ae1ab
Version: 33e28acf42ee863f332a958bfc2f1a284a3659df
Version: 3cd00d2e3655fad3bda96dc1ebf17b6495f86fea

Linux

Version: 6.12

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:34:23.227Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/ipv4/udp_offload.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0e65f38bd1aa14ea86e221b7bb814d38278d86c3",
              "status": "affected",
              "version": "080e6c9a3908de193a48f646c5ce1bfb15676ffc",
              "versionType": "git"
            },
            {
              "lessThan": "85eef1748c024da1a191aed56b30a3a65958c50c",
              "status": "affected",
              "version": "af3122f5fdc0d00581d6e598a668df6bf54c9daa",
              "versionType": "git"
            },
            {
              "lessThan": "4399f59a9467a324ed46657555f0e1f209a14acb",
              "status": "affected",
              "version": "a1e40ac5b5e9077fe1f7ae0eb88034db0f9ae1ab",
              "versionType": "git"
            },
            {
              "lessThan": "a04302867094bdc6efac1b598370fc47cf3f2388",
              "status": "affected",
              "version": "a1e40ac5b5e9077fe1f7ae0eb88034db0f9ae1ab",
              "versionType": "git"
            },
            {
              "lessThan": "3382a1ed7f778db841063f5d7e317ac55f9e7f72",
              "status": "affected",
              "version": "a1e40ac5b5e9077fe1f7ae0eb88034db0f9ae1ab",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "33e28acf42ee863f332a958bfc2f1a284a3659df",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "3cd00d2e3655fad3bda96dc1ebf17b6495f86fea",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/ipv4/udp_offload.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.12"
            },
            {
              "lessThan": "6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "6.1.113",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.94",
                  "versionStartIncluding": "6.6.55",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.10.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.11.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix udp gso skb_segment after pull from frag_list\n\nCommit a1e40ac5b5e9 (\"net: gso: fix udp gso fraglist segmentation after\npull from frag_list\") detected invalid geometry in frag_list skbs and\nredirects them from skb_segment_list to more robust skb_segment. But some\npackets with modified geometry can also hit bugs in that code. We don\u0027t\nknow how many such cases exist. Addressing each one by one also requires\ntouching the complex skb_segment code, which risks introducing bugs for\nother types of skbs. Instead, linearize all these packets that fail the\nbasic invariants on gso fraglist skbs. That is more robust.\n\nIf only part of the fraglist payload is pulled into head_skb, it will\nalways cause exception when splitting skbs by skb_segment. For detailed\ncall stack information, see below.\n\nValid SKB_GSO_FRAGLIST skbs\n- consist of two or more segments\n- the head_skb holds the protocol headers plus first gso_size\n- one or more frag_list skbs hold exactly one segment\n- all but the last must be gso_size\n\nOptional datapath hooks such as NAT and BPF (bpf_skb_pull_data) can\nmodify fraglist skbs, breaking these invariants.\n\nIn extreme cases they pull one part of data into skb linear. For UDP,\nthis  causes three payloads with lengths of (11,11,10) bytes were\npulled tail to become (12,10,10) bytes.\n\nThe skbs no longer meets the above SKB_GSO_FRAGLIST conditions because\npayload was pulled into head_skb, it needs to be linearized before pass\nto regular skb_segment.\n\n    skb_segment+0xcd0/0xd14\n    __udp_gso_segment+0x334/0x5f4\n    udp4_ufo_fragment+0x118/0x15c\n    inet_gso_segment+0x164/0x338\n    skb_mac_gso_segment+0xc4/0x13c\n    __skb_gso_segment+0xc4/0x124\n    validate_xmit_skb+0x9c/0x2c0\n    validate_xmit_skb_list+0x4c/0x80\n    sch_direct_xmit+0x70/0x404\n    __dev_queue_xmit+0x64c/0xe5c\n    neigh_resolve_output+0x178/0x1c4\n    ip_finish_output2+0x37c/0x47c\n    __ip_finish_output+0x194/0x240\n    ip_finish_output+0x20/0xf4\n    ip_output+0x100/0x1a0\n    NF_HOOK+0xc4/0x16c\n    ip_forward+0x314/0x32c\n    ip_rcv+0x90/0x118\n    __netif_receive_skb+0x74/0x124\n    process_backlog+0xe8/0x1a4\n    __napi_poll+0x5c/0x1f8\n    net_rx_action+0x154/0x314\n    handle_softirqs+0x154/0x4b8\n\n    [118.376811] [C201134] rxq0_pus: [name:bug\u0026]kernel BUG at net/core/skbuff.c:4278!\n    [118.376829] [C201134] rxq0_pus: [name:traps\u0026]Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP\n    [118.470774] [C201134] rxq0_pus: [name:mrdump\u0026]Kernel Offset: 0x178cc00000 from 0xffffffc008000000\n    [118.470810] [C201134] rxq0_pus: [name:mrdump\u0026]PHYS_OFFSET: 0x40000000\n    [118.470827] [C201134] rxq0_pus: [name:mrdump\u0026]pstate: 60400005 (nZCv daif +PAN -UAO)\n    [118.470848] [C201134] rxq0_pus: [name:mrdump\u0026]pc : [0xffffffd79598aefc] skb_segment+0xcd0/0xd14\n    [118.470900] [C201134] rxq0_pus: [name:mrdump\u0026]lr : [0xffffffd79598a5e8] skb_segment+0x3bc/0xd14\n    [118.470928] [C201134] rxq0_pus: [name:mrdump\u0026]sp : ffffffc008013770"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:12:50.274Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0e65f38bd1aa14ea86e221b7bb814d38278d86c3"
        },
        {
          "url": "https://git.kernel.org/stable/c/85eef1748c024da1a191aed56b30a3a65958c50c"
        },
        {
          "url": "https://git.kernel.org/stable/c/4399f59a9467a324ed46657555f0e1f209a14acb"
        },
        {
          "url": "https://git.kernel.org/stable/c/a04302867094bdc6efac1b598370fc47cf3f2388"
        },
        {
          "url": "https://git.kernel.org/stable/c/3382a1ed7f778db841063f5d7e317ac55f9e7f72"
        }
      ],
      "title": "net: fix udp gso skb_segment after pull from frag_list",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38124",
    "datePublished": "2025-07-03T08:35:30.499Z",
    "dateReserved": "2025-04-16T04:51:23.986Z",
    "dateUpdated": "2025-11-03T17:34:23.227Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38188 (GCVE-0-2025-38188)

Vulnerability from cvelistv5

Published

2025-07-04 13:37

Modified

2025-07-28 04:14

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/msm/a7xx: Call CP_RESET_CONTEXT_STATE Calling this packet is necessary when we switch contexts because there are various pieces of state used by userspace to synchronize between BR and BV that are persistent across submits and we need to make sure that they are in a "safe" state when switching contexts. Otherwise a userspace submission in one context could cause another context to function incorrectly and hang, effectively a denial of service (although without leaking data). This was missed during initial a7xx bringup. Patchwork: https://patchwork.freedesktop.org/patch/654924/

References

URL

Tags

	https://git.kernel.org/stable/c/8a1f52651dd8203695d293c6824d8f6c067877d1
	https://git.kernel.org/stable/c/35fe72f3c425bbf1d580bd9066e2456b1dbae4a8
	https://git.kernel.org/stable/c/2b520c6104f34e3a548525173c38ebca4402cac3

Impacted products

Vendor

Product

Version

Linux

Version: af66706accdf5afef45204afc87037f876e0665c
Version: af66706accdf5afef45204afc87037f876e0665c
Version: af66706accdf5afef45204afc87037f876e0665c

Linux

Version: 6.7

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/msm/adreno/a6xx_gpu.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "8a1f52651dd8203695d293c6824d8f6c067877d1",
              "status": "affected",
              "version": "af66706accdf5afef45204afc87037f876e0665c",
              "versionType": "git"
            },
            {
              "lessThan": "35fe72f3c425bbf1d580bd9066e2456b1dbae4a8",
              "status": "affected",
              "version": "af66706accdf5afef45204afc87037f876e0665c",
              "versionType": "git"
            },
            {
              "lessThan": "2b520c6104f34e3a548525173c38ebca4402cac3",
              "status": "affected",
              "version": "af66706accdf5afef45204afc87037f876e0665c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/msm/adreno/a6xx_gpu.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.7"
            },
            {
              "lessThan": "6.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.35",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.35",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.4",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/a7xx: Call CP_RESET_CONTEXT_STATE\n\nCalling this packet is necessary when we switch contexts because there\nare various pieces of state used by userspace to synchronize between BR\nand BV that are persistent across submits and we need to make sure that\nthey are in a \"safe\" state when switching contexts. Otherwise a\nuserspace submission in one context could cause another context to\nfunction incorrectly and hang, effectively a denial of service (although\nwithout leaking data). This was missed during initial a7xx bringup.\n\nPatchwork: https://patchwork.freedesktop.org/patch/654924/"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:14:34.008Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/8a1f52651dd8203695d293c6824d8f6c067877d1"
        },
        {
          "url": "https://git.kernel.org/stable/c/35fe72f3c425bbf1d580bd9066e2456b1dbae4a8"
        },
        {
          "url": "https://git.kernel.org/stable/c/2b520c6104f34e3a548525173c38ebca4402cac3"
        }
      ],
      "title": "drm/msm/a7xx: Call CP_RESET_CONTEXT_STATE",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38188",
    "datePublished": "2025-07-04T13:37:13.761Z",
    "dateReserved": "2025-04-16T04:51:23.992Z",
    "dateUpdated": "2025-07-28T04:14:34.008Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-50103 (GCVE-0-2022-50103)

Vulnerability from cvelistv5

Published

2025-06-18 11:02

Modified

2025-06-18 11:02

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: sched, cpuset: Fix dl_cpu_busy() panic due to empty cs->cpus_allowed With cgroup v2, the cpuset's cpus_allowed mask can be empty indicating that the cpuset will just use the effective CPUs of its parent. So cpuset_can_attach() can call task_can_attach() with an empty mask. This can lead to cpumask_any_and() returns nr_cpu_ids causing the call to dl_bw_of() to crash due to percpu value access of an out of bound CPU value. For example: [80468.182258] BUG: unable to handle page fault for address: ffffffff8b6648b0 : [80468.191019] RIP: 0010:dl_cpu_busy+0x30/0x2b0 : [80468.207946] Call Trace: [80468.208947] cpuset_can_attach+0xa0/0x140 [80468.209953] cgroup_migrate_execute+0x8c/0x490 [80468.210931] cgroup_update_dfl_csses+0x254/0x270 [80468.211898] cgroup_subtree_control_write+0x322/0x400 [80468.212854] kernfs_fop_write_iter+0x11c/0x1b0 [80468.213777] new_sync_write+0x11f/0x1b0 [80468.214689] vfs_write+0x1eb/0x280 [80468.215592] ksys_write+0x5f/0xe0 [80468.216463] do_syscall_64+0x5c/0x80 [80468.224287] entry_SYSCALL_64_after_hwframe+0x44/0xae Fix that by using effective_cpus instead. For cgroup v1, effective_cpus is the same as cpus_allowed. For v2, effective_cpus is the real cpumask to be used by tasks within the cpuset anyway. Also update task_can_attach()'s 2nd argument name to cs_effective_cpus to reflect the change. In addition, a check is added to task_can_attach() to guard against the possibility that cpumask_any_and() may return a value >= nr_cpu_ids.

References

URL

Tags

	https://git.kernel.org/stable/c/336626564b58071b8980a4e6a31a8f5d92705d9b
	https://git.kernel.org/stable/c/147f66d22f58712dce7ccdd6a1f6cb3ee8042df4
	https://git.kernel.org/stable/c/357f3f0e522a6ce1ce4a571cb780d9861d53bec7
	https://git.kernel.org/stable/c/f56607b44c9896e51678a7e8cdd3a5479f4b4548
	https://git.kernel.org/stable/c/b6e8d40d43ae4dec00c8fea2593eeea3114b8f44

Impacted products

Vendor

Product

Version

Linux

Version: 7f51412a415d87ea8598d14722fb31e4f5701257
Version: 7f51412a415d87ea8598d14722fb31e4f5701257
Version: 7f51412a415d87ea8598d14722fb31e4f5701257
Version: 7f51412a415d87ea8598d14722fb31e4f5701257
Version: 7f51412a415d87ea8598d14722fb31e4f5701257

Linux

Version: 3.19

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/linux/sched.h",
            "kernel/cgroup/cpuset.c",
            "kernel/sched/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "336626564b58071b8980a4e6a31a8f5d92705d9b",
              "status": "affected",
              "version": "7f51412a415d87ea8598d14722fb31e4f5701257",
              "versionType": "git"
            },
            {
              "lessThan": "147f66d22f58712dce7ccdd6a1f6cb3ee8042df4",
              "status": "affected",
              "version": "7f51412a415d87ea8598d14722fb31e4f5701257",
              "versionType": "git"
            },
            {
              "lessThan": "357f3f0e522a6ce1ce4a571cb780d9861d53bec7",
              "status": "affected",
              "version": "7f51412a415d87ea8598d14722fb31e4f5701257",
              "versionType": "git"
            },
            {
              "lessThan": "f56607b44c9896e51678a7e8cdd3a5479f4b4548",
              "status": "affected",
              "version": "7f51412a415d87ea8598d14722fb31e4f5701257",
              "versionType": "git"
            },
            {
              "lessThan": "b6e8d40d43ae4dec00c8fea2593eeea3114b8f44",
              "status": "affected",
              "version": "7f51412a415d87ea8598d14722fb31e4f5701257",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/linux/sched.h",
            "kernel/cgroup/cpuset.c",
            "kernel/sched/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.19"
            },
            {
              "lessThan": "3.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.137",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.61",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.18.*",
              "status": "unaffected",
              "version": "5.18.18",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.19.*",
              "status": "unaffected",
              "version": "5.19.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.137",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.61",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.18.18",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.19.2",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched, cpuset: Fix dl_cpu_busy() panic due to empty cs-\u003ecpus_allowed\n\nWith cgroup v2, the cpuset\u0027s cpus_allowed mask can be empty indicating\nthat the cpuset will just use the effective CPUs of its parent. So\ncpuset_can_attach() can call task_can_attach() with an empty mask.\nThis can lead to cpumask_any_and() returns nr_cpu_ids causing the call\nto dl_bw_of() to crash due to percpu value access of an out of bound\nCPU value. For example:\n\n\t[80468.182258] BUG: unable to handle page fault for address: ffffffff8b6648b0\n\t  :\n\t[80468.191019] RIP: 0010:dl_cpu_busy+0x30/0x2b0\n\t  :\n\t[80468.207946] Call Trace:\n\t[80468.208947]  cpuset_can_attach+0xa0/0x140\n\t[80468.209953]  cgroup_migrate_execute+0x8c/0x490\n\t[80468.210931]  cgroup_update_dfl_csses+0x254/0x270\n\t[80468.211898]  cgroup_subtree_control_write+0x322/0x400\n\t[80468.212854]  kernfs_fop_write_iter+0x11c/0x1b0\n\t[80468.213777]  new_sync_write+0x11f/0x1b0\n\t[80468.214689]  vfs_write+0x1eb/0x280\n\t[80468.215592]  ksys_write+0x5f/0xe0\n\t[80468.216463]  do_syscall_64+0x5c/0x80\n\t[80468.224287]  entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nFix that by using effective_cpus instead. For cgroup v1, effective_cpus\nis the same as cpus_allowed. For v2, effective_cpus is the real cpumask\nto be used by tasks within the cpuset anyway.\n\nAlso update task_can_attach()\u0027s 2nd argument name to cs_effective_cpus to\nreflect the change. In addition, a check is added to task_can_attach()\nto guard against the possibility that cpumask_any_and() may return a\nvalue \u003e= nr_cpu_ids."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-18T11:02:38.840Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/336626564b58071b8980a4e6a31a8f5d92705d9b"
        },
        {
          "url": "https://git.kernel.org/stable/c/147f66d22f58712dce7ccdd6a1f6cb3ee8042df4"
        },
        {
          "url": "https://git.kernel.org/stable/c/357f3f0e522a6ce1ce4a571cb780d9861d53bec7"
        },
        {
          "url": "https://git.kernel.org/stable/c/f56607b44c9896e51678a7e8cdd3a5479f4b4548"
        },
        {
          "url": "https://git.kernel.org/stable/c/b6e8d40d43ae4dec00c8fea2593eeea3114b8f44"
        }
      ],
      "title": "sched, cpuset: Fix dl_cpu_busy() panic due to empty cs-\u003ecpus_allowed",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50103",
    "datePublished": "2025-06-18T11:02:38.840Z",
    "dateReserved": "2025-06-18T10:57:27.413Z",
    "dateUpdated": "2025-06-18T11:02:38.840Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38020 (GCVE-0-2025-38020)

Vulnerability from cvelistv5

Published

2025-06-18 09:28

Modified

2025-11-03 19:58

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Disable MACsec offload for uplink representor profile MACsec offload is not supported in switchdev mode for uplink representors. When switching to the uplink representor profile, the MACsec offload feature must be cleared from the netdevice's features. If left enabled, attempts to add offloads result in a null pointer dereference, as the uplink representor does not support MACsec offload even though the feature bit remains set. Clear NETIF_F_HW_MACSEC in mlx5e_fix_uplink_rep_features(). Kernel log: Oops: general protection fault, probably for non-canonical address 0xdffffc000000000f: 0000 [#1] SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000078-0x000000000000007f] CPU: 29 UID: 0 PID: 4714 Comm: ip Not tainted 6.14.0-rc4_for_upstream_debug_2025_03_02_17_35 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 RIP: 0010:__mutex_lock+0x128/0x1dd0 Code: d0 7c 08 84 d2 0f 85 ad 15 00 00 8b 35 91 5c fe 03 85 f6 75 29 49 8d 7e 60 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 a6 15 00 00 4d 3b 76 60 0f 85 fd 0b 00 00 65 ff RSP: 0018:ffff888147a4f160 EFLAGS: 00010206 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000001 RDX: 000000000000000f RSI: 0000000000000000 RDI: 0000000000000078 RBP: ffff888147a4f2e0 R08: ffffffffa05d2c19 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000 R13: dffffc0000000000 R14: 0000000000000018 R15: ffff888152de0000 FS: 00007f855e27d800(0000) GS:ffff88881ee80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000004e5768 CR3: 000000013ae7c005 CR4: 0000000000372eb0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 Call Trace: <TASK> ? die_addr+0x3d/0xa0 ? exc_general_protection+0x144/0x220 ? asm_exc_general_protection+0x22/0x30 ? mlx5e_macsec_add_secy+0xf9/0x700 [mlx5_core] ? __mutex_lock+0x128/0x1dd0 ? lockdep_set_lock_cmp_fn+0x190/0x190 ? mlx5e_macsec_add_secy+0xf9/0x700 [mlx5_core] ? mutex_lock_io_nested+0x1ae0/0x1ae0 ? lock_acquire+0x1c2/0x530 ? macsec_upd_offload+0x145/0x380 ? lockdep_hardirqs_on_prepare+0x400/0x400 ? kasan_save_stack+0x30/0x40 ? kasan_save_stack+0x20/0x40 ? kasan_save_track+0x10/0x30 ? __kasan_kmalloc+0x77/0x90 ? __kmalloc_noprof+0x249/0x6b0 ? genl_family_rcv_msg_attrs_parse.constprop.0+0xb5/0x240 ? mlx5e_macsec_add_secy+0xf9/0x700 [mlx5_core] mlx5e_macsec_add_secy+0xf9/0x700 [mlx5_core] ? mlx5e_macsec_add_rxsa+0x11a0/0x11a0 [mlx5_core] macsec_update_offload+0x26c/0x820 ? macsec_set_mac_address+0x4b0/0x4b0 ? lockdep_hardirqs_on_prepare+0x284/0x400 ? _raw_spin_unlock_irqrestore+0x47/0x50 macsec_upd_offload+0x2c8/0x380 ? macsec_update_offload+0x820/0x820 ? __nla_parse+0x22/0x30 ? genl_family_rcv_msg_attrs_parse.constprop.0+0x15e/0x240 genl_family_rcv_msg_doit+0x1cc/0x2a0 ? genl_family_rcv_msg_attrs_parse.constprop.0+0x240/0x240 ? cap_capable+0xd4/0x330 genl_rcv_msg+0x3ea/0x670 ? genl_family_rcv_msg_dumpit+0x2a0/0x2a0 ? lockdep_set_lock_cmp_fn+0x190/0x190 ? macsec_update_offload+0x820/0x820 netlink_rcv_skb+0x12b/0x390 ? genl_family_rcv_msg_dumpit+0x2a0/0x2a0 ? netlink_ack+0xd80/0xd80 ? rwsem_down_read_slowpath+0xf90/0xf90 ? netlink_deliver_tap+0xcd/0xac0 ? netlink_deliver_tap+0x155/0xac0 ? _copy_from_iter+0x1bb/0x12c0 genl_rcv+0x24/0x40 netlink_unicast+0x440/0x700 ? netlink_attachskb+0x760/0x760 ? lock_acquire+0x1c2/0x530 ? __might_fault+0xbb/0x170 netlink_sendmsg+0x749/0xc10 ? netlink_unicast+0x700/0x700 ? __might_fault+0xbb/0x170 ? netlink_unicast+0x700/0x700 __sock_sendmsg+0xc5/0x190 ____sys_sendmsg+0x53f/0x760 ? import_iovec+0x7/0x10 ? kernel_sendmsg+0x30/0x30 ? __copy_msghdr+0x3c0/0x3c0 ? filter_irq_stacks+0x90/0x90 ? stack_depot_save_flags+0x28/0xa30 ___sys_sen ---truncated---

References

URL

Tags

	https://git.kernel.org/stable/c/1e577aeb51e9deba4f2c10edfcb07cb3cb406598
	https://git.kernel.org/stable/c/b48a47e137cedfd79655accaeeea6b296ad0b9e1
	https://git.kernel.org/stable/c/1f80e6ff026041721d8089da8c269b1963628325
	https://git.kernel.org/stable/c/1a69d53922c1221351739f17837d38e317234e5d
	https://git.kernel.org/stable/c/588431474eb7572e57a927fa8558c9ba2f8af143

Impacted products

Vendor

Product

Version

Linux

Version: 8ff0ac5be1446920d71bdce5547f0d8476e280ff
Version: 8ff0ac5be1446920d71bdce5547f0d8476e280ff
Version: 8ff0ac5be1446920d71bdce5547f0d8476e280ff
Version: 8ff0ac5be1446920d71bdce5547f0d8476e280ff
Version: 8ff0ac5be1446920d71bdce5547f0d8476e280ff

Linux

Version: 6.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:58:20.670Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/mellanox/mlx5/core/en_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1e577aeb51e9deba4f2c10edfcb07cb3cb406598",
              "status": "affected",
              "version": "8ff0ac5be1446920d71bdce5547f0d8476e280ff",
              "versionType": "git"
            },
            {
              "lessThan": "b48a47e137cedfd79655accaeeea6b296ad0b9e1",
              "status": "affected",
              "version": "8ff0ac5be1446920d71bdce5547f0d8476e280ff",
              "versionType": "git"
            },
            {
              "lessThan": "1f80e6ff026041721d8089da8c269b1963628325",
              "status": "affected",
              "version": "8ff0ac5be1446920d71bdce5547f0d8476e280ff",
              "versionType": "git"
            },
            {
              "lessThan": "1a69d53922c1221351739f17837d38e317234e5d",
              "status": "affected",
              "version": "8ff0ac5be1446920d71bdce5547f0d8476e280ff",
              "versionType": "git"
            },
            {
              "lessThan": "588431474eb7572e57a927fa8558c9ba2f8af143",
              "status": "affected",
              "version": "8ff0ac5be1446920d71bdce5547f0d8476e280ff",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/mellanox/mlx5/core/en_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.1"
            },
            {
              "lessThan": "6.1",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.92",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.140",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.92",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.30",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.8",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Disable MACsec offload for uplink representor profile\n\nMACsec offload is not supported in switchdev mode for uplink\nrepresentors. When switching to the uplink representor profile, the\nMACsec offload feature must be cleared from the netdevice\u0027s features.\n\nIf left enabled, attempts to add offloads result in a null pointer\ndereference, as the uplink representor does not support MACsec offload\neven though the feature bit remains set.\n\nClear NETIF_F_HW_MACSEC in mlx5e_fix_uplink_rep_features().\n\nKernel log:\n\nOops: general protection fault, probably for non-canonical address 0xdffffc000000000f: 0000 [#1] SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000078-0x000000000000007f]\nCPU: 29 UID: 0 PID: 4714 Comm: ip Not tainted 6.14.0-rc4_for_upstream_debug_2025_03_02_17_35 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nRIP: 0010:__mutex_lock+0x128/0x1dd0\nCode: d0 7c 08 84 d2 0f 85 ad 15 00 00 8b 35 91 5c fe 03 85 f6 75 29 49 8d 7e 60 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 \u003c80\u003e 3c 02 00 0f 85 a6 15 00 00 4d 3b 76 60 0f 85 fd 0b 00 00 65 ff\nRSP: 0018:ffff888147a4f160 EFLAGS: 00010206\nRAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000001\nRDX: 000000000000000f RSI: 0000000000000000 RDI: 0000000000000078\nRBP: ffff888147a4f2e0 R08: ffffffffa05d2c19 R09: 0000000000000000\nR10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000\nR13: dffffc0000000000 R14: 0000000000000018 R15: ffff888152de0000\nFS:  00007f855e27d800(0000) GS:ffff88881ee80000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00000000004e5768 CR3: 000000013ae7c005 CR4: 0000000000372eb0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n ? die_addr+0x3d/0xa0\n ? exc_general_protection+0x144/0x220\n ? asm_exc_general_protection+0x22/0x30\n ? mlx5e_macsec_add_secy+0xf9/0x700 [mlx5_core]\n ? __mutex_lock+0x128/0x1dd0\n ? lockdep_set_lock_cmp_fn+0x190/0x190\n ? mlx5e_macsec_add_secy+0xf9/0x700 [mlx5_core]\n ? mutex_lock_io_nested+0x1ae0/0x1ae0\n ? lock_acquire+0x1c2/0x530\n ? macsec_upd_offload+0x145/0x380\n ? lockdep_hardirqs_on_prepare+0x400/0x400\n ? kasan_save_stack+0x30/0x40\n ? kasan_save_stack+0x20/0x40\n ? kasan_save_track+0x10/0x30\n ? __kasan_kmalloc+0x77/0x90\n ? __kmalloc_noprof+0x249/0x6b0\n ? genl_family_rcv_msg_attrs_parse.constprop.0+0xb5/0x240\n ? mlx5e_macsec_add_secy+0xf9/0x700 [mlx5_core]\n mlx5e_macsec_add_secy+0xf9/0x700 [mlx5_core]\n ? mlx5e_macsec_add_rxsa+0x11a0/0x11a0 [mlx5_core]\n macsec_update_offload+0x26c/0x820\n ? macsec_set_mac_address+0x4b0/0x4b0\n ? lockdep_hardirqs_on_prepare+0x284/0x400\n ? _raw_spin_unlock_irqrestore+0x47/0x50\n macsec_upd_offload+0x2c8/0x380\n ? macsec_update_offload+0x820/0x820\n ? __nla_parse+0x22/0x30\n ? genl_family_rcv_msg_attrs_parse.constprop.0+0x15e/0x240\n genl_family_rcv_msg_doit+0x1cc/0x2a0\n ? genl_family_rcv_msg_attrs_parse.constprop.0+0x240/0x240\n ? cap_capable+0xd4/0x330\n genl_rcv_msg+0x3ea/0x670\n ? genl_family_rcv_msg_dumpit+0x2a0/0x2a0\n ? lockdep_set_lock_cmp_fn+0x190/0x190\n ? macsec_update_offload+0x820/0x820\n netlink_rcv_skb+0x12b/0x390\n ? genl_family_rcv_msg_dumpit+0x2a0/0x2a0\n ? netlink_ack+0xd80/0xd80\n ? rwsem_down_read_slowpath+0xf90/0xf90\n ? netlink_deliver_tap+0xcd/0xac0\n ? netlink_deliver_tap+0x155/0xac0\n ? _copy_from_iter+0x1bb/0x12c0\n genl_rcv+0x24/0x40\n netlink_unicast+0x440/0x700\n ? netlink_attachskb+0x760/0x760\n ? lock_acquire+0x1c2/0x530\n ? __might_fault+0xbb/0x170\n netlink_sendmsg+0x749/0xc10\n ? netlink_unicast+0x700/0x700\n ? __might_fault+0xbb/0x170\n ? netlink_unicast+0x700/0x700\n __sock_sendmsg+0xc5/0x190\n ____sys_sendmsg+0x53f/0x760\n ? import_iovec+0x7/0x10\n ? kernel_sendmsg+0x30/0x30\n ? __copy_msghdr+0x3c0/0x3c0\n ? filter_irq_stacks+0x90/0x90\n ? stack_depot_save_flags+0x28/0xa30\n ___sys_sen\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-18T09:28:27.674Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1e577aeb51e9deba4f2c10edfcb07cb3cb406598"
        },
        {
          "url": "https://git.kernel.org/stable/c/b48a47e137cedfd79655accaeeea6b296ad0b9e1"
        },
        {
          "url": "https://git.kernel.org/stable/c/1f80e6ff026041721d8089da8c269b1963628325"
        },
        {
          "url": "https://git.kernel.org/stable/c/1a69d53922c1221351739f17837d38e317234e5d"
        },
        {
          "url": "https://git.kernel.org/stable/c/588431474eb7572e57a927fa8558c9ba2f8af143"
        }
      ],
      "title": "net/mlx5e: Disable MACsec offload for uplink representor profile",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38020",
    "datePublished": "2025-06-18T09:28:27.674Z",
    "dateReserved": "2025-04-16T04:51:23.977Z",
    "dateUpdated": "2025-11-03T19:58:20.670Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38135 (GCVE-0-2025-38135)

Vulnerability from cvelistv5

Published

2025-07-03 08:35

Modified

2025-11-03 17:34

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: serial: Fix potential null-ptr-deref in mlb_usio_probe() devm_ioremap() can return NULL on error. Currently, mlb_usio_probe() does not check for this case, which could result in a NULL pointer dereference. Add NULL check after devm_ioremap() to prevent this issue.

References

URL

Tags

	https://git.kernel.org/stable/c/a05ebe384c7ca75476453f3070c67d9cf1d1a89f
	https://git.kernel.org/stable/c/81159a6b064142b993f2f39828b77e199c77872a
	https://git.kernel.org/stable/c/19fd9f5a69363d33079097d866eb6082d61bf31d
	https://git.kernel.org/stable/c/548b0e81b9a0902a8bc8259430ed965663baadfc
	https://git.kernel.org/stable/c/a6c7c365734cd0fa1c5aa225a6294fdf80cad2ea
	https://git.kernel.org/stable/c/c23d87b43f7dba5eb12820f6cf21a1cd4f63eb3d
	https://git.kernel.org/stable/c/e1b144aebe6fb898d96ced8c990d7aa38fda4a7a
	https://git.kernel.org/stable/c/86bcae88c9209e334b2f8c252f4cc66beb261886

Impacted products

Vendor

Product

Version

Linux

Version: ba44dc04300441b47618f9933bf36e75a280e5fe
Version: ba44dc04300441b47618f9933bf36e75a280e5fe
Version: ba44dc04300441b47618f9933bf36e75a280e5fe
Version: ba44dc04300441b47618f9933bf36e75a280e5fe
Version: ba44dc04300441b47618f9933bf36e75a280e5fe
Version: ba44dc04300441b47618f9933bf36e75a280e5fe
Version: ba44dc04300441b47618f9933bf36e75a280e5fe
Version: ba44dc04300441b47618f9933bf36e75a280e5fe

Linux

Version: 5.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:34:27.045Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/tty/serial/milbeaut_usio.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a05ebe384c7ca75476453f3070c67d9cf1d1a89f",
              "status": "affected",
              "version": "ba44dc04300441b47618f9933bf36e75a280e5fe",
              "versionType": "git"
            },
            {
              "lessThan": "81159a6b064142b993f2f39828b77e199c77872a",
              "status": "affected",
              "version": "ba44dc04300441b47618f9933bf36e75a280e5fe",
              "versionType": "git"
            },
            {
              "lessThan": "19fd9f5a69363d33079097d866eb6082d61bf31d",
              "status": "affected",
              "version": "ba44dc04300441b47618f9933bf36e75a280e5fe",
              "versionType": "git"
            },
            {
              "lessThan": "548b0e81b9a0902a8bc8259430ed965663baadfc",
              "status": "affected",
              "version": "ba44dc04300441b47618f9933bf36e75a280e5fe",
              "versionType": "git"
            },
            {
              "lessThan": "a6c7c365734cd0fa1c5aa225a6294fdf80cad2ea",
              "status": "affected",
              "version": "ba44dc04300441b47618f9933bf36e75a280e5fe",
              "versionType": "git"
            },
            {
              "lessThan": "c23d87b43f7dba5eb12820f6cf21a1cd4f63eb3d",
              "status": "affected",
              "version": "ba44dc04300441b47618f9933bf36e75a280e5fe",
              "versionType": "git"
            },
            {
              "lessThan": "e1b144aebe6fb898d96ced8c990d7aa38fda4a7a",
              "status": "affected",
              "version": "ba44dc04300441b47618f9933bf36e75a280e5fe",
              "versionType": "git"
            },
            {
              "lessThan": "86bcae88c9209e334b2f8c252f4cc66beb261886",
              "status": "affected",
              "version": "ba44dc04300441b47618f9933bf36e75a280e5fe",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/tty/serial/milbeaut_usio.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.2"
            },
            {
              "lessThan": "5.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.295",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.295",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.94",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: Fix potential null-ptr-deref in mlb_usio_probe()\n\ndevm_ioremap() can return NULL on error. Currently, mlb_usio_probe()\ndoes not check for this case, which could result in a NULL pointer\ndereference.\n\nAdd NULL check after devm_ioremap() to prevent this issue."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:13:11.475Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a05ebe384c7ca75476453f3070c67d9cf1d1a89f"
        },
        {
          "url": "https://git.kernel.org/stable/c/81159a6b064142b993f2f39828b77e199c77872a"
        },
        {
          "url": "https://git.kernel.org/stable/c/19fd9f5a69363d33079097d866eb6082d61bf31d"
        },
        {
          "url": "https://git.kernel.org/stable/c/548b0e81b9a0902a8bc8259430ed965663baadfc"
        },
        {
          "url": "https://git.kernel.org/stable/c/a6c7c365734cd0fa1c5aa225a6294fdf80cad2ea"
        },
        {
          "url": "https://git.kernel.org/stable/c/c23d87b43f7dba5eb12820f6cf21a1cd4f63eb3d"
        },
        {
          "url": "https://git.kernel.org/stable/c/e1b144aebe6fb898d96ced8c990d7aa38fda4a7a"
        },
        {
          "url": "https://git.kernel.org/stable/c/86bcae88c9209e334b2f8c252f4cc66beb261886"
        }
      ],
      "title": "serial: Fix potential null-ptr-deref in mlb_usio_probe()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38135",
    "datePublished": "2025-07-03T08:35:38.295Z",
    "dateReserved": "2025-04-16T04:51:23.987Z",
    "dateUpdated": "2025-11-03T17:34:27.045Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-49861 (GCVE-0-2024-49861)

Vulnerability from cvelistv5

Published

2024-10-21 12:27

Modified

2025-11-03 20:41

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix helper writes to read-only maps Lonial found an issue that despite user- and BPF-side frozen BPF map (like in case of .rodata), it was still possible to write into it from a BPF program side through specific helpers having ARG_PTR_TO_{LONG,INT} as arguments. In check_func_arg() when the argument is as mentioned, the meta->raw_mode is never set. Later, check_helper_mem_access(), under the case of PTR_TO_MAP_VALUE as register base type, it assumes BPF_READ for the subsequent call to check_map_access_type() and given the BPF map is read-only it succeeds. The helpers really need to be annotated as ARG_PTR_TO_{LONG,INT} | MEM_UNINIT when results are written into them as opposed to read out of them. The latter indicates that it's okay to pass a pointer to uninitialized memory as the memory is written to anyway. However, ARG_PTR_TO_{LONG,INT} is a special case of ARG_PTR_TO_FIXED_SIZE_MEM just with additional alignment requirement. So it is better to just get rid of the ARG_PTR_TO_{LONG,INT} special cases altogether and reuse the fixed size memory types. For this, add MEM_ALIGNED to additionally ensure alignment given these helpers write directly into the args via *<ptr> = val. The .arg*_size has been initialized reflecting the actual sizeof(*<ptr>). MEM_ALIGNED can only be used in combination with MEM_FIXED_SIZE annotated argument types, since in !MEM_FIXED_SIZE cases the verifier does not know the buffer size a priori and therefore cannot blindly write *<ptr> = val.

References

URL

Tags

	https://git.kernel.org/stable/c/988e55abcf7fdb8fc9a76a7cf3f4e939a4d4fb3a
	https://git.kernel.org/stable/c/a2c8dc7e21803257e762b0bf067fd13e9c995da0
	https://git.kernel.org/stable/c/2ed98ee02d1e08afee88f54baec39ea78dc8a23c
	https://git.kernel.org/stable/c/1e75d25133158b525e0456876e9bcfd6b2993fd5
	https://git.kernel.org/stable/c/32556ce93bc45c730829083cb60f95a2728ea48b

Impacted products

Vendor

Product

Version

Linux

Version: 57c3bb725a3dd97d960d7e1cd0845d88de53217f
Version: 57c3bb725a3dd97d960d7e1cd0845d88de53217f
Version: 57c3bb725a3dd97d960d7e1cd0845d88de53217f
Version: 57c3bb725a3dd97d960d7e1cd0845d88de53217f
Version: 57c3bb725a3dd97d960d7e1cd0845d88de53217f

Linux

Version: 5.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-49861",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-21T12:55:39.105078Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-21T13:04:10.325Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:41:16.087Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/linux/bpf.h",
            "kernel/bpf/helpers.c",
            "kernel/bpf/syscall.c",
            "kernel/bpf/verifier.c",
            "kernel/trace/bpf_trace.c",
            "net/core/filter.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "988e55abcf7fdb8fc9a76a7cf3f4e939a4d4fb3a",
              "status": "affected",
              "version": "57c3bb725a3dd97d960d7e1cd0845d88de53217f",
              "versionType": "git"
            },
            {
              "lessThan": "a2c8dc7e21803257e762b0bf067fd13e9c995da0",
              "status": "affected",
              "version": "57c3bb725a3dd97d960d7e1cd0845d88de53217f",
              "versionType": "git"
            },
            {
              "lessThan": "2ed98ee02d1e08afee88f54baec39ea78dc8a23c",
              "status": "affected",
              "version": "57c3bb725a3dd97d960d7e1cd0845d88de53217f",
              "versionType": "git"
            },
            {
              "lessThan": "1e75d25133158b525e0456876e9bcfd6b2993fd5",
              "status": "affected",
              "version": "57c3bb725a3dd97d960d7e1cd0845d88de53217f",
              "versionType": "git"
            },
            {
              "lessThan": "32556ce93bc45c730829083cb60f95a2728ea48b",
              "status": "affected",
              "version": "57c3bb725a3dd97d960d7e1cd0845d88de53217f",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/linux/bpf.h",
            "kernel/bpf/helpers.c",
            "kernel/bpf/syscall.c",
            "kernel/bpf/verifier.c",
            "kernel/trace/bpf_trace.c",
            "net/core/filter.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.2"
            },
            {
              "lessThan": "5.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.54",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.10.*",
              "status": "unaffected",
              "version": "6.10.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.11.*",
              "status": "unaffected",
              "version": "6.11.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.12",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.120",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.54",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.10.13",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.11.2",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix helper writes to read-only maps\n\nLonial found an issue that despite user- and BPF-side frozen BPF map\n(like in case of .rodata), it was still possible to write into it from\na BPF program side through specific helpers having ARG_PTR_TO_{LONG,INT}\nas arguments.\n\nIn check_func_arg() when the argument is as mentioned, the meta-\u003eraw_mode\nis never set. Later, check_helper_mem_access(), under the case of\nPTR_TO_MAP_VALUE as register base type, it assumes BPF_READ for the\nsubsequent call to check_map_access_type() and given the BPF map is\nread-only it succeeds.\n\nThe helpers really need to be annotated as ARG_PTR_TO_{LONG,INT} | MEM_UNINIT\nwhen results are written into them as opposed to read out of them. The\nlatter indicates that it\u0027s okay to pass a pointer to uninitialized memory\nas the memory is written to anyway.\n\nHowever, ARG_PTR_TO_{LONG,INT} is a special case of ARG_PTR_TO_FIXED_SIZE_MEM\njust with additional alignment requirement. So it is better to just get\nrid of the ARG_PTR_TO_{LONG,INT} special cases altogether and reuse the\nfixed size memory types. For this, add MEM_ALIGNED to additionally ensure\nalignment given these helpers write directly into the args via *\u003cptr\u003e = val.\nThe .arg*_size has been initialized reflecting the actual sizeof(*\u003cptr\u003e).\n\nMEM_ALIGNED can only be used in combination with MEM_FIXED_SIZE annotated\nargument types, since in !MEM_FIXED_SIZE cases the verifier does not know\nthe buffer size a priori and therefore cannot blindly write *\u003cptr\u003e = val."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:39:46.114Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/988e55abcf7fdb8fc9a76a7cf3f4e939a4d4fb3a"
        },
        {
          "url": "https://git.kernel.org/stable/c/a2c8dc7e21803257e762b0bf067fd13e9c995da0"
        },
        {
          "url": "https://git.kernel.org/stable/c/2ed98ee02d1e08afee88f54baec39ea78dc8a23c"
        },
        {
          "url": "https://git.kernel.org/stable/c/1e75d25133158b525e0456876e9bcfd6b2993fd5"
        },
        {
          "url": "https://git.kernel.org/stable/c/32556ce93bc45c730829083cb60f95a2728ea48b"
        }
      ],
      "title": "bpf: Fix helper writes to read-only maps",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-49861",
    "datePublished": "2024-10-21T12:27:19.321Z",
    "dateReserved": "2024-10-21T12:17:06.017Z",
    "dateUpdated": "2025-11-03T20:41:16.087Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38371 (GCVE-0-2025-38371)

Vulnerability from cvelistv5

Published

2025-07-25 12:53

Modified

2025-11-03 17:37

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/v3d: Disable interrupts before resetting the GPU Currently, an interrupt can be triggered during a GPU reset, which can lead to GPU hangs and NULL pointer dereference in an interrupt context as shown in the following trace: [ 314.035040] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000c0 [ 314.043822] Mem abort info: [ 314.046606] ESR = 0x0000000096000005 [ 314.050347] EC = 0x25: DABT (current EL), IL = 32 bits [ 314.055651] SET = 0, FnV = 0 [ 314.058695] EA = 0, S1PTW = 0 [ 314.061826] FSC = 0x05: level 1 translation fault [ 314.066694] Data abort info: [ 314.069564] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000 [ 314.075039] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 314.080080] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 314.085382] user pgtable: 4k pages, 39-bit VAs, pgdp=0000000102728000 [ 314.091814] [00000000000000c0] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000 [ 314.100511] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP [ 314.106770] Modules linked in: v3d i2c_brcmstb vc4 snd_soc_hdmi_codec gpu_sched drm_shmem_helper drm_display_helper cec drm_dma_helper drm_kms_helper drm drm_panel_orientation_quirks snd_soc_core snd_compress snd_pcm_dmaengine snd_pcm snd_timer snd backlight [ 314.129654] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.25+rpt-rpi-v8 #1 Debian 1:6.12.25-1+rpt1 [ 314.139388] Hardware name: Raspberry Pi 4 Model B Rev 1.4 (DT) [ 314.145211] pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 314.152165] pc : v3d_irq+0xec/0x2e0 [v3d] [ 314.156187] lr : v3d_irq+0xe0/0x2e0 [v3d] [ 314.160198] sp : ffffffc080003ea0 [ 314.163502] x29: ffffffc080003ea0 x28: ffffffec1f184980 x27: 021202b000000000 [ 314.170633] x26: ffffffec1f17f630 x25: ffffff8101372000 x24: ffffffec1f17d9f0 [ 314.177764] x23: 000000000000002a x22: 000000000000002a x21: ffffff8103252000 [ 314.184895] x20: 0000000000000001 x19: 00000000deadbeef x18: 0000000000000000 [ 314.192026] x17: ffffff94e51d2000 x16: ffffffec1dac3cb0 x15: c306000000000000 [ 314.199156] x14: 0000000000000000 x13: b2fc982e03cc5168 x12: 0000000000000001 [ 314.206286] x11: ffffff8103f8bcc0 x10: ffffffec1f196868 x9 : ffffffec1dac3874 [ 314.213416] x8 : 0000000000000000 x7 : 0000000000042a3a x6 : ffffff810017a180 [ 314.220547] x5 : ffffffec1ebad400 x4 : ffffffec1ebad320 x3 : 00000000000bebeb [ 314.227677] x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000 [ 314.234807] Call trace: [ 314.237243] v3d_irq+0xec/0x2e0 [v3d] [ 314.240906] __handle_irq_event_percpu+0x58/0x218 [ 314.245609] handle_irq_event+0x54/0xb8 [ 314.249439] handle_fasteoi_irq+0xac/0x240 [ 314.253527] handle_irq_desc+0x48/0x68 [ 314.257269] generic_handle_domain_irq+0x24/0x38 [ 314.261879] gic_handle_irq+0x48/0xd8 [ 314.265533] call_on_irq_stack+0x24/0x58 [ 314.269448] do_interrupt_handler+0x88/0x98 [ 314.273624] el1_interrupt+0x34/0x68 [ 314.277193] el1h_64_irq_handler+0x18/0x28 [ 314.281281] el1h_64_irq+0x64/0x68 [ 314.284673] default_idle_call+0x3c/0x168 [ 314.288675] do_idle+0x1fc/0x230 [ 314.291895] cpu_startup_entry+0x3c/0x50 [ 314.295810] rest_init+0xe4/0xf0 [ 314.299030] start_kernel+0x5e8/0x790 [ 314.302684] __primary_switched+0x80/0x90 [ 314.306691] Code: 940029eb 360ffc13 f9442ea0 52800001 (f9406017) [ 314.312775] ---[ end trace 0000000000000000 ]--- [ 314.317384] Kernel panic - not syncing: Oops: Fatal exception in interrupt [ 314.324249] SMP: stopping secondary CPUs [ 314.328167] Kernel Offset: 0x2b9da00000 from 0xffffffc080000000 [ 314.334076] PHYS_OFFSET: 0x0 [ 314.336946] CPU features: 0x08,00002013,c0200000,0200421b [ 314.342337] Memory Limit: none [ 314.345382] ---[ end Kernel panic - not syncing: Oops: Fatal exception in interrupt ]--- Before resetting the G ---truncated---

References

URL

Tags

	https://git.kernel.org/stable/c/b9c403d1236cecb10dd0246a30d81e4b265f8e8d
	https://git.kernel.org/stable/c/2446e25e9246e0642a41d91cbf54c33b275da3c3
	https://git.kernel.org/stable/c/576a6739e08ac06c67f2916f71204557232388b0
	https://git.kernel.org/stable/c/c8851a6ab19d9f390677c42a3cc01ff9b2eb6241
	https://git.kernel.org/stable/c/387da3b6d1a90e3210bc9a7fb56703bdad2ac18a
	https://git.kernel.org/stable/c/9ff95ed0371aec4d9617e478e9c69cde86cd7c38
	https://git.kernel.org/stable/c/dc805c927cd832bb8f790b756880ae6c769d5fbc
	https://git.kernel.org/stable/c/226862f50a7a88e4e4de9abbf36c64d19acd6fd0

Impacted products

Vendor

Product

Version

Linux

Version: 57692c94dcbe99a1e0444409a3da13fb3443562c
Version: 57692c94dcbe99a1e0444409a3da13fb3443562c
Version: 57692c94dcbe99a1e0444409a3da13fb3443562c
Version: 57692c94dcbe99a1e0444409a3da13fb3443562c
Version: 57692c94dcbe99a1e0444409a3da13fb3443562c
Version: 57692c94dcbe99a1e0444409a3da13fb3443562c
Version: 57692c94dcbe99a1e0444409a3da13fb3443562c
Version: 57692c94dcbe99a1e0444409a3da13fb3443562c

Linux

Version: 4.18

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:37:10.513Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/v3d/v3d_drv.h",
            "drivers/gpu/drm/v3d/v3d_gem.c",
            "drivers/gpu/drm/v3d/v3d_irq.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b9c403d1236cecb10dd0246a30d81e4b265f8e8d",
              "status": "affected",
              "version": "57692c94dcbe99a1e0444409a3da13fb3443562c",
              "versionType": "git"
            },
            {
              "lessThan": "2446e25e9246e0642a41d91cbf54c33b275da3c3",
              "status": "affected",
              "version": "57692c94dcbe99a1e0444409a3da13fb3443562c",
              "versionType": "git"
            },
            {
              "lessThan": "576a6739e08ac06c67f2916f71204557232388b0",
              "status": "affected",
              "version": "57692c94dcbe99a1e0444409a3da13fb3443562c",
              "versionType": "git"
            },
            {
              "lessThan": "c8851a6ab19d9f390677c42a3cc01ff9b2eb6241",
              "status": "affected",
              "version": "57692c94dcbe99a1e0444409a3da13fb3443562c",
              "versionType": "git"
            },
            {
              "lessThan": "387da3b6d1a90e3210bc9a7fb56703bdad2ac18a",
              "status": "affected",
              "version": "57692c94dcbe99a1e0444409a3da13fb3443562c",
              "versionType": "git"
            },
            {
              "lessThan": "9ff95ed0371aec4d9617e478e9c69cde86cd7c38",
              "status": "affected",
              "version": "57692c94dcbe99a1e0444409a3da13fb3443562c",
              "versionType": "git"
            },
            {
              "lessThan": "dc805c927cd832bb8f790b756880ae6c769d5fbc",
              "status": "affected",
              "version": "57692c94dcbe99a1e0444409a3da13fb3443562c",
              "versionType": "git"
            },
            {
              "lessThan": "226862f50a7a88e4e4de9abbf36c64d19acd6fd0",
              "status": "affected",
              "version": "57692c94dcbe99a1e0444409a3da13fb3443562c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/v3d/v3d_drv.h",
            "drivers/gpu/drm/v3d/v3d_gem.c",
            "drivers/gpu/drm/v3d/v3d_irq.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.18"
            },
            {
              "lessThan": "4.18",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.296",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.240",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.187",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.144",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.97",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.37",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.296",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.240",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.187",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.144",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.97",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.37",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.6",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/v3d: Disable interrupts before resetting the GPU\n\nCurrently, an interrupt can be triggered during a GPU reset, which can\nlead to GPU hangs and NULL pointer dereference in an interrupt context\nas shown in the following trace:\n\n [  314.035040] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000c0\n [  314.043822] Mem abort info:\n [  314.046606]   ESR = 0x0000000096000005\n [  314.050347]   EC = 0x25: DABT (current EL), IL = 32 bits\n [  314.055651]   SET = 0, FnV = 0\n [  314.058695]   EA = 0, S1PTW = 0\n [  314.061826]   FSC = 0x05: level 1 translation fault\n [  314.066694] Data abort info:\n [  314.069564]   ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000\n [  314.075039]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n [  314.080080]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n [  314.085382] user pgtable: 4k pages, 39-bit VAs, pgdp=0000000102728000\n [  314.091814] [00000000000000c0] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000\n [  314.100511] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP\n [  314.106770] Modules linked in: v3d i2c_brcmstb vc4 snd_soc_hdmi_codec gpu_sched drm_shmem_helper drm_display_helper cec drm_dma_helper drm_kms_helper drm drm_panel_orientation_quirks snd_soc_core snd_compress snd_pcm_dmaengine snd_pcm snd_timer snd backlight\n [  314.129654] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.25+rpt-rpi-v8 #1  Debian 1:6.12.25-1+rpt1\n [  314.139388] Hardware name: Raspberry Pi 4 Model B Rev 1.4 (DT)\n [  314.145211] pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n [  314.152165] pc : v3d_irq+0xec/0x2e0 [v3d]\n [  314.156187] lr : v3d_irq+0xe0/0x2e0 [v3d]\n [  314.160198] sp : ffffffc080003ea0\n [  314.163502] x29: ffffffc080003ea0 x28: ffffffec1f184980 x27: 021202b000000000\n [  314.170633] x26: ffffffec1f17f630 x25: ffffff8101372000 x24: ffffffec1f17d9f0\n [  314.177764] x23: 000000000000002a x22: 000000000000002a x21: ffffff8103252000\n [  314.184895] x20: 0000000000000001 x19: 00000000deadbeef x18: 0000000000000000\n [  314.192026] x17: ffffff94e51d2000 x16: ffffffec1dac3cb0 x15: c306000000000000\n [  314.199156] x14: 0000000000000000 x13: b2fc982e03cc5168 x12: 0000000000000001\n [  314.206286] x11: ffffff8103f8bcc0 x10: ffffffec1f196868 x9 : ffffffec1dac3874\n [  314.213416] x8 : 0000000000000000 x7 : 0000000000042a3a x6 : ffffff810017a180\n [  314.220547] x5 : ffffffec1ebad400 x4 : ffffffec1ebad320 x3 : 00000000000bebeb\n [  314.227677] x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000\n [  314.234807] Call trace:\n [  314.237243]  v3d_irq+0xec/0x2e0 [v3d]\n [  314.240906]  __handle_irq_event_percpu+0x58/0x218\n [  314.245609]  handle_irq_event+0x54/0xb8\n [  314.249439]  handle_fasteoi_irq+0xac/0x240\n [  314.253527]  handle_irq_desc+0x48/0x68\n [  314.257269]  generic_handle_domain_irq+0x24/0x38\n [  314.261879]  gic_handle_irq+0x48/0xd8\n [  314.265533]  call_on_irq_stack+0x24/0x58\n [  314.269448]  do_interrupt_handler+0x88/0x98\n [  314.273624]  el1_interrupt+0x34/0x68\n [  314.277193]  el1h_64_irq_handler+0x18/0x28\n [  314.281281]  el1h_64_irq+0x64/0x68\n [  314.284673]  default_idle_call+0x3c/0x168\n [  314.288675]  do_idle+0x1fc/0x230\n [  314.291895]  cpu_startup_entry+0x3c/0x50\n [  314.295810]  rest_init+0xe4/0xf0\n [  314.299030]  start_kernel+0x5e8/0x790\n [  314.302684]  __primary_switched+0x80/0x90\n [  314.306691] Code: 940029eb 360ffc13 f9442ea0 52800001 (f9406017)\n [  314.312775] ---[ end trace 0000000000000000 ]---\n [  314.317384] Kernel panic - not syncing: Oops: Fatal exception in interrupt\n [  314.324249] SMP: stopping secondary CPUs\n [  314.328167] Kernel Offset: 0x2b9da00000 from 0xffffffc080000000\n [  314.334076] PHYS_OFFSET: 0x0\n [  314.336946] CPU features: 0x08,00002013,c0200000,0200421b\n [  314.342337] Memory Limit: none\n [  314.345382] ---[ end Kernel panic - not syncing: Oops: Fatal exception in interrupt ]---\n\nBefore resetting the G\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:20:15.525Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b9c403d1236cecb10dd0246a30d81e4b265f8e8d"
        },
        {
          "url": "https://git.kernel.org/stable/c/2446e25e9246e0642a41d91cbf54c33b275da3c3"
        },
        {
          "url": "https://git.kernel.org/stable/c/576a6739e08ac06c67f2916f71204557232388b0"
        },
        {
          "url": "https://git.kernel.org/stable/c/c8851a6ab19d9f390677c42a3cc01ff9b2eb6241"
        },
        {
          "url": "https://git.kernel.org/stable/c/387da3b6d1a90e3210bc9a7fb56703bdad2ac18a"
        },
        {
          "url": "https://git.kernel.org/stable/c/9ff95ed0371aec4d9617e478e9c69cde86cd7c38"
        },
        {
          "url": "https://git.kernel.org/stable/c/dc805c927cd832bb8f790b756880ae6c769d5fbc"
        },
        {
          "url": "https://git.kernel.org/stable/c/226862f50a7a88e4e4de9abbf36c64d19acd6fd0"
        }
      ],
      "title": "drm/v3d: Disable interrupts before resetting the GPU",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38371",
    "datePublished": "2025-07-25T12:53:14.292Z",
    "dateReserved": "2025-04-16T04:51:24.009Z",
    "dateUpdated": "2025-11-03T17:37:10.513Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38206 (GCVE-0-2025-38206)

Vulnerability from cvelistv5

Published

2025-07-04 13:37

Modified

2025-11-03 17:35

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: exfat: fix double free in delayed_free The double free could happen in the following path. exfat_create_upcase_table() exfat_create_upcase_table() : return error exfat_free_upcase_table() : free ->vol_utbl exfat_load_default_upcase_table : return error exfat_kill_sb() delayed_free() exfat_free_upcase_table() <--------- double free This patch set ->vol_util as NULL after freeing it.

References

URL

Tags

	https://git.kernel.org/stable/c/13d8de1b6568dcc31a95534ced16bc0c9a67bc15
	https://git.kernel.org/stable/c/66e84439ec2af776ce749e8540f8fdd257774152
	https://git.kernel.org/stable/c/d3cef0e7a5c1aa6217c51faa9ce8ecac35d6e1fd
	https://git.kernel.org/stable/c/1f3d9724e16d62c7d42c67d6613b8512f2887c22

Impacted products

Vendor

Product

Version

Linux

Version: 1acf1a564b6034b5af1e7fb23cb98cb3bb4f6003
Version: 1acf1a564b6034b5af1e7fb23cb98cb3bb4f6003
Version: 1acf1a564b6034b5af1e7fb23cb98cb3bb4f6003
Version: 1acf1a564b6034b5af1e7fb23cb98cb3bb4f6003

Linux

Version: 5.7

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:35:27.691Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/exfat/nls.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "13d8de1b6568dcc31a95534ced16bc0c9a67bc15",
              "status": "affected",
              "version": "1acf1a564b6034b5af1e7fb23cb98cb3bb4f6003",
              "versionType": "git"
            },
            {
              "lessThan": "66e84439ec2af776ce749e8540f8fdd257774152",
              "status": "affected",
              "version": "1acf1a564b6034b5af1e7fb23cb98cb3bb4f6003",
              "versionType": "git"
            },
            {
              "lessThan": "d3cef0e7a5c1aa6217c51faa9ce8ecac35d6e1fd",
              "status": "affected",
              "version": "1acf1a564b6034b5af1e7fb23cb98cb3bb4f6003",
              "versionType": "git"
            },
            {
              "lessThan": "1f3d9724e16d62c7d42c67d6613b8512f2887c22",
              "status": "affected",
              "version": "1acf1a564b6034b5af1e7fb23cb98cb3bb4f6003",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/exfat/nls.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.7"
            },
            {
              "lessThan": "5.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.4",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nexfat: fix double free in delayed_free\n\nThe double free could happen in the following path.\n\nexfat_create_upcase_table()\n        exfat_create_upcase_table() : return error\n        exfat_free_upcase_table() : free -\u003evol_utbl\n        exfat_load_default_upcase_table : return error\n     exfat_kill_sb()\n           delayed_free()\n                  exfat_free_upcase_table() \u003c--------- double free\nThis patch set -\u003evol_util as NULL after freeing it."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:15:04.639Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/13d8de1b6568dcc31a95534ced16bc0c9a67bc15"
        },
        {
          "url": "https://git.kernel.org/stable/c/66e84439ec2af776ce749e8540f8fdd257774152"
        },
        {
          "url": "https://git.kernel.org/stable/c/d3cef0e7a5c1aa6217c51faa9ce8ecac35d6e1fd"
        },
        {
          "url": "https://git.kernel.org/stable/c/1f3d9724e16d62c7d42c67d6613b8512f2887c22"
        }
      ],
      "title": "exfat: fix double free in delayed_free",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38206",
    "datePublished": "2025-07-04T13:37:25.966Z",
    "dateReserved": "2025-04-16T04:51:23.994Z",
    "dateUpdated": "2025-11-03T17:35:27.691Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38100 (GCVE-0-2025-38100)

Vulnerability from cvelistv5

Published

2025-07-03 08:35

Modified

2025-11-03 17:34

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: x86/iopl: Cure TIF_IO_BITMAP inconsistencies io_bitmap_exit() is invoked from exit_thread() when a task exists or when a fork fails. In the latter case the exit_thread() cleans up resources which were allocated during fork(). io_bitmap_exit() invokes task_update_io_bitmap(), which in turn ends up in tss_update_io_bitmap(). tss_update_io_bitmap() operates on the current task. If current has TIF_IO_BITMAP set, but no bitmap installed, tss_update_io_bitmap() crashes with a NULL pointer dereference. There are two issues, which lead to that problem: 1) io_bitmap_exit() should not invoke task_update_io_bitmap() when the task, which is cleaned up, is not the current task. That's a clear indicator for a cleanup after a failed fork(). 2) A task should not have TIF_IO_BITMAP set and neither a bitmap installed nor IOPL emulation level 3 activated. This happens when a kernel thread is created in the context of a user space thread, which has TIF_IO_BITMAP set as the thread flags are copied and the IO bitmap pointer is cleared. Other than in the failed fork() case this has no impact because kernel threads including IO workers never return to user space and therefore never invoke tss_update_io_bitmap(). Cure this by adding the missing cleanups and checks: 1) Prevent io_bitmap_exit() to invoke task_update_io_bitmap() if the to be cleaned up task is not the current task. 2) Clear TIF_IO_BITMAP in copy_thread() unconditionally. For user space forks it is set later, when the IO bitmap is inherited in io_bitmap_share(). For paranoia sake, add a warning into tss_update_io_bitmap() to catch the case, when that code is invoked with inconsistent state.

References

URL

Tags

	https://git.kernel.org/stable/c/d64b7b05a827f98d068f412969eef65489b0cf03
	https://git.kernel.org/stable/c/2dace5e016c991424a3dc6e83b1ae5dca8992d08
	https://git.kernel.org/stable/c/aa5ce1485562f20235b4c759eee5ab0c41d2c220
	https://git.kernel.org/stable/c/2cfcbe1554c119402e7382de974c26b0549899fe
	https://git.kernel.org/stable/c/b3b3b6366dc8eb5b22edba9adc4bff3cdacfd64c
	https://git.kernel.org/stable/c/73cfcc8445585b8af7e18be3c9246b851fdf336c
	https://git.kernel.org/stable/c/8b68e978718f14fdcb080c2a7791c52a0d09bc6d

Impacted products

Vendor

Product

Version

Linux

Version: ea5f1cd7ab494f65f50f338299eabb40ad6a1767
Version: ea5f1cd7ab494f65f50f338299eabb40ad6a1767
Version: ea5f1cd7ab494f65f50f338299eabb40ad6a1767
Version: ea5f1cd7ab494f65f50f338299eabb40ad6a1767
Version: ea5f1cd7ab494f65f50f338299eabb40ad6a1767
Version: ea5f1cd7ab494f65f50f338299eabb40ad6a1767
Version: ea5f1cd7ab494f65f50f338299eabb40ad6a1767

Linux

Version: 5.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:34:04.011Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/kernel/ioport.c",
            "arch/x86/kernel/process.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d64b7b05a827f98d068f412969eef65489b0cf03",
              "status": "affected",
              "version": "ea5f1cd7ab494f65f50f338299eabb40ad6a1767",
              "versionType": "git"
            },
            {
              "lessThan": "2dace5e016c991424a3dc6e83b1ae5dca8992d08",
              "status": "affected",
              "version": "ea5f1cd7ab494f65f50f338299eabb40ad6a1767",
              "versionType": "git"
            },
            {
              "lessThan": "aa5ce1485562f20235b4c759eee5ab0c41d2c220",
              "status": "affected",
              "version": "ea5f1cd7ab494f65f50f338299eabb40ad6a1767",
              "versionType": "git"
            },
            {
              "lessThan": "2cfcbe1554c119402e7382de974c26b0549899fe",
              "status": "affected",
              "version": "ea5f1cd7ab494f65f50f338299eabb40ad6a1767",
              "versionType": "git"
            },
            {
              "lessThan": "b3b3b6366dc8eb5b22edba9adc4bff3cdacfd64c",
              "status": "affected",
              "version": "ea5f1cd7ab494f65f50f338299eabb40ad6a1767",
              "versionType": "git"
            },
            {
              "lessThan": "73cfcc8445585b8af7e18be3c9246b851fdf336c",
              "status": "affected",
              "version": "ea5f1cd7ab494f65f50f338299eabb40ad6a1767",
              "versionType": "git"
            },
            {
              "lessThan": "8b68e978718f14fdcb080c2a7791c52a0d09bc6d",
              "status": "affected",
              "version": "ea5f1cd7ab494f65f50f338299eabb40ad6a1767",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/kernel/ioport.c",
            "arch/x86/kernel/process.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.5"
            },
            {
              "lessThan": "5.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.94",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/iopl: Cure TIF_IO_BITMAP inconsistencies\n\nio_bitmap_exit() is invoked from exit_thread() when a task exists or\nwhen a fork fails. In the latter case the exit_thread() cleans up\nresources which were allocated during fork().\n\nio_bitmap_exit() invokes task_update_io_bitmap(), which in turn ends up\nin tss_update_io_bitmap(). tss_update_io_bitmap() operates on the\ncurrent task. If current has TIF_IO_BITMAP set, but no bitmap installed,\ntss_update_io_bitmap() crashes with a NULL pointer dereference.\n\nThere are two issues, which lead to that problem:\n\n  1) io_bitmap_exit() should not invoke task_update_io_bitmap() when\n     the task, which is cleaned up, is not the current task. That\u0027s a\n     clear indicator for a cleanup after a failed fork().\n\n  2) A task should not have TIF_IO_BITMAP set and neither a bitmap\n     installed nor IOPL emulation level 3 activated.\n\n     This happens when a kernel thread is created in the context of\n     a user space thread, which has TIF_IO_BITMAP set as the thread\n     flags are copied and the IO bitmap pointer is cleared.\n\n     Other than in the failed fork() case this has no impact because\n     kernel threads including IO workers never return to user space and\n     therefore never invoke tss_update_io_bitmap().\n\nCure this by adding the missing cleanups and checks:\n\n  1) Prevent io_bitmap_exit() to invoke task_update_io_bitmap() if\n     the to be cleaned up task is not the current task.\n\n  2) Clear TIF_IO_BITMAP in copy_thread() unconditionally. For user\n     space forks it is set later, when the IO bitmap is inherited in\n     io_bitmap_share().\n\nFor paranoia sake, add a warning into tss_update_io_bitmap() to catch\nthe case, when that code is invoked with inconsistent state."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:12:08.909Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d64b7b05a827f98d068f412969eef65489b0cf03"
        },
        {
          "url": "https://git.kernel.org/stable/c/2dace5e016c991424a3dc6e83b1ae5dca8992d08"
        },
        {
          "url": "https://git.kernel.org/stable/c/aa5ce1485562f20235b4c759eee5ab0c41d2c220"
        },
        {
          "url": "https://git.kernel.org/stable/c/2cfcbe1554c119402e7382de974c26b0549899fe"
        },
        {
          "url": "https://git.kernel.org/stable/c/b3b3b6366dc8eb5b22edba9adc4bff3cdacfd64c"
        },
        {
          "url": "https://git.kernel.org/stable/c/73cfcc8445585b8af7e18be3c9246b851fdf336c"
        },
        {
          "url": "https://git.kernel.org/stable/c/8b68e978718f14fdcb080c2a7791c52a0d09bc6d"
        }
      ],
      "title": "x86/iopl: Cure TIF_IO_BITMAP inconsistencies",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38100",
    "datePublished": "2025-07-03T08:35:09.487Z",
    "dateReserved": "2025-04-16T04:51:23.985Z",
    "dateUpdated": "2025-11-03T17:34:04.011Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38312 (GCVE-0-2025-38312)

Vulnerability from cvelistv5

Published

2025-07-10 07:42

Modified

2025-11-03 17:36

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: fbdev: core: fbcvt: avoid division by 0 in fb_cvt_hperiod() In fb_find_mode_cvt(), iff mode->refresh somehow happens to be 0x80000000, cvt.f_refresh will become 0 when multiplying it by 2 due to overflow. It's then passed to fb_cvt_hperiod(), where it's used as a divider -- division by 0 will result in kernel oops. Add a sanity check for cvt.f_refresh to avoid such overflow... Found by Linux Verification Center (linuxtesting.org) with the Svace static analysis tool.

References

URL

Tags

	https://git.kernel.org/stable/c/9027ce4c037b566b658b8939a76326b7125e3627
	https://git.kernel.org/stable/c/610f247f2772e4f92b63442125a1b7ade79898d8
	https://git.kernel.org/stable/c/2d63433e8eaa3c91b2948190e395bc67009db0d9
	https://git.kernel.org/stable/c/54947530663edcbaaee1314c01fdd8c72861b124
	https://git.kernel.org/stable/c/ab91647acdf43b984824776559a452212eaeb21a
	https://git.kernel.org/stable/c/b235393b9f43ff86a38ca2bde6372312ea215dc5
	https://git.kernel.org/stable/c/53784073cbad18f75583fd3da9ffdfc4d1f05405
	https://git.kernel.org/stable/c/3f6dae09fc8c306eb70fdfef70726e1f154e173a

Impacted products

Vendor

Product

Version

Linux

Version: 96fe6a2109db29cd15b90a093c16e6cb4b19371a
Version: 96fe6a2109db29cd15b90a093c16e6cb4b19371a
Version: 96fe6a2109db29cd15b90a093c16e6cb4b19371a
Version: 96fe6a2109db29cd15b90a093c16e6cb4b19371a
Version: 96fe6a2109db29cd15b90a093c16e6cb4b19371a
Version: 96fe6a2109db29cd15b90a093c16e6cb4b19371a
Version: 96fe6a2109db29cd15b90a093c16e6cb4b19371a
Version: 96fe6a2109db29cd15b90a093c16e6cb4b19371a

Linux

Version: 2.6.14

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:36:25.507Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/video/fbdev/core/fbcvt.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "9027ce4c037b566b658b8939a76326b7125e3627",
              "status": "affected",
              "version": "96fe6a2109db29cd15b90a093c16e6cb4b19371a",
              "versionType": "git"
            },
            {
              "lessThan": "610f247f2772e4f92b63442125a1b7ade79898d8",
              "status": "affected",
              "version": "96fe6a2109db29cd15b90a093c16e6cb4b19371a",
              "versionType": "git"
            },
            {
              "lessThan": "2d63433e8eaa3c91b2948190e395bc67009db0d9",
              "status": "affected",
              "version": "96fe6a2109db29cd15b90a093c16e6cb4b19371a",
              "versionType": "git"
            },
            {
              "lessThan": "54947530663edcbaaee1314c01fdd8c72861b124",
              "status": "affected",
              "version": "96fe6a2109db29cd15b90a093c16e6cb4b19371a",
              "versionType": "git"
            },
            {
              "lessThan": "ab91647acdf43b984824776559a452212eaeb21a",
              "status": "affected",
              "version": "96fe6a2109db29cd15b90a093c16e6cb4b19371a",
              "versionType": "git"
            },
            {
              "lessThan": "b235393b9f43ff86a38ca2bde6372312ea215dc5",
              "status": "affected",
              "version": "96fe6a2109db29cd15b90a093c16e6cb4b19371a",
              "versionType": "git"
            },
            {
              "lessThan": "53784073cbad18f75583fd3da9ffdfc4d1f05405",
              "status": "affected",
              "version": "96fe6a2109db29cd15b90a093c16e6cb4b19371a",
              "versionType": "git"
            },
            {
              "lessThan": "3f6dae09fc8c306eb70fdfef70726e1f154e173a",
              "status": "affected",
              "version": "96fe6a2109db29cd15b90a093c16e6cb4b19371a",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/video/fbdev/core/fbcvt.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.14"
            },
            {
              "lessThan": "2.6.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.295",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.295",
                  "versionStartIncluding": "2.6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "2.6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "2.6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "2.6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.94",
                  "versionStartIncluding": "2.6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "2.6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "2.6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "2.6.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: core: fbcvt: avoid division by 0 in fb_cvt_hperiod()\n\nIn fb_find_mode_cvt(), iff mode-\u003erefresh somehow happens to be 0x80000000,\ncvt.f_refresh will become 0 when multiplying it by 2 due to overflow. It\u0027s\nthen passed to fb_cvt_hperiod(), where it\u0027s used as a divider -- division\nby 0 will result in kernel oops. Add a sanity check for cvt.f_refresh to\navoid such overflow...\n\nFound by Linux Verification Center (linuxtesting.org) with the Svace static\nanalysis tool."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:18:17.112Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/9027ce4c037b566b658b8939a76326b7125e3627"
        },
        {
          "url": "https://git.kernel.org/stable/c/610f247f2772e4f92b63442125a1b7ade79898d8"
        },
        {
          "url": "https://git.kernel.org/stable/c/2d63433e8eaa3c91b2948190e395bc67009db0d9"
        },
        {
          "url": "https://git.kernel.org/stable/c/54947530663edcbaaee1314c01fdd8c72861b124"
        },
        {
          "url": "https://git.kernel.org/stable/c/ab91647acdf43b984824776559a452212eaeb21a"
        },
        {
          "url": "https://git.kernel.org/stable/c/b235393b9f43ff86a38ca2bde6372312ea215dc5"
        },
        {
          "url": "https://git.kernel.org/stable/c/53784073cbad18f75583fd3da9ffdfc4d1f05405"
        },
        {
          "url": "https://git.kernel.org/stable/c/3f6dae09fc8c306eb70fdfef70726e1f154e173a"
        }
      ],
      "title": "fbdev: core: fbcvt: avoid division by 0 in fb_cvt_hperiod()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38312",
    "datePublished": "2025-07-10T07:42:20.647Z",
    "dateReserved": "2025-04-16T04:51:24.003Z",
    "dateUpdated": "2025-11-03T17:36:25.507Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38085 (GCVE-0-2025-38085)

Vulnerability from cvelistv5

Published

2025-06-28 07:44

Modified

2025-11-03 17:33

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race huge_pmd_unshare() drops a reference on a page table that may have previously been shared across processes, potentially turning it into a normal page table used in another process in which unrelated VMAs can afterwards be installed. If this happens in the middle of a concurrent gup_fast(), gup_fast() could end up walking the page tables of another process. While I don't see any way in which that immediately leads to kernel memory corruption, it is really weird and unexpected. Fix it with an explicit broadcast IPI through tlb_remove_table_sync_one(), just like we do in khugepaged when removing page tables for a THP collapse.

References

URL

Tags

	https://git.kernel.org/stable/c/952596b08c74e8fe9e2883d1dc8a8f54a37384ec
	https://git.kernel.org/stable/c/a3d864c901a300c295692d129159fc3001a56185
	https://git.kernel.org/stable/c/b7754d3aa7bf9f62218d096c0c8f6c13698fac8b
	https://git.kernel.org/stable/c/fe684290418ef9ef76630072086ee530b92f02b8
	https://git.kernel.org/stable/c/034a52b5ef57c9c8225d94e9067f3390bb33922f
	https://git.kernel.org/stable/c/a6bfeb97941a9187833b526bc6cc4ff5706d0ce9
	https://git.kernel.org/stable/c/1013af4f585fccc4d3e5c5824d174de2257f7d6d
	https://project-zero.issues.chromium.org/issues/420715744

Impacted products

Vendor

Product

Version

Linux

Version: 39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa
Version: 39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa
Version: 39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa
Version: 39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa
Version: 39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa
Version: 39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa
Version: 39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa

Linux

Version: 2.6.20

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:33:54.315Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "mm/hugetlb.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "952596b08c74e8fe9e2883d1dc8a8f54a37384ec",
              "status": "affected",
              "version": "39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa",
              "versionType": "git"
            },
            {
              "lessThan": "a3d864c901a300c295692d129159fc3001a56185",
              "status": "affected",
              "version": "39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa",
              "versionType": "git"
            },
            {
              "lessThan": "b7754d3aa7bf9f62218d096c0c8f6c13698fac8b",
              "status": "affected",
              "version": "39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa",
              "versionType": "git"
            },
            {
              "lessThan": "fe684290418ef9ef76630072086ee530b92f02b8",
              "status": "affected",
              "version": "39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa",
              "versionType": "git"
            },
            {
              "lessThan": "034a52b5ef57c9c8225d94e9067f3390bb33922f",
              "status": "affected",
              "version": "39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa",
              "versionType": "git"
            },
            {
              "lessThan": "a6bfeb97941a9187833b526bc6cc4ff5706d0ce9",
              "status": "affected",
              "version": "39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa",
              "versionType": "git"
            },
            {
              "lessThan": "1013af4f585fccc4d3e5c5824d174de2257f7d6d",
              "status": "affected",
              "version": "39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "mm/hugetlb.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.20"
            },
            {
              "lessThan": "2.6.20",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.95",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.35",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "2.6.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "2.6.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "2.6.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.95",
                  "versionStartIncluding": "2.6.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.35",
                  "versionStartIncluding": "2.6.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.4",
                  "versionStartIncluding": "2.6.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "2.6.20",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race\n\nhuge_pmd_unshare() drops a reference on a page table that may have\npreviously been shared across processes, potentially turning it into a\nnormal page table used in another process in which unrelated VMAs can\nafterwards be installed.\n\nIf this happens in the middle of a concurrent gup_fast(), gup_fast() could\nend up walking the page tables of another process.  While I don\u0027t see any\nway in which that immediately leads to kernel memory corruption, it is\nreally weird and unexpected.\n\nFix it with an explicit broadcast IPI through tlb_remove_table_sync_one(),\njust like we do in khugepaged when removing page tables for a THP\ncollapse."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-30T05:58:57.434Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/952596b08c74e8fe9e2883d1dc8a8f54a37384ec"
        },
        {
          "url": "https://git.kernel.org/stable/c/a3d864c901a300c295692d129159fc3001a56185"
        },
        {
          "url": "https://git.kernel.org/stable/c/b7754d3aa7bf9f62218d096c0c8f6c13698fac8b"
        },
        {
          "url": "https://git.kernel.org/stable/c/fe684290418ef9ef76630072086ee530b92f02b8"
        },
        {
          "url": "https://git.kernel.org/stable/c/034a52b5ef57c9c8225d94e9067f3390bb33922f"
        },
        {
          "url": "https://git.kernel.org/stable/c/a6bfeb97941a9187833b526bc6cc4ff5706d0ce9"
        },
        {
          "url": "https://git.kernel.org/stable/c/1013af4f585fccc4d3e5c5824d174de2257f7d6d"
        },
        {
          "url": "https://project-zero.issues.chromium.org/issues/420715744"
        }
      ],
      "title": "mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38085",
    "datePublished": "2025-06-28T07:44:26.178Z",
    "dateReserved": "2025-04-16T04:51:23.981Z",
    "dateUpdated": "2025-11-03T17:33:54.315Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38495 (GCVE-0-2025-38495)

Vulnerability from cvelistv5

Published

2025-07-28 11:22

Modified

2025-11-03 17:39

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: HID: core: ensure the allocated report buffer can contain the reserved report ID When the report ID is not used, the low level transport drivers expect the first byte to be 0. However, currently the allocated buffer not account for that extra byte, meaning that instead of having 8 guaranteed bytes for implement to be working, we only have 7.

References

URL

Tags

	https://git.kernel.org/stable/c/7228e36c7875e4b035374cf68ca5e44dffa596b2
	https://git.kernel.org/stable/c/9f2892f7233a8f1320fe671d0f95f122191bfbcd
	https://git.kernel.org/stable/c/7fa83d0043370003e9a0b46ab7ae8f53b00fab06
	https://git.kernel.org/stable/c/d3ed1d84a84538a39b3eb2055d6a97a936c108f2
	https://git.kernel.org/stable/c/fcda39a9c5b834346088c14b1374336b079466c1
	https://git.kernel.org/stable/c/a262370f385e53ff7470efdcdaf40468e5756717
	https://git.kernel.org/stable/c/a47d9d9895bad9ce0e840a39836f19ca0b2a343a
	https://git.kernel.org/stable/c/4f15ee98304b96e164ff2340e1dfd6181c3f42aa

Impacted products

Vendor

Product

Version

Linux

Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Linux

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:39:03.891Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/hid/hid-core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "7228e36c7875e4b035374cf68ca5e44dffa596b2",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "9f2892f7233a8f1320fe671d0f95f122191bfbcd",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "7fa83d0043370003e9a0b46ab7ae8f53b00fab06",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "d3ed1d84a84538a39b3eb2055d6a97a936c108f2",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "fcda39a9c5b834346088c14b1374336b079466c1",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "a262370f385e53ff7470efdcdaf40468e5756717",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "a47d9d9895bad9ce0e840a39836f19ca0b2a343a",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "4f15ee98304b96e164ff2340e1dfd6181c3f42aa",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/hid/hid-core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.297",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.241",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.147",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.100",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.40",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.297",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.241",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.147",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.100",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.40",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: core: ensure the allocated report buffer can contain the reserved report ID\n\nWhen the report ID is not used, the low level transport drivers expect\nthe first byte to be 0. However, currently the allocated buffer not\naccount for that extra byte, meaning that instead of having 8 guaranteed\nbytes for implement to be working, we only have 7."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-28T14:43:29.931Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/7228e36c7875e4b035374cf68ca5e44dffa596b2"
        },
        {
          "url": "https://git.kernel.org/stable/c/9f2892f7233a8f1320fe671d0f95f122191bfbcd"
        },
        {
          "url": "https://git.kernel.org/stable/c/7fa83d0043370003e9a0b46ab7ae8f53b00fab06"
        },
        {
          "url": "https://git.kernel.org/stable/c/d3ed1d84a84538a39b3eb2055d6a97a936c108f2"
        },
        {
          "url": "https://git.kernel.org/stable/c/fcda39a9c5b834346088c14b1374336b079466c1"
        },
        {
          "url": "https://git.kernel.org/stable/c/a262370f385e53ff7470efdcdaf40468e5756717"
        },
        {
          "url": "https://git.kernel.org/stable/c/a47d9d9895bad9ce0e840a39836f19ca0b2a343a"
        },
        {
          "url": "https://git.kernel.org/stable/c/4f15ee98304b96e164ff2340e1dfd6181c3f42aa"
        }
      ],
      "title": "HID: core: ensure the allocated report buffer can contain the reserved report ID",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38495",
    "datePublished": "2025-07-28T11:22:04.169Z",
    "dateReserved": "2025-04-16T04:51:24.022Z",
    "dateUpdated": "2025-11-03T17:39:03.891Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-52878 (GCVE-0-2023-52878)

Vulnerability from cvelistv5

Published

2024-05-21 15:32

Modified

2025-05-04 07:45

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: can: dev: can_put_echo_skb(): don't crash kernel if can_priv::echo_skb is accessed out of bounds If the "struct can_priv::echoo_skb" is accessed out of bounds, this would cause a kernel crash. Instead, issue a meaningful warning message and return with an error.

References

URL

Tags

	https://git.kernel.org/stable/c/826120c9ba68f2d0dbae58e99013929c883d1444
	https://git.kernel.org/stable/c/0d30931f1fa0fb893fb7d5dc32b6b7edfb775be4
	https://git.kernel.org/stable/c/53c468008a7c9ca3f5fc985951f35ec2acae85bc
	https://git.kernel.org/stable/c/8ab67da060157362b2e0926692c659808784708f
	https://git.kernel.org/stable/c/6411959c10fe917288cbb1038886999148560057

Impacted products

Vendor

Product

Version

Linux

Version: a6e4bc5304033e434fabccabb230b8e9ff55d76f
Version: a6e4bc5304033e434fabccabb230b8e9ff55d76f
Version: a6e4bc5304033e434fabccabb230b8e9ff55d76f
Version: a6e4bc5304033e434fabccabb230b8e9ff55d76f
Version: a6e4bc5304033e434fabccabb230b8e9ff55d76f

Linux

Version: 2.6.33

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-52878",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-21T17:05:12.659416Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:23:41.925Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T23:18:41.163Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/826120c9ba68f2d0dbae58e99013929c883d1444"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/0d30931f1fa0fb893fb7d5dc32b6b7edfb775be4"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/53c468008a7c9ca3f5fc985951f35ec2acae85bc"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/8ab67da060157362b2e0926692c659808784708f"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/6411959c10fe917288cbb1038886999148560057"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/can/dev/skb.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "826120c9ba68f2d0dbae58e99013929c883d1444",
              "status": "affected",
              "version": "a6e4bc5304033e434fabccabb230b8e9ff55d76f",
              "versionType": "git"
            },
            {
              "lessThan": "0d30931f1fa0fb893fb7d5dc32b6b7edfb775be4",
              "status": "affected",
              "version": "a6e4bc5304033e434fabccabb230b8e9ff55d76f",
              "versionType": "git"
            },
            {
              "lessThan": "53c468008a7c9ca3f5fc985951f35ec2acae85bc",
              "status": "affected",
              "version": "a6e4bc5304033e434fabccabb230b8e9ff55d76f",
              "versionType": "git"
            },
            {
              "lessThan": "8ab67da060157362b2e0926692c659808784708f",
              "status": "affected",
              "version": "a6e4bc5304033e434fabccabb230b8e9ff55d76f",
              "versionType": "git"
            },
            {
              "lessThan": "6411959c10fe917288cbb1038886999148560057",
              "status": "affected",
              "version": "a6e4bc5304033e434fabccabb230b8e9ff55d76f",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/can/dev/skb.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.33"
            },
            {
              "lessThan": "2.6.33",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.139",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.63",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.5.*",
              "status": "unaffected",
              "version": "6.5.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.7",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.139",
                  "versionStartIncluding": "2.6.33",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.63",
                  "versionStartIncluding": "2.6.33",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.5.12",
                  "versionStartIncluding": "2.6.33",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.2",
                  "versionStartIncluding": "2.6.33",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.7",
                  "versionStartIncluding": "2.6.33",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: dev: can_put_echo_skb(): don\u0027t crash kernel if can_priv::echo_skb is accessed out of bounds\n\nIf the \"struct can_priv::echoo_skb\" is accessed out of bounds, this\nwould cause a kernel crash. Instead, issue a meaningful warning\nmessage and return with an error."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:45:00.765Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/826120c9ba68f2d0dbae58e99013929c883d1444"
        },
        {
          "url": "https://git.kernel.org/stable/c/0d30931f1fa0fb893fb7d5dc32b6b7edfb775be4"
        },
        {
          "url": "https://git.kernel.org/stable/c/53c468008a7c9ca3f5fc985951f35ec2acae85bc"
        },
        {
          "url": "https://git.kernel.org/stable/c/8ab67da060157362b2e0926692c659808784708f"
        },
        {
          "url": "https://git.kernel.org/stable/c/6411959c10fe917288cbb1038886999148560057"
        }
      ],
      "title": "can: dev: can_put_echo_skb(): don\u0027t crash kernel if can_priv::echo_skb is accessed out of bounds",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-52878",
    "datePublished": "2024-05-21T15:32:10.616Z",
    "dateReserved": "2024-05-21T15:19:24.264Z",
    "dateUpdated": "2025-05-04T07:45:00.765Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38018 (GCVE-0-2025-38018)

Vulnerability from cvelistv5

Published

2025-06-18 09:28

Modified

2025-11-03 19:58

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: net/tls: fix kernel panic when alloc_page failed We cannot set frag_list to NULL pointer when alloc_page failed. It will be used in tls_strp_check_queue_ok when the next time tls_strp_read_sock is called. This is because we don't reset full_len in tls_strp_flush_anchor_copy() so the recv path will try to continue handling the partial record on the next call but we dettached the rcvq from the frag list. Alternative fix would be to reset full_len. Unable to handle kernel NULL pointer dereference at virtual address 0000000000000028 Call trace: tls_strp_check_rcv+0x128/0x27c tls_strp_data_ready+0x34/0x44 tls_data_ready+0x3c/0x1f0 tcp_data_ready+0x9c/0xe4 tcp_data_queue+0xf6c/0x12d0 tcp_rcv_established+0x52c/0x798

References

URL

Tags

	https://git.kernel.org/stable/c/8f7f96549bc55e4ef3a6b499bc5011e5de2f46c4
	https://git.kernel.org/stable/c/406d05da26835943568e61bb751c569efae071d4
	https://git.kernel.org/stable/c/a11b8c0be6acd0505a58ff40d474bd778b25b93a
	https://git.kernel.org/stable/c/5f1f833cb388592bb46104463a1ec1b7c41975b6
	https://git.kernel.org/stable/c/491deb9b8c4ad12fe51d554a69b8165b9ef9429f

Impacted products

Vendor

Product

Version

Linux

Version: 84c61fe1a75b4255df1e1e7c054c9e6d048da417
Version: 84c61fe1a75b4255df1e1e7c054c9e6d048da417
Version: 84c61fe1a75b4255df1e1e7c054c9e6d048da417
Version: 84c61fe1a75b4255df1e1e7c054c9e6d048da417
Version: 84c61fe1a75b4255df1e1e7c054c9e6d048da417

Linux

Version: 6.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:58:19.276Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/tls/tls_strp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "8f7f96549bc55e4ef3a6b499bc5011e5de2f46c4",
              "status": "affected",
              "version": "84c61fe1a75b4255df1e1e7c054c9e6d048da417",
              "versionType": "git"
            },
            {
              "lessThan": "406d05da26835943568e61bb751c569efae071d4",
              "status": "affected",
              "version": "84c61fe1a75b4255df1e1e7c054c9e6d048da417",
              "versionType": "git"
            },
            {
              "lessThan": "a11b8c0be6acd0505a58ff40d474bd778b25b93a",
              "status": "affected",
              "version": "84c61fe1a75b4255df1e1e7c054c9e6d048da417",
              "versionType": "git"
            },
            {
              "lessThan": "5f1f833cb388592bb46104463a1ec1b7c41975b6",
              "status": "affected",
              "version": "84c61fe1a75b4255df1e1e7c054c9e6d048da417",
              "versionType": "git"
            },
            {
              "lessThan": "491deb9b8c4ad12fe51d554a69b8165b9ef9429f",
              "status": "affected",
              "version": "84c61fe1a75b4255df1e1e7c054c9e6d048da417",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/tls/tls_strp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.0"
            },
            {
              "lessThan": "6.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.92",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.140",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.92",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.30",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.8",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/tls: fix kernel panic when alloc_page failed\n\nWe cannot set frag_list to NULL pointer when alloc_page failed.\nIt will be used in tls_strp_check_queue_ok when the next time\ntls_strp_read_sock is called.\n\nThis is because we don\u0027t reset full_len in tls_strp_flush_anchor_copy()\nso the recv path will try to continue handling the partial record\non the next call but we dettached the rcvq from the frag list.\nAlternative fix would be to reset full_len.\n\nUnable to handle kernel NULL pointer dereference\nat virtual address 0000000000000028\n Call trace:\n tls_strp_check_rcv+0x128/0x27c\n tls_strp_data_ready+0x34/0x44\n tls_data_ready+0x3c/0x1f0\n tcp_data_ready+0x9c/0xe4\n tcp_data_queue+0xf6c/0x12d0\n tcp_rcv_established+0x52c/0x798"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-18T09:28:26.443Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/8f7f96549bc55e4ef3a6b499bc5011e5de2f46c4"
        },
        {
          "url": "https://git.kernel.org/stable/c/406d05da26835943568e61bb751c569efae071d4"
        },
        {
          "url": "https://git.kernel.org/stable/c/a11b8c0be6acd0505a58ff40d474bd778b25b93a"
        },
        {
          "url": "https://git.kernel.org/stable/c/5f1f833cb388592bb46104463a1ec1b7c41975b6"
        },
        {
          "url": "https://git.kernel.org/stable/c/491deb9b8c4ad12fe51d554a69b8165b9ef9429f"
        }
      ],
      "title": "net/tls: fix kernel panic when alloc_page failed",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38018",
    "datePublished": "2025-06-18T09:28:26.443Z",
    "dateReserved": "2025-04-16T04:51:23.977Z",
    "dateUpdated": "2025-11-03T19:58:19.276Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-37871 (GCVE-0-2025-37871)

Vulnerability from cvelistv5

Published

2025-05-09 06:43

Modified

2025-11-03 19:56

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: nfsd: decrease sc_count directly if fail to queue dl_recall A deadlock warning occurred when invoking nfs4_put_stid following a failed dl_recall queue operation: T1 T2 nfs4_laundromat nfs4_get_client_reaplist nfs4_anylock_blockers __break_lease spin_lock // ctx->flc_lock spin_lock // clp->cl_lock nfs4_lockowner_has_blockers locks_owner_has_blockers spin_lock // flctx->flc_lock nfsd_break_deleg_cb nfsd_break_one_deleg nfs4_put_stid refcount_dec_and_lock spin_lock // clp->cl_lock When a file is opened, an nfs4_delegation is allocated with sc_count initialized to 1, and the file_lease holds a reference to the delegation. The file_lease is then associated with the file through kernel_setlease. The disassociation is performed in nfsd4_delegreturn via the following call chain: nfsd4_delegreturn --> destroy_delegation --> destroy_unhashed_deleg --> nfs4_unlock_deleg_lease --> kernel_setlease --> generic_delete_lease The corresponding sc_count reference will be released after this disassociation. Since nfsd_break_one_deleg executes while holding the flc_lock, the disassociation process becomes blocked when attempting to acquire flc_lock in generic_delete_lease. This means: 1) sc_count in nfsd_break_one_deleg will not be decremented to 0; 2) The nfs4_put_stid called by nfsd_break_one_deleg will not attempt to acquire cl_lock; 3) Consequently, no deadlock condition is created. Given that sc_count in nfsd_break_one_deleg remains non-zero, we can safely perform refcount_dec on sc_count directly. This approach effectively avoids triggering deadlock warnings.

References

URL

Tags

	https://git.kernel.org/stable/c/b9bbe8f9d5663311d06667ce36d6ed255ead1a26
	https://git.kernel.org/stable/c/a70832d3555987035fc430ccd703acd89393eadb
	https://git.kernel.org/stable/c/ba903539fff745d592d893c71b30e5e268a95413
	https://git.kernel.org/stable/c/7d192e27a431026c58d60edf66dc6cd98d0c01fc
	https://git.kernel.org/stable/c/a7fce086f6ca84db409b9d58493ea77c1978897c
	https://git.kernel.org/stable/c/14985d66b9b99c12995dd99d1c6c8dec4114c2a5
	https://git.kernel.org/stable/c/a1d14d931bf700c1025db8c46d6731aa5cf440f9

Impacted products

Vendor

Product

Version

Linux

Version: b874cdef4e67e5150e07eff0eae1cbb21fb92da1
Version: cdb796137c57e68ca34518d53be53b679351eb86
Version: d96587cc93ec369031bcd7658c6adc719873c9fd
Version: 9a81cde8c7ce65dd90fb47ceea93a45fc1a2fbd1
Version: cad3479b63661a399c9df1d0b759e1806e2df3c8
Version: 133f5e2a37ce08c82d24e8fba65e0a81deae4609
Version: 230ca758453c63bd38e4d9f4a21db698f7abada8
Version: 63b91c8ff4589f5263873b24c052447a28e10ef7

Linux

Version: 5.10.236   ≤
Version: 5.15.180   ≤
Version: 6.1.134   ≤
Version: 6.6.87   ≤
Version: 6.12.23   ≤
Version: 6.14.2   ≤

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:56:48.360Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/nfsd/nfs4state.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b9bbe8f9d5663311d06667ce36d6ed255ead1a26",
              "status": "affected",
              "version": "b874cdef4e67e5150e07eff0eae1cbb21fb92da1",
              "versionType": "git"
            },
            {
              "lessThan": "a70832d3555987035fc430ccd703acd89393eadb",
              "status": "affected",
              "version": "cdb796137c57e68ca34518d53be53b679351eb86",
              "versionType": "git"
            },
            {
              "lessThan": "ba903539fff745d592d893c71b30e5e268a95413",
              "status": "affected",
              "version": "d96587cc93ec369031bcd7658c6adc719873c9fd",
              "versionType": "git"
            },
            {
              "lessThan": "7d192e27a431026c58d60edf66dc6cd98d0c01fc",
              "status": "affected",
              "version": "9a81cde8c7ce65dd90fb47ceea93a45fc1a2fbd1",
              "versionType": "git"
            },
            {
              "lessThan": "a7fce086f6ca84db409b9d58493ea77c1978897c",
              "status": "affected",
              "version": "cad3479b63661a399c9df1d0b759e1806e2df3c8",
              "versionType": "git"
            },
            {
              "lessThan": "14985d66b9b99c12995dd99d1c6c8dec4114c2a5",
              "status": "affected",
              "version": "133f5e2a37ce08c82d24e8fba65e0a81deae4609",
              "versionType": "git"
            },
            {
              "lessThan": "a1d14d931bf700c1025db8c46d6731aa5cf440f9",
              "status": "affected",
              "version": "230ca758453c63bd38e4d9f4a21db698f7abada8",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "63b91c8ff4589f5263873b24c052447a28e10ef7",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/nfsd/nfs4state.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5.10.237",
              "status": "affected",
              "version": "5.10.236",
              "versionType": "semver"
            },
            {
              "lessThan": "5.15.181",
              "status": "affected",
              "version": "5.15.180",
              "versionType": "semver"
            },
            {
              "lessThan": "6.1.135",
              "status": "affected",
              "version": "6.1.134",
              "versionType": "semver"
            },
            {
              "lessThan": "6.6.88",
              "status": "affected",
              "version": "6.6.87",
              "versionType": "semver"
            },
            {
              "lessThan": "6.12.25",
              "status": "affected",
              "version": "6.12.23",
              "versionType": "semver"
            },
            {
              "lessThan": "6.14.4",
              "status": "affected",
              "version": "6.14.2",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.237",
                  "versionStartIncluding": "5.10.236",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.181",
                  "versionStartIncluding": "5.15.180",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.135",
                  "versionStartIncluding": "6.1.134",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.88",
                  "versionStartIncluding": "6.6.87",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.25",
                  "versionStartIncluding": "6.12.23",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.4",
                  "versionStartIncluding": "6.14.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.13.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: decrease sc_count directly if fail to queue dl_recall\n\nA deadlock warning occurred when invoking nfs4_put_stid following a failed\ndl_recall queue operation:\n            T1                            T2\n                                nfs4_laundromat\n                                 nfs4_get_client_reaplist\n                                  nfs4_anylock_blockers\n__break_lease\n spin_lock // ctx-\u003eflc_lock\n                                   spin_lock // clp-\u003ecl_lock\n                                   nfs4_lockowner_has_blockers\n                                    locks_owner_has_blockers\n                                     spin_lock // flctx-\u003eflc_lock\n nfsd_break_deleg_cb\n  nfsd_break_one_deleg\n   nfs4_put_stid\n    refcount_dec_and_lock\n     spin_lock // clp-\u003ecl_lock\n\nWhen a file is opened, an nfs4_delegation is allocated with sc_count\ninitialized to 1, and the file_lease holds a reference to the delegation.\nThe file_lease is then associated with the file through kernel_setlease.\n\nThe disassociation is performed in nfsd4_delegreturn via the following\ncall chain:\nnfsd4_delegreturn --\u003e destroy_delegation --\u003e destroy_unhashed_deleg --\u003e\nnfs4_unlock_deleg_lease --\u003e kernel_setlease --\u003e generic_delete_lease\nThe corresponding sc_count reference will be released after this\ndisassociation.\n\nSince nfsd_break_one_deleg executes while holding the flc_lock, the\ndisassociation process becomes blocked when attempting to acquire flc_lock\nin generic_delete_lease. This means:\n1) sc_count in nfsd_break_one_deleg will not be decremented to 0;\n2) The nfs4_put_stid called by nfsd_break_one_deleg will not attempt to\nacquire cl_lock;\n3) Consequently, no deadlock condition is created.\n\nGiven that sc_count in nfsd_break_one_deleg remains non-zero, we can\nsafely perform refcount_dec on sc_count directly. This approach\neffectively avoids triggering deadlock warnings."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:22:43.674Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b9bbe8f9d5663311d06667ce36d6ed255ead1a26"
        },
        {
          "url": "https://git.kernel.org/stable/c/a70832d3555987035fc430ccd703acd89393eadb"
        },
        {
          "url": "https://git.kernel.org/stable/c/ba903539fff745d592d893c71b30e5e268a95413"
        },
        {
          "url": "https://git.kernel.org/stable/c/7d192e27a431026c58d60edf66dc6cd98d0c01fc"
        },
        {
          "url": "https://git.kernel.org/stable/c/a7fce086f6ca84db409b9d58493ea77c1978897c"
        },
        {
          "url": "https://git.kernel.org/stable/c/14985d66b9b99c12995dd99d1c6c8dec4114c2a5"
        },
        {
          "url": "https://git.kernel.org/stable/c/a1d14d931bf700c1025db8c46d6731aa5cf440f9"
        }
      ],
      "title": "nfsd: decrease sc_count directly if fail to queue dl_recall",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37871",
    "datePublished": "2025-05-09T06:43:59.720Z",
    "dateReserved": "2025-04-16T04:51:23.959Z",
    "dateUpdated": "2025-11-03T19:56:48.360Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-37841 (GCVE-0-2025-37841)

Vulnerability from cvelistv5

Published

2025-05-09 06:41

Modified

2025-11-03 19:56

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: pm: cpupower: bench: Prevent NULL dereference on malloc failure If malloc returns NULL due to low memory, 'config' pointer can be NULL. Add a check to prevent NULL dereference.

References

URL

Tags

	https://git.kernel.org/stable/c/34a9394794b0f97af6afedc0c9ee2012c24b28ed
	https://git.kernel.org/stable/c/79bded9d70142d2a11d931fc029afece471641db
	https://git.kernel.org/stable/c/0e297a02e03dceb2874789ca40bd4e65c5371704
	https://git.kernel.org/stable/c/87b9f0867c0afa7e892f4b30c36cff6bf2707f85
	https://git.kernel.org/stable/c/942a4b97fc77516678b1d8af1521ff9a94c13b3e
	https://git.kernel.org/stable/c/f8d28fa305b78c5d1073b63f26db265ba8291ae1
	https://git.kernel.org/stable/c/ceec06f464d5cfc0ba966225f7d50506ceb62242
	https://git.kernel.org/stable/c/5e38122aa3fd0f9788186e86a677925bfec0b2d1
	https://git.kernel.org/stable/c/208baa3ec9043a664d9acfb8174b332e6b17fb69

Impacted products

Vendor

Product

Version

Linux

Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Linux

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:56:17.871Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "tools/power/cpupower/bench/parse.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "34a9394794b0f97af6afedc0c9ee2012c24b28ed",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "79bded9d70142d2a11d931fc029afece471641db",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "0e297a02e03dceb2874789ca40bd4e65c5371704",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "87b9f0867c0afa7e892f4b30c36cff6bf2707f85",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "942a4b97fc77516678b1d8af1521ff9a94c13b3e",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "f8d28fa305b78c5d1073b63f26db265ba8291ae1",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "ceec06f464d5cfc0ba966225f7d50506ceb62242",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "5e38122aa3fd0f9788186e86a677925bfec0b2d1",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "208baa3ec9043a664d9acfb8174b332e6b17fb69",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "tools/power/cpupower/bench/parse.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.293",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.237",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.181",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.135",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.24",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.293",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.237",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.181",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.135",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.88",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.24",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npm: cpupower: bench: Prevent NULL dereference on malloc failure\n\nIf malloc returns NULL due to low memory, \u0027config\u0027 pointer can be NULL.\nAdd a check to prevent NULL dereference."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:22:04.462Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/34a9394794b0f97af6afedc0c9ee2012c24b28ed"
        },
        {
          "url": "https://git.kernel.org/stable/c/79bded9d70142d2a11d931fc029afece471641db"
        },
        {
          "url": "https://git.kernel.org/stable/c/0e297a02e03dceb2874789ca40bd4e65c5371704"
        },
        {
          "url": "https://git.kernel.org/stable/c/87b9f0867c0afa7e892f4b30c36cff6bf2707f85"
        },
        {
          "url": "https://git.kernel.org/stable/c/942a4b97fc77516678b1d8af1521ff9a94c13b3e"
        },
        {
          "url": "https://git.kernel.org/stable/c/f8d28fa305b78c5d1073b63f26db265ba8291ae1"
        },
        {
          "url": "https://git.kernel.org/stable/c/ceec06f464d5cfc0ba966225f7d50506ceb62242"
        },
        {
          "url": "https://git.kernel.org/stable/c/5e38122aa3fd0f9788186e86a677925bfec0b2d1"
        },
        {
          "url": "https://git.kernel.org/stable/c/208baa3ec9043a664d9acfb8174b332e6b17fb69"
        }
      ],
      "title": "pm: cpupower: bench: Prevent NULL dereference on malloc failure",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37841",
    "datePublished": "2025-05-09T06:41:50.684Z",
    "dateReserved": "2025-04-16T04:51:23.952Z",
    "dateUpdated": "2025-11-03T19:56:17.871Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38343 (GCVE-0-2025-38343)

Vulnerability from cvelistv5

Published

2025-07-10 08:15

Modified

2025-07-28 04:19

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7996: drop fragments with multicast or broadcast RA IEEE 802.11 fragmentation can only be applied to unicast frames. Therefore, drop fragments with multicast or broadcast RA. This patch addresses vulnerabilities such as CVE-2020-26145.

References

URL

Tags

	https://git.kernel.org/stable/c/24900688ee47071aa6a61e78473999b5b80f0423
	https://git.kernel.org/stable/c/d4b93f9c2f666011dcf810050ef60a6b8d06f186
	https://git.kernel.org/stable/c/5fd5b8132b5de08c99eea003f7715ff2e361b007
	https://git.kernel.org/stable/c/80fda1cd7b0a1edd0849dc71403a070d0922118d

Impacted products

Vendor

Product

Version

Linux

Version: 98686cd21624c75a043e96812beadddf4f6f48e5
Version: 98686cd21624c75a043e96812beadddf4f6f48e5
Version: 98686cd21624c75a043e96812beadddf4f6f48e5
Version: 98686cd21624c75a043e96812beadddf4f6f48e5

Linux

Version: 6.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/mediatek/mt76/mt7996/mac.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "24900688ee47071aa6a61e78473999b5b80f0423",
              "status": "affected",
              "version": "98686cd21624c75a043e96812beadddf4f6f48e5",
              "versionType": "git"
            },
            {
              "lessThan": "d4b93f9c2f666011dcf810050ef60a6b8d06f186",
              "status": "affected",
              "version": "98686cd21624c75a043e96812beadddf4f6f48e5",
              "versionType": "git"
            },
            {
              "lessThan": "5fd5b8132b5de08c99eea003f7715ff2e361b007",
              "status": "affected",
              "version": "98686cd21624c75a043e96812beadddf4f6f48e5",
              "versionType": "git"
            },
            {
              "lessThan": "80fda1cd7b0a1edd0849dc71403a070d0922118d",
              "status": "affected",
              "version": "98686cd21624c75a043e96812beadddf4f6f48e5",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/mediatek/mt76/mt7996/mac.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.2"
            },
            {
              "lessThan": "6.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.95",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.35",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.95",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.35",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.4",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7996: drop fragments with multicast or broadcast RA\n\nIEEE 802.11 fragmentation can only be applied to unicast frames.\nTherefore, drop fragments with multicast or broadcast RA. This patch\naddresses vulnerabilities such as CVE-2020-26145."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:19:27.588Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/24900688ee47071aa6a61e78473999b5b80f0423"
        },
        {
          "url": "https://git.kernel.org/stable/c/d4b93f9c2f666011dcf810050ef60a6b8d06f186"
        },
        {
          "url": "https://git.kernel.org/stable/c/5fd5b8132b5de08c99eea003f7715ff2e361b007"
        },
        {
          "url": "https://git.kernel.org/stable/c/80fda1cd7b0a1edd0849dc71403a070d0922118d"
        }
      ],
      "title": "wifi: mt76: mt7996: drop fragments with multicast or broadcast RA",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38343",
    "datePublished": "2025-07-10T08:15:12.154Z",
    "dateReserved": "2025-04-16T04:51:24.005Z",
    "dateUpdated": "2025-07-28T04:19:27.588Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38348 (GCVE-0-2025-38348)

Vulnerability from cvelistv5

Published

2025-07-10 08:15

Modified

2025-11-03 17:36

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: wifi: p54: prevent buffer-overflow in p54_rx_eeprom_readback() Robert Morris reported: |If a malicious USB device pretends to be an Intersil p54 wifi |interface and generates an eeprom_readback message with a large |eeprom->v1.len, p54_rx_eeprom_readback() will copy data from the |message beyond the end of priv->eeprom. | |static void p54_rx_eeprom_readback(struct p54_common *priv, | struct sk_buff *skb) |{ | struct p54_hdr *hdr = (struct p54_hdr *) skb->data; | struct p54_eeprom_lm86 *eeprom = (struct p54_eeprom_lm86 *) hdr->data; | | if (priv->fw_var >= 0x509) { | memcpy(priv->eeprom, eeprom->v2.data, | le16_to_cpu(eeprom->v2.len)); | } else { | memcpy(priv->eeprom, eeprom->v1.data, | le16_to_cpu(eeprom->v1.len)); | } | [...] The eeprom->v{1,2}.len is set by the driver in p54_download_eeprom(). The device is supposed to provide the same length back to the driver. But yes, it's possible (like shown in the report) to alter the value to something that causes a crash/panic due to overrun. This patch addresses the issue by adding the size to the common device context, so p54_rx_eeprom_readback no longer relies on possibly tampered values... That said, it also checks if the "firmware" altered the value and no longer copies them. The one, small saving grace is: Before the driver tries to read the eeprom, it needs to upload >a< firmware. the vendor firmware has a proprietary license and as a reason, it is not present on most distributions by default.

References

URL

Tags

	https://git.kernel.org/stable/c/12134f79e53eb56b0b0b7447fa0c512acf6a8422
	https://git.kernel.org/stable/c/9701f842031b825e2fd5f22d064166f8f13f6e4d
	https://git.kernel.org/stable/c/1f7f8168abe8cbe845ab8bb557228d44784a6b57
	https://git.kernel.org/stable/c/f39b2f8c1549a539846e083790fad396ef6cd802
	https://git.kernel.org/stable/c/0e4dc150423b829c35cbcf399481ca11594fc036
	https://git.kernel.org/stable/c/6d05390d20f110de37d051a3e063ef0a542d01fb
	https://git.kernel.org/stable/c/714afb4c38edd19a057d519c1f9c5d164b43de94
	https://git.kernel.org/stable/c/da1b9a55ff116cb040528ef664c70a4eec03ae99

Impacted products

Vendor

Product

Version

Linux

Version: 7cb770729ba895f73253dfcd46c3fcba45d896f9
Version: 7cb770729ba895f73253dfcd46c3fcba45d896f9
Version: 7cb770729ba895f73253dfcd46c3fcba45d896f9
Version: 7cb770729ba895f73253dfcd46c3fcba45d896f9
Version: 7cb770729ba895f73253dfcd46c3fcba45d896f9
Version: 7cb770729ba895f73253dfcd46c3fcba45d896f9
Version: 7cb770729ba895f73253dfcd46c3fcba45d896f9
Version: 7cb770729ba895f73253dfcd46c3fcba45d896f9

Linux

Version: 2.6.28

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:36:58.983Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/intersil/p54/fwio.c",
            "drivers/net/wireless/intersil/p54/p54.h",
            "drivers/net/wireless/intersil/p54/txrx.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "12134f79e53eb56b0b0b7447fa0c512acf6a8422",
              "status": "affected",
              "version": "7cb770729ba895f73253dfcd46c3fcba45d896f9",
              "versionType": "git"
            },
            {
              "lessThan": "9701f842031b825e2fd5f22d064166f8f13f6e4d",
              "status": "affected",
              "version": "7cb770729ba895f73253dfcd46c3fcba45d896f9",
              "versionType": "git"
            },
            {
              "lessThan": "1f7f8168abe8cbe845ab8bb557228d44784a6b57",
              "status": "affected",
              "version": "7cb770729ba895f73253dfcd46c3fcba45d896f9",
              "versionType": "git"
            },
            {
              "lessThan": "f39b2f8c1549a539846e083790fad396ef6cd802",
              "status": "affected",
              "version": "7cb770729ba895f73253dfcd46c3fcba45d896f9",
              "versionType": "git"
            },
            {
              "lessThan": "0e4dc150423b829c35cbcf399481ca11594fc036",
              "status": "affected",
              "version": "7cb770729ba895f73253dfcd46c3fcba45d896f9",
              "versionType": "git"
            },
            {
              "lessThan": "6d05390d20f110de37d051a3e063ef0a542d01fb",
              "status": "affected",
              "version": "7cb770729ba895f73253dfcd46c3fcba45d896f9",
              "versionType": "git"
            },
            {
              "lessThan": "714afb4c38edd19a057d519c1f9c5d164b43de94",
              "status": "affected",
              "version": "7cb770729ba895f73253dfcd46c3fcba45d896f9",
              "versionType": "git"
            },
            {
              "lessThan": "da1b9a55ff116cb040528ef664c70a4eec03ae99",
              "status": "affected",
              "version": "7cb770729ba895f73253dfcd46c3fcba45d896f9",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/intersil/p54/fwio.c",
            "drivers/net/wireless/intersil/p54/p54.h",
            "drivers/net/wireless/intersil/p54/txrx.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.28"
            },
            {
              "lessThan": "2.6.28",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.295",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.95",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.35",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.295",
                  "versionStartIncluding": "2.6.28",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "2.6.28",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "2.6.28",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "2.6.28",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.95",
                  "versionStartIncluding": "2.6.28",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.35",
                  "versionStartIncluding": "2.6.28",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.4",
                  "versionStartIncluding": "2.6.28",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "2.6.28",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: p54: prevent buffer-overflow in p54_rx_eeprom_readback()\n\nRobert Morris reported:\n\n|If a malicious USB device pretends to be an Intersil p54 wifi\n|interface and generates an eeprom_readback message with a large\n|eeprom-\u003ev1.len, p54_rx_eeprom_readback() will copy data from the\n|message beyond the end of priv-\u003eeeprom.\n|\n|static void p54_rx_eeprom_readback(struct p54_common *priv,\n|                                   struct sk_buff *skb)\n|{\n|        struct p54_hdr *hdr = (struct p54_hdr *) skb-\u003edata;\n|        struct p54_eeprom_lm86 *eeprom = (struct p54_eeprom_lm86 *) hdr-\u003edata;\n|\n|        if (priv-\u003efw_var \u003e= 0x509) {\n|                memcpy(priv-\u003eeeprom, eeprom-\u003ev2.data,\n|                       le16_to_cpu(eeprom-\u003ev2.len));\n|        } else {\n|                memcpy(priv-\u003eeeprom, eeprom-\u003ev1.data,\n|                       le16_to_cpu(eeprom-\u003ev1.len));\n|        }\n| [...]\n\nThe eeprom-\u003ev{1,2}.len is set by the driver in p54_download_eeprom().\nThe device is supposed to provide the same length back to the driver.\nBut yes, it\u0027s possible (like shown in the report) to alter the value\nto something that causes a crash/panic due to overrun.\n\nThis patch addresses the issue by adding the size to the common device\ncontext, so p54_rx_eeprom_readback no longer relies on possibly tampered\nvalues... That said, it also checks if the \"firmware\" altered the value\nand no longer copies them.\n\nThe one, small saving grace is: Before the driver tries to read the eeprom,\nit needs to upload \u003ea\u003c firmware. the vendor firmware has a proprietary\nlicense and as a reason, it is not present on most distributions by\ndefault."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:19:35.068Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/12134f79e53eb56b0b0b7447fa0c512acf6a8422"
        },
        {
          "url": "https://git.kernel.org/stable/c/9701f842031b825e2fd5f22d064166f8f13f6e4d"
        },
        {
          "url": "https://git.kernel.org/stable/c/1f7f8168abe8cbe845ab8bb557228d44784a6b57"
        },
        {
          "url": "https://git.kernel.org/stable/c/f39b2f8c1549a539846e083790fad396ef6cd802"
        },
        {
          "url": "https://git.kernel.org/stable/c/0e4dc150423b829c35cbcf399481ca11594fc036"
        },
        {
          "url": "https://git.kernel.org/stable/c/6d05390d20f110de37d051a3e063ef0a542d01fb"
        },
        {
          "url": "https://git.kernel.org/stable/c/714afb4c38edd19a057d519c1f9c5d164b43de94"
        },
        {
          "url": "https://git.kernel.org/stable/c/da1b9a55ff116cb040528ef664c70a4eec03ae99"
        }
      ],
      "title": "wifi: p54: prevent buffer-overflow in p54_rx_eeprom_readback()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38348",
    "datePublished": "2025-07-10T08:15:15.883Z",
    "dateReserved": "2025-04-16T04:51:24.006Z",
    "dateUpdated": "2025-11-03T17:36:58.983Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-36357 (GCVE-0-2024-36357)

Vulnerability from cvelistv5

Published

2025-07-08 17:01

Modified

2025-11-04 21:08

Severity ?

5.6 (Medium) - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

CWE

CWE-1421 - Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution

Summary

A transient execution vulnerability in some AMD processors may allow an attacker to infer data in the L1D cache, potentially resulting in the leakage of sensitive information across privileged boundaries.

References

URL

Tags

https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7029.html

Impacted products

Vendor

Product

Version

AMD

AMD EPYC™ 7003 Series Processors

	AMD	AMD EPYC™ 9004 Series Processors
	AMD	AMD EPYC™ 8004 Series Processors
	AMD	AMD EPYC™ 9V64H Processor
	AMD	AMD Ryzen™ 5000 Series Desktop Processors
	AMD	AMD Ryzen™ 5000 Series Desktop Processor with Radeon™ Graphics
	AMD	AMD Ryzen™ 7000 Series Desktop Processors
	AMD	AMD Ryzen™ 8000 Series Processor with Radeon™ Graphics
	AMD	AMD Ryzen™ Threadripper™ PRO 7000 WX-Series Processors
	AMD	AMD Ryzen™ 6000 Series Processor with Radeon™ Graphics
	AMD	AMD Ryzen™ 7035 Series Processor with Radeon™ Graphics
	AMD	AMD Ryzen™ 7000 Series Processors with Radeon™ Graphics
	AMD	AMD Ryzen™ 7040 Series Processors with Radeon™ Graphics
	AMD	AMD Ryzen™ 8040 Series Mobile Processors with Radeon™ Graphics
	AMD	AMD Ryzen™ 7000 Series Mobile Processors
	AMD	AMD EPYC™ Embedded 7003 Series Processors
	AMD	AMD EPYC™ Embedded 8004 Series Processors
	AMD	AMD EPYC™ Embedded 9004 Series Processors
	AMD	AMD Ryzen™ Embedded 5000 Series Processors
	AMD	AMD Ryzen™ Embedded 7000 Series Processors
	AMD	AMD Ryzen™ Embedded V3000 Series Processors
	AMD	AMD EPYC™ Embedded 97X4
	AMD	AMD Ryzen™ 5000 Series Processors with Radeon™ Graphics

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-36357",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-09T13:36:59.777404Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-09T13:37:06.013Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-04T21:08:40.807Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          },
          {
            "url": "http://xenbits.xen.org/xsa/advisory-471.html"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/08/28/2"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "AMD EPYC\u2122 7003 Series Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "MilanPI 1.0.0.G + OS Updates"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD EPYC\u2122 9004 Series Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "GenoaPI 1.0.0.E + OS Updates"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD EPYC\u2122 8004 Series Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "GenoaPI 1.0.0.E + OS Updates"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD EPYC\u2122 9V64H Processor",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "MI300PI 1.0.0.7 + OS Updates"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 5000 Series Desktop Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "ComboAM4v2PI 1.2.0.E + OS Updates"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 5000 Series Desktop Processor with Radeon\u2122 Graphics",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "ComboAM4v2PI 1.2.0.E + OS Updates"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 7000 Series Desktop Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "ComboAM5PI 1.2.0.3 + OS Updates"
            },
            {
              "status": "unaffected",
              "version": "ComboAM5PI 1.0.0.a+ OS Updates"
            },
            {
              "status": "unaffected",
              "version": "ComboAM5PI  1.1.0.3c+ OS Updates"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 8000 Series Processor with Radeon\u2122 Graphics",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "ComboAM5PI 1.2.0.3 + OS Updates"
            },
            {
              "status": "unaffected",
              "version": "ComboAM5PI  1.1.0.3c+ OS Updates"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 Threadripper\u2122 PRO 7000 WX-Series Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "StormPeakPI-SP6 1.1.0.0i + OS Updates"
            },
            {
              "status": "unaffected",
              "version": "StormPeakPI-SP6 1.0.0.1k + OS Updates"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 6000 Series Processor with Radeon\u2122 Graphics",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "RembrandtPI-FP7 1.0.0.Bb + OS Updates"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 7035 Series Processor with Radeon\u2122 Graphics",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "RembrandtPI-FP7 1.0.0.Bb + OS Updates"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 7000 Series Processors with Radeon\u2122 Graphics",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "CezannePI-FP6 1.0.1.1b + OS Updates"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 7040 Series Processors with Radeon\u2122 Graphics",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "PhoenixPI-FP8-FP7 1.2.0.0 + OS Updates"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 8040 Series Mobile Processors with Radeon\u2122 Graphics",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "PhoenixPI-FP8-FP7 1.2.0.0 + OS Updates"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 7000 Series Mobile Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "DragonRangeFL1 1.0.0.3g + OS Updates"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD EPYC\u2122 Embedded 7003 Series Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "EmbMilanPI-SP3 1.0.0.A + OS updates"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD EPYC\u2122 Embedded 8004 Series Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "EmbGenoaPI-SP5 1.0.0.9 + OS updates"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD EPYC\u2122 Embedded 9004 Series Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "EmbGenoaPI-SP5 1.0.0.9 + OS updates"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 Embedded 5000 Series Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "EmbAM4PI 1.0.0.7 + OS Update"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 Embedded 7000 Series Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "EmbeddedAM5PI 1.0.0.3 + OS updates"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 Embedded V3000 Series Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "Embedded-PI_FP7r2 100C + OS updates"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD EPYC\u2122 Embedded 97X4",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "EmbGenoaPI-SP5 1.0.0.9 + OS updates"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 5000 Series Processors with Radeon\u2122 Graphics",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "CezannePI-FP6 1.0.1.1b + OS Updates"
            }
          ]
        }
      ],
      "datePublic": "2025-07-08T16:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A transient execution vulnerability in some AMD processors may allow an attacker to infer data in the L1D cache, potentially resulting in the leakage of sensitive information across privileged boundaries.\u003cbr\u003e"
            }
          ],
          "value": "A transient execution vulnerability in some AMD processors may allow an attacker to infer data in the L1D cache, potentially resulting in the leakage of sensitive information across privileged boundaries."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 5.6,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1421",
              "description": "CWE-1421  Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-08T17:01:48.957Z",
        "orgId": "b58fc414-a1e4-4f92-9d70-1add41838648",
        "shortName": "AMD"
      },
      "references": [
        {
          "url": "https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7029.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b58fc414-a1e4-4f92-9d70-1add41838648",
    "assignerShortName": "AMD",
    "cveId": "CVE-2024-36357",
    "datePublished": "2025-07-08T17:01:48.957Z",
    "dateReserved": "2024-05-23T19:44:50.001Z",
    "dateUpdated": "2025-11-04T21:08:40.807Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38065 (GCVE-0-2025-38065)

Vulnerability from cvelistv5

Published

2025-06-18 09:33

Modified

2025-11-03 17:33

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: orangefs: Do not truncate file size 'len' is used to store the result of i_size_read(), so making 'len' a size_t results in truncation to 4GiB on 32-bit systems.

References

URL

Tags

	https://git.kernel.org/stable/c/ceaf195ed285b77791e29016ee6344b3ded609b3
	https://git.kernel.org/stable/c/341e3a5984cf5761f3dab16029d7e9fb1641d5ff
	https://git.kernel.org/stable/c/5111227d7f1f57f6804666b3abf780a23f44fc1d
	https://git.kernel.org/stable/c/15602508ad2f923e228b9521960b4addcd27d9c4
	https://git.kernel.org/stable/c/121f0335d91e46369bf55b5da4167d82b099a166
	https://git.kernel.org/stable/c/cd918ec24168fe08c6aafc077dd3b6d88364c5cf
	https://git.kernel.org/stable/c/2323b806221e6268a4e17711bc72e2fc87c191a3
	https://git.kernel.org/stable/c/062e8093592fb866b8e016641a8b27feb6ac509d

Impacted products

Vendor

Product

Version

Linux

Version: f7ab093f74bf638ed98fd1115f3efa17e308bb7f
Version: f7ab093f74bf638ed98fd1115f3efa17e308bb7f
Version: f7ab093f74bf638ed98fd1115f3efa17e308bb7f
Version: f7ab093f74bf638ed98fd1115f3efa17e308bb7f
Version: f7ab093f74bf638ed98fd1115f3efa17e308bb7f
Version: f7ab093f74bf638ed98fd1115f3efa17e308bb7f
Version: f7ab093f74bf638ed98fd1115f3efa17e308bb7f
Version: f7ab093f74bf638ed98fd1115f3efa17e308bb7f

Linux

Version: 4.6

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:33:32.733Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/orangefs/inode.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ceaf195ed285b77791e29016ee6344b3ded609b3",
              "status": "affected",
              "version": "f7ab093f74bf638ed98fd1115f3efa17e308bb7f",
              "versionType": "git"
            },
            {
              "lessThan": "341e3a5984cf5761f3dab16029d7e9fb1641d5ff",
              "status": "affected",
              "version": "f7ab093f74bf638ed98fd1115f3efa17e308bb7f",
              "versionType": "git"
            },
            {
              "lessThan": "5111227d7f1f57f6804666b3abf780a23f44fc1d",
              "status": "affected",
              "version": "f7ab093f74bf638ed98fd1115f3efa17e308bb7f",
              "versionType": "git"
            },
            {
              "lessThan": "15602508ad2f923e228b9521960b4addcd27d9c4",
              "status": "affected",
              "version": "f7ab093f74bf638ed98fd1115f3efa17e308bb7f",
              "versionType": "git"
            },
            {
              "lessThan": "121f0335d91e46369bf55b5da4167d82b099a166",
              "status": "affected",
              "version": "f7ab093f74bf638ed98fd1115f3efa17e308bb7f",
              "versionType": "git"
            },
            {
              "lessThan": "cd918ec24168fe08c6aafc077dd3b6d88364c5cf",
              "status": "affected",
              "version": "f7ab093f74bf638ed98fd1115f3efa17e308bb7f",
              "versionType": "git"
            },
            {
              "lessThan": "2323b806221e6268a4e17711bc72e2fc87c191a3",
              "status": "affected",
              "version": "f7ab093f74bf638ed98fd1115f3efa17e308bb7f",
              "versionType": "git"
            },
            {
              "lessThan": "062e8093592fb866b8e016641a8b27feb6ac509d",
              "status": "affected",
              "version": "f7ab093f74bf638ed98fd1115f3efa17e308bb7f",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/orangefs/inode.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.6"
            },
            {
              "lessThan": "4.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.294",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.238",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.185",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.141",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.93",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.31",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.294",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.238",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.185",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.141",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.93",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.31",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.9",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\norangefs: Do not truncate file size\n\n\u0027len\u0027 is used to store the result of i_size_read(), so making \u0027len\u0027\na size_t results in truncation to 4GiB on 32-bit systems."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-16T08:03:01.162Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ceaf195ed285b77791e29016ee6344b3ded609b3"
        },
        {
          "url": "https://git.kernel.org/stable/c/341e3a5984cf5761f3dab16029d7e9fb1641d5ff"
        },
        {
          "url": "https://git.kernel.org/stable/c/5111227d7f1f57f6804666b3abf780a23f44fc1d"
        },
        {
          "url": "https://git.kernel.org/stable/c/15602508ad2f923e228b9521960b4addcd27d9c4"
        },
        {
          "url": "https://git.kernel.org/stable/c/121f0335d91e46369bf55b5da4167d82b099a166"
        },
        {
          "url": "https://git.kernel.org/stable/c/cd918ec24168fe08c6aafc077dd3b6d88364c5cf"
        },
        {
          "url": "https://git.kernel.org/stable/c/2323b806221e6268a4e17711bc72e2fc87c191a3"
        },
        {
          "url": "https://git.kernel.org/stable/c/062e8093592fb866b8e016641a8b27feb6ac509d"
        }
      ],
      "title": "orangefs: Do not truncate file size",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38065",
    "datePublished": "2025-06-18T09:33:44.048Z",
    "dateReserved": "2025-04-16T04:51:23.980Z",
    "dateUpdated": "2025-11-03T17:33:32.733Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-37801 (GCVE-0-2025-37801)

Vulnerability from cvelistv5

Published

2025-05-08 06:26

Modified

2025-11-03 19:55

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: spi: spi-imx: Add check for spi_imx_setupxfer() Add check for the return value of spi_imx_setupxfer(). spi_imx->rx and spi_imx->tx function pointer can be NULL when spi_imx_setupxfer() return error, and make NULL pointer dereference. Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 Call trace: 0x0 spi_imx_pio_transfer+0x50/0xd8 spi_imx_transfer_one+0x18c/0x858 spi_transfer_one_message+0x43c/0x790 __spi_pump_transfer_message+0x238/0x5d4 __spi_sync+0x2b0/0x454 spi_write_then_read+0x11c/0x200

References

URL

Tags

	https://git.kernel.org/stable/c/2fea0d6d7b5d27fbf55512d51851ba0a346ede52
	https://git.kernel.org/stable/c/2b4479eb462ecb39001b38dfb331fc6028dedac8
	https://git.kernel.org/stable/c/185d376875ea6fb4256b9dc97ee0b4d2b0fdd399
	https://git.kernel.org/stable/c/055ef73bb1afc3f783a9a13b496770a781964a07
	https://git.kernel.org/stable/c/951a04ab3a2db4029debfa48d380ef834b93207e

Impacted products

Vendor

Product

Version

Linux

Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Linux

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:55:31.277Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/spi/spi-imx.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "2fea0d6d7b5d27fbf55512d51851ba0a346ede52",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "2b4479eb462ecb39001b38dfb331fc6028dedac8",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "185d376875ea6fb4256b9dc97ee0b4d2b0fdd399",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "055ef73bb1afc3f783a9a13b496770a781964a07",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "951a04ab3a2db4029debfa48d380ef834b93207e",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/spi/spi-imx.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.136",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.89",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.26",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.136",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.89",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.26",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: spi-imx: Add check for spi_imx_setupxfer()\n\nAdd check for the return value of spi_imx_setupxfer().\nspi_imx-\u003erx and spi_imx-\u003etx function pointer can be NULL when\nspi_imx_setupxfer() return error, and make NULL pointer dereference.\n\n Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n Call trace:\n  0x0\n  spi_imx_pio_transfer+0x50/0xd8\n  spi_imx_transfer_one+0x18c/0x858\n  spi_transfer_one_message+0x43c/0x790\n  __spi_pump_transfer_message+0x238/0x5d4\n  __spi_sync+0x2b0/0x454\n  spi_write_then_read+0x11c/0x200"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:21:10.378Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/2fea0d6d7b5d27fbf55512d51851ba0a346ede52"
        },
        {
          "url": "https://git.kernel.org/stable/c/2b4479eb462ecb39001b38dfb331fc6028dedac8"
        },
        {
          "url": "https://git.kernel.org/stable/c/185d376875ea6fb4256b9dc97ee0b4d2b0fdd399"
        },
        {
          "url": "https://git.kernel.org/stable/c/055ef73bb1afc3f783a9a13b496770a781964a07"
        },
        {
          "url": "https://git.kernel.org/stable/c/951a04ab3a2db4029debfa48d380ef834b93207e"
        }
      ],
      "title": "spi: spi-imx: Add check for spi_imx_setupxfer()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37801",
    "datePublished": "2025-05-08T06:26:01.980Z",
    "dateReserved": "2025-04-16T04:51:23.941Z",
    "dateUpdated": "2025-11-03T19:55:31.277Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-42265 (GCVE-0-2024-42265)

Vulnerability from cvelistv5

Published

2024-08-17 08:54

Modified

2025-11-03 22:02

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: protect the fetch of ->fd[fd] in do_dup2() from mispredictions both callers have verified that fd is not greater than ->max_fds; however, misprediction might end up with tofree = fdt->fd[fd]; being speculatively executed. That's wrong for the same reasons why it's wrong in close_fd()/file_close_fd_locked(); the same solution applies - array_index_nospec(fd, fdt->max_fds) could differ from fd only in case of speculative execution on mispredicted path.

References

URL

Tags

	https://git.kernel.org/stable/c/ed42e8ff509d2a61c6642d1825032072dab79f26
	https://git.kernel.org/stable/c/41a6c31df77bd8e050136b0a200b537da9e1084a
	https://git.kernel.org/stable/c/08775b3d6ed117cf4518754ec7300ee42b6a5368
	https://git.kernel.org/stable/c/3f480493550b6a23d3a65d095d6569d4a7f56a0f
	https://git.kernel.org/stable/c/5db999fff545b924b24c9afd368ef5c17279b176
	https://git.kernel.org/stable/c/da72e783afd27d9f487836b2e6738146c0edd149
	https://git.kernel.org/stable/c/1171ceccabfd596ca370c5d2cbb47d110c3f2fe1
	https://git.kernel.org/stable/c/8aa37bde1a7b645816cda8b80df4753ecf172bf1

Impacted products

Vendor

Product

Version

Linux

Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Linux

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-42265",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T16:12:30.860612Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-12T17:33:05.845Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T22:02:59.813Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00003.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/file.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ed42e8ff509d2a61c6642d1825032072dab79f26",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "41a6c31df77bd8e050136b0a200b537da9e1084a",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "08775b3d6ed117cf4518754ec7300ee42b6a5368",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "3f480493550b6a23d3a65d095d6569d4a7f56a0f",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "5db999fff545b924b24c9afd368ef5c17279b176",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "da72e783afd27d9f487836b2e6738146c0edd149",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "1171ceccabfd596ca370c5d2cbb47d110c3f2fe1",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "8aa37bde1a7b645816cda8b80df4753ecf172bf1",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/file.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.320",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.282",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.224",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.165",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.104",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.45",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.10.*",
              "status": "unaffected",
              "version": "6.10.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.11",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.320",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.282",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.224",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.165",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.104",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.45",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.10.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nprotect the fetch of -\u003efd[fd] in do_dup2() from mispredictions\n\nboth callers have verified that fd is not greater than -\u003emax_fds;\nhowever, misprediction might end up with\n        tofree = fdt-\u003efd[fd];\nbeing speculatively executed.  That\u0027s wrong for the same reasons\nwhy it\u0027s wrong in close_fd()/file_close_fd_locked(); the same\nsolution applies - array_index_nospec(fd, fdt-\u003emax_fds) could differ\nfrom fd only in case of speculative execution on mispredicted path."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:25:30.332Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ed42e8ff509d2a61c6642d1825032072dab79f26"
        },
        {
          "url": "https://git.kernel.org/stable/c/41a6c31df77bd8e050136b0a200b537da9e1084a"
        },
        {
          "url": "https://git.kernel.org/stable/c/08775b3d6ed117cf4518754ec7300ee42b6a5368"
        },
        {
          "url": "https://git.kernel.org/stable/c/3f480493550b6a23d3a65d095d6569d4a7f56a0f"
        },
        {
          "url": "https://git.kernel.org/stable/c/5db999fff545b924b24c9afd368ef5c17279b176"
        },
        {
          "url": "https://git.kernel.org/stable/c/da72e783afd27d9f487836b2e6738146c0edd149"
        },
        {
          "url": "https://git.kernel.org/stable/c/1171ceccabfd596ca370c5d2cbb47d110c3f2fe1"
        },
        {
          "url": "https://git.kernel.org/stable/c/8aa37bde1a7b645816cda8b80df4753ecf172bf1"
        }
      ],
      "title": "protect the fetch of -\u003efd[fd] in do_dup2() from mispredictions",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-42265",
    "datePublished": "2024-08-17T08:54:21.636Z",
    "dateReserved": "2024-07-30T07:40:12.259Z",
    "dateUpdated": "2025-11-03T22:02:59.813Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38248 (GCVE-0-2025-38248)

Vulnerability from cvelistv5

Published

2025-07-09 10:42

Modified

2025-07-28 04:16

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: bridge: mcast: Fix use-after-free during router port configuration The bridge maintains a global list of ports behind which a multicast router resides. The list is consulted during forwarding to ensure multicast packets are forwarded to these ports even if the ports are not member in the matching MDB entry. When per-VLAN multicast snooping is enabled, the per-port multicast context is disabled on each port and the port is removed from the global router port list: # ip link add name br1 up type bridge vlan_filtering 1 mcast_snooping 1 # ip link add name dummy1 up master br1 type dummy # ip link set dev dummy1 type bridge_slave mcast_router 2 $ bridge -d mdb show | grep router router ports on br1: dummy1 # ip link set dev br1 type bridge mcast_vlan_snooping 1 $ bridge -d mdb show | grep router However, the port can be re-added to the global list even when per-VLAN multicast snooping is enabled: # ip link set dev dummy1 type bridge_slave mcast_router 0 # ip link set dev dummy1 type bridge_slave mcast_router 2 $ bridge -d mdb show | grep router router ports on br1: dummy1 Since commit 4b30ae9adb04 ("net: bridge: mcast: re-implement br_multicast_{enable, disable}_port functions"), when per-VLAN multicast snooping is enabled, multicast disablement on a port will disable the per-{port, VLAN} multicast contexts and not the per-port one. As a result, a port will remain in the global router port list even after it is deleted. This will lead to a use-after-free [1] when the list is traversed (when adding a new port to the list, for example): # ip link del dev dummy1 # ip link add name dummy2 up master br1 type dummy # ip link set dev dummy2 type bridge_slave mcast_router 2 Similarly, stale entries can also be found in the per-VLAN router port list. When per-VLAN multicast snooping is disabled, the per-{port, VLAN} contexts are disabled on each port and the port is removed from the per-VLAN router port list: # ip link add name br1 up type bridge vlan_filtering 1 mcast_snooping 1 mcast_vlan_snooping 1 # ip link add name dummy1 up master br1 type dummy # bridge vlan add vid 2 dev dummy1 # bridge vlan global set vid 2 dev br1 mcast_snooping 1 # bridge vlan set vid 2 dev dummy1 mcast_router 2 $ bridge vlan global show dev br1 vid 2 | grep router router ports: dummy1 # ip link set dev br1 type bridge mcast_vlan_snooping 0 $ bridge vlan global show dev br1 vid 2 | grep router However, the port can be re-added to the per-VLAN list even when per-VLAN multicast snooping is disabled: # bridge vlan set vid 2 dev dummy1 mcast_router 0 # bridge vlan set vid 2 dev dummy1 mcast_router 2 $ bridge vlan global show dev br1 vid 2 | grep router router ports: dummy1 When the VLAN is deleted from the port, the per-{port, VLAN} multicast context will not be disabled since multicast snooping is not enabled on the VLAN. As a result, the port will remain in the per-VLAN router port list even after it is no longer member in the VLAN. This will lead to a use-after-free [2] when the list is traversed (when adding a new port to the list, for example): # ip link add name dummy2 up master br1 type dummy # bridge vlan add vid 2 dev dummy2 # bridge vlan del vid 2 dev dummy1 # bridge vlan set vid 2 dev dummy2 mcast_router 2 Fix these issues by removing the port from the relevant (global or per-VLAN) router port list in br_multicast_port_ctx_deinit(). The function is invoked during port deletion with the per-port multicast context and during VLAN deletion with the per-{port, VLAN} multicast context. Note that deleting the multicast router timer is not enough as it only takes care of the temporary multicast router states (1 or 3) and not the permanent one (2). [1] BUG: KASAN: slab-out-of-bounds in br_multicast_add_router.part.0+0x3f1/0x560 Write of size 8 at addr ffff888004a67328 by task ip/384 [...] Call Trace: <TASK> dump_stack ---truncated---

References

URL

Tags

	https://git.kernel.org/stable/c/f05a4f9e959e0fc098046044c650acf897ea52d2
	https://git.kernel.org/stable/c/7544f3f5b0b58c396f374d060898b5939da31709

Impacted products

Vendor

Product

Version

Linux

Version: 2796d846d74a18cc6563e96eff8bf28c5e06f912
Version: 2796d846d74a18cc6563e96eff8bf28c5e06f912

Linux

Version: 5.15

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/bridge/br_multicast.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f05a4f9e959e0fc098046044c650acf897ea52d2",
              "status": "affected",
              "version": "2796d846d74a18cc6563e96eff8bf28c5e06f912",
              "versionType": "git"
            },
            {
              "lessThan": "7544f3f5b0b58c396f374d060898b5939da31709",
              "status": "affected",
              "version": "2796d846d74a18cc6563e96eff8bf28c5e06f912",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/bridge/br_multicast.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.15"
            },
            {
              "lessThan": "5.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.5",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbridge: mcast: Fix use-after-free during router port configuration\n\nThe bridge maintains a global list of ports behind which a multicast\nrouter resides. The list is consulted during forwarding to ensure\nmulticast packets are forwarded to these ports even if the ports are not\nmember in the matching MDB entry.\n\nWhen per-VLAN multicast snooping is enabled, the per-port multicast\ncontext is disabled on each port and the port is removed from the global\nrouter port list:\n\n # ip link add name br1 up type bridge vlan_filtering 1 mcast_snooping 1\n # ip link add name dummy1 up master br1 type dummy\n # ip link set dev dummy1 type bridge_slave mcast_router 2\n $ bridge -d mdb show | grep router\n router ports on br1: dummy1\n # ip link set dev br1 type bridge mcast_vlan_snooping 1\n $ bridge -d mdb show | grep router\n\nHowever, the port can be re-added to the global list even when per-VLAN\nmulticast snooping is enabled:\n\n # ip link set dev dummy1 type bridge_slave mcast_router 0\n # ip link set dev dummy1 type bridge_slave mcast_router 2\n $ bridge -d mdb show | grep router\n router ports on br1: dummy1\n\nSince commit 4b30ae9adb04 (\"net: bridge: mcast: re-implement\nbr_multicast_{enable, disable}_port functions\"), when per-VLAN multicast\nsnooping is enabled, multicast disablement on a port will disable the\nper-{port, VLAN} multicast contexts and not the per-port one. As a\nresult, a port will remain in the global router port list even after it\nis deleted. This will lead to a use-after-free [1] when the list is\ntraversed (when adding a new port to the list, for example):\n\n # ip link del dev dummy1\n # ip link add name dummy2 up master br1 type dummy\n # ip link set dev dummy2 type bridge_slave mcast_router 2\n\nSimilarly, stale entries can also be found in the per-VLAN router port\nlist. When per-VLAN multicast snooping is disabled, the per-{port, VLAN}\ncontexts are disabled on each port and the port is removed from the\nper-VLAN router port list:\n\n # ip link add name br1 up type bridge vlan_filtering 1 mcast_snooping 1 mcast_vlan_snooping 1\n # ip link add name dummy1 up master br1 type dummy\n # bridge vlan add vid 2 dev dummy1\n # bridge vlan global set vid 2 dev br1 mcast_snooping 1\n # bridge vlan set vid 2 dev dummy1 mcast_router 2\n $ bridge vlan global show dev br1 vid 2 | grep router\n       router ports: dummy1\n # ip link set dev br1 type bridge mcast_vlan_snooping 0\n $ bridge vlan global show dev br1 vid 2 | grep router\n\nHowever, the port can be re-added to the per-VLAN list even when\nper-VLAN multicast snooping is disabled:\n\n # bridge vlan set vid 2 dev dummy1 mcast_router 0\n # bridge vlan set vid 2 dev dummy1 mcast_router 2\n $ bridge vlan global show dev br1 vid 2 | grep router\n       router ports: dummy1\n\nWhen the VLAN is deleted from the port, the per-{port, VLAN} multicast\ncontext will not be disabled since multicast snooping is not enabled\non the VLAN. As a result, the port will remain in the per-VLAN router\nport list even after it is no longer member in the VLAN. This will lead\nto a use-after-free [2] when the list is traversed (when adding a new\nport to the list, for example):\n\n # ip link add name dummy2 up master br1 type dummy\n # bridge vlan add vid 2 dev dummy2\n # bridge vlan del vid 2 dev dummy1\n # bridge vlan set vid 2 dev dummy2 mcast_router 2\n\nFix these issues by removing the port from the relevant (global or\nper-VLAN) router port list in br_multicast_port_ctx_deinit(). The\nfunction is invoked during port deletion with the per-port multicast\ncontext and during VLAN deletion with the per-{port, VLAN} multicast\ncontext.\n\nNote that deleting the multicast router timer is not enough as it only\ntakes care of the temporary multicast router states (1 or 3) and not the\npermanent one (2).\n\n[1]\nBUG: KASAN: slab-out-of-bounds in br_multicast_add_router.part.0+0x3f1/0x560\nWrite of size 8 at addr ffff888004a67328 by task ip/384\n[...]\nCall Trace:\n \u003cTASK\u003e\n dump_stack\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:16:09.338Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f05a4f9e959e0fc098046044c650acf897ea52d2"
        },
        {
          "url": "https://git.kernel.org/stable/c/7544f3f5b0b58c396f374d060898b5939da31709"
        }
      ],
      "title": "bridge: mcast: Fix use-after-free during router port configuration",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38248",
    "datePublished": "2025-07-09T10:42:29.133Z",
    "dateReserved": "2025-04-16T04:51:23.997Z",
    "dateUpdated": "2025-07-28T04:16:09.338Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-23141 (GCVE-0-2025-23141)

Vulnerability from cvelistv5

Published

2025-05-01 12:55

Modified

2025-11-03 19:42

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses Acquire a lock on kvm->srcu when userspace is getting MP state to handle a rather extreme edge case where "accepting" APIC events, i.e. processing pending INIT or SIPI, can trigger accesses to guest memory. If the vCPU is in L2 with INIT *and* a TRIPLE_FAULT request pending, then getting MP state will trigger a nested VM-Exit by way of ->check_nested_events(), and emuating the nested VM-Exit can access guest memory. The splat was originally hit by syzkaller on a Google-internal kernel, and reproduced on an upstream kernel by hacking the triple_fault_event_test selftest to stuff a pending INIT, store an MSR on VM-Exit (to generate a memory access on VMX), and do vcpu_mp_state_get() to trigger the scenario. ============================= WARNING: suspicious RCU usage 6.14.0-rc3-b112d356288b-vmx/pi_lockdep_false_pos-lock #3 Not tainted ----------------------------- include/linux/kvm_host.h:1058 suspicious rcu_dereference_check() usage! other info that might help us debug this: rcu_scheduler_active = 2, debug_locks = 1 1 lock held by triple_fault_ev/1256: #0: ffff88810df5a330 (&vcpu->mutex){+.+.}-{4:4}, at: kvm_vcpu_ioctl+0x8b/0x9a0 [kvm] stack backtrace: CPU: 11 UID: 1000 PID: 1256 Comm: triple_fault_ev Not tainted 6.14.0-rc3-b112d356288b-vmx #3 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 Call Trace: <TASK> dump_stack_lvl+0x7f/0x90 lockdep_rcu_suspicious+0x144/0x190 kvm_vcpu_gfn_to_memslot+0x156/0x180 [kvm] kvm_vcpu_read_guest+0x3e/0x90 [kvm] read_and_check_msr_entry+0x2e/0x180 [kvm_intel] __nested_vmx_vmexit+0x550/0xde0 [kvm_intel] kvm_check_nested_events+0x1b/0x30 [kvm] kvm_apic_accept_events+0x33/0x100 [kvm] kvm_arch_vcpu_ioctl_get_mpstate+0x30/0x1d0 [kvm] kvm_vcpu_ioctl+0x33e/0x9a0 [kvm] __x64_sys_ioctl+0x8b/0xb0 do_syscall_64+0x6c/0x170 entry_SYSCALL_64_after_hwframe+0x4b/0x53 </TASK>

References

URL

Tags

	https://git.kernel.org/stable/c/0357c8406dfa09430dd9858ebe813feb65524b6e
	https://git.kernel.org/stable/c/8a3df0aa1087a89f5ce55f4aba816bfcb1ecf1be
	https://git.kernel.org/stable/c/7bc5c360375d28ba5ef6298b0d53e735c81d66a1
	https://git.kernel.org/stable/c/f5cbe725b7477b4cd677be1b86b4e08f90572997
	https://git.kernel.org/stable/c/592e040572f216d916f465047c8ce4a308fcca44
	https://git.kernel.org/stable/c/ef01cac401f18647d62720cf773d7bb0541827da

Impacted products

Vendor

Product

Version

Linux

Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Linux

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:42:27.035Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/kvm/x86.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0357c8406dfa09430dd9858ebe813feb65524b6e",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "8a3df0aa1087a89f5ce55f4aba816bfcb1ecf1be",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "7bc5c360375d28ba5ef6298b0d53e735c81d66a1",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "f5cbe725b7477b4cd677be1b86b4e08f90572997",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "592e040572f216d916f465047c8ce4a308fcca44",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "ef01cac401f18647d62720cf773d7bb0541827da",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/kvm/x86.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.135",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.24",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.135",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.88",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.24",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses\n\nAcquire a lock on kvm-\u003esrcu when userspace is getting MP state to handle a\nrather extreme edge case where \"accepting\" APIC events, i.e. processing\npending INIT or SIPI, can trigger accesses to guest memory.  If the vCPU\nis in L2 with INIT *and* a TRIPLE_FAULT request pending, then getting MP\nstate will trigger a nested VM-Exit by way of -\u003echeck_nested_events(), and\nemuating the nested VM-Exit can access guest memory.\n\nThe splat was originally hit by syzkaller on a Google-internal kernel, and\nreproduced on an upstream kernel by hacking the triple_fault_event_test\nselftest to stuff a pending INIT, store an MSR on VM-Exit (to generate a\nmemory access on VMX), and do vcpu_mp_state_get() to trigger the scenario.\n\n  =============================\n  WARNING: suspicious RCU usage\n  6.14.0-rc3-b112d356288b-vmx/pi_lockdep_false_pos-lock #3 Not tainted\n  -----------------------------\n  include/linux/kvm_host.h:1058 suspicious rcu_dereference_check() usage!\n\n  other info that might help us debug this:\n\n  rcu_scheduler_active = 2, debug_locks = 1\n  1 lock held by triple_fault_ev/1256:\n   #0: ffff88810df5a330 (\u0026vcpu-\u003emutex){+.+.}-{4:4}, at: kvm_vcpu_ioctl+0x8b/0x9a0 [kvm]\n\n  stack backtrace:\n  CPU: 11 UID: 1000 PID: 1256 Comm: triple_fault_ev Not tainted 6.14.0-rc3-b112d356288b-vmx #3\n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\n  Call Trace:\n   \u003cTASK\u003e\n   dump_stack_lvl+0x7f/0x90\n   lockdep_rcu_suspicious+0x144/0x190\n   kvm_vcpu_gfn_to_memslot+0x156/0x180 [kvm]\n   kvm_vcpu_read_guest+0x3e/0x90 [kvm]\n   read_and_check_msr_entry+0x2e/0x180 [kvm_intel]\n   __nested_vmx_vmexit+0x550/0xde0 [kvm_intel]\n   kvm_check_nested_events+0x1b/0x30 [kvm]\n   kvm_apic_accept_events+0x33/0x100 [kvm]\n   kvm_arch_vcpu_ioctl_get_mpstate+0x30/0x1d0 [kvm]\n   kvm_vcpu_ioctl+0x33e/0x9a0 [kvm]\n   __x64_sys_ioctl+0x8b/0xb0\n   do_syscall_64+0x6c/0x170\n   entry_SYSCALL_64_after_hwframe+0x4b/0x53\n   \u003c/TASK\u003e"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:19:20.200Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0357c8406dfa09430dd9858ebe813feb65524b6e"
        },
        {
          "url": "https://git.kernel.org/stable/c/8a3df0aa1087a89f5ce55f4aba816bfcb1ecf1be"
        },
        {
          "url": "https://git.kernel.org/stable/c/7bc5c360375d28ba5ef6298b0d53e735c81d66a1"
        },
        {
          "url": "https://git.kernel.org/stable/c/f5cbe725b7477b4cd677be1b86b4e08f90572997"
        },
        {
          "url": "https://git.kernel.org/stable/c/592e040572f216d916f465047c8ce4a308fcca44"
        },
        {
          "url": "https://git.kernel.org/stable/c/ef01cac401f18647d62720cf773d7bb0541827da"
        }
      ],
      "title": "KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-23141",
    "datePublished": "2025-05-01T12:55:31.525Z",
    "dateReserved": "2025-01-11T14:28:41.512Z",
    "dateUpdated": "2025-11-03T19:42:27.035Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-37852 (GCVE-0-2025-37852)

Vulnerability from cvelistv5

Published

2025-05-09 06:41

Modified

2025-11-03 19:56

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: handle amdgpu_cgs_create_device() errors in amd_powerplay_create() Add error handling to propagate amdgpu_cgs_create_device() failures to the caller. When amdgpu_cgs_create_device() fails, release hwmgr and return -ENOMEM to prevent null pointer dereference. [v1]->[v2]: Change error code from -EINVAL to -ENOMEM. Free hwmgr.

References

URL

Tags

	https://git.kernel.org/stable/c/55ef52c30c3e747f145a64de96192e37a8fed670
	https://git.kernel.org/stable/c/f8693e1bae9c08233a2f535c3f412e157df32b33
	https://git.kernel.org/stable/c/dc4380f34613eaae997b3ed263bd1cb3d0fd0075
	https://git.kernel.org/stable/c/22ea19cc089013b55c240134dbb2797700ff5a6a
	https://git.kernel.org/stable/c/b784734811438f11533e2fb9e0deb327844bdb56
	https://git.kernel.org/stable/c/1435e895d4fc967d64e9f5bf81e992ac32f5ac76

Impacted products

Vendor

Product

Version

Linux

Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Linux

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:56:29.052Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "55ef52c30c3e747f145a64de96192e37a8fed670",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "f8693e1bae9c08233a2f535c3f412e157df32b33",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "dc4380f34613eaae997b3ed263bd1cb3d0fd0075",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "22ea19cc089013b55c240134dbb2797700ff5a6a",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "b784734811438f11533e2fb9e0deb327844bdb56",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "1435e895d4fc967d64e9f5bf81e992ac32f5ac76",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.135",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.24",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.135",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.88",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.24",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: handle amdgpu_cgs_create_device() errors in amd_powerplay_create()\n\nAdd error handling to propagate amdgpu_cgs_create_device() failures\nto the caller. When amdgpu_cgs_create_device() fails, release hwmgr\nand return -ENOMEM to prevent null pointer dereference.\n\n[v1]-\u003e[v2]: Change error code from -EINVAL to -ENOMEM. Free hwmgr."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:22:18.508Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/55ef52c30c3e747f145a64de96192e37a8fed670"
        },
        {
          "url": "https://git.kernel.org/stable/c/f8693e1bae9c08233a2f535c3f412e157df32b33"
        },
        {
          "url": "https://git.kernel.org/stable/c/dc4380f34613eaae997b3ed263bd1cb3d0fd0075"
        },
        {
          "url": "https://git.kernel.org/stable/c/22ea19cc089013b55c240134dbb2797700ff5a6a"
        },
        {
          "url": "https://git.kernel.org/stable/c/b784734811438f11533e2fb9e0deb327844bdb56"
        },
        {
          "url": "https://git.kernel.org/stable/c/1435e895d4fc967d64e9f5bf81e992ac32f5ac76"
        }
      ],
      "title": "drm/amdgpu: handle amdgpu_cgs_create_device() errors in amd_powerplay_create()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37852",
    "datePublished": "2025-05-09T06:41:59.094Z",
    "dateReserved": "2025-04-16T04:51:23.955Z",
    "dateUpdated": "2025-11-03T19:56:29.052Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-37933 (GCVE-0-2025-37933)

Vulnerability from cvelistv5

Published

2025-05-20 15:21

Modified

2025-05-26 05:24

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: octeon_ep: Fix host hang issue during device reboot When the host loses heartbeat messages from the device, the driver calls the device-specific ndo_stop function, which frees the resources. If the driver is unloaded in this scenario, it calls ndo_stop again, attempting to free resources that have already been freed, leading to a host hang issue. To resolve this, dev_close should be called instead of the device-specific stop function.dev_close internally calls ndo_stop to stop the network interface and performs additional cleanup tasks. During the driver unload process, if the device is already down, ndo_stop is not called.

References

URL

Tags

	https://git.kernel.org/stable/c/7e1ca1bed3f66e00377f7d2147be390144924276
	https://git.kernel.org/stable/c/c8d788f800f83b94d9db8b3dacc1d26be38a6ef4
	https://git.kernel.org/stable/c/6d1052423518e7d0aece9af5e77bbc324face8f1
	https://git.kernel.org/stable/c/34f42736b325287a7b2ce37e415838f539767bda

Impacted products

Vendor

Product

Version

Linux

Version: 5cb96c29aa0ea359e4f5d30585538dc6a847d69d
Version: 5cb96c29aa0ea359e4f5d30585538dc6a847d69d
Version: 5cb96c29aa0ea359e4f5d30585538dc6a847d69d
Version: 5cb96c29aa0ea359e4f5d30585538dc6a847d69d

Linux

Version: 6.4

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/marvell/octeon_ep/octep_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "7e1ca1bed3f66e00377f7d2147be390144924276",
              "status": "affected",
              "version": "5cb96c29aa0ea359e4f5d30585538dc6a847d69d",
              "versionType": "git"
            },
            {
              "lessThan": "c8d788f800f83b94d9db8b3dacc1d26be38a6ef4",
              "status": "affected",
              "version": "5cb96c29aa0ea359e4f5d30585538dc6a847d69d",
              "versionType": "git"
            },
            {
              "lessThan": "6d1052423518e7d0aece9af5e77bbc324face8f1",
              "status": "affected",
              "version": "5cb96c29aa0ea359e4f5d30585538dc6a847d69d",
              "versionType": "git"
            },
            {
              "lessThan": "34f42736b325287a7b2ce37e415838f539767bda",
              "status": "affected",
              "version": "5cb96c29aa0ea359e4f5d30585538dc6a847d69d",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/marvell/octeon_ep/octep_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.4"
            },
            {
              "lessThan": "6.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.90",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.28",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.90",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.28",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.6",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nocteon_ep: Fix host hang issue during device reboot\n\nWhen the host loses heartbeat messages from the device,\nthe driver calls the device-specific ndo_stop function,\nwhich frees the resources. If the driver is unloaded in\nthis scenario, it calls ndo_stop again, attempting to free\nresources that have already been freed, leading to a host\nhang issue. To resolve this, dev_close should be called\ninstead of the device-specific stop function.dev_close\ninternally calls ndo_stop to stop the network interface\nand performs additional cleanup tasks. During the driver\nunload process, if the device is already down, ndo_stop\nis not called."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:24:01.206Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/7e1ca1bed3f66e00377f7d2147be390144924276"
        },
        {
          "url": "https://git.kernel.org/stable/c/c8d788f800f83b94d9db8b3dacc1d26be38a6ef4"
        },
        {
          "url": "https://git.kernel.org/stable/c/6d1052423518e7d0aece9af5e77bbc324face8f1"
        },
        {
          "url": "https://git.kernel.org/stable/c/34f42736b325287a7b2ce37e415838f539767bda"
        }
      ],
      "title": "octeon_ep: Fix host hang issue during device reboot",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37933",
    "datePublished": "2025-05-20T15:21:58.169Z",
    "dateReserved": "2025-04-16T04:51:23.970Z",
    "dateUpdated": "2025-05-26T05:24:01.206Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38305 (GCVE-0-2025-38305)

Vulnerability from cvelistv5

Published

2025-07-10 07:42

Modified

2025-11-03 17:36

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: ptp: remove ptp->n_vclocks check logic in ptp_vclock_in_use() There is no disagreement that we should check both ptp->is_virtual_clock and ptp->n_vclocks to check if the ptp virtual clock is in use. However, when we acquire ptp->n_vclocks_mux to read ptp->n_vclocks in ptp_vclock_in_use(), we observe a recursive lock in the call trace starting from n_vclocks_store(). ============================================ WARNING: possible recursive locking detected 6.15.0-rc6 #1 Not tainted -------------------------------------------- syz.0.1540/13807 is trying to acquire lock: ffff888035a24868 (&ptp->n_vclocks_mux){+.+.}-{4:4}, at: ptp_vclock_in_use drivers/ptp/ptp_private.h:103 [inline] ffff888035a24868 (&ptp->n_vclocks_mux){+.+.}-{4:4}, at: ptp_clock_unregister+0x21/0x250 drivers/ptp/ptp_clock.c:415 but task is already holding lock: ffff888030704868 (&ptp->n_vclocks_mux){+.+.}-{4:4}, at: n_vclocks_store+0xf1/0x6d0 drivers/ptp/ptp_sysfs.c:215 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(&ptp->n_vclocks_mux); lock(&ptp->n_vclocks_mux); *** DEADLOCK *** .... ============================================ The best way to solve this is to remove the logic that checks ptp->n_vclocks in ptp_vclock_in_use(). The reason why this is appropriate is that any path that uses ptp->n_vclocks must unconditionally check if ptp->n_vclocks is greater than 0 before unregistering vclocks, and all functions are already written this way. And in the function that uses ptp->n_vclocks, we already get ptp->n_vclocks_mux before unregistering vclocks. Therefore, we need to remove the redundant check for ptp->n_vclocks in ptp_vclock_in_use() to prevent recursive locking.

References

URL

Tags

	https://git.kernel.org/stable/c/5d217e7031a5c06d366580fc6ddbf43527b780d4
	https://git.kernel.org/stable/c/b1b73c452331451020be3bf4b014901015ae6663
	https://git.kernel.org/stable/c/259119595227fd20f6aa29d85abe086b6fdd9eb1
	https://git.kernel.org/stable/c/b93e6fef4eda48e17d9c642b9abad98a066fd4a3
	https://git.kernel.org/stable/c/ef8fc007c28a30a4c0d90bf755e0f343d99bb392
	https://git.kernel.org/stable/c/87f7ce260a3c838b49e1dc1ceedf1006795157a2

Impacted products

Vendor

Product

Version

Linux

Version: 73f37068d540eba5f93ba3a0019bf479d35ebd76
Version: 73f37068d540eba5f93ba3a0019bf479d35ebd76
Version: 73f37068d540eba5f93ba3a0019bf479d35ebd76
Version: 73f37068d540eba5f93ba3a0019bf479d35ebd76
Version: 73f37068d540eba5f93ba3a0019bf479d35ebd76
Version: 73f37068d540eba5f93ba3a0019bf479d35ebd76

Linux

Version: 5.14

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:36:22.602Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/ptp/ptp_private.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5d217e7031a5c06d366580fc6ddbf43527b780d4",
              "status": "affected",
              "version": "73f37068d540eba5f93ba3a0019bf479d35ebd76",
              "versionType": "git"
            },
            {
              "lessThan": "b1b73c452331451020be3bf4b014901015ae6663",
              "status": "affected",
              "version": "73f37068d540eba5f93ba3a0019bf479d35ebd76",
              "versionType": "git"
            },
            {
              "lessThan": "259119595227fd20f6aa29d85abe086b6fdd9eb1",
              "status": "affected",
              "version": "73f37068d540eba5f93ba3a0019bf479d35ebd76",
              "versionType": "git"
            },
            {
              "lessThan": "b93e6fef4eda48e17d9c642b9abad98a066fd4a3",
              "status": "affected",
              "version": "73f37068d540eba5f93ba3a0019bf479d35ebd76",
              "versionType": "git"
            },
            {
              "lessThan": "ef8fc007c28a30a4c0d90bf755e0f343d99bb392",
              "status": "affected",
              "version": "73f37068d540eba5f93ba3a0019bf479d35ebd76",
              "versionType": "git"
            },
            {
              "lessThan": "87f7ce260a3c838b49e1dc1ceedf1006795157a2",
              "status": "affected",
              "version": "73f37068d540eba5f93ba3a0019bf479d35ebd76",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/ptp/ptp_private.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.14"
            },
            {
              "lessThan": "5.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.94",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nptp: remove ptp-\u003en_vclocks check logic in ptp_vclock_in_use()\n\nThere is no disagreement that we should check both ptp-\u003eis_virtual_clock\nand ptp-\u003en_vclocks to check if the ptp virtual clock is in use.\n\nHowever, when we acquire ptp-\u003en_vclocks_mux to read ptp-\u003en_vclocks in\nptp_vclock_in_use(), we observe a recursive lock in the call trace\nstarting from n_vclocks_store().\n\n============================================\nWARNING: possible recursive locking detected\n6.15.0-rc6 #1 Not tainted\n--------------------------------------------\nsyz.0.1540/13807 is trying to acquire lock:\nffff888035a24868 (\u0026ptp-\u003en_vclocks_mux){+.+.}-{4:4}, at:\n ptp_vclock_in_use drivers/ptp/ptp_private.h:103 [inline]\nffff888035a24868 (\u0026ptp-\u003en_vclocks_mux){+.+.}-{4:4}, at:\n ptp_clock_unregister+0x21/0x250 drivers/ptp/ptp_clock.c:415\n\nbut task is already holding lock:\nffff888030704868 (\u0026ptp-\u003en_vclocks_mux){+.+.}-{4:4}, at:\n n_vclocks_store+0xf1/0x6d0 drivers/ptp/ptp_sysfs.c:215\n\nother info that might help us debug this:\n Possible unsafe locking scenario:\n\n       CPU0\n       ----\n  lock(\u0026ptp-\u003en_vclocks_mux);\n  lock(\u0026ptp-\u003en_vclocks_mux);\n\n *** DEADLOCK ***\n....\n============================================\n\nThe best way to solve this is to remove the logic that checks\nptp-\u003en_vclocks in ptp_vclock_in_use().\n\nThe reason why this is appropriate is that any path that uses\nptp-\u003en_vclocks must unconditionally check if ptp-\u003en_vclocks is greater\nthan 0 before unregistering vclocks, and all functions are already\nwritten this way. And in the function that uses ptp-\u003en_vclocks, we\nalready get ptp-\u003en_vclocks_mux before unregistering vclocks.\n\nTherefore, we need to remove the redundant check for ptp-\u003en_vclocks in\nptp_vclock_in_use() to prevent recursive locking."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:18:06.998Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/5d217e7031a5c06d366580fc6ddbf43527b780d4"
        },
        {
          "url": "https://git.kernel.org/stable/c/b1b73c452331451020be3bf4b014901015ae6663"
        },
        {
          "url": "https://git.kernel.org/stable/c/259119595227fd20f6aa29d85abe086b6fdd9eb1"
        },
        {
          "url": "https://git.kernel.org/stable/c/b93e6fef4eda48e17d9c642b9abad98a066fd4a3"
        },
        {
          "url": "https://git.kernel.org/stable/c/ef8fc007c28a30a4c0d90bf755e0f343d99bb392"
        },
        {
          "url": "https://git.kernel.org/stable/c/87f7ce260a3c838b49e1dc1ceedf1006795157a2"
        }
      ],
      "title": "ptp: remove ptp-\u003en_vclocks check logic in ptp_vclock_in_use()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38305",
    "datePublished": "2025-07-10T07:42:16.127Z",
    "dateReserved": "2025-04-16T04:51:24.002Z",
    "dateUpdated": "2025-11-03T17:36:22.602Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38426 (GCVE-0-2025-38426)

Vulnerability from cvelistv5

Published

2025-07-25 14:16

Modified

2025-07-28 11:16

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Add basic validation for RAS header If RAS header read from EEPROM is corrupted, it could result in trying to allocate huge memory for reading the records. Add some validation to header fields.

References

URL

Tags

	https://git.kernel.org/stable/c/b52f52bc5ba9feb026c0be600f8ac584fd12d187
	https://git.kernel.org/stable/c/5df0d6addb7e9b6f71f7162d1253762a5be9138e

Impacted products

Vendor

Product

Version

Linux

Version: 64f55e629237e4752db18df4d6969a69e3f4835a
Version: 64f55e629237e4752db18df4d6969a69e3f4835a

Linux

Version: 5.4

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/amdgpu/amdgpu_ras_eeprom.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b52f52bc5ba9feb026c0be600f8ac584fd12d187",
              "status": "affected",
              "version": "64f55e629237e4752db18df4d6969a69e3f4835a",
              "versionType": "git"
            },
            {
              "lessThan": "5df0d6addb7e9b6f71f7162d1253762a5be9138e",
              "status": "affected",
              "version": "64f55e629237e4752db18df4d6969a69e3f4835a",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/amdgpu/amdgpu_ras_eeprom.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.4"
            },
            {
              "lessThan": "5.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.4",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Add basic validation for RAS header\n\nIf RAS header read from EEPROM is corrupted, it could result in trying\nto allocate huge memory for reading the records. Add some validation to\nheader fields."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T11:16:57.653Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b52f52bc5ba9feb026c0be600f8ac584fd12d187"
        },
        {
          "url": "https://git.kernel.org/stable/c/5df0d6addb7e9b6f71f7162d1253762a5be9138e"
        }
      ],
      "title": "drm/amdgpu: Add basic validation for RAS header",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38426",
    "datePublished": "2025-07-25T14:16:46.482Z",
    "dateReserved": "2025-04-16T04:51:24.015Z",
    "dateUpdated": "2025-07-28T11:16:57.653Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-36348 (GCVE-0-2024-36348)

Vulnerability from cvelistv5

Published

2025-07-08 16:42

Modified

2025-11-04 21:08

Severity ?

3.8 (Low) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

CWE

CWE-1420 - Exposure of Sensitive Information during Transient Execution

Summary

A transient execution vulnerability in some AMD processors may allow a user process to infer the control registers speculatively even if UMIP feature is enabled, potentially resulting in information leakage.

References

URL

Tags

https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7029.html

Impacted products

Vendor

Product

Version

AMD

AMD EPYC™ 7002 Series Processors

Version: all

AMD	AMD EPYC™ 7003 Series Processors	Version: all
AMD	AMD EPYC™ 9004 Series Processors	Version: all
AMD	AMD EPYC™ 8004 Series Processors	Version: all
AMD	AMD EPYC™ 4004 Series Processors	Version: all
AMD	AMD EPYC™ 9V64H Processor	Version: all
AMD	AMD Ryzen™ 5000 Series Desktop Processors	Version: all
AMD	AMD Ryzen™ 5000 Series Desktop Processor with Radeon™ Graphics	Version: all
AMD	AMD Ryzen™ 3000 Series Desktop Processors	Version: all
AMD	AMD Athlon™ 3000 Series Desktop Processors with Radeon™ Graphics	Version: all
AMD	AMD Ryzen™ 7000 Series Desktop Processors	Version: all
AMD	AMD Ryzen™ 4000 Series Desktop Processor with Radeon™ Graphics	Version: all
AMD	AMD Ryzen™ 8000 Series Processor with Radeon™ Graphics	Version: all
AMD	AMD Ryzen™ Threadripper™ 3000 Series Processors	Version: all
AMD	AMD Ryzen™ Threadripper™ PRO 7000 WX-Series Processors	Version: all
AMD	AMD Ryzen™ Threadripper™ PRO 3000WX Series Processors	Version: all
AMD	AMD Ryzen™ Threadripper™ PRO 5000WX- Series Desktop Processors	Version: all
AMD	AMD Ryzen™ 7020 Series Processors with Radeon™ Graphics	Version: all
AMD	AMD Ryzen™ 6000 Series Processor with Radeon™ Graphics	Version: all
AMD	AMD Ryzen™ 7035 Series Processor with Radeon™ Graphics	Version: all
AMD	AMD Ryzen™ 7000 Series Processors with Radeon™ Graphics	Version: all
AMD	AMD Ryzen™ 7040 Series Processors with Radeon™ Graphics	Version: all
AMD	AMD Ryzen™ 8040 Series Mobile Processors with Radeon™ Graphics	Version: all
AMD	AMD Ryzen™ 7000 Series Mobile Processors	Version: all
AMD	AMD EPYC™ Embedded 7002 Series Processors	Version: all
AMD	AMD EPYC™ Embedded 7003 Series Processors	Version: all
AMD	AMD EPYC™ Embedded 8004 Series Processors	Version: all
AMD	AMD EPYC™ Embedded 9004 Series Processors	Version: all
AMD	AMD Ryzen™ Embedded 5000 Series Processors	Version: all
AMD	AMD Ryzen™ Embedded 7000 Series Processors	Version: all
AMD	AMD Ryzen™ Embedded V2000 Series Processors	Version: all
AMD	AMD Ryzen™ Embedded V3000 Series Processors	Version: all

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-36348",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-08T19:01:13.256423Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-08T19:01:28.169Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-04T21:08:38.170Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/08/28/2"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "AMD EPYC\u2122 7002 Series Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD EPYC\u2122 7003 Series Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD EPYC\u2122 9004 Series Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD EPYC\u2122 8004 Series Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD EPYC\u2122 4004 Series Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD EPYC\u2122 9V64H Processor",
          "vendor": "AMD",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 5000 Series Desktop Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 5000 Series Desktop Processor with Radeon\u2122 Graphics",
          "vendor": "AMD",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 3000 Series Desktop Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Athlon\u2122 3000 Series Desktop Processors with Radeon\u2122 Graphics",
          "vendor": "AMD",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 7000 Series Desktop Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 4000 Series Desktop Processor with Radeon\u2122 Graphics",
          "vendor": "AMD",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 8000 Series Processor with Radeon\u2122 Graphics",
          "vendor": "AMD",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 Threadripper\u2122 3000 Series Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 Threadripper\u2122 PRO 7000 WX-Series Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 Threadripper\u2122 PRO 3000WX Series Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 Threadripper\u2122 PRO 5000WX- Series Desktop Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 7020 Series Processors with Radeon\u2122 Graphics",
          "vendor": "AMD",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 6000 Series Processor with Radeon\u2122 Graphics",
          "vendor": "AMD",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 7035 Series Processor with Radeon\u2122 Graphics",
          "vendor": "AMD",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 7000 Series Processors with Radeon\u2122 Graphics",
          "vendor": "AMD",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 7040 Series Processors with Radeon\u2122 Graphics",
          "vendor": "AMD",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 8040 Series Mobile Processors with Radeon\u2122 Graphics",
          "vendor": "AMD",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 7000 Series Mobile Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD EPYC\u2122 Embedded 7002 Series Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD EPYC\u2122 Embedded 7003 Series Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD EPYC\u2122 Embedded 8004 Series Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD EPYC\u2122 Embedded 9004 Series Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 Embedded 5000 Series Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 Embedded 7000 Series Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 Embedded V2000 Series Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 Embedded V3000 Series Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        }
      ],
      "datePublic": "2025-07-08T16:06:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A transient execution vulnerability in some AMD processors may allow a user process to infer the control registers speculatively even if UMIP feature is enabled, potentially resulting in information leakage."
            }
          ],
          "value": "A transient execution vulnerability in some AMD processors may allow a user process to infer the control registers speculatively even if UMIP feature is enabled, potentially resulting in information leakage."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 3.8,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1420",
              "description": "CWE-1420  Exposure of Sensitive Information during Transient Execution",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-08T16:42:32.665Z",
        "orgId": "b58fc414-a1e4-4f92-9d70-1add41838648",
        "shortName": "AMD"
      },
      "references": [
        {
          "url": "https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7029.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b58fc414-a1e4-4f92-9d70-1add41838648",
    "assignerShortName": "AMD",
    "cveId": "CVE-2024-36348",
    "datePublished": "2025-07-08T16:42:32.665Z",
    "dateReserved": "2024-05-23T19:44:50.000Z",
    "dateUpdated": "2025-11-04T21:08:38.170Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38084 (GCVE-0-2025-38084)

Vulnerability from cvelistv5

Published

2025-06-28 07:44

Modified

2025-11-03 17:33

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: mm/hugetlb: unshare page tables during VMA split, not before Currently, __split_vma() triggers hugetlb page table unsharing through vm_ops->may_split(). This happens before the VMA lock and rmap locks are taken - which is too early, it allows racing VMA-locked page faults in our process and racing rmap walks from other processes to cause page tables to be shared again before we actually perform the split. Fix it by explicitly calling into the hugetlb unshare logic from __split_vma() in the same place where THP splitting also happens. At that point, both the VMA and the rmap(s) are write-locked. An annoying detail is that we can now call into the helper hugetlb_unshare_pmds() from two different locking contexts: 1. from hugetlb_split(), holding: - mmap lock (exclusively) - VMA lock - file rmap lock (exclusively) 2. hugetlb_unshare_all_pmds(), which I think is designed to be able to call us with only the mmap lock held (in shared mode), but currently only runs while holding mmap lock (exclusively) and VMA lock Backporting note: This commit fixes a racy protection that was introduced in commit b30c14cd6102 ("hugetlb: unshare some PMDs when splitting VMAs"); that commit claimed to fix an issue introduced in 5.13, but it should actually also go all the way back. [jannh@google.com: v2]

References

URL

Tags

	https://git.kernel.org/stable/c/e8847d18cd9fff1edbb45e963d9141273c3b539c
	https://git.kernel.org/stable/c/366298f2b04d2bf1f2f2b7078405bdf9df9bd5d0
	https://git.kernel.org/stable/c/2511ac64bc1617ca716d3ba8464e481a647c1902
	https://git.kernel.org/stable/c/af6cfcd0efb7f051af221c418ec8b37a10211947
	https://git.kernel.org/stable/c/9cf5b2a3b72c23fb7b84736d5d19ee6ea718762b
	https://git.kernel.org/stable/c/8a21d5584826f4880f45bbf8f72375f4e6c0ff2a
	https://git.kernel.org/stable/c/081056dc00a27bccb55ccc3c6f230a3d5fd3f7e0
	https://project-zero.issues.chromium.org/issues/420715744

Impacted products

Vendor

Product

Version

Linux

Version: 39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa
Version: 39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa
Version: 39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa
Version: 39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa
Version: 39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa
Version: 39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa
Version: 39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa

Linux

Version: 2.6.20

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:33:52.441Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/linux/hugetlb.h",
            "mm/hugetlb.c",
            "mm/vma.c",
            "tools/testing/vma/vma_internal.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e8847d18cd9fff1edbb45e963d9141273c3b539c",
              "status": "affected",
              "version": "39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa",
              "versionType": "git"
            },
            {
              "lessThan": "366298f2b04d2bf1f2f2b7078405bdf9df9bd5d0",
              "status": "affected",
              "version": "39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa",
              "versionType": "git"
            },
            {
              "lessThan": "2511ac64bc1617ca716d3ba8464e481a647c1902",
              "status": "affected",
              "version": "39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa",
              "versionType": "git"
            },
            {
              "lessThan": "af6cfcd0efb7f051af221c418ec8b37a10211947",
              "status": "affected",
              "version": "39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa",
              "versionType": "git"
            },
            {
              "lessThan": "9cf5b2a3b72c23fb7b84736d5d19ee6ea718762b",
              "status": "affected",
              "version": "39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa",
              "versionType": "git"
            },
            {
              "lessThan": "8a21d5584826f4880f45bbf8f72375f4e6c0ff2a",
              "status": "affected",
              "version": "39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa",
              "versionType": "git"
            },
            {
              "lessThan": "081056dc00a27bccb55ccc3c6f230a3d5fd3f7e0",
              "status": "affected",
              "version": "39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/linux/hugetlb.h",
            "mm/hugetlb.c",
            "mm/vma.c",
            "tools/testing/vma/vma_internal.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.20"
            },
            {
              "lessThan": "2.6.20",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.95",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.35",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "2.6.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "2.6.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "2.6.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.95",
                  "versionStartIncluding": "2.6.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.35",
                  "versionStartIncluding": "2.6.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.4",
                  "versionStartIncluding": "2.6.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "2.6.20",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/hugetlb: unshare page tables during VMA split, not before\n\nCurrently, __split_vma() triggers hugetlb page table unsharing through\nvm_ops-\u003emay_split().  This happens before the VMA lock and rmap locks are\ntaken - which is too early, it allows racing VMA-locked page faults in our\nprocess and racing rmap walks from other processes to cause page tables to\nbe shared again before we actually perform the split.\n\nFix it by explicitly calling into the hugetlb unshare logic from\n__split_vma() in the same place where THP splitting also happens.  At that\npoint, both the VMA and the rmap(s) are write-locked.\n\nAn annoying detail is that we can now call into the helper\nhugetlb_unshare_pmds() from two different locking contexts:\n\n1. from hugetlb_split(), holding:\n    - mmap lock (exclusively)\n    - VMA lock\n    - file rmap lock (exclusively)\n2. hugetlb_unshare_all_pmds(), which I think is designed to be able to\n   call us with only the mmap lock held (in shared mode), but currently\n   only runs while holding mmap lock (exclusively) and VMA lock\n\nBackporting note:\nThis commit fixes a racy protection that was introduced in commit\nb30c14cd6102 (\"hugetlb: unshare some PMDs when splitting VMAs\"); that\ncommit claimed to fix an issue introduced in 5.13, but it should actually\nalso go all the way back.\n\n[jannh@google.com: v2]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-30T05:58:56.193Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e8847d18cd9fff1edbb45e963d9141273c3b539c"
        },
        {
          "url": "https://git.kernel.org/stable/c/366298f2b04d2bf1f2f2b7078405bdf9df9bd5d0"
        },
        {
          "url": "https://git.kernel.org/stable/c/2511ac64bc1617ca716d3ba8464e481a647c1902"
        },
        {
          "url": "https://git.kernel.org/stable/c/af6cfcd0efb7f051af221c418ec8b37a10211947"
        },
        {
          "url": "https://git.kernel.org/stable/c/9cf5b2a3b72c23fb7b84736d5d19ee6ea718762b"
        },
        {
          "url": "https://git.kernel.org/stable/c/8a21d5584826f4880f45bbf8f72375f4e6c0ff2a"
        },
        {
          "url": "https://git.kernel.org/stable/c/081056dc00a27bccb55ccc3c6f230a3d5fd3f7e0"
        },
        {
          "url": "https://project-zero.issues.chromium.org/issues/420715744"
        }
      ],
      "title": "mm/hugetlb: unshare page tables during VMA split, not before",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38084",
    "datePublished": "2025-06-28T07:44:25.379Z",
    "dateReserved": "2025-04-16T04:51:23.981Z",
    "dateUpdated": "2025-11-03T17:33:52.441Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21881 (GCVE-0-2025-21881)

Vulnerability from cvelistv5

Published

2025-03-27 14:57

Modified

2025-11-03 19:38

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: uprobes: Reject the shared zeropage in uprobe_write_opcode() We triggered the following crash in syzkaller tests: BUG: Bad page state in process syz.7.38 pfn:1eff3 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1eff3 flags: 0x3fffff00004004(referenced|reserved|node=0|zone=1|lastcpupid=0x1fffff) raw: 003fffff00004004 ffffe6c6c07bfcc8 ffffe6c6c07bfcc8 0000000000000000 raw: 0000000000000000 0000000000000000 00000000fffffffe 0000000000000000 page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x32/0x50 bad_page+0x69/0xf0 free_unref_page_prepare+0x401/0x500 free_unref_page+0x6d/0x1b0 uprobe_write_opcode+0x460/0x8e0 install_breakpoint.part.0+0x51/0x80 register_for_each_vma+0x1d9/0x2b0 __uprobe_register+0x245/0x300 bpf_uprobe_multi_link_attach+0x29b/0x4f0 link_create+0x1e2/0x280 __sys_bpf+0x75f/0xac0 __x64_sys_bpf+0x1a/0x30 do_syscall_64+0x56/0x100 entry_SYSCALL_64_after_hwframe+0x78/0xe2 BUG: Bad rss-counter state mm:00000000452453e0 type:MM_FILEPAGES val:-1 The following syzkaller test case can be used to reproduce: r2 = creat(&(0x7f0000000000)='./file0\x00', 0x8) write$nbd(r2, &(0x7f0000000580)=ANY=[], 0x10) r4 = openat(0xffffffffffffff9c, &(0x7f0000000040)='./file0\x00', 0x42, 0x0) mmap$IORING_OFF_SQ_RING(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x0, 0x12, r4, 0x0) r5 = userfaultfd(0x80801) ioctl$UFFDIO_API(r5, 0xc018aa3f, &(0x7f0000000040)={0xaa, 0x20}) r6 = userfaultfd(0x80801) ioctl$UFFDIO_API(r6, 0xc018aa3f, &(0x7f0000000140)) ioctl$UFFDIO_REGISTER(r6, 0xc020aa00, &(0x7f0000000100)={{&(0x7f0000ffc000/0x4000)=nil, 0x4000}, 0x2}) ioctl$UFFDIO_ZEROPAGE(r5, 0xc020aa04, &(0x7f0000000000)={{&(0x7f0000ffd000/0x1000)=nil, 0x1000}}) r7 = bpf$PROG_LOAD(0x5, &(0x7f0000000140)={0x2, 0x3, &(0x7f0000000200)=ANY=[@ANYBLOB="1800000000120000000000000000000095"], &(0x7f0000000000)='GPL\x00', 0x7, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x30, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000040)={r7, 0x0, 0x30, 0x1e, @val=@uprobe_multi={&(0x7f0000000080)='./file0\x00', &(0x7f0000000100)=[0x2], 0x0, 0x0, 0x1}}, 0x40) The cause is that zero pfn is set to the PTE without increasing the RSS count in mfill_atomic_pte_zeropage() and the refcount of zero folio does not increase accordingly. Then, the operation on the same pfn is performed in uprobe_write_opcode()->__replace_page() to unconditional decrease the RSS count and old_folio's refcount. Therefore, two bugs are introduced: 1. The RSS count is incorrect, when process exit, the check_mm() report error "Bad rss-count". 2. The reserved folio (zero folio) is freed when folio->refcount is zero, then free_pages_prepare->free_page_is_bad() report error "Bad page state". There is more, the following warning could also theoretically be triggered: __replace_page() -> ... -> folio_remove_rmap_pte() -> VM_WARN_ON_FOLIO(is_zero_folio(folio), folio) Considering that uprobe hit on the zero folio is a very rare case, just reject zero old folio immediately after get_user_page_vma_remote(). [ mingo: Cleaned up the changelog ]

References

URL

Tags

	https://git.kernel.org/stable/c/c4cb2bfa99513311886c1eb5c1c2ac26f3338a6e
	https://git.kernel.org/stable/c/0b6f19714588cf2366b0364234f97ba963688f63
	https://git.kernel.org/stable/c/13cca2b73e2b0ec3ea6d6615d615395621d22752
	https://git.kernel.org/stable/c/54011fc94422f094eaf47555284de70a4bc32bb9
	https://git.kernel.org/stable/c/bddf10d26e6e5114e7415a0e442ec6f51a559468

Impacted products

Vendor

Product

Version

Linux

Version: 2b144498350860b6ee9dc57ff27a93ad488de5dc
Version: 2b144498350860b6ee9dc57ff27a93ad488de5dc
Version: 2b144498350860b6ee9dc57ff27a93ad488de5dc
Version: 2b144498350860b6ee9dc57ff27a93ad488de5dc
Version: 2b144498350860b6ee9dc57ff27a93ad488de5dc

Linux

Version: 3.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:38:38.879Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/events/uprobes.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c4cb2bfa99513311886c1eb5c1c2ac26f3338a6e",
              "status": "affected",
              "version": "2b144498350860b6ee9dc57ff27a93ad488de5dc",
              "versionType": "git"
            },
            {
              "lessThan": "0b6f19714588cf2366b0364234f97ba963688f63",
              "status": "affected",
              "version": "2b144498350860b6ee9dc57ff27a93ad488de5dc",
              "versionType": "git"
            },
            {
              "lessThan": "13cca2b73e2b0ec3ea6d6615d615395621d22752",
              "status": "affected",
              "version": "2b144498350860b6ee9dc57ff27a93ad488de5dc",
              "versionType": "git"
            },
            {
              "lessThan": "54011fc94422f094eaf47555284de70a4bc32bb9",
              "status": "affected",
              "version": "2b144498350860b6ee9dc57ff27a93ad488de5dc",
              "versionType": "git"
            },
            {
              "lessThan": "bddf10d26e6e5114e7415a0e442ec6f51a559468",
              "status": "affected",
              "version": "2b144498350860b6ee9dc57ff27a93ad488de5dc",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/events/uprobes.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.5"
            },
            {
              "lessThan": "3.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.130",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.81",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.18",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.130",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.81",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.18",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.6",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nuprobes: Reject the shared zeropage in uprobe_write_opcode()\n\nWe triggered the following crash in syzkaller tests:\n\n  BUG: Bad page state in process syz.7.38  pfn:1eff3\n  page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1eff3\n  flags: 0x3fffff00004004(referenced|reserved|node=0|zone=1|lastcpupid=0x1fffff)\n  raw: 003fffff00004004 ffffe6c6c07bfcc8 ffffe6c6c07bfcc8 0000000000000000\n  raw: 0000000000000000 0000000000000000 00000000fffffffe 0000000000000000\n  page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014\n  Call Trace:\n   \u003cTASK\u003e\n   dump_stack_lvl+0x32/0x50\n   bad_page+0x69/0xf0\n   free_unref_page_prepare+0x401/0x500\n   free_unref_page+0x6d/0x1b0\n   uprobe_write_opcode+0x460/0x8e0\n   install_breakpoint.part.0+0x51/0x80\n   register_for_each_vma+0x1d9/0x2b0\n   __uprobe_register+0x245/0x300\n   bpf_uprobe_multi_link_attach+0x29b/0x4f0\n   link_create+0x1e2/0x280\n   __sys_bpf+0x75f/0xac0\n   __x64_sys_bpf+0x1a/0x30\n   do_syscall_64+0x56/0x100\n   entry_SYSCALL_64_after_hwframe+0x78/0xe2\n\n   BUG: Bad rss-counter state mm:00000000452453e0 type:MM_FILEPAGES val:-1\n\nThe following syzkaller test case can be used to reproduce:\n\n  r2 = creat(\u0026(0x7f0000000000)=\u0027./file0\\x00\u0027, 0x8)\n  write$nbd(r2, \u0026(0x7f0000000580)=ANY=[], 0x10)\n  r4 = openat(0xffffffffffffff9c, \u0026(0x7f0000000040)=\u0027./file0\\x00\u0027, 0x42, 0x0)\n  mmap$IORING_OFF_SQ_RING(\u0026(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x0, 0x12, r4, 0x0)\n  r5 = userfaultfd(0x80801)\n  ioctl$UFFDIO_API(r5, 0xc018aa3f, \u0026(0x7f0000000040)={0xaa, 0x20})\n  r6 = userfaultfd(0x80801)\n  ioctl$UFFDIO_API(r6, 0xc018aa3f, \u0026(0x7f0000000140))\n  ioctl$UFFDIO_REGISTER(r6, 0xc020aa00, \u0026(0x7f0000000100)={{\u0026(0x7f0000ffc000/0x4000)=nil, 0x4000}, 0x2})\n  ioctl$UFFDIO_ZEROPAGE(r5, 0xc020aa04, \u0026(0x7f0000000000)={{\u0026(0x7f0000ffd000/0x1000)=nil, 0x1000}})\n  r7 = bpf$PROG_LOAD(0x5, \u0026(0x7f0000000140)={0x2, 0x3, \u0026(0x7f0000000200)=ANY=[@ANYBLOB=\"1800000000120000000000000000000095\"], \u0026(0x7f0000000000)=\u0027GPL\\x00\u0027, 0x7, 0x0, 0x0, 0x0, 0x0, \u0027\\x00\u0027, 0x0, @fallback=0x30, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94)\n  bpf$BPF_LINK_CREATE_XDP(0x1c, \u0026(0x7f0000000040)={r7, 0x0, 0x30, 0x1e, @val=@uprobe_multi={\u0026(0x7f0000000080)=\u0027./file0\\x00\u0027, \u0026(0x7f0000000100)=[0x2], 0x0, 0x0, 0x1}}, 0x40)\n\nThe cause is that zero pfn is set to the PTE without increasing the RSS\ncount in mfill_atomic_pte_zeropage() and the refcount of zero folio does\nnot increase accordingly. Then, the operation on the same pfn is performed\nin uprobe_write_opcode()-\u003e__replace_page() to unconditional decrease the\nRSS count and old_folio\u0027s refcount.\n\nTherefore, two bugs are introduced:\n\n 1. The RSS count is incorrect, when process exit, the check_mm() report\n    error \"Bad rss-count\".\n\n 2. The reserved folio (zero folio) is freed when folio-\u003erefcount is zero,\n    then free_pages_prepare-\u003efree_page_is_bad() report error\n    \"Bad page state\".\n\nThere is more, the following warning could also theoretically be triggered:\n\n  __replace_page()\n    -\u003e ...\n      -\u003e folio_remove_rmap_pte()\n        -\u003e VM_WARN_ON_FOLIO(is_zero_folio(folio), folio)\n\nConsidering that uprobe hit on the zero folio is a very rare case, just\nreject zero old folio immediately after get_user_page_vma_remote().\n\n[ mingo: Cleaned up the changelog ]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:23:14.242Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c4cb2bfa99513311886c1eb5c1c2ac26f3338a6e"
        },
        {
          "url": "https://git.kernel.org/stable/c/0b6f19714588cf2366b0364234f97ba963688f63"
        },
        {
          "url": "https://git.kernel.org/stable/c/13cca2b73e2b0ec3ea6d6615d615395621d22752"
        },
        {
          "url": "https://git.kernel.org/stable/c/54011fc94422f094eaf47555284de70a4bc32bb9"
        },
        {
          "url": "https://git.kernel.org/stable/c/bddf10d26e6e5114e7415a0e442ec6f51a559468"
        }
      ],
      "title": "uprobes: Reject the shared zeropage in uprobe_write_opcode()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21881",
    "datePublished": "2025-03-27T14:57:10.241Z",
    "dateReserved": "2024-12-29T08:45:45.782Z",
    "dateUpdated": "2025-11-03T19:38:38.879Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38226 (GCVE-0-2025-38226)

Vulnerability from cvelistv5

Published

2025-07-04 13:37

Modified

2025-11-03 17:35

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: media: vivid: Change the siize of the composing syzkaller found a bug: BUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2608 [inline] BUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_buffer+0x1a9c/0x5af0 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2705 Write of size 1440 at addr ffffc9000d0ffda0 by task vivid-000-vid-c/5304 CPU: 0 UID: 0 PID: 5304 Comm: vivid-000-vid-c Not tainted 6.14.0-rc2-syzkaller-00039-g09fbf3d50205 #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x169/0x550 mm/kasan/report.c:489 kasan_report+0x143/0x180 mm/kasan/report.c:602 kasan_check_range+0x282/0x290 mm/kasan/generic.c:189 __asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106 tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2608 [inline] tpg_fill_plane_buffer+0x1a9c/0x5af0 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2705 vivid_fillbuff drivers/media/test-drivers/vivid/vivid-kthread-cap.c:470 [inline] vivid_thread_vid_cap_tick+0xf8e/0x60d0 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:629 vivid_thread_vid_cap+0x8aa/0xf30 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:767 kthread+0x7a9/0x920 kernel/kthread.c:464 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> The composition size cannot be larger than the size of fmt_cap_rect. So execute v4l2_rect_map_inside() even if has_compose_cap == 0.

References

URL

Tags

	https://git.kernel.org/stable/c/57597d8db5bbda618ba2145b7e8a7e6f01b6a27e
	https://git.kernel.org/stable/c/635cea4f44c1ddae208666772c164eab5a6bce39
	https://git.kernel.org/stable/c/89b5ab822bf69867c3951dd0eb34b0314c38966b
	https://git.kernel.org/stable/c/5d89aa42534723400fefd46e26e053b9c382b4ee
	https://git.kernel.org/stable/c/f6b1b0f8ba0b61d8b511df5649d57235f230c135
	https://git.kernel.org/stable/c/00da1c767a6567e56f23dda586847586868ac064
	https://git.kernel.org/stable/c/c56398885716d97ee9bcadb2bc9663a8c1757a34
	https://git.kernel.org/stable/c/f83ac8d30c43fd902af7c84c480f216157b60ef0

Impacted products

Vendor

Product

Version

Linux

Version: 54f259906039dbfe46c550011409fa16f72370f6
Version: f9d19f3a044ca651b0be52a4bf951ffe74259b9f
Version: ab54081a2843aefb837812fac5488cc8f1696142
Version: 2f558c5208b0f70c8140e08ce09fcc84da48e789
Version: 94a7ad9283464b75b12516c5512541d467cefcf8
Version: 94a7ad9283464b75b12516c5512541d467cefcf8
Version: 94a7ad9283464b75b12516c5512541d467cefcf8
Version: 94a7ad9283464b75b12516c5512541d467cefcf8
Version: 8c0ee15d9a102c732d0745566d254040085d5663
Version: 5edc3604151919da8da0fb092b71d7dce07d848a
Version: 9c7fba9503b826f0c061d136f8f0c9f953ed18b9
Version: ccb5392c4fea0e7d9f7ab35567e839d74cb3998b

Linux

Version: 6.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:35:42.979Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/test-drivers/vivid/vivid-vid-cap.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "57597d8db5bbda618ba2145b7e8a7e6f01b6a27e",
              "status": "affected",
              "version": "54f259906039dbfe46c550011409fa16f72370f6",
              "versionType": "git"
            },
            {
              "lessThan": "635cea4f44c1ddae208666772c164eab5a6bce39",
              "status": "affected",
              "version": "f9d19f3a044ca651b0be52a4bf951ffe74259b9f",
              "versionType": "git"
            },
            {
              "lessThan": "89b5ab822bf69867c3951dd0eb34b0314c38966b",
              "status": "affected",
              "version": "ab54081a2843aefb837812fac5488cc8f1696142",
              "versionType": "git"
            },
            {
              "lessThan": "5d89aa42534723400fefd46e26e053b9c382b4ee",
              "status": "affected",
              "version": "2f558c5208b0f70c8140e08ce09fcc84da48e789",
              "versionType": "git"
            },
            {
              "lessThan": "f6b1b0f8ba0b61d8b511df5649d57235f230c135",
              "status": "affected",
              "version": "94a7ad9283464b75b12516c5512541d467cefcf8",
              "versionType": "git"
            },
            {
              "lessThan": "00da1c767a6567e56f23dda586847586868ac064",
              "status": "affected",
              "version": "94a7ad9283464b75b12516c5512541d467cefcf8",
              "versionType": "git"
            },
            {
              "lessThan": "c56398885716d97ee9bcadb2bc9663a8c1757a34",
              "status": "affected",
              "version": "94a7ad9283464b75b12516c5512541d467cefcf8",
              "versionType": "git"
            },
            {
              "lessThan": "f83ac8d30c43fd902af7c84c480f216157b60ef0",
              "status": "affected",
              "version": "94a7ad9283464b75b12516c5512541d467cefcf8",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "8c0ee15d9a102c732d0745566d254040085d5663",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "5edc3604151919da8da0fb092b71d7dce07d848a",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "9c7fba9503b826f0c061d136f8f0c9f953ed18b9",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "ccb5392c4fea0e7d9f7ab35567e839d74cb3998b",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/test-drivers/vivid/vivid-vid-cap.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.2"
            },
            {
              "lessThan": "6.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.296",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.95",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.35",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.296",
                  "versionStartIncluding": "5.4.229",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "5.10.163",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "5.15.86",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "6.1.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.95",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.35",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.4",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.9.337",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.14.303",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.19.270",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.0.16",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: vivid: Change the siize of the composing\n\nsyzkaller found a bug:\n\nBUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2608 [inline]\nBUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_buffer+0x1a9c/0x5af0 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2705\nWrite of size 1440 at addr ffffc9000d0ffda0 by task vivid-000-vid-c/5304\n\nCPU: 0 UID: 0 PID: 5304 Comm: vivid-000-vid-c Not tainted 6.14.0-rc2-syzkaller-00039-g09fbf3d50205 #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\n\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:489\n kasan_report+0x143/0x180 mm/kasan/report.c:602\n kasan_check_range+0x282/0x290 mm/kasan/generic.c:189\n __asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106\n tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2608 [inline]\n tpg_fill_plane_buffer+0x1a9c/0x5af0 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2705\n vivid_fillbuff drivers/media/test-drivers/vivid/vivid-kthread-cap.c:470 [inline]\n vivid_thread_vid_cap_tick+0xf8e/0x60d0 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:629\n vivid_thread_vid_cap+0x8aa/0xf30 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:767\n kthread+0x7a9/0x920 kernel/kthread.c:464\n ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:148\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n \u003c/TASK\u003e\n\nThe composition size cannot be larger than the size of fmt_cap_rect.\nSo execute v4l2_rect_map_inside() even if has_compose_cap == 0."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:15:39.756Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/57597d8db5bbda618ba2145b7e8a7e6f01b6a27e"
        },
        {
          "url": "https://git.kernel.org/stable/c/635cea4f44c1ddae208666772c164eab5a6bce39"
        },
        {
          "url": "https://git.kernel.org/stable/c/89b5ab822bf69867c3951dd0eb34b0314c38966b"
        },
        {
          "url": "https://git.kernel.org/stable/c/5d89aa42534723400fefd46e26e053b9c382b4ee"
        },
        {
          "url": "https://git.kernel.org/stable/c/f6b1b0f8ba0b61d8b511df5649d57235f230c135"
        },
        {
          "url": "https://git.kernel.org/stable/c/00da1c767a6567e56f23dda586847586868ac064"
        },
        {
          "url": "https://git.kernel.org/stable/c/c56398885716d97ee9bcadb2bc9663a8c1757a34"
        },
        {
          "url": "https://git.kernel.org/stable/c/f83ac8d30c43fd902af7c84c480f216157b60ef0"
        }
      ],
      "title": "media: vivid: Change the siize of the composing",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38226",
    "datePublished": "2025-07-04T13:37:40.977Z",
    "dateReserved": "2025-04-16T04:51:23.995Z",
    "dateUpdated": "2025-11-03T17:35:42.979Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38145 (GCVE-0-2025-38145)

Vulnerability from cvelistv5

Published

2025-07-03 08:35

Modified

2025-11-03 17:34

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: soc: aspeed: Add NULL check in aspeed_lpc_enable_snoop() devm_kasprintf() returns NULL when memory allocation fails. Currently, aspeed_lpc_enable_snoop() does not check for this case, which results in a NULL pointer dereference. Add NULL check after devm_kasprintf() to prevent this issue. [arj: Fix Fixes: tag to use subject from 3772e5da4454]

References

URL

Tags

	https://git.kernel.org/stable/c/2beee9cf833374550e673d428ad8b6ab37c175b3
	https://git.kernel.org/stable/c/c550999f939b529d28a914d5034cc4290066aea6
	https://git.kernel.org/stable/c/1fd889c145722579aa038c31cbc07cfdd4d75166
	https://git.kernel.org/stable/c/d62a589eaaec6385e3e2b25cf5a28b4560ace93f
	https://git.kernel.org/stable/c/8312b1f776f71979bf33bda7acc05b348e8792c7
	https://git.kernel.org/stable/c/f697ef117ecbf3a367dfc559a6a3589905956530
	https://git.kernel.org/stable/c/45b2e8b0fdd280aba04c3cc869e9ae500c44e4b7
	https://git.kernel.org/stable/c/f1706e0e1a74b095cbc60375b9b1e6205f5f4c98

Impacted products

Vendor

Product

Version

Linux

Version: 3772e5da445420543b25825ac2b5971f3743f6e8
Version: 3772e5da445420543b25825ac2b5971f3743f6e8
Version: 3772e5da445420543b25825ac2b5971f3743f6e8
Version: 3772e5da445420543b25825ac2b5971f3743f6e8
Version: 3772e5da445420543b25825ac2b5971f3743f6e8
Version: 3772e5da445420543b25825ac2b5971f3743f6e8
Version: 3772e5da445420543b25825ac2b5971f3743f6e8
Version: 3772e5da445420543b25825ac2b5971f3743f6e8

Linux

Version: 4.19

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:34:35.777Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/soc/aspeed/aspeed-lpc-snoop.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "2beee9cf833374550e673d428ad8b6ab37c175b3",
              "status": "affected",
              "version": "3772e5da445420543b25825ac2b5971f3743f6e8",
              "versionType": "git"
            },
            {
              "lessThan": "c550999f939b529d28a914d5034cc4290066aea6",
              "status": "affected",
              "version": "3772e5da445420543b25825ac2b5971f3743f6e8",
              "versionType": "git"
            },
            {
              "lessThan": "1fd889c145722579aa038c31cbc07cfdd4d75166",
              "status": "affected",
              "version": "3772e5da445420543b25825ac2b5971f3743f6e8",
              "versionType": "git"
            },
            {
              "lessThan": "d62a589eaaec6385e3e2b25cf5a28b4560ace93f",
              "status": "affected",
              "version": "3772e5da445420543b25825ac2b5971f3743f6e8",
              "versionType": "git"
            },
            {
              "lessThan": "8312b1f776f71979bf33bda7acc05b348e8792c7",
              "status": "affected",
              "version": "3772e5da445420543b25825ac2b5971f3743f6e8",
              "versionType": "git"
            },
            {
              "lessThan": "f697ef117ecbf3a367dfc559a6a3589905956530",
              "status": "affected",
              "version": "3772e5da445420543b25825ac2b5971f3743f6e8",
              "versionType": "git"
            },
            {
              "lessThan": "45b2e8b0fdd280aba04c3cc869e9ae500c44e4b7",
              "status": "affected",
              "version": "3772e5da445420543b25825ac2b5971f3743f6e8",
              "versionType": "git"
            },
            {
              "lessThan": "f1706e0e1a74b095cbc60375b9b1e6205f5f4c98",
              "status": "affected",
              "version": "3772e5da445420543b25825ac2b5971f3743f6e8",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/soc/aspeed/aspeed-lpc-snoop.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.19"
            },
            {
              "lessThan": "4.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.295",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.295",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.94",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: aspeed: Add NULL check in aspeed_lpc_enable_snoop()\n\ndevm_kasprintf() returns NULL when memory allocation fails. Currently,\naspeed_lpc_enable_snoop() does not check for this case, which results in a\nNULL pointer dereference.\n\nAdd NULL check after devm_kasprintf() to prevent this issue.\n\n[arj: Fix Fixes: tag to use subject from 3772e5da4454]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:13:26.787Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/2beee9cf833374550e673d428ad8b6ab37c175b3"
        },
        {
          "url": "https://git.kernel.org/stable/c/c550999f939b529d28a914d5034cc4290066aea6"
        },
        {
          "url": "https://git.kernel.org/stable/c/1fd889c145722579aa038c31cbc07cfdd4d75166"
        },
        {
          "url": "https://git.kernel.org/stable/c/d62a589eaaec6385e3e2b25cf5a28b4560ace93f"
        },
        {
          "url": "https://git.kernel.org/stable/c/8312b1f776f71979bf33bda7acc05b348e8792c7"
        },
        {
          "url": "https://git.kernel.org/stable/c/f697ef117ecbf3a367dfc559a6a3589905956530"
        },
        {
          "url": "https://git.kernel.org/stable/c/45b2e8b0fdd280aba04c3cc869e9ae500c44e4b7"
        },
        {
          "url": "https://git.kernel.org/stable/c/f1706e0e1a74b095cbc60375b9b1e6205f5f4c98"
        }
      ],
      "title": "soc: aspeed: Add NULL check in aspeed_lpc_enable_snoop()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38145",
    "datePublished": "2025-07-03T08:35:51.566Z",
    "dateReserved": "2025-04-16T04:51:23.988Z",
    "dateUpdated": "2025-11-03T17:34:35.777Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-37953 (GCVE-0-2025-37953)

Vulnerability from cvelistv5

Published

2025-05-20 16:01

Modified

2025-11-03 19:57

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: sch_htb: make htb_deactivate() idempotent Alan reported a NULL pointer dereference in htb_next_rb_node() after we made htb_qlen_notify() idempotent. It turns out in the following case it introduced some regression: htb_dequeue_tree(): |-> fq_codel_dequeue() |-> qdisc_tree_reduce_backlog() |-> htb_qlen_notify() |-> htb_deactivate() |-> htb_next_rb_node() |-> htb_deactivate() For htb_next_rb_node(), after calling the 1st htb_deactivate(), the clprio[prio]->ptr could be already set to NULL, which means htb_next_rb_node() is vulnerable here. For htb_deactivate(), although we checked qlen before calling it, in case of qlen==0 after qdisc_tree_reduce_backlog(), we may call it again which triggers the warning inside. To fix the issues here, we need to: 1) Make htb_deactivate() idempotent, that is, simply return if we already call it before. 2) Make htb_next_rb_node() safe against ptr==NULL. Many thanks to Alan for testing and for the reproducer.

References

URL

Tags

	https://git.kernel.org/stable/c/99ff8a20fd61315bf9ae627440a5ff07d22ee153
	https://git.kernel.org/stable/c/a9945f7cf1709adc5d2d31cb6cfc85627ce299a8
	https://git.kernel.org/stable/c/c2d25fddd867ce20a266806634eeeb5c30cb520c
	https://git.kernel.org/stable/c/c928dd4f6bf0c25c72b11824a1e9ac9bd37296a0
	https://git.kernel.org/stable/c/31ff70ad39485698cf779f2078132d80b57f6c07
	https://git.kernel.org/stable/c/98cd7ed92753090a714f0802d4434314526fe61d
	https://git.kernel.org/stable/c/c4792b9e38d2f61b07eac72f10909fa76130314b
	https://git.kernel.org/stable/c/3769478610135e82b262640252d90f6efb05be71

Impacted products

Vendor

Product

Version

Linux

Version: e6b45f4de763b00dc1c55e685e2dd1aaf525d3c1
Version: 32ae12ce6a9f6bace186ca7335220ff59b6cc3cd
Version: 967955c9e57f8eebfccc298037d4aaf3d42bc1c9
Version: 73cf6af13153d62f9b76eff422eea79dbc70f15e
Version: bbbf5e0f87078b715e7a665d662a2c0e77f044ae
Version: 0a188c0e197383683fd093ab1ea6ce9a5869a6ea
Version: a61f1b5921761fbaf166231418bc1db301e5bf59
Version: 5ba8b837b522d7051ef81bacf3d95383ff8edce5

Linux

Version: 6.1.138   ≤
Version: 6.6.90   ≤
Version: 6.12.28   ≤
Version: 6.14.6   ≤

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:57:42.885Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_htb.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "99ff8a20fd61315bf9ae627440a5ff07d22ee153",
              "status": "affected",
              "version": "e6b45f4de763b00dc1c55e685e2dd1aaf525d3c1",
              "versionType": "git"
            },
            {
              "lessThan": "a9945f7cf1709adc5d2d31cb6cfc85627ce299a8",
              "status": "affected",
              "version": "32ae12ce6a9f6bace186ca7335220ff59b6cc3cd",
              "versionType": "git"
            },
            {
              "lessThan": "c2d25fddd867ce20a266806634eeeb5c30cb520c",
              "status": "affected",
              "version": "967955c9e57f8eebfccc298037d4aaf3d42bc1c9",
              "versionType": "git"
            },
            {
              "lessThan": "c928dd4f6bf0c25c72b11824a1e9ac9bd37296a0",
              "status": "affected",
              "version": "73cf6af13153d62f9b76eff422eea79dbc70f15e",
              "versionType": "git"
            },
            {
              "lessThan": "31ff70ad39485698cf779f2078132d80b57f6c07",
              "status": "affected",
              "version": "bbbf5e0f87078b715e7a665d662a2c0e77f044ae",
              "versionType": "git"
            },
            {
              "lessThan": "98cd7ed92753090a714f0802d4434314526fe61d",
              "status": "affected",
              "version": "0a188c0e197383683fd093ab1ea6ce9a5869a6ea",
              "versionType": "git"
            },
            {
              "lessThan": "c4792b9e38d2f61b07eac72f10909fa76130314b",
              "status": "affected",
              "version": "a61f1b5921761fbaf166231418bc1db301e5bf59",
              "versionType": "git"
            },
            {
              "lessThan": "3769478610135e82b262640252d90f6efb05be71",
              "status": "affected",
              "version": "5ba8b837b522d7051ef81bacf3d95383ff8edce5",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_htb.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6.1.139",
              "status": "affected",
              "version": "6.1.138",
              "versionType": "semver"
            },
            {
              "lessThan": "6.6.91",
              "status": "affected",
              "version": "6.6.90",
              "versionType": "semver"
            },
            {
              "lessThan": "6.12.29",
              "status": "affected",
              "version": "6.12.28",
              "versionType": "semver"
            },
            {
              "lessThan": "6.14.7",
              "status": "affected",
              "version": "6.14.6",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.139",
                  "versionStartIncluding": "6.1.138",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.91",
                  "versionStartIncluding": "6.6.90",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.29",
                  "versionStartIncluding": "6.12.28",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.7",
                  "versionStartIncluding": "6.14.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsch_htb: make htb_deactivate() idempotent\n\nAlan reported a NULL pointer dereference in htb_next_rb_node()\nafter we made htb_qlen_notify() idempotent.\n\nIt turns out in the following case it introduced some regression:\n\nhtb_dequeue_tree():\n  |-\u003e fq_codel_dequeue()\n    |-\u003e qdisc_tree_reduce_backlog()\n      |-\u003e htb_qlen_notify()\n        |-\u003e htb_deactivate()\n  |-\u003e htb_next_rb_node()\n  |-\u003e htb_deactivate()\n\nFor htb_next_rb_node(), after calling the 1st htb_deactivate(), the\nclprio[prio]-\u003eptr could be already set to  NULL, which means\nhtb_next_rb_node() is vulnerable here.\n\nFor htb_deactivate(), although we checked qlen before calling it, in\ncase of qlen==0 after qdisc_tree_reduce_backlog(), we may call it again\nwhich triggers the warning inside.\n\nTo fix the issues here, we need to:\n\n1) Make htb_deactivate() idempotent, that is, simply return if we\n   already call it before.\n2) Make htb_next_rb_node() safe against ptr==NULL.\n\nMany thanks to Alan for testing and for the reproducer."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-28T14:42:55.095Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/99ff8a20fd61315bf9ae627440a5ff07d22ee153"
        },
        {
          "url": "https://git.kernel.org/stable/c/a9945f7cf1709adc5d2d31cb6cfc85627ce299a8"
        },
        {
          "url": "https://git.kernel.org/stable/c/c2d25fddd867ce20a266806634eeeb5c30cb520c"
        },
        {
          "url": "https://git.kernel.org/stable/c/c928dd4f6bf0c25c72b11824a1e9ac9bd37296a0"
        },
        {
          "url": "https://git.kernel.org/stable/c/31ff70ad39485698cf779f2078132d80b57f6c07"
        },
        {
          "url": "https://git.kernel.org/stable/c/98cd7ed92753090a714f0802d4434314526fe61d"
        },
        {
          "url": "https://git.kernel.org/stable/c/c4792b9e38d2f61b07eac72f10909fa76130314b"
        },
        {
          "url": "https://git.kernel.org/stable/c/3769478610135e82b262640252d90f6efb05be71"
        }
      ],
      "title": "sch_htb: make htb_deactivate() idempotent",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37953",
    "datePublished": "2025-05-20T16:01:47.818Z",
    "dateReserved": "2025-04-16T04:51:23.973Z",
    "dateUpdated": "2025-11-03T19:57:42.885Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38373 (GCVE-0-2025-38373)

Vulnerability from cvelistv5

Published

2025-07-25 12:53

Modified

2025-07-28 04:20

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: IB/mlx5: Fix potential deadlock in MR deregistration The issue arises when kzalloc() is invoked while holding umem_mutex or any other lock acquired under umem_mutex. This is problematic because kzalloc() can trigger fs_reclaim_aqcuire(), which may, in turn, invoke mmu_notifier_invalidate_range_start(). This function can lead to mlx5_ib_invalidate_range(), which attempts to acquire umem_mutex again, resulting in a deadlock. The problematic flow: CPU0 | CPU1 ---------------------------------------|------------------------------------------------ mlx5_ib_dereg_mr() | → revoke_mr() | → mutex_lock(&umem_odp->umem_mutex) | | mlx5_mkey_cache_init() | → mutex_lock(&dev->cache.rb_lock) | → mlx5r_cache_create_ent_locked() | → kzalloc(GFP_KERNEL) | → fs_reclaim() | → mmu_notifier_invalidate_range_start() | → mlx5_ib_invalidate_range() | → mutex_lock(&umem_odp->umem_mutex) → cache_ent_find_and_store() | → mutex_lock(&dev->cache.rb_lock) | Additionally, when kzalloc() is called from within cache_ent_find_and_store(), we encounter the same deadlock due to re-acquisition of umem_mutex. Solve by releasing umem_mutex in dereg_mr() after umr_revoke_mr() and before acquiring rb_lock. This ensures that we don't hold umem_mutex while performing memory allocations that could trigger the reclaim path. This change prevents the deadlock by ensuring proper lock ordering and avoiding holding locks during memory allocation operations that could trigger the reclaim path. The following lockdep warning demonstrates the deadlock: python3/20557 is trying to acquire lock: ffff888387542128 (&umem_odp->umem_mutex){+.+.}-{4:4}, at: mlx5_ib_invalidate_range+0x5b/0x550 [mlx5_ib] but task is already holding lock: ffffffff82f6b840 (mmu_notifier_invalidate_range_start){+.+.}-{0:0}, at: unmap_vmas+0x7b/0x1a0 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #3 (mmu_notifier_invalidate_range_start){+.+.}-{0:0}: fs_reclaim_acquire+0x60/0xd0 mem_cgroup_css_alloc+0x6f/0x9b0 cgroup_init_subsys+0xa4/0x240 cgroup_init+0x1c8/0x510 start_kernel+0x747/0x760 x86_64_start_reservations+0x25/0x30 x86_64_start_kernel+0x73/0x80 common_startup_64+0x129/0x138 -> #2 (fs_reclaim){+.+.}-{0:0}: fs_reclaim_acquire+0x91/0xd0 __kmalloc_cache_noprof+0x4d/0x4c0 mlx5r_cache_create_ent_locked+0x75/0x620 [mlx5_ib] mlx5_mkey_cache_init+0x186/0x360 [mlx5_ib] mlx5_ib_stage_post_ib_reg_umr_init+0x3c/0x60 [mlx5_ib] __mlx5_ib_add+0x4b/0x190 [mlx5_ib] mlx5r_probe+0xd9/0x320 [mlx5_ib] auxiliary_bus_probe+0x42/0x70 really_probe+0xdb/0x360 __driver_probe_device+0x8f/0x130 driver_probe_device+0x1f/0xb0 __driver_attach+0xd4/0x1f0 bus_for_each_dev+0x79/0xd0 bus_add_driver+0xf0/0x200 driver_register+0x6e/0xc0 __auxiliary_driver_register+0x6a/0xc0 do_one_initcall+0x5e/0x390 do_init_module+0x88/0x240 init_module_from_file+0x85/0xc0 idempotent_init_module+0x104/0x300 __x64_sys_finit_module+0x68/0xc0 do_syscall_64+0x6d/0x140 entry_SYSCALL_64_after_hwframe+0x4b/0x53 -> #1 (&dev->cache.rb_lock){+.+.}-{4:4}: __mutex_lock+0x98/0xf10 __mlx5_ib_dereg_mr+0x6f2/0x890 [mlx5_ib] mlx5_ib_dereg_mr+0x21/0x110 [mlx5_ib] ib_dereg_mr_user+0x85/0x1f0 [ib_core] ---truncated---

References

URL

Tags

	https://git.kernel.org/stable/c/beb89ada5715e7bd1518c58863eedce89ec051a7
	https://git.kernel.org/stable/c/727eb1be65a370572edf307558ec3396b8573156
	https://git.kernel.org/stable/c/2ed25aa7f7711f508b6120e336f05cd9d49943c0

Impacted products

Vendor

Product

Version

Linux

Version: b13d32786acabf70a7b04ed24b7468fc3c82977c
Version: abb604a1a9c87255c7a6f3b784410a9707baf467
Version: abb604a1a9c87255c7a6f3b784410a9707baf467
Version: 5297f5ddffef47b94172ab0d3d62270002a3dcc1

Linux

Version: 6.14

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/hw/mlx5/mr.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "beb89ada5715e7bd1518c58863eedce89ec051a7",
              "status": "affected",
              "version": "b13d32786acabf70a7b04ed24b7468fc3c82977c",
              "versionType": "git"
            },
            {
              "lessThan": "727eb1be65a370572edf307558ec3396b8573156",
              "status": "affected",
              "version": "abb604a1a9c87255c7a6f3b784410a9707baf467",
              "versionType": "git"
            },
            {
              "lessThan": "2ed25aa7f7711f508b6120e336f05cd9d49943c0",
              "status": "affected",
              "version": "abb604a1a9c87255c7a6f3b784410a9707baf467",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "5297f5ddffef47b94172ab0d3d62270002a3dcc1",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/hw/mlx5/mr.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.14"
            },
            {
              "lessThan": "6.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.37",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.37",
                  "versionStartIncluding": "6.12.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.6",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.13.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/mlx5: Fix potential deadlock in MR deregistration\n\nThe issue arises when kzalloc() is invoked while holding umem_mutex or\nany other lock acquired under umem_mutex. This is problematic because\nkzalloc() can trigger fs_reclaim_aqcuire(), which may, in turn, invoke\nmmu_notifier_invalidate_range_start(). This function can lead to\nmlx5_ib_invalidate_range(), which attempts to acquire umem_mutex again,\nresulting in a deadlock.\n\nThe problematic flow:\n             CPU0                      |              CPU1\n---------------------------------------|------------------------------------------------\nmlx5_ib_dereg_mr()                     |\n \u2192 revoke_mr()                         |\n   \u2192 mutex_lock(\u0026umem_odp-\u003eumem_mutex) |\n                                       | mlx5_mkey_cache_init()\n                                       |  \u2192 mutex_lock(\u0026dev-\u003ecache.rb_lock)\n                                       |  \u2192 mlx5r_cache_create_ent_locked()\n                                       |    \u2192 kzalloc(GFP_KERNEL)\n                                       |      \u2192 fs_reclaim()\n                                       |        \u2192 mmu_notifier_invalidate_range_start()\n                                       |          \u2192 mlx5_ib_invalidate_range()\n                                       |            \u2192 mutex_lock(\u0026umem_odp-\u003eumem_mutex)\n   \u2192 cache_ent_find_and_store()        |\n     \u2192 mutex_lock(\u0026dev-\u003ecache.rb_lock) |\n\nAdditionally, when kzalloc() is called from within\ncache_ent_find_and_store(), we encounter the same deadlock due to\nre-acquisition of umem_mutex.\n\nSolve by releasing umem_mutex in dereg_mr() after umr_revoke_mr()\nand before acquiring rb_lock. This ensures that we don\u0027t hold\numem_mutex while performing memory allocations that could trigger\nthe reclaim path.\n\nThis change prevents the deadlock by ensuring proper lock ordering and\navoiding holding locks during memory allocation operations that could\ntrigger the reclaim path.\n\nThe following lockdep warning demonstrates the deadlock:\n\n python3/20557 is trying to acquire lock:\n ffff888387542128 (\u0026umem_odp-\u003eumem_mutex){+.+.}-{4:4}, at:\n mlx5_ib_invalidate_range+0x5b/0x550 [mlx5_ib]\n\n but task is already holding lock:\n ffffffff82f6b840 (mmu_notifier_invalidate_range_start){+.+.}-{0:0}, at:\n unmap_vmas+0x7b/0x1a0\n\n which lock already depends on the new lock.\n\n the existing dependency chain (in reverse order) is:\n\n -\u003e #3 (mmu_notifier_invalidate_range_start){+.+.}-{0:0}:\n       fs_reclaim_acquire+0x60/0xd0\n       mem_cgroup_css_alloc+0x6f/0x9b0\n       cgroup_init_subsys+0xa4/0x240\n       cgroup_init+0x1c8/0x510\n       start_kernel+0x747/0x760\n       x86_64_start_reservations+0x25/0x30\n       x86_64_start_kernel+0x73/0x80\n       common_startup_64+0x129/0x138\n\n -\u003e #2 (fs_reclaim){+.+.}-{0:0}:\n       fs_reclaim_acquire+0x91/0xd0\n       __kmalloc_cache_noprof+0x4d/0x4c0\n       mlx5r_cache_create_ent_locked+0x75/0x620 [mlx5_ib]\n       mlx5_mkey_cache_init+0x186/0x360 [mlx5_ib]\n       mlx5_ib_stage_post_ib_reg_umr_init+0x3c/0x60 [mlx5_ib]\n       __mlx5_ib_add+0x4b/0x190 [mlx5_ib]\n       mlx5r_probe+0xd9/0x320 [mlx5_ib]\n       auxiliary_bus_probe+0x42/0x70\n       really_probe+0xdb/0x360\n       __driver_probe_device+0x8f/0x130\n       driver_probe_device+0x1f/0xb0\n       __driver_attach+0xd4/0x1f0\n       bus_for_each_dev+0x79/0xd0\n       bus_add_driver+0xf0/0x200\n       driver_register+0x6e/0xc0\n       __auxiliary_driver_register+0x6a/0xc0\n       do_one_initcall+0x5e/0x390\n       do_init_module+0x88/0x240\n       init_module_from_file+0x85/0xc0\n       idempotent_init_module+0x104/0x300\n       __x64_sys_finit_module+0x68/0xc0\n       do_syscall_64+0x6d/0x140\n       entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\n -\u003e #1 (\u0026dev-\u003ecache.rb_lock){+.+.}-{4:4}:\n       __mutex_lock+0x98/0xf10\n       __mlx5_ib_dereg_mr+0x6f2/0x890 [mlx5_ib]\n       mlx5_ib_dereg_mr+0x21/0x110 [mlx5_ib]\n       ib_dereg_mr_user+0x85/0x1f0 [ib_core]\n  \n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:20:18.459Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/beb89ada5715e7bd1518c58863eedce89ec051a7"
        },
        {
          "url": "https://git.kernel.org/stable/c/727eb1be65a370572edf307558ec3396b8573156"
        },
        {
          "url": "https://git.kernel.org/stable/c/2ed25aa7f7711f508b6120e336f05cd9d49943c0"
        }
      ],
      "title": "IB/mlx5: Fix potential deadlock in MR deregistration",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38373",
    "datePublished": "2025-07-25T12:53:16.082Z",
    "dateReserved": "2025-04-16T04:51:24.009Z",
    "dateUpdated": "2025-07-28T04:20:18.459Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38468 (GCVE-0-2025-38468)

Vulnerability from cvelistv5

Published

2025-07-28 11:12

Modified

2025-11-03 17:38

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: net/sched: Return NULL when htb_lookup_leaf encounters an empty rbtree htb_lookup_leaf has a BUG_ON that can trigger with the following: tc qdisc del dev lo root tc qdisc add dev lo root handle 1: htb default 1 tc class add dev lo parent 1: classid 1:1 htb rate 64bit tc qdisc add dev lo parent 1:1 handle 2: netem tc qdisc add dev lo parent 2:1 handle 3: blackhole ping -I lo -c1 -W0.001 127.0.0.1 The root cause is the following: 1. htb_dequeue calls htb_dequeue_tree which calls the dequeue handler on the selected leaf qdisc 2. netem_dequeue calls enqueue on the child qdisc 3. blackhole_enqueue drops the packet and returns a value that is not just NET_XMIT_SUCCESS 4. Because of this, netem_dequeue calls qdisc_tree_reduce_backlog, and since qlen is now 0, it calls htb_qlen_notify -> htb_deactivate -> htb_deactiviate_prios -> htb_remove_class_from_row -> htb_safe_rb_erase 5. As this is the only class in the selected hprio rbtree, __rb_change_child in __rb_erase_augmented sets the rb_root pointer to NULL 6. Because blackhole_dequeue returns NULL, netem_dequeue returns NULL, which causes htb_dequeue_tree to call htb_lookup_leaf with the same hprio rbtree, and fail the BUG_ON The function graph for this scenario is shown here: 0) | htb_enqueue() { 0) + 13.635 us | netem_enqueue(); 0) 4.719 us | htb_activate_prios(); 0) # 2249.199 us | } 0) | htb_dequeue() { 0) 2.355 us | htb_lookup_leaf(); 0) | netem_dequeue() { 0) + 11.061 us | blackhole_enqueue(); 0) | qdisc_tree_reduce_backlog() { 0) | qdisc_lookup_rcu() { 0) 1.873 us | qdisc_match_from_root(); 0) 6.292 us | } 0) 1.894 us | htb_search(); 0) | htb_qlen_notify() { 0) 2.655 us | htb_deactivate_prios(); 0) 6.933 us | } 0) + 25.227 us | } 0) 1.983 us | blackhole_dequeue(); 0) + 86.553 us | } 0) # 2932.761 us | qdisc_warn_nonwc(); 0) | htb_lookup_leaf() { 0) | BUG_ON(); ------------------------------------------ The full original bug report can be seen here [1]. We can fix this just by returning NULL instead of the BUG_ON, as htb_dequeue_tree returns NULL when htb_lookup_leaf returns NULL. [1] https://lore.kernel.org/netdev/pF5XOOIim0IuEfhI-SOxTgRvNoDwuux7UHKnE_Y5-zVd4wmGvNk2ceHjKb8ORnzw0cGwfmVu42g9dL7XyJLf1NEzaztboTWcm0Ogxuojoeo=@willsroot.io/

References

URL

Tags

	https://git.kernel.org/stable/c/fed3570e548a6c9f95c5f4c9e1a7afc1679fd90d
	https://git.kernel.org/stable/c/5c0506cd1b1a3b145bda2612bbf7fe78d186c355
	https://git.kernel.org/stable/c/850226aef8d28a00cf966ef26d2f8f2bff344535
	https://git.kernel.org/stable/c/890a5d423ef0a7bd13447ceaffad21189f557301
	https://git.kernel.org/stable/c/7ff2d83ecf2619060f30ecf9fad4f2a700fca344
	https://git.kernel.org/stable/c/e5c480dc62a3025b8428d4818e722da30ad6804f
	https://git.kernel.org/stable/c/3691f84269a23f7edd263e9b6edbc27b7ae332f4
	https://git.kernel.org/stable/c/0e1d5d9b5c5966e2e42e298670808590db5ed628

Impacted products

Vendor

Product

Version

Linux

Version: 512bb43eb5422ee69a1be05ea0d89dc074fac9a2
Version: 512bb43eb5422ee69a1be05ea0d89dc074fac9a2
Version: 512bb43eb5422ee69a1be05ea0d89dc074fac9a2
Version: 512bb43eb5422ee69a1be05ea0d89dc074fac9a2
Version: 512bb43eb5422ee69a1be05ea0d89dc074fac9a2
Version: 512bb43eb5422ee69a1be05ea0d89dc074fac9a2
Version: 512bb43eb5422ee69a1be05ea0d89dc074fac9a2
Version: 512bb43eb5422ee69a1be05ea0d89dc074fac9a2

Linux

Version: 2.6.29

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:38:33.418Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_htb.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "fed3570e548a6c9f95c5f4c9e1a7afc1679fd90d",
              "status": "affected",
              "version": "512bb43eb5422ee69a1be05ea0d89dc074fac9a2",
              "versionType": "git"
            },
            {
              "lessThan": "5c0506cd1b1a3b145bda2612bbf7fe78d186c355",
              "status": "affected",
              "version": "512bb43eb5422ee69a1be05ea0d89dc074fac9a2",
              "versionType": "git"
            },
            {
              "lessThan": "850226aef8d28a00cf966ef26d2f8f2bff344535",
              "status": "affected",
              "version": "512bb43eb5422ee69a1be05ea0d89dc074fac9a2",
              "versionType": "git"
            },
            {
              "lessThan": "890a5d423ef0a7bd13447ceaffad21189f557301",
              "status": "affected",
              "version": "512bb43eb5422ee69a1be05ea0d89dc074fac9a2",
              "versionType": "git"
            },
            {
              "lessThan": "7ff2d83ecf2619060f30ecf9fad4f2a700fca344",
              "status": "affected",
              "version": "512bb43eb5422ee69a1be05ea0d89dc074fac9a2",
              "versionType": "git"
            },
            {
              "lessThan": "e5c480dc62a3025b8428d4818e722da30ad6804f",
              "status": "affected",
              "version": "512bb43eb5422ee69a1be05ea0d89dc074fac9a2",
              "versionType": "git"
            },
            {
              "lessThan": "3691f84269a23f7edd263e9b6edbc27b7ae332f4",
              "status": "affected",
              "version": "512bb43eb5422ee69a1be05ea0d89dc074fac9a2",
              "versionType": "git"
            },
            {
              "lessThan": "0e1d5d9b5c5966e2e42e298670808590db5ed628",
              "status": "affected",
              "version": "512bb43eb5422ee69a1be05ea0d89dc074fac9a2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_htb.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.29"
            },
            {
              "lessThan": "2.6.29",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.297",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.241",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.147",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.100",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.40",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.297",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.241",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.147",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.100",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.40",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.8",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: Return NULL when htb_lookup_leaf encounters an empty rbtree\n\nhtb_lookup_leaf has a BUG_ON that can trigger with the following:\n\ntc qdisc del dev lo root\ntc qdisc add dev lo root handle 1: htb default 1\ntc class add dev lo parent 1: classid 1:1 htb rate 64bit\ntc qdisc add dev lo parent 1:1 handle 2: netem\ntc qdisc add dev lo parent 2:1 handle 3: blackhole\nping -I lo -c1 -W0.001 127.0.0.1\n\nThe root cause is the following:\n\n1. htb_dequeue calls htb_dequeue_tree which calls the dequeue handler on\n   the selected leaf qdisc\n2. netem_dequeue calls enqueue on the child qdisc\n3. blackhole_enqueue drops the packet and returns a value that is not\n   just NET_XMIT_SUCCESS\n4. Because of this, netem_dequeue calls qdisc_tree_reduce_backlog, and\n   since qlen is now 0, it calls htb_qlen_notify -\u003e htb_deactivate -\u003e\n   htb_deactiviate_prios -\u003e htb_remove_class_from_row -\u003e htb_safe_rb_erase\n5. As this is the only class in the selected hprio rbtree,\n   __rb_change_child in __rb_erase_augmented sets the rb_root pointer to\n   NULL\n6. Because blackhole_dequeue returns NULL, netem_dequeue returns NULL,\n   which causes htb_dequeue_tree to call htb_lookup_leaf with the same\n   hprio rbtree, and fail the BUG_ON\n\nThe function graph for this scenario is shown here:\n 0)               |  htb_enqueue() {\n 0) + 13.635 us   |    netem_enqueue();\n 0)   4.719 us    |    htb_activate_prios();\n 0) # 2249.199 us |  }\n 0)               |  htb_dequeue() {\n 0)   2.355 us    |    htb_lookup_leaf();\n 0)               |    netem_dequeue() {\n 0) + 11.061 us   |      blackhole_enqueue();\n 0)               |      qdisc_tree_reduce_backlog() {\n 0)               |        qdisc_lookup_rcu() {\n 0)   1.873 us    |          qdisc_match_from_root();\n 0)   6.292 us    |        }\n 0)   1.894 us    |        htb_search();\n 0)               |        htb_qlen_notify() {\n 0)   2.655 us    |          htb_deactivate_prios();\n 0)   6.933 us    |        }\n 0) + 25.227 us   |      }\n 0)   1.983 us    |      blackhole_dequeue();\n 0) + 86.553 us   |    }\n 0) # 2932.761 us |    qdisc_warn_nonwc();\n 0)               |    htb_lookup_leaf() {\n 0)               |      BUG_ON();\n ------------------------------------------\n\nThe full original bug report can be seen here [1].\n\nWe can fix this just by returning NULL instead of the BUG_ON,\nas htb_dequeue_tree returns NULL when htb_lookup_leaf returns\nNULL.\n\n[1] https://lore.kernel.org/netdev/pF5XOOIim0IuEfhI-SOxTgRvNoDwuux7UHKnE_Y5-zVd4wmGvNk2ceHjKb8ORnzw0cGwfmVu42g9dL7XyJLf1NEzaztboTWcm0Ogxuojoeo=@willsroot.io/"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-28T14:43:07.848Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/fed3570e548a6c9f95c5f4c9e1a7afc1679fd90d"
        },
        {
          "url": "https://git.kernel.org/stable/c/5c0506cd1b1a3b145bda2612bbf7fe78d186c355"
        },
        {
          "url": "https://git.kernel.org/stable/c/850226aef8d28a00cf966ef26d2f8f2bff344535"
        },
        {
          "url": "https://git.kernel.org/stable/c/890a5d423ef0a7bd13447ceaffad21189f557301"
        },
        {
          "url": "https://git.kernel.org/stable/c/7ff2d83ecf2619060f30ecf9fad4f2a700fca344"
        },
        {
          "url": "https://git.kernel.org/stable/c/e5c480dc62a3025b8428d4818e722da30ad6804f"
        },
        {
          "url": "https://git.kernel.org/stable/c/3691f84269a23f7edd263e9b6edbc27b7ae332f4"
        },
        {
          "url": "https://git.kernel.org/stable/c/0e1d5d9b5c5966e2e42e298670808590db5ed628"
        }
      ],
      "title": "net/sched: Return NULL when htb_lookup_leaf encounters an empty rbtree",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38468",
    "datePublished": "2025-07-28T11:12:20.188Z",
    "dateReserved": "2025-04-16T04:51:24.020Z",
    "dateUpdated": "2025-11-03T17:38:33.418Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-37752 (GCVE-0-2025-37752)

Vulnerability from cvelistv5

Published

2025-05-01 12:55

Modified

2025-11-03 19:54

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: net_sched: sch_sfq: move the limit validation It is not sufficient to directly validate the limit on the data that the user passes as it can be updated based on how the other parameters are changed. Move the check at the end of the configuration update process to also catch scenarios where the limit is indirectly updated, for example with the following configurations: tc qdisc add dev dummy0 handle 1: root sfq limit 2 flows 1 depth 1 tc qdisc add dev dummy0 handle 1: root sfq limit 2 flows 1 divisor 1 This fixes the following syzkaller reported crash: ------------[ cut here ]------------ UBSAN: array-index-out-of-bounds in net/sched/sch_sfq.c:203:6 index 65535 is out of range for type 'struct sfq_head[128]' CPU: 1 UID: 0 PID: 3037 Comm: syz.2.16 Not tainted 6.14.0-rc2-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x201/0x300 lib/dump_stack.c:120 ubsan_epilogue lib/ubsan.c:231 [inline] __ubsan_handle_out_of_bounds+0xf5/0x120 lib/ubsan.c:429 sfq_link net/sched/sch_sfq.c:203 [inline] sfq_dec+0x53c/0x610 net/sched/sch_sfq.c:231 sfq_dequeue+0x34e/0x8c0 net/sched/sch_sfq.c:493 sfq_reset+0x17/0x60 net/sched/sch_sfq.c:518 qdisc_reset+0x12e/0x600 net/sched/sch_generic.c:1035 tbf_reset+0x41/0x110 net/sched/sch_tbf.c:339 qdisc_reset+0x12e/0x600 net/sched/sch_generic.c:1035 dev_reset_queue+0x100/0x1b0 net/sched/sch_generic.c:1311 netdev_for_each_tx_queue include/linux/netdevice.h:2590 [inline] dev_deactivate_many+0x7e5/0xe70 net/sched/sch_generic.c:1375

References

URL

Tags

	https://git.kernel.org/stable/c/8fadc871a42933aacb7f1ce9ed9a96485e2c9cf4
	https://git.kernel.org/stable/c/7d62ded97db6b7c94c891f704151f372b1ba4688
	https://git.kernel.org/stable/c/6c589aa318023690f1606c666a7fb5f4c1c9c219
	https://git.kernel.org/stable/c/1348214fa042a71406964097e743c87a42c85a49
	https://git.kernel.org/stable/c/d2718324f9e329b10ddc091fba5a0ba2b9d4d96a
	https://git.kernel.org/stable/c/f86293adce0c201cfabb283ef9d6f21292089bb8
	https://git.kernel.org/stable/c/5e5e1fcc1b8ed57f902c424c5d9b328a3a19073d
	https://git.kernel.org/stable/c/b36a68192037d1614317a09b0d78c7814e2eecf9
	https://git.kernel.org/stable/c/b3bf8f63e6179076b57c9de660c9f80b5abefe70

Impacted products

Vendor

Product

Version

Linux

Version: e12f6013d0a69660e8b99bfe381b9546ae667328
Version: 1e6d9d87626cf89eeffb4d943db12cb5b10bf961
Version: 1b562b7f9231432da40d12e19786c1bd7df653a7
Version: 35d0137305ae2f97260a9047f445bd4434bd6cc7
Version: 833e9a1c27b82024db7ff5038a51651f48f05e5e
Version: 7d8947f2153ee9c5ab4cb17861a11cc45f30e8c4
Version: 7fefc294204f10a3405f175f4ac2be16d63f135e
Version: 10685681bafce6febb39770f3387621bf5d67d0b
Version: 10685681bafce6febb39770f3387621bf5d67d0b

Linux

Version: 6.14

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:54:26.177Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_sfq.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "8fadc871a42933aacb7f1ce9ed9a96485e2c9cf4",
              "status": "affected",
              "version": "e12f6013d0a69660e8b99bfe381b9546ae667328",
              "versionType": "git"
            },
            {
              "lessThan": "7d62ded97db6b7c94c891f704151f372b1ba4688",
              "status": "affected",
              "version": "1e6d9d87626cf89eeffb4d943db12cb5b10bf961",
              "versionType": "git"
            },
            {
              "lessThan": "6c589aa318023690f1606c666a7fb5f4c1c9c219",
              "status": "affected",
              "version": "1b562b7f9231432da40d12e19786c1bd7df653a7",
              "versionType": "git"
            },
            {
              "lessThan": "1348214fa042a71406964097e743c87a42c85a49",
              "status": "affected",
              "version": "35d0137305ae2f97260a9047f445bd4434bd6cc7",
              "versionType": "git"
            },
            {
              "lessThan": "d2718324f9e329b10ddc091fba5a0ba2b9d4d96a",
              "status": "affected",
              "version": "833e9a1c27b82024db7ff5038a51651f48f05e5e",
              "versionType": "git"
            },
            {
              "lessThan": "f86293adce0c201cfabb283ef9d6f21292089bb8",
              "status": "affected",
              "version": "7d8947f2153ee9c5ab4cb17861a11cc45f30e8c4",
              "versionType": "git"
            },
            {
              "lessThan": "5e5e1fcc1b8ed57f902c424c5d9b328a3a19073d",
              "status": "affected",
              "version": "7fefc294204f10a3405f175f4ac2be16d63f135e",
              "versionType": "git"
            },
            {
              "lessThan": "b36a68192037d1614317a09b0d78c7814e2eecf9",
              "status": "affected",
              "version": "10685681bafce6febb39770f3387621bf5d67d0b",
              "versionType": "git"
            },
            {
              "lessThan": "b3bf8f63e6179076b57c9de660c9f80b5abefe70",
              "status": "affected",
              "version": "10685681bafce6febb39770f3387621bf5d67d0b",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_sfq.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.14"
            },
            {
              "lessThan": "6.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.135",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.24",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.135",
                  "versionStartIncluding": "6.1.129",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.88",
                  "versionStartIncluding": "6.6.76",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.24",
                  "versionStartIncluding": "6.12.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.12",
                  "versionStartIncluding": "6.13.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.3",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: sch_sfq: move the limit validation\n\nIt is not sufficient to directly validate the limit on the data that\nthe user passes as it can be updated based on how the other parameters\nare changed.\n\nMove the check at the end of the configuration update process to also\ncatch scenarios where the limit is indirectly updated, for example\nwith the following configurations:\n\ntc qdisc add dev dummy0 handle 1: root sfq limit 2 flows 1 depth 1\ntc qdisc add dev dummy0 handle 1: root sfq limit 2 flows 1 divisor 1\n\nThis fixes the following syzkaller reported crash:\n\n------------[ cut here ]------------\nUBSAN: array-index-out-of-bounds in net/sched/sch_sfq.c:203:6\nindex 65535 is out of range for type \u0027struct sfq_head[128]\u0027\nCPU: 1 UID: 0 PID: 3037 Comm: syz.2.16 Not tainted 6.14.0-rc2-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x201/0x300 lib/dump_stack.c:120\n ubsan_epilogue lib/ubsan.c:231 [inline]\n __ubsan_handle_out_of_bounds+0xf5/0x120 lib/ubsan.c:429\n sfq_link net/sched/sch_sfq.c:203 [inline]\n sfq_dec+0x53c/0x610 net/sched/sch_sfq.c:231\n sfq_dequeue+0x34e/0x8c0 net/sched/sch_sfq.c:493\n sfq_reset+0x17/0x60 net/sched/sch_sfq.c:518\n qdisc_reset+0x12e/0x600 net/sched/sch_generic.c:1035\n tbf_reset+0x41/0x110 net/sched/sch_tbf.c:339\n qdisc_reset+0x12e/0x600 net/sched/sch_generic.c:1035\n dev_reset_queue+0x100/0x1b0 net/sched/sch_generic.c:1311\n netdev_for_each_tx_queue include/linux/netdevice.h:2590 [inline]\n dev_deactivate_many+0x7e5/0xe70 net/sched/sch_generic.c:1375"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-28T14:42:49.885Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/8fadc871a42933aacb7f1ce9ed9a96485e2c9cf4"
        },
        {
          "url": "https://git.kernel.org/stable/c/7d62ded97db6b7c94c891f704151f372b1ba4688"
        },
        {
          "url": "https://git.kernel.org/stable/c/6c589aa318023690f1606c666a7fb5f4c1c9c219"
        },
        {
          "url": "https://git.kernel.org/stable/c/1348214fa042a71406964097e743c87a42c85a49"
        },
        {
          "url": "https://git.kernel.org/stable/c/d2718324f9e329b10ddc091fba5a0ba2b9d4d96a"
        },
        {
          "url": "https://git.kernel.org/stable/c/f86293adce0c201cfabb283ef9d6f21292089bb8"
        },
        {
          "url": "https://git.kernel.org/stable/c/5e5e1fcc1b8ed57f902c424c5d9b328a3a19073d"
        },
        {
          "url": "https://git.kernel.org/stable/c/b36a68192037d1614317a09b0d78c7814e2eecf9"
        },
        {
          "url": "https://git.kernel.org/stable/c/b3bf8f63e6179076b57c9de660c9f80b5abefe70"
        }
      ],
      "title": "net_sched: sch_sfq: move the limit validation",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37752",
    "datePublished": "2025-05-01T12:55:57.280Z",
    "dateReserved": "2025-04-16T04:51:23.937Z",
    "dateUpdated": "2025-11-03T19:54:26.177Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38127 (GCVE-0-2025-38127)

Vulnerability from cvelistv5

Published

2025-07-03 08:35

Modified

2025-07-28 04:12

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: ice: fix Tx scheduler error handling in XDP callback When the XDP program is loaded, the XDP callback adds new Tx queues. This means that the callback must update the Tx scheduler with the new queue number. In the event of a Tx scheduler failure, the XDP callback should also fail and roll back any changes previously made for XDP preparation. The previous implementation had a bug that not all changes made by the XDP callback were rolled back. This caused the crash with the following call trace: [ +9.549584] ice 0000:ca:00.0: Failed VSI LAN queue config for XDP, error: -5 [ +0.382335] Oops: general protection fault, probably for non-canonical address 0x50a2250a90495525: 0000 [#1] SMP NOPTI [ +0.010710] CPU: 103 UID: 0 PID: 0 Comm: swapper/103 Not tainted 6.14.0-net-next-mar-31+ #14 PREEMPT(voluntary) [ +0.010175] Hardware name: Intel Corporation M50CYP2SBSTD/M50CYP2SBSTD, BIOS SE5C620.86B.01.01.0005.2202160810 02/16/2022 [ +0.010946] RIP: 0010:__ice_update_sample+0x39/0xe0 [ice] [...] [ +0.002715] Call Trace: [ +0.002452] <IRQ> [ +0.002021] ? __die_body.cold+0x19/0x29 [ +0.003922] ? die_addr+0x3c/0x60 [ +0.003319] ? exc_general_protection+0x17c/0x400 [ +0.004707] ? asm_exc_general_protection+0x26/0x30 [ +0.004879] ? __ice_update_sample+0x39/0xe0 [ice] [ +0.004835] ice_napi_poll+0x665/0x680 [ice] [ +0.004320] __napi_poll+0x28/0x190 [ +0.003500] net_rx_action+0x198/0x360 [ +0.003752] ? update_rq_clock+0x39/0x220 [ +0.004013] handle_softirqs+0xf1/0x340 [ +0.003840] ? sched_clock_cpu+0xf/0x1f0 [ +0.003925] __irq_exit_rcu+0xc2/0xe0 [ +0.003665] common_interrupt+0x85/0xa0 [ +0.003839] </IRQ> [ +0.002098] <TASK> [ +0.002106] asm_common_interrupt+0x26/0x40 [ +0.004184] RIP: 0010:cpuidle_enter_state+0xd3/0x690 Fix this by performing the missing unmapping of XDP queues from q_vectors and setting the XDP rings pointer back to NULL after all those queues are released. Also, add an immediate exit from the XDP callback in case of ring preparation failure.

References

URL

Tags

	https://git.kernel.org/stable/c/1d3c5d0dec6797eca3a861dab0816fa9505d9c3e
	https://git.kernel.org/stable/c/276849954d7cbe6eec827b21fe2df43f9bf07011
	https://git.kernel.org/stable/c/0e061abaad1498c5b76c10c594d4359ceb6b9145
	https://git.kernel.org/stable/c/0153f36041b8e52019ebfa8629c13bf8f9b0a951

Impacted products

Vendor

Product

Version

Linux

Version: efc2214b6047b6f5b4ca53151eba62521b9452d6
Version: efc2214b6047b6f5b4ca53151eba62521b9452d6
Version: efc2214b6047b6f5b4ca53151eba62521b9452d6
Version: efc2214b6047b6f5b4ca53151eba62521b9452d6

Linux

Version: 5.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/intel/ice/ice_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1d3c5d0dec6797eca3a861dab0816fa9505d9c3e",
              "status": "affected",
              "version": "efc2214b6047b6f5b4ca53151eba62521b9452d6",
              "versionType": "git"
            },
            {
              "lessThan": "276849954d7cbe6eec827b21fe2df43f9bf07011",
              "status": "affected",
              "version": "efc2214b6047b6f5b4ca53151eba62521b9452d6",
              "versionType": "git"
            },
            {
              "lessThan": "0e061abaad1498c5b76c10c594d4359ceb6b9145",
              "status": "affected",
              "version": "efc2214b6047b6f5b4ca53151eba62521b9452d6",
              "versionType": "git"
            },
            {
              "lessThan": "0153f36041b8e52019ebfa8629c13bf8f9b0a951",
              "status": "affected",
              "version": "efc2214b6047b6f5b4ca53151eba62521b9452d6",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/intel/ice/ice_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.5"
            },
            {
              "lessThan": "5.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.94",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: fix Tx scheduler error handling in XDP callback\n\nWhen the XDP program is loaded, the XDP callback adds new Tx queues.\nThis means that the callback must update the Tx scheduler with the new\nqueue number. In the event of a Tx scheduler failure, the XDP callback\nshould also fail and roll back any changes previously made for XDP\npreparation.\n\nThe previous implementation had a bug that not all changes made by the\nXDP callback were rolled back. This caused the crash with the following\ncall trace:\n\n[  +9.549584] ice 0000:ca:00.0: Failed VSI LAN queue config for XDP, error: -5\n[  +0.382335] Oops: general protection fault, probably for non-canonical address 0x50a2250a90495525: 0000 [#1] SMP NOPTI\n[  +0.010710] CPU: 103 UID: 0 PID: 0 Comm: swapper/103 Not tainted 6.14.0-net-next-mar-31+ #14 PREEMPT(voluntary)\n[  +0.010175] Hardware name: Intel Corporation M50CYP2SBSTD/M50CYP2SBSTD, BIOS SE5C620.86B.01.01.0005.2202160810 02/16/2022\n[  +0.010946] RIP: 0010:__ice_update_sample+0x39/0xe0 [ice]\n\n[...]\n\n[  +0.002715] Call Trace:\n[  +0.002452]  \u003cIRQ\u003e\n[  +0.002021]  ? __die_body.cold+0x19/0x29\n[  +0.003922]  ? die_addr+0x3c/0x60\n[  +0.003319]  ? exc_general_protection+0x17c/0x400\n[  +0.004707]  ? asm_exc_general_protection+0x26/0x30\n[  +0.004879]  ? __ice_update_sample+0x39/0xe0 [ice]\n[  +0.004835]  ice_napi_poll+0x665/0x680 [ice]\n[  +0.004320]  __napi_poll+0x28/0x190\n[  +0.003500]  net_rx_action+0x198/0x360\n[  +0.003752]  ? update_rq_clock+0x39/0x220\n[  +0.004013]  handle_softirqs+0xf1/0x340\n[  +0.003840]  ? sched_clock_cpu+0xf/0x1f0\n[  +0.003925]  __irq_exit_rcu+0xc2/0xe0\n[  +0.003665]  common_interrupt+0x85/0xa0\n[  +0.003839]  \u003c/IRQ\u003e\n[  +0.002098]  \u003cTASK\u003e\n[  +0.002106]  asm_common_interrupt+0x26/0x40\n[  +0.004184] RIP: 0010:cpuidle_enter_state+0xd3/0x690\n\nFix this by performing the missing unmapping of XDP queues from\nq_vectors and setting the XDP rings pointer back to NULL after all those\nqueues are released.\nAlso, add an immediate exit from the XDP callback in case of ring\npreparation failure."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:12:54.977Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1d3c5d0dec6797eca3a861dab0816fa9505d9c3e"
        },
        {
          "url": "https://git.kernel.org/stable/c/276849954d7cbe6eec827b21fe2df43f9bf07011"
        },
        {
          "url": "https://git.kernel.org/stable/c/0e061abaad1498c5b76c10c594d4359ceb6b9145"
        },
        {
          "url": "https://git.kernel.org/stable/c/0153f36041b8e52019ebfa8629c13bf8f9b0a951"
        }
      ],
      "title": "ice: fix Tx scheduler error handling in XDP callback",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38127",
    "datePublished": "2025-07-03T08:35:32.453Z",
    "dateReserved": "2025-04-16T04:51:23.986Z",
    "dateUpdated": "2025-07-28T04:12:54.977Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38158 (GCVE-0-2025-38158)

Vulnerability from cvelistv5

Published

2025-07-03 08:36

Modified

2025-11-03 17:34

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: hisi_acc_vfio_pci: fix XQE dma address error The dma addresses of EQE and AEQE are wrong after migration and results in guest kernel-mode encryption services failure. Comparing the definition of hardware registers, we found that there was an error when the data read from the register was combined into an address. Therefore, the address combination sequence needs to be corrected. Even after fixing the above problem, we still have an issue where the Guest from an old kernel can get migrated to new kernel and may result in wrong data. In order to ensure that the address is correct after migration, if an old magic number is detected, the dma address needs to be updated.

References

URL

Tags

	https://git.kernel.org/stable/c/809a9c10274e1bcf6d05f1c0341459a425a4f05f
	https://git.kernel.org/stable/c/f0423873e7aeb69cb68f4e8fa3827832e7b037ba
	https://git.kernel.org/stable/c/884a76e813178778d271fea59783763d32bb7e72
	https://git.kernel.org/stable/c/7710c883eb8cb5cf510ca47ec0e26c6cb7e94a4f
	https://git.kernel.org/stable/c/8bb7170c5a055ea17c6857c256ee73c10ff872eb

Impacted products

Vendor

Product

Version

Linux

Version: b0eed085903e7758532696d64397901a75bba8ba
Version: b0eed085903e7758532696d64397901a75bba8ba
Version: b0eed085903e7758532696d64397901a75bba8ba
Version: b0eed085903e7758532696d64397901a75bba8ba
Version: b0eed085903e7758532696d64397901a75bba8ba

Linux

Version: 5.18

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:34:47.281Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c",
            "drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "809a9c10274e1bcf6d05f1c0341459a425a4f05f",
              "status": "affected",
              "version": "b0eed085903e7758532696d64397901a75bba8ba",
              "versionType": "git"
            },
            {
              "lessThan": "f0423873e7aeb69cb68f4e8fa3827832e7b037ba",
              "status": "affected",
              "version": "b0eed085903e7758532696d64397901a75bba8ba",
              "versionType": "git"
            },
            {
              "lessThan": "884a76e813178778d271fea59783763d32bb7e72",
              "status": "affected",
              "version": "b0eed085903e7758532696d64397901a75bba8ba",
              "versionType": "git"
            },
            {
              "lessThan": "7710c883eb8cb5cf510ca47ec0e26c6cb7e94a4f",
              "status": "affected",
              "version": "b0eed085903e7758532696d64397901a75bba8ba",
              "versionType": "git"
            },
            {
              "lessThan": "8bb7170c5a055ea17c6857c256ee73c10ff872eb",
              "status": "affected",
              "version": "b0eed085903e7758532696d64397901a75bba8ba",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c",
            "drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.18"
            },
            {
              "lessThan": "5.18",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.94",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhisi_acc_vfio_pci: fix XQE dma address error\n\nThe dma addresses of EQE and AEQE are wrong after migration and\nresults in guest kernel-mode encryption services  failure.\nComparing the definition of hardware registers, we found that\nthere was an error when the data read from the register was\ncombined into an address. Therefore, the address combination\nsequence needs to be corrected.\n\nEven after fixing the above problem, we still have an issue\nwhere the Guest from an old kernel can get migrated to\nnew kernel and may result in wrong data.\n\nIn order to ensure that the address is correct after migration,\nif an old magic number is detected, the dma address needs to be\nupdated."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:13:49.556Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/809a9c10274e1bcf6d05f1c0341459a425a4f05f"
        },
        {
          "url": "https://git.kernel.org/stable/c/f0423873e7aeb69cb68f4e8fa3827832e7b037ba"
        },
        {
          "url": "https://git.kernel.org/stable/c/884a76e813178778d271fea59783763d32bb7e72"
        },
        {
          "url": "https://git.kernel.org/stable/c/7710c883eb8cb5cf510ca47ec0e26c6cb7e94a4f"
        },
        {
          "url": "https://git.kernel.org/stable/c/8bb7170c5a055ea17c6857c256ee73c10ff872eb"
        }
      ],
      "title": "hisi_acc_vfio_pci: fix XQE dma address error",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38158",
    "datePublished": "2025-07-03T08:36:00.776Z",
    "dateReserved": "2025-04-16T04:51:23.990Z",
    "dateUpdated": "2025-11-03T17:34:47.281Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-37995 (GCVE-0-2025-37995)

Vulnerability from cvelistv5

Published

2025-05-29 13:15

Modified

2025-11-03 19:58

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: module: ensure that kobject_put() is safe for module type kobjects In 'lookup_or_create_module_kobject()', an internal kobject is created using 'module_ktype'. So call to 'kobject_put()' on error handling path causes an attempt to use an uninitialized completion pointer in 'module_kobject_release()'. In this scenario, we just want to release kobject without an extra synchronization required for a regular module unloading process, so adding an extra check whether 'complete()' is actually required makes 'kobject_put()' safe.

References

URL

Tags

	https://git.kernel.org/stable/c/93799fb988757cdacf19acba57807746c00378e6
	https://git.kernel.org/stable/c/a63d99873547d8b39eb2f6db79dd235761e7098a
	https://git.kernel.org/stable/c/f1c71b4bd721a4ea21da408806964b10468623f2
	https://git.kernel.org/stable/c/9e7b49ce4f9d0cb5b6e87db9e07a2fb9e754b0dd
	https://git.kernel.org/stable/c/faa9059631d3491d699c69ecf512de9e1a3d6649
	https://git.kernel.org/stable/c/d63851049f412cdfadaeef7a7eaef5031d11c1e9
	https://git.kernel.org/stable/c/31d8df3f303c3ae9115230820977ef8c35c88808
	https://git.kernel.org/stable/c/a6aeb739974ec73e5217c75a7c008a688d3d5cf1

Impacted products

Vendor

Product

Version

Linux

Version: 942e443127e928a5631c3d5102aca8c8b3c2dd98
Version: 942e443127e928a5631c3d5102aca8c8b3c2dd98
Version: 942e443127e928a5631c3d5102aca8c8b3c2dd98
Version: 942e443127e928a5631c3d5102aca8c8b3c2dd98
Version: 942e443127e928a5631c3d5102aca8c8b3c2dd98
Version: 942e443127e928a5631c3d5102aca8c8b3c2dd98
Version: 942e443127e928a5631c3d5102aca8c8b3c2dd98
Version: 942e443127e928a5631c3d5102aca8c8b3c2dd98

Linux

Version: 3.12

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:58:09.408Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/params.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "93799fb988757cdacf19acba57807746c00378e6",
              "status": "affected",
              "version": "942e443127e928a5631c3d5102aca8c8b3c2dd98",
              "versionType": "git"
            },
            {
              "lessThan": "a63d99873547d8b39eb2f6db79dd235761e7098a",
              "status": "affected",
              "version": "942e443127e928a5631c3d5102aca8c8b3c2dd98",
              "versionType": "git"
            },
            {
              "lessThan": "f1c71b4bd721a4ea21da408806964b10468623f2",
              "status": "affected",
              "version": "942e443127e928a5631c3d5102aca8c8b3c2dd98",
              "versionType": "git"
            },
            {
              "lessThan": "9e7b49ce4f9d0cb5b6e87db9e07a2fb9e754b0dd",
              "status": "affected",
              "version": "942e443127e928a5631c3d5102aca8c8b3c2dd98",
              "versionType": "git"
            },
            {
              "lessThan": "faa9059631d3491d699c69ecf512de9e1a3d6649",
              "status": "affected",
              "version": "942e443127e928a5631c3d5102aca8c8b3c2dd98",
              "versionType": "git"
            },
            {
              "lessThan": "d63851049f412cdfadaeef7a7eaef5031d11c1e9",
              "status": "affected",
              "version": "942e443127e928a5631c3d5102aca8c8b3c2dd98",
              "versionType": "git"
            },
            {
              "lessThan": "31d8df3f303c3ae9115230820977ef8c35c88808",
              "status": "affected",
              "version": "942e443127e928a5631c3d5102aca8c8b3c2dd98",
              "versionType": "git"
            },
            {
              "lessThan": "a6aeb739974ec73e5217c75a7c008a688d3d5cf1",
              "status": "affected",
              "version": "942e443127e928a5631c3d5102aca8c8b3c2dd98",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/params.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.12"
            },
            {
              "lessThan": "3.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.294",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.238",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.183",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.139",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.91",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.29",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.294",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.238",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.183",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.139",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.91",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.29",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.7",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmodule: ensure that kobject_put() is safe for module type kobjects\n\nIn \u0027lookup_or_create_module_kobject()\u0027, an internal kobject is created\nusing \u0027module_ktype\u0027. So call to \u0027kobject_put()\u0027 on error handling\npath causes an attempt to use an uninitialized completion pointer in\n\u0027module_kobject_release()\u0027. In this scenario, we just want to release\nkobject without an extra synchronization required for a regular module\nunloading process, so adding an extra check whether \u0027complete()\u0027 is\nactually required makes \u0027kobject_put()\u0027 safe."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-04T12:57:43.549Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/93799fb988757cdacf19acba57807746c00378e6"
        },
        {
          "url": "https://git.kernel.org/stable/c/a63d99873547d8b39eb2f6db79dd235761e7098a"
        },
        {
          "url": "https://git.kernel.org/stable/c/f1c71b4bd721a4ea21da408806964b10468623f2"
        },
        {
          "url": "https://git.kernel.org/stable/c/9e7b49ce4f9d0cb5b6e87db9e07a2fb9e754b0dd"
        },
        {
          "url": "https://git.kernel.org/stable/c/faa9059631d3491d699c69ecf512de9e1a3d6649"
        },
        {
          "url": "https://git.kernel.org/stable/c/d63851049f412cdfadaeef7a7eaef5031d11c1e9"
        },
        {
          "url": "https://git.kernel.org/stable/c/31d8df3f303c3ae9115230820977ef8c35c88808"
        },
        {
          "url": "https://git.kernel.org/stable/c/a6aeb739974ec73e5217c75a7c008a688d3d5cf1"
        }
      ],
      "title": "module: ensure that kobject_put() is safe for module type kobjects",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37995",
    "datePublished": "2025-05-29T13:15:54.095Z",
    "dateReserved": "2025-04-16T04:51:23.976Z",
    "dateUpdated": "2025-11-03T19:58:09.408Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-37800 (GCVE-0-2025-37800)

Vulnerability from cvelistv5

Published

2025-05-08 06:26

Modified

2025-05-26 05:21

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: driver core: fix potential NULL pointer dereference in dev_uevent() If userspace reads "uevent" device attribute at the same time as another threads unbinds the device from its driver, change to dev->driver from a valid pointer to NULL may result in crash. Fix this by using READ_ONCE() when fetching the pointer, and take bus' drivers klist lock to make sure driver instance will not disappear while we access it. Use WRITE_ONCE() when setting the driver pointer to ensure there is no tearing.

References

URL

Tags

	https://git.kernel.org/stable/c/abe56be73eb10a677d16066f65ff9d30251f5eee
	https://git.kernel.org/stable/c/2b344e779d9afd0fcb5ee4000e4d0fc7d8d867eb
	https://git.kernel.org/stable/c/3781e4b83e174364998855de777e184cf0b62c40
	https://git.kernel.org/stable/c/18daa52418e7e4629ed1703b64777294209d2622

Impacted products

Vendor

Product

Version

Linux

Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Linux

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/base/base.h",
            "drivers/base/bus.c",
            "drivers/base/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "abe56be73eb10a677d16066f65ff9d30251f5eee",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "2b344e779d9afd0fcb5ee4000e4d0fc7d8d867eb",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "3781e4b83e174364998855de777e184cf0b62c40",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "18daa52418e7e4629ed1703b64777294209d2622",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/base/base.h",
            "drivers/base/bus.c",
            "drivers/base/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.89",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.26",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.89",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.26",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndriver core: fix potential NULL pointer dereference in dev_uevent()\n\nIf userspace reads \"uevent\" device attribute at the same time as another\nthreads unbinds the device from its driver, change to dev-\u003edriver from a\nvalid pointer to NULL may result in crash. Fix this by using READ_ONCE()\nwhen fetching the pointer, and take bus\u0027 drivers klist lock to make sure\ndriver instance will not disappear while we access it.\n\nUse WRITE_ONCE() when setting the driver pointer to ensure there is no\ntearing."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:21:09.088Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/abe56be73eb10a677d16066f65ff9d30251f5eee"
        },
        {
          "url": "https://git.kernel.org/stable/c/2b344e779d9afd0fcb5ee4000e4d0fc7d8d867eb"
        },
        {
          "url": "https://git.kernel.org/stable/c/3781e4b83e174364998855de777e184cf0b62c40"
        },
        {
          "url": "https://git.kernel.org/stable/c/18daa52418e7e4629ed1703b64777294209d2622"
        }
      ],
      "title": "driver core: fix potential NULL pointer dereference in dev_uevent()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37800",
    "datePublished": "2025-05-08T06:26:01.125Z",
    "dateReserved": "2025-04-16T04:51:23.941Z",
    "dateUpdated": "2025-05-26T05:21:09.088Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38120 (GCVE-0-2025-38120)

Vulnerability from cvelistv5

Published

2025-07-03 08:35

Modified

2025-11-03 17:34

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_set_pipapo_avx2: fix initial map fill If the first field doesn't cover the entire start map, then we must zero out the remainder, else we leak those bits into the next match round map. The early fix was incomplete and did only fix up the generic C implementation. A followup patch adds a test case to nft_concat_range.sh.

References

URL

Tags

	https://git.kernel.org/stable/c/b5ad58285f9217d68cd5ea2ad86ce254a3fe7c4d
	https://git.kernel.org/stable/c/90bc7f5a244aadee4292b28098b7c98aadd4b3aa
	https://git.kernel.org/stable/c/39bab2d3517b5b50c609b4f8c66129bf619fffa0
	https://git.kernel.org/stable/c/251496ce1728c9fd47bd2b20a7b21b20b9a020ca
	https://git.kernel.org/stable/c/8068e1e42b46518ce680dc6470bcd710efc3fa0a
	https://git.kernel.org/stable/c/ea77c397bff8b6d59f6d83dae1425b08f465e8b5

Impacted products

Vendor

Product

Version

Linux

Version: 957a4d1c4c5849e4515c9fb4db21bf85318103dc
Version: 9625c46ce6fd4f922595a4b32b1de5066d70464f
Version: 69b6a67f7052905e928d75a0c5871de50e686986
Version: 791a615b7ad2258c560f91852be54b0480837c93
Version: 791a615b7ad2258c560f91852be54b0480837c93
Version: 791a615b7ad2258c560f91852be54b0480837c93
Version: 8058c88ac0df21239daee54b5934d5c80ca9685f

Linux

Version: 6.11

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:34:21.242Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/nft_set_pipapo_avx2.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b5ad58285f9217d68cd5ea2ad86ce254a3fe7c4d",
              "status": "affected",
              "version": "957a4d1c4c5849e4515c9fb4db21bf85318103dc",
              "versionType": "git"
            },
            {
              "lessThan": "90bc7f5a244aadee4292b28098b7c98aadd4b3aa",
              "status": "affected",
              "version": "9625c46ce6fd4f922595a4b32b1de5066d70464f",
              "versionType": "git"
            },
            {
              "lessThan": "39bab2d3517b5b50c609b4f8c66129bf619fffa0",
              "status": "affected",
              "version": "69b6a67f7052905e928d75a0c5871de50e686986",
              "versionType": "git"
            },
            {
              "lessThan": "251496ce1728c9fd47bd2b20a7b21b20b9a020ca",
              "status": "affected",
              "version": "791a615b7ad2258c560f91852be54b0480837c93",
              "versionType": "git"
            },
            {
              "lessThan": "8068e1e42b46518ce680dc6470bcd710efc3fa0a",
              "status": "affected",
              "version": "791a615b7ad2258c560f91852be54b0480837c93",
              "versionType": "git"
            },
            {
              "lessThan": "ea77c397bff8b6d59f6d83dae1425b08f465e8b5",
              "status": "affected",
              "version": "791a615b7ad2258c560f91852be54b0480837c93",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "8058c88ac0df21239daee54b5934d5c80ca9685f",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/nft_set_pipapo_avx2.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.11"
            },
            {
              "lessThan": "6.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "5.15.165",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "6.1.103",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.94",
                  "versionStartIncluding": "6.6.44",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.10.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_set_pipapo_avx2: fix initial map fill\n\nIf the first field doesn\u0027t cover the entire start map, then we must zero\nout the remainder, else we leak those bits into the next match round map.\n\nThe early fix was incomplete and did only fix up the generic C\nimplementation.\n\nA followup patch adds a test case to nft_concat_range.sh."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:12:39.824Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b5ad58285f9217d68cd5ea2ad86ce254a3fe7c4d"
        },
        {
          "url": "https://git.kernel.org/stable/c/90bc7f5a244aadee4292b28098b7c98aadd4b3aa"
        },
        {
          "url": "https://git.kernel.org/stable/c/39bab2d3517b5b50c609b4f8c66129bf619fffa0"
        },
        {
          "url": "https://git.kernel.org/stable/c/251496ce1728c9fd47bd2b20a7b21b20b9a020ca"
        },
        {
          "url": "https://git.kernel.org/stable/c/8068e1e42b46518ce680dc6470bcd710efc3fa0a"
        },
        {
          "url": "https://git.kernel.org/stable/c/ea77c397bff8b6d59f6d83dae1425b08f465e8b5"
        }
      ],
      "title": "netfilter: nf_set_pipapo_avx2: fix initial map fill",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38120",
    "datePublished": "2025-07-03T08:35:27.233Z",
    "dateReserved": "2025-04-16T04:51:23.986Z",
    "dateUpdated": "2025-11-03T17:34:21.242Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38148 (GCVE-0-2025-38148)

Vulnerability from cvelistv5

Published

2025-07-03 08:35

Modified

2025-11-03 17:34

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: net: phy: mscc: Fix memory leak when using one step timestamping Fix memory leak when running one-step timestamping. When running one-step sync timestamping, the HW is configured to insert the TX time into the frame, so there is no reason to keep the skb anymore. As in this case the HW will never generate an interrupt to say that the frame was timestamped, then the frame will never released. Fix this by freeing the frame in case of one-step timestamping.

References

URL

Tags

	https://git.kernel.org/stable/c/24b24295464f25fb771d36ed558c7cd942119361
	https://git.kernel.org/stable/c/db2a12ddd3a31f668137ff6a4befc1343c79cbc4
	https://git.kernel.org/stable/c/0b40aeaf83ca04d4c9801e235b7533400c8b5f17
	https://git.kernel.org/stable/c/66abe22017522dd56b820e41ca3a5b131a637001
	https://git.kernel.org/stable/c/cdbabd316c5a4a9b0fda6aafe491e2db17fbb95d
	https://git.kernel.org/stable/c/846992645b25ec4253167e3f931e4597eb84af56

Impacted products

Vendor

Product

Version

Linux

Version: 7d272e63e0979d38a6256108adbe462d621c26c5
Version: 7d272e63e0979d38a6256108adbe462d621c26c5
Version: 7d272e63e0979d38a6256108adbe462d621c26c5
Version: 7d272e63e0979d38a6256108adbe462d621c26c5
Version: 7d272e63e0979d38a6256108adbe462d621c26c5
Version: 7d272e63e0979d38a6256108adbe462d621c26c5

Linux

Version: 5.9

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:34:40.556Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/phy/mscc/mscc_ptp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "24b24295464f25fb771d36ed558c7cd942119361",
              "status": "affected",
              "version": "7d272e63e0979d38a6256108adbe462d621c26c5",
              "versionType": "git"
            },
            {
              "lessThan": "db2a12ddd3a31f668137ff6a4befc1343c79cbc4",
              "status": "affected",
              "version": "7d272e63e0979d38a6256108adbe462d621c26c5",
              "versionType": "git"
            },
            {
              "lessThan": "0b40aeaf83ca04d4c9801e235b7533400c8b5f17",
              "status": "affected",
              "version": "7d272e63e0979d38a6256108adbe462d621c26c5",
              "versionType": "git"
            },
            {
              "lessThan": "66abe22017522dd56b820e41ca3a5b131a637001",
              "status": "affected",
              "version": "7d272e63e0979d38a6256108adbe462d621c26c5",
              "versionType": "git"
            },
            {
              "lessThan": "cdbabd316c5a4a9b0fda6aafe491e2db17fbb95d",
              "status": "affected",
              "version": "7d272e63e0979d38a6256108adbe462d621c26c5",
              "versionType": "git"
            },
            {
              "lessThan": "846992645b25ec4253167e3f931e4597eb84af56",
              "status": "affected",
              "version": "7d272e63e0979d38a6256108adbe462d621c26c5",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/phy/mscc/mscc_ptp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.9"
            },
            {
              "lessThan": "5.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.192",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.192",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.94",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: phy: mscc: Fix memory leak when using one step timestamping\n\nFix memory leak when running one-step timestamping. When running\none-step sync timestamping, the HW is configured to insert the TX time\ninto the frame, so there is no reason to keep the skb anymore. As in\nthis case the HW will never generate an interrupt to say that the frame\nwas timestamped, then the frame will never released.\nFix this by freeing the frame in case of one-step timestamping."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-09T17:06:08.416Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/24b24295464f25fb771d36ed558c7cd942119361"
        },
        {
          "url": "https://git.kernel.org/stable/c/db2a12ddd3a31f668137ff6a4befc1343c79cbc4"
        },
        {
          "url": "https://git.kernel.org/stable/c/0b40aeaf83ca04d4c9801e235b7533400c8b5f17"
        },
        {
          "url": "https://git.kernel.org/stable/c/66abe22017522dd56b820e41ca3a5b131a637001"
        },
        {
          "url": "https://git.kernel.org/stable/c/cdbabd316c5a4a9b0fda6aafe491e2db17fbb95d"
        },
        {
          "url": "https://git.kernel.org/stable/c/846992645b25ec4253167e3f931e4597eb84af56"
        }
      ],
      "title": "net: phy: mscc: Fix memory leak when using one step timestamping",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38148",
    "datePublished": "2025-07-03T08:35:53.544Z",
    "dateReserved": "2025-04-16T04:51:23.988Z",
    "dateUpdated": "2025-11-03T17:34:40.556Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-37742 (GCVE-0-2025-37742)

Vulnerability from cvelistv5

Published

2025-05-01 12:55

Modified

2025-11-03 19:54

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: jfs: Fix uninit-value access of imap allocated in the diMount() function syzbot reports that hex_dump_to_buffer is using uninit-value: ===================================================== BUG: KMSAN: uninit-value in hex_dump_to_buffer+0x888/0x1100 lib/hexdump.c:171 hex_dump_to_buffer+0x888/0x1100 lib/hexdump.c:171 print_hex_dump+0x13d/0x3e0 lib/hexdump.c:276 diFree+0x5ba/0x4350 fs/jfs/jfs_imap.c:876 jfs_evict_inode+0x510/0x550 fs/jfs/inode.c:156 evict+0x723/0xd10 fs/inode.c:796 iput_final fs/inode.c:1946 [inline] iput+0x97b/0xdb0 fs/inode.c:1972 txUpdateMap+0xf3e/0x1150 fs/jfs/jfs_txnmgr.c:2367 txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline] jfs_lazycommit+0x627/0x11d0 fs/jfs/jfs_txnmgr.c:2733 kthread+0x6b9/0xef0 kernel/kthread.c:464 ret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Uninit was created at: slab_post_alloc_hook mm/slub.c:4121 [inline] slab_alloc_node mm/slub.c:4164 [inline] __kmalloc_cache_noprof+0x8e3/0xdf0 mm/slub.c:4320 kmalloc_noprof include/linux/slab.h:901 [inline] diMount+0x61/0x7f0 fs/jfs/jfs_imap.c:105 jfs_mount+0xa8e/0x11d0 fs/jfs/jfs_mount.c:176 jfs_fill_super+0xa47/0x17c0 fs/jfs/super.c:523 get_tree_bdev_flags+0x6ec/0x910 fs/super.c:1636 get_tree_bdev+0x37/0x50 fs/super.c:1659 jfs_get_tree+0x34/0x40 fs/jfs/super.c:635 vfs_get_tree+0xb1/0x5a0 fs/super.c:1814 do_new_mount+0x71f/0x15e0 fs/namespace.c:3560 path_mount+0x742/0x1f10 fs/namespace.c:3887 do_mount fs/namespace.c:3900 [inline] __do_sys_mount fs/namespace.c:4111 [inline] __se_sys_mount+0x71f/0x800 fs/namespace.c:4088 __x64_sys_mount+0xe4/0x150 fs/namespace.c:4088 x64_sys_call+0x39bf/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:166 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f ===================================================== The reason is that imap is not properly initialized after memory allocation. It will cause the snprintf() function to write uninitialized data into linebuf within hex_dump_to_buffer(). Fix this by using kzalloc instead of kmalloc to clear its content at the beginning in diMount().

References

URL

Tags

	https://git.kernel.org/stable/c/4f10732712fce33e53703ffe5ed9155f23814097
	https://git.kernel.org/stable/c/cab1852368dd74d629ee02abdbc559218ca64dde
	https://git.kernel.org/stable/c/067347e00a3a7d04afed93f080c6c131e5dd15ee
	https://git.kernel.org/stable/c/63148ce4904faa668daffdd1d3c1199ae315ef2c
	https://git.kernel.org/stable/c/7057f3aab47629d38e54eae83505813cf0da1e4b
	https://git.kernel.org/stable/c/d0d7eca253ccd0619b3d2b683ffe32218ebca9ac
	https://git.kernel.org/stable/c/9629d7d66c621671d9a47afe27ca9336bfc8a9ea

Impacted products

Vendor

Product

Version

Linux

Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Linux

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:54:20.666Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/jfs/jfs_imap.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "4f10732712fce33e53703ffe5ed9155f23814097",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "cab1852368dd74d629ee02abdbc559218ca64dde",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "067347e00a3a7d04afed93f080c6c131e5dd15ee",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "63148ce4904faa668daffdd1d3c1199ae315ef2c",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "7057f3aab47629d38e54eae83505813cf0da1e4b",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "d0d7eca253ccd0619b3d2b683ffe32218ebca9ac",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "9629d7d66c621671d9a47afe27ca9336bfc8a9ea",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/jfs/jfs_imap.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.181",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.135",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.24",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.181",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.135",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.88",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.24",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: Fix uninit-value access of imap allocated in the diMount() function\n\nsyzbot reports that hex_dump_to_buffer is using uninit-value:\n\n=====================================================\nBUG: KMSAN: uninit-value in hex_dump_to_buffer+0x888/0x1100 lib/hexdump.c:171\nhex_dump_to_buffer+0x888/0x1100 lib/hexdump.c:171\nprint_hex_dump+0x13d/0x3e0 lib/hexdump.c:276\ndiFree+0x5ba/0x4350 fs/jfs/jfs_imap.c:876\njfs_evict_inode+0x510/0x550 fs/jfs/inode.c:156\nevict+0x723/0xd10 fs/inode.c:796\niput_final fs/inode.c:1946 [inline]\niput+0x97b/0xdb0 fs/inode.c:1972\ntxUpdateMap+0xf3e/0x1150 fs/jfs/jfs_txnmgr.c:2367\ntxLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline]\njfs_lazycommit+0x627/0x11d0 fs/jfs/jfs_txnmgr.c:2733\nkthread+0x6b9/0xef0 kernel/kthread.c:464\nret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:148\nret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n\nUninit was created at:\nslab_post_alloc_hook mm/slub.c:4121 [inline]\nslab_alloc_node mm/slub.c:4164 [inline]\n__kmalloc_cache_noprof+0x8e3/0xdf0 mm/slub.c:4320\nkmalloc_noprof include/linux/slab.h:901 [inline]\ndiMount+0x61/0x7f0 fs/jfs/jfs_imap.c:105\njfs_mount+0xa8e/0x11d0 fs/jfs/jfs_mount.c:176\njfs_fill_super+0xa47/0x17c0 fs/jfs/super.c:523\nget_tree_bdev_flags+0x6ec/0x910 fs/super.c:1636\nget_tree_bdev+0x37/0x50 fs/super.c:1659\njfs_get_tree+0x34/0x40 fs/jfs/super.c:635\nvfs_get_tree+0xb1/0x5a0 fs/super.c:1814\ndo_new_mount+0x71f/0x15e0 fs/namespace.c:3560\npath_mount+0x742/0x1f10 fs/namespace.c:3887\ndo_mount fs/namespace.c:3900 [inline]\n__do_sys_mount fs/namespace.c:4111 [inline]\n__se_sys_mount+0x71f/0x800 fs/namespace.c:4088\n__x64_sys_mount+0xe4/0x150 fs/namespace.c:4088\nx64_sys_call+0x39bf/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:166\ndo_syscall_x64 arch/x86/entry/common.c:52 [inline]\ndo_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83\nentry_SYSCALL_64_after_hwframe+0x77/0x7f\n=====================================================\n\nThe reason is that imap is not properly initialized after memory\nallocation. It will cause the snprintf() function to write uninitialized\ndata into linebuf within hex_dump_to_buffer().\n\nFix this by using kzalloc instead of kmalloc to clear its content at the\nbeginning in diMount()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:19:54.853Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/4f10732712fce33e53703ffe5ed9155f23814097"
        },
        {
          "url": "https://git.kernel.org/stable/c/cab1852368dd74d629ee02abdbc559218ca64dde"
        },
        {
          "url": "https://git.kernel.org/stable/c/067347e00a3a7d04afed93f080c6c131e5dd15ee"
        },
        {
          "url": "https://git.kernel.org/stable/c/63148ce4904faa668daffdd1d3c1199ae315ef2c"
        },
        {
          "url": "https://git.kernel.org/stable/c/7057f3aab47629d38e54eae83505813cf0da1e4b"
        },
        {
          "url": "https://git.kernel.org/stable/c/d0d7eca253ccd0619b3d2b683ffe32218ebca9ac"
        },
        {
          "url": "https://git.kernel.org/stable/c/9629d7d66c621671d9a47afe27ca9336bfc8a9ea"
        }
      ],
      "title": "jfs: Fix uninit-value access of imap allocated in the diMount() function",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37742",
    "datePublished": "2025-05-01T12:55:50.603Z",
    "dateReserved": "2025-04-16T04:51:23.936Z",
    "dateUpdated": "2025-11-03T19:54:20.666Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38022 (GCVE-0-2025-38022)

Vulnerability from cvelistv5

Published

2025-06-18 09:28

Modified

2025-06-18 09:28

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: RDMA/core: Fix "KASAN: slab-use-after-free Read in ib_register_device" problem Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:408 [inline] print_report+0xc3/0x670 mm/kasan/report.c:521 kasan_report+0xe0/0x110 mm/kasan/report.c:634 strlen+0x93/0xa0 lib/string.c:420 __fortify_strlen include/linux/fortify-string.h:268 [inline] get_kobj_path_length lib/kobject.c:118 [inline] kobject_get_path+0x3f/0x2a0 lib/kobject.c:158 kobject_uevent_env+0x289/0x1870 lib/kobject_uevent.c:545 ib_register_device drivers/infiniband/core/device.c:1472 [inline] ib_register_device+0x8cf/0xe00 drivers/infiniband/core/device.c:1393 rxe_register_device+0x275/0x320 drivers/infiniband/sw/rxe/rxe_verbs.c:1552 rxe_net_add+0x8e/0xe0 drivers/infiniband/sw/rxe/rxe_net.c:550 rxe_newlink+0x70/0x190 drivers/infiniband/sw/rxe/rxe.c:225 nldev_newlink+0x3a3/0x680 drivers/infiniband/core/nldev.c:1796 rdma_nl_rcv_msg+0x387/0x6e0 drivers/infiniband/core/netlink.c:195 rdma_nl_rcv_skb.constprop.0.isra.0+0x2e5/0x450 netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline] netlink_unicast+0x53a/0x7f0 net/netlink/af_netlink.c:1339 netlink_sendmsg+0x8d1/0xdd0 net/netlink/af_netlink.c:1883 sock_sendmsg_nosec net/socket.c:712 [inline] __sock_sendmsg net/socket.c:727 [inline] ____sys_sendmsg+0xa95/0xc70 net/socket.c:2566 ___sys_sendmsg+0x134/0x1d0 net/socket.c:2620 __sys_sendmsg+0x16d/0x220 net/socket.c:2652 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f This problem is similar to the problem that the commit 1d6a9e7449e2 ("RDMA/core: Fix use-after-free when rename device name") fixes. The root cause is: the function ib_device_rename() renames the name with lock. But in the function kobject_uevent(), this name is accessed without lock protection at the same time. The solution is to add the lock protection when this name is accessed in the function kobject_uevent().

References

URL

Tags

	https://git.kernel.org/stable/c/10c7f1c647da3b77ef8827d974a97b6530b64df0
	https://git.kernel.org/stable/c/03df57ad4b0ff9c5a93ff981aba0b42578ad1571
	https://git.kernel.org/stable/c/d0706bfd3ee40923c001c6827b786a309e2a8713

Impacted products

Vendor

Product

Version

Linux

Version: 779e0bf47632c609c59f527f9711ecd3214dccb0
Version: 779e0bf47632c609c59f527f9711ecd3214dccb0
Version: 779e0bf47632c609c59f527f9711ecd3214dccb0
Version: 9b54e31fd08f8d8db507d021c88e760d5f8e4640
Version: 53e9a5a692f839780084ad81dbd461ec917f74f7

Linux

Version: 5.11

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/core/device.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "10c7f1c647da3b77ef8827d974a97b6530b64df0",
              "status": "affected",
              "version": "779e0bf47632c609c59f527f9711ecd3214dccb0",
              "versionType": "git"
            },
            {
              "lessThan": "03df57ad4b0ff9c5a93ff981aba0b42578ad1571",
              "status": "affected",
              "version": "779e0bf47632c609c59f527f9711ecd3214dccb0",
              "versionType": "git"
            },
            {
              "lessThan": "d0706bfd3ee40923c001c6827b786a309e2a8713",
              "status": "affected",
              "version": "779e0bf47632c609c59f527f9711ecd3214dccb0",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "9b54e31fd08f8d8db507d021c88e760d5f8e4640",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "53e9a5a692f839780084ad81dbd461ec917f74f7",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/core/device.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.11"
            },
            {
              "lessThan": "5.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.30",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.8",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.4.86",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.10.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/core: Fix \"KASAN: slab-use-after-free Read in ib_register_device\" problem\n\nCall Trace:\n\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:408 [inline]\n print_report+0xc3/0x670 mm/kasan/report.c:521\n kasan_report+0xe0/0x110 mm/kasan/report.c:634\n strlen+0x93/0xa0 lib/string.c:420\n __fortify_strlen include/linux/fortify-string.h:268 [inline]\n get_kobj_path_length lib/kobject.c:118 [inline]\n kobject_get_path+0x3f/0x2a0 lib/kobject.c:158\n kobject_uevent_env+0x289/0x1870 lib/kobject_uevent.c:545\n ib_register_device drivers/infiniband/core/device.c:1472 [inline]\n ib_register_device+0x8cf/0xe00 drivers/infiniband/core/device.c:1393\n rxe_register_device+0x275/0x320 drivers/infiniband/sw/rxe/rxe_verbs.c:1552\n rxe_net_add+0x8e/0xe0 drivers/infiniband/sw/rxe/rxe_net.c:550\n rxe_newlink+0x70/0x190 drivers/infiniband/sw/rxe/rxe.c:225\n nldev_newlink+0x3a3/0x680 drivers/infiniband/core/nldev.c:1796\n rdma_nl_rcv_msg+0x387/0x6e0 drivers/infiniband/core/netlink.c:195\n rdma_nl_rcv_skb.constprop.0.isra.0+0x2e5/0x450\n netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]\n netlink_unicast+0x53a/0x7f0 net/netlink/af_netlink.c:1339\n netlink_sendmsg+0x8d1/0xdd0 net/netlink/af_netlink.c:1883\n sock_sendmsg_nosec net/socket.c:712 [inline]\n __sock_sendmsg net/socket.c:727 [inline]\n ____sys_sendmsg+0xa95/0xc70 net/socket.c:2566\n ___sys_sendmsg+0x134/0x1d0 net/socket.c:2620\n __sys_sendmsg+0x16d/0x220 net/socket.c:2652\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nThis problem is similar to the problem that the\ncommit 1d6a9e7449e2 (\"RDMA/core: Fix use-after-free when rename device name\")\nfixes.\n\nThe root cause is: the function ib_device_rename() renames the name with\nlock. But in the function kobject_uevent(), this name is accessed without\nlock protection at the same time.\n\nThe solution is to add the lock protection when this name is accessed in\nthe function kobject_uevent()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-18T09:28:29.218Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/10c7f1c647da3b77ef8827d974a97b6530b64df0"
        },
        {
          "url": "https://git.kernel.org/stable/c/03df57ad4b0ff9c5a93ff981aba0b42578ad1571"
        },
        {
          "url": "https://git.kernel.org/stable/c/d0706bfd3ee40923c001c6827b786a309e2a8713"
        }
      ],
      "title": "RDMA/core: Fix \"KASAN: slab-use-after-free Read in ib_register_device\" problem",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38022",
    "datePublished": "2025-06-18T09:28:29.218Z",
    "dateReserved": "2025-04-16T04:51:23.977Z",
    "dateUpdated": "2025-06-18T09:28:29.218Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-50033 (GCVE-0-2022-50033)

Vulnerability from cvelistv5

Published

2025-06-18 11:01

Modified

2025-09-03 12:59

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: usb: host: ohci-ppc-of: Fix refcount leak bug In ohci_hcd_ppc_of_probe(), of_find_compatible_node() will return a node pointer with refcount incremented. We should use of_node_put() when it is not used anymore.

References

URL

Tags

	https://git.kernel.org/stable/c/fe6fe64403710287f0ae61a516954d8a4f7c9e3f
	https://git.kernel.org/stable/c/c5c5bd5cdcc6dc9f75f53d1c89af463d39a2bb96
	https://git.kernel.org/stable/c/ec583e300aee9f152a64911445092d18e1c36729
	https://git.kernel.org/stable/c/0334d23c56ecf1ee1563bb83e29cc5a51ed7fb4e
	https://git.kernel.org/stable/c/cb5dd65e889163e723df1c2f02288cc527a57785
	https://git.kernel.org/stable/c/0fc62bbc95319bbd330e3645afc7c286acec9ef8
	https://git.kernel.org/stable/c/403132881e66db7aa98b55c6655daedd80d407fd
	https://git.kernel.org/stable/c/40a959d7042bb7711e404ad2318b30e9f92c6b9b

Impacted products

Vendor

Product

Version

Linux

Version: 796bcae7361c28cf825780f6f1aac9dd3411394e
Version: 796bcae7361c28cf825780f6f1aac9dd3411394e
Version: 796bcae7361c28cf825780f6f1aac9dd3411394e
Version: 796bcae7361c28cf825780f6f1aac9dd3411394e
Version: 796bcae7361c28cf825780f6f1aac9dd3411394e
Version: 796bcae7361c28cf825780f6f1aac9dd3411394e
Version: 796bcae7361c28cf825780f6f1aac9dd3411394e
Version: 796bcae7361c28cf825780f6f1aac9dd3411394e

Linux

Version: 2.6.29

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/host/ohci-ppc-of.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "fe6fe64403710287f0ae61a516954d8a4f7c9e3f",
              "status": "affected",
              "version": "796bcae7361c28cf825780f6f1aac9dd3411394e",
              "versionType": "git"
            },
            {
              "lessThan": "c5c5bd5cdcc6dc9f75f53d1c89af463d39a2bb96",
              "status": "affected",
              "version": "796bcae7361c28cf825780f6f1aac9dd3411394e",
              "versionType": "git"
            },
            {
              "lessThan": "ec583e300aee9f152a64911445092d18e1c36729",
              "status": "affected",
              "version": "796bcae7361c28cf825780f6f1aac9dd3411394e",
              "versionType": "git"
            },
            {
              "lessThan": "0334d23c56ecf1ee1563bb83e29cc5a51ed7fb4e",
              "status": "affected",
              "version": "796bcae7361c28cf825780f6f1aac9dd3411394e",
              "versionType": "git"
            },
            {
              "lessThan": "cb5dd65e889163e723df1c2f02288cc527a57785",
              "status": "affected",
              "version": "796bcae7361c28cf825780f6f1aac9dd3411394e",
              "versionType": "git"
            },
            {
              "lessThan": "0fc62bbc95319bbd330e3645afc7c286acec9ef8",
              "status": "affected",
              "version": "796bcae7361c28cf825780f6f1aac9dd3411394e",
              "versionType": "git"
            },
            {
              "lessThan": "403132881e66db7aa98b55c6655daedd80d407fd",
              "status": "affected",
              "version": "796bcae7361c28cf825780f6f1aac9dd3411394e",
              "versionType": "git"
            },
            {
              "lessThan": "40a959d7042bb7711e404ad2318b30e9f92c6b9b",
              "status": "affected",
              "version": "796bcae7361c28cf825780f6f1aac9dd3411394e",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/host/ohci-ppc-of.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.29"
            },
            {
              "lessThan": "2.6.29",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.9.*",
              "status": "unaffected",
              "version": "4.9.326",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.14.*",
              "status": "unaffected",
              "version": "4.14.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.256",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.211",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.138",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.63",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.19.*",
              "status": "unaffected",
              "version": "5.19.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.9.326",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.14.291",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.256",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.211",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.138",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.63",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.19.4",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: host: ohci-ppc-of: Fix refcount leak bug\n\nIn ohci_hcd_ppc_of_probe(), of_find_compatible_node() will return\na node pointer with refcount incremented. We should use of_node_put()\nwhen it is not used anymore."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-03T12:59:02.239Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/fe6fe64403710287f0ae61a516954d8a4f7c9e3f"
        },
        {
          "url": "https://git.kernel.org/stable/c/c5c5bd5cdcc6dc9f75f53d1c89af463d39a2bb96"
        },
        {
          "url": "https://git.kernel.org/stable/c/ec583e300aee9f152a64911445092d18e1c36729"
        },
        {
          "url": "https://git.kernel.org/stable/c/0334d23c56ecf1ee1563bb83e29cc5a51ed7fb4e"
        },
        {
          "url": "https://git.kernel.org/stable/c/cb5dd65e889163e723df1c2f02288cc527a57785"
        },
        {
          "url": "https://git.kernel.org/stable/c/0fc62bbc95319bbd330e3645afc7c286acec9ef8"
        },
        {
          "url": "https://git.kernel.org/stable/c/403132881e66db7aa98b55c6655daedd80d407fd"
        },
        {
          "url": "https://git.kernel.org/stable/c/40a959d7042bb7711e404ad2318b30e9f92c6b9b"
        }
      ],
      "title": "usb: host: ohci-ppc-of: Fix refcount leak bug",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50033",
    "datePublished": "2025-06-18T11:01:35.679Z",
    "dateReserved": "2025-06-18T10:57:27.395Z",
    "dateUpdated": "2025-09-03T12:59:02.239Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-23148 (GCVE-0-2025-23148)

Vulnerability from cvelistv5

Published

2025-05-01 12:55

Modified

2025-11-03 19:42

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: soc: samsung: exynos-chipid: Add NULL pointer check in exynos_chipid_probe() soc_dev_attr->revision could be NULL, thus, a pointer check is added to prevent potential NULL pointer dereference. This is similar to the fix in commit 3027e7b15b02 ("ice: Fix some null pointer dereference issues in ice_ptp.c"). This issue is found by our static analysis tool.

References

URL

Tags

	https://git.kernel.org/stable/c/8ce469d23205249bb17c1135ccadea879576adfc
	https://git.kernel.org/stable/c/8ee067cf0cf82429e9b204283c7d0d8d6891d10e
	https://git.kernel.org/stable/c/475b9b45dc32eba58ab794b5d47ac689fc018398
	https://git.kernel.org/stable/c/5f80fd2ff8bfd13e41554741740e0ca8e6445ded
	https://git.kernel.org/stable/c/44a2572a0fdcf3e7565763690d579b998a8f0562
	https://git.kernel.org/stable/c/4f51d169fd0d4821bce775618db024062b09a3f7
	https://git.kernel.org/stable/c/4129760e462f45f14e61b10408ace61aa7c2ed30
	https://git.kernel.org/stable/c/c8222ef6cf29dd7cad21643228f96535cc02b327

Impacted products

Vendor

Product

Version

Linux

Version: 3253b7b7cd44c4dd029a4ce280ef9f409a256e5f
Version: 3253b7b7cd44c4dd029a4ce280ef9f409a256e5f
Version: 3253b7b7cd44c4dd029a4ce280ef9f409a256e5f
Version: 3253b7b7cd44c4dd029a4ce280ef9f409a256e5f
Version: 3253b7b7cd44c4dd029a4ce280ef9f409a256e5f
Version: 3253b7b7cd44c4dd029a4ce280ef9f409a256e5f
Version: 3253b7b7cd44c4dd029a4ce280ef9f409a256e5f
Version: 3253b7b7cd44c4dd029a4ce280ef9f409a256e5f

Linux

Version: 5.4

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:42:44.119Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/soc/samsung/exynos-chipid.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "8ce469d23205249bb17c1135ccadea879576adfc",
              "status": "affected",
              "version": "3253b7b7cd44c4dd029a4ce280ef9f409a256e5f",
              "versionType": "git"
            },
            {
              "lessThan": "8ee067cf0cf82429e9b204283c7d0d8d6891d10e",
              "status": "affected",
              "version": "3253b7b7cd44c4dd029a4ce280ef9f409a256e5f",
              "versionType": "git"
            },
            {
              "lessThan": "475b9b45dc32eba58ab794b5d47ac689fc018398",
              "status": "affected",
              "version": "3253b7b7cd44c4dd029a4ce280ef9f409a256e5f",
              "versionType": "git"
            },
            {
              "lessThan": "5f80fd2ff8bfd13e41554741740e0ca8e6445ded",
              "status": "affected",
              "version": "3253b7b7cd44c4dd029a4ce280ef9f409a256e5f",
              "versionType": "git"
            },
            {
              "lessThan": "44a2572a0fdcf3e7565763690d579b998a8f0562",
              "status": "affected",
              "version": "3253b7b7cd44c4dd029a4ce280ef9f409a256e5f",
              "versionType": "git"
            },
            {
              "lessThan": "4f51d169fd0d4821bce775618db024062b09a3f7",
              "status": "affected",
              "version": "3253b7b7cd44c4dd029a4ce280ef9f409a256e5f",
              "versionType": "git"
            },
            {
              "lessThan": "4129760e462f45f14e61b10408ace61aa7c2ed30",
              "status": "affected",
              "version": "3253b7b7cd44c4dd029a4ce280ef9f409a256e5f",
              "versionType": "git"
            },
            {
              "lessThan": "c8222ef6cf29dd7cad21643228f96535cc02b327",
              "status": "affected",
              "version": "3253b7b7cd44c4dd029a4ce280ef9f409a256e5f",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/soc/samsung/exynos-chipid.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.4"
            },
            {
              "lessThan": "5.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.237",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.181",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.135",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.24",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.237",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.181",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.135",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.88",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.24",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.12",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.3",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: samsung: exynos-chipid: Add NULL pointer check in exynos_chipid_probe()\n\nsoc_dev_attr-\u003erevision could be NULL, thus,\na pointer check is added to prevent potential NULL pointer dereference.\nThis is similar to the fix in commit 3027e7b15b02\n(\"ice: Fix some null pointer dereference issues in ice_ptp.c\").\n\nThis issue is found by our static analysis tool."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:19:29.320Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/8ce469d23205249bb17c1135ccadea879576adfc"
        },
        {
          "url": "https://git.kernel.org/stable/c/8ee067cf0cf82429e9b204283c7d0d8d6891d10e"
        },
        {
          "url": "https://git.kernel.org/stable/c/475b9b45dc32eba58ab794b5d47ac689fc018398"
        },
        {
          "url": "https://git.kernel.org/stable/c/5f80fd2ff8bfd13e41554741740e0ca8e6445ded"
        },
        {
          "url": "https://git.kernel.org/stable/c/44a2572a0fdcf3e7565763690d579b998a8f0562"
        },
        {
          "url": "https://git.kernel.org/stable/c/4f51d169fd0d4821bce775618db024062b09a3f7"
        },
        {
          "url": "https://git.kernel.org/stable/c/4129760e462f45f14e61b10408ace61aa7c2ed30"
        },
        {
          "url": "https://git.kernel.org/stable/c/c8222ef6cf29dd7cad21643228f96535cc02b327"
        }
      ],
      "title": "soc: samsung: exynos-chipid: Add NULL pointer check in exynos_chipid_probe()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-23148",
    "datePublished": "2025-05-01T12:55:36.726Z",
    "dateReserved": "2025-01-11T14:28:41.513Z",
    "dateUpdated": "2025-11-03T19:42:44.119Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-23161 (GCVE-0-2025-23161)

Vulnerability from cvelistv5

Published

2025-05-01 12:55

Modified

2025-11-03 19:43

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: PCI: vmd: Make vmd_dev::cfg_lock a raw_spinlock_t type The access to the PCI config space via pci_ops::read and pci_ops::write is a low-level hardware access. The functions can be accessed with disabled interrupts even on PREEMPT_RT. The pci_lock is a raw_spinlock_t for this purpose. A spinlock_t becomes a sleeping lock on PREEMPT_RT, so it cannot be acquired with disabled interrupts. The vmd_dev::cfg_lock is accessed in the same context as the pci_lock. Make vmd_dev::cfg_lock a raw_spinlock_t type so it can be used with interrupts disabled. This was reported as: BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48 Call Trace: rt_spin_lock+0x4e/0x130 vmd_pci_read+0x8d/0x100 [vmd] pci_user_read_config_byte+0x6f/0xe0 pci_read_config+0xfe/0x290 sysfs_kf_bin_read+0x68/0x90 [bigeasy: reword commit message] Tested-off-by: Luis Claudio R. Goncalves <lgoncalv@redhat.com> [kwilczynski: commit log] [bhelgaas: add back report info from https://lore.kernel.org/lkml/20241218115951.83062-1-ryotkkr98@gmail.com/]

References

URL

Tags

	https://git.kernel.org/stable/c/c250262d6485ca333e9821f85b07eb383ec546b1
	https://git.kernel.org/stable/c/c2968c812339593ac6e2bdd5cc3adabe3f05fa53
	https://git.kernel.org/stable/c/13e5148f70e81991acbe0bab5b1b50ba699116e7
	https://git.kernel.org/stable/c/5c3cfcf0b4bf43530788b08a8eaf7896ec567484
	https://git.kernel.org/stable/c/2358046ead696ca5c7c628d6c0e2c6792619a3e5
	https://git.kernel.org/stable/c/20d0a9062c031068fa39f725a32f182b709b5525
	https://git.kernel.org/stable/c/18056a48669a040bef491e63b25896561ee14d90

Impacted products

Vendor

Product

Version

Linux

Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Linux

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:43:01.027Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/pci/controller/vmd.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c250262d6485ca333e9821f85b07eb383ec546b1",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "c2968c812339593ac6e2bdd5cc3adabe3f05fa53",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "13e5148f70e81991acbe0bab5b1b50ba699116e7",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "5c3cfcf0b4bf43530788b08a8eaf7896ec567484",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "2358046ead696ca5c7c628d6c0e2c6792619a3e5",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "20d0a9062c031068fa39f725a32f182b709b5525",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "18056a48669a040bef491e63b25896561ee14d90",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/pci/controller/vmd.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.181",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.135",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.24",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.181",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.135",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.88",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.24",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: vmd: Make vmd_dev::cfg_lock a raw_spinlock_t type\n\nThe access to the PCI config space via pci_ops::read and pci_ops::write is\na low-level hardware access. The functions can be accessed with disabled\ninterrupts even on PREEMPT_RT. The pci_lock is a raw_spinlock_t for this\npurpose.\n\nA spinlock_t becomes a sleeping lock on PREEMPT_RT, so it cannot be\nacquired with disabled interrupts. The vmd_dev::cfg_lock is accessed in\nthe same context as the pci_lock.\n\nMake vmd_dev::cfg_lock a raw_spinlock_t type so it can be used with\ninterrupts disabled.\n\nThis was reported as:\n\n  BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48\n  Call Trace:\n   rt_spin_lock+0x4e/0x130\n   vmd_pci_read+0x8d/0x100 [vmd]\n   pci_user_read_config_byte+0x6f/0xe0\n   pci_read_config+0xfe/0x290\n   sysfs_kf_bin_read+0x68/0x90\n\n[bigeasy: reword commit message]\nTested-off-by: Luis Claudio R. Goncalves \u003clgoncalv@redhat.com\u003e\n[kwilczynski: commit log]\n[bhelgaas: add back report info from\nhttps://lore.kernel.org/lkml/20241218115951.83062-1-ryotkkr98@gmail.com/]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:19:45.849Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c250262d6485ca333e9821f85b07eb383ec546b1"
        },
        {
          "url": "https://git.kernel.org/stable/c/c2968c812339593ac6e2bdd5cc3adabe3f05fa53"
        },
        {
          "url": "https://git.kernel.org/stable/c/13e5148f70e81991acbe0bab5b1b50ba699116e7"
        },
        {
          "url": "https://git.kernel.org/stable/c/5c3cfcf0b4bf43530788b08a8eaf7896ec567484"
        },
        {
          "url": "https://git.kernel.org/stable/c/2358046ead696ca5c7c628d6c0e2c6792619a3e5"
        },
        {
          "url": "https://git.kernel.org/stable/c/20d0a9062c031068fa39f725a32f182b709b5525"
        },
        {
          "url": "https://git.kernel.org/stable/c/18056a48669a040bef491e63b25896561ee14d90"
        }
      ],
      "title": "PCI: vmd: Make vmd_dev::cfg_lock a raw_spinlock_t type",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-23161",
    "datePublished": "2025-05-01T12:55:46.021Z",
    "dateReserved": "2025-01-11T14:28:41.515Z",
    "dateUpdated": "2025-11-03T19:43:01.027Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21868 (GCVE-0-2025-21868)

Vulnerability from cvelistv5

Published

2025-03-27 13:38

Modified

2025-11-24 09:49

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: net: allow small head cache usage with large MAX_SKB_FRAGS values Sabrina reported the following splat: WARNING: CPU: 0 PID: 1 at net/core/dev.c:6935 netif_napi_add_weight_locked+0x8f2/0xba0 Modules linked in: CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.14.0-rc1-net-00092-g011b03359038 #996 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014 RIP: 0010:netif_napi_add_weight_locked+0x8f2/0xba0 Code: e8 c3 e6 6a fe 48 83 c4 28 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc c7 44 24 10 ff ff ff ff e9 8f fb ff ff e8 9e e6 6a fe <0f> 0b e9 d3 fe ff ff e8 92 e6 6a fe 48 8b 04 24 be ff ff ff ff 48 RSP: 0000:ffffc9000001fc60 EFLAGS: 00010293 RAX: 0000000000000000 RBX: ffff88806ce48128 RCX: 1ffff11001664b9e RDX: ffff888008f00040 RSI: ffffffff8317ca42 RDI: ffff88800b325cb6 RBP: ffff88800b325c40 R08: 0000000000000001 R09: ffffed100167502c R10: ffff88800b3a8163 R11: 0000000000000000 R12: ffff88800ac1c168 R13: ffff88800ac1c168 R14: ffff88800ac1c168 R15: 0000000000000007 FS: 0000000000000000(0000) GS:ffff88806ce00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffff888008201000 CR3: 0000000004c94001 CR4: 0000000000370ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> gro_cells_init+0x1ba/0x270 xfrm_input_init+0x4b/0x2a0 xfrm_init+0x38/0x50 ip_rt_init+0x2d7/0x350 ip_init+0xf/0x20 inet_init+0x406/0x590 do_one_initcall+0x9d/0x2e0 do_initcalls+0x23b/0x280 kernel_init_freeable+0x445/0x490 kernel_init+0x20/0x1d0 ret_from_fork+0x46/0x80 ret_from_fork_asm+0x1a/0x30 </TASK> irq event stamp: 584330 hardirqs last enabled at (584338): [<ffffffff8168bf87>] __up_console_sem+0x77/0xb0 hardirqs last disabled at (584345): [<ffffffff8168bf6c>] __up_console_sem+0x5c/0xb0 softirqs last enabled at (583242): [<ffffffff833ee96d>] netlink_insert+0x14d/0x470 softirqs last disabled at (583754): [<ffffffff8317c8cd>] netif_napi_add_weight_locked+0x77d/0xba0 on kernel built with MAX_SKB_FRAGS=45, where SKB_WITH_OVERHEAD(1024) is smaller than GRO_MAX_HEAD. Such built additionally contains the revert of the single page frag cache so that napi_get_frags() ends up using the page frag allocator, triggering the splat. Note that the underlying issue is independent from the mentioned revert; address it ensuring that the small head cache will fit either TCP and GRO allocation and updating napi_alloc_skb() and __netdev_alloc_skb() to select kmalloc() usage for any allocation fitting such cache.

References

URL

Tags

	https://git.kernel.org/stable/c/ed8a77fee4618facd2a539cad7b7366697b5a575
	https://git.kernel.org/stable/c/ed0ca7d2127c63991cfaf1932b827e3f4f8ee480
	https://git.kernel.org/stable/c/648e440c98e260dec835e48a5d7a9993477b1f9d
	https://git.kernel.org/stable/c/14ad6ed30a10afbe91b0749d6378285f4225d482

Impacted products

Vendor

Product

Version

Linux

Version: 3948b05950fdd64002a5f182c65ba5cf2d53cf71
Version: 3948b05950fdd64002a5f182c65ba5cf2d53cf71
Version: 3948b05950fdd64002a5f182c65ba5cf2d53cf71
Version: 3948b05950fdd64002a5f182c65ba5cf2d53cf71

Linux

Version: 6.4

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/net/gro.h",
            "net/core/gro.c",
            "net/core/skbuff.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ed8a77fee4618facd2a539cad7b7366697b5a575",
              "status": "affected",
              "version": "3948b05950fdd64002a5f182c65ba5cf2d53cf71",
              "versionType": "git"
            },
            {
              "lessThan": "ed0ca7d2127c63991cfaf1932b827e3f4f8ee480",
              "status": "affected",
              "version": "3948b05950fdd64002a5f182c65ba5cf2d53cf71",
              "versionType": "git"
            },
            {
              "lessThan": "648e440c98e260dec835e48a5d7a9993477b1f9d",
              "status": "affected",
              "version": "3948b05950fdd64002a5f182c65ba5cf2d53cf71",
              "versionType": "git"
            },
            {
              "lessThan": "14ad6ed30a10afbe91b0749d6378285f4225d482",
              "status": "affected",
              "version": "3948b05950fdd64002a5f182c65ba5cf2d53cf71",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/net/gro.h",
            "net/core/gro.c",
            "net/core/skbuff.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.4"
            },
            {
              "lessThan": "6.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.117",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.17",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.117",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.17",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.5",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: allow small head cache usage with large MAX_SKB_FRAGS values\n\nSabrina reported the following splat:\n\n    WARNING: CPU: 0 PID: 1 at net/core/dev.c:6935 netif_napi_add_weight_locked+0x8f2/0xba0\n    Modules linked in:\n    CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.14.0-rc1-net-00092-g011b03359038 #996\n    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014\n    RIP: 0010:netif_napi_add_weight_locked+0x8f2/0xba0\n    Code: e8 c3 e6 6a fe 48 83 c4 28 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc c7 44 24 10 ff ff ff ff e9 8f fb ff ff e8 9e e6 6a fe \u003c0f\u003e 0b e9 d3 fe ff ff e8 92 e6 6a fe 48 8b 04 24 be ff ff ff ff 48\n    RSP: 0000:ffffc9000001fc60 EFLAGS: 00010293\n    RAX: 0000000000000000 RBX: ffff88806ce48128 RCX: 1ffff11001664b9e\n    RDX: ffff888008f00040 RSI: ffffffff8317ca42 RDI: ffff88800b325cb6\n    RBP: ffff88800b325c40 R08: 0000000000000001 R09: ffffed100167502c\n    R10: ffff88800b3a8163 R11: 0000000000000000 R12: ffff88800ac1c168\n    R13: ffff88800ac1c168 R14: ffff88800ac1c168 R15: 0000000000000007\n    FS:  0000000000000000(0000) GS:ffff88806ce00000(0000) knlGS:0000000000000000\n    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n    CR2: ffff888008201000 CR3: 0000000004c94001 CR4: 0000000000370ef0\n    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n    Call Trace:\n    \u003cTASK\u003e\n    gro_cells_init+0x1ba/0x270\n    xfrm_input_init+0x4b/0x2a0\n    xfrm_init+0x38/0x50\n    ip_rt_init+0x2d7/0x350\n    ip_init+0xf/0x20\n    inet_init+0x406/0x590\n    do_one_initcall+0x9d/0x2e0\n    do_initcalls+0x23b/0x280\n    kernel_init_freeable+0x445/0x490\n    kernel_init+0x20/0x1d0\n    ret_from_fork+0x46/0x80\n    ret_from_fork_asm+0x1a/0x30\n    \u003c/TASK\u003e\n    irq event stamp: 584330\n    hardirqs last  enabled at (584338): [\u003cffffffff8168bf87\u003e] __up_console_sem+0x77/0xb0\n    hardirqs last disabled at (584345): [\u003cffffffff8168bf6c\u003e] __up_console_sem+0x5c/0xb0\n    softirqs last  enabled at (583242): [\u003cffffffff833ee96d\u003e] netlink_insert+0x14d/0x470\n    softirqs last disabled at (583754): [\u003cffffffff8317c8cd\u003e] netif_napi_add_weight_locked+0x77d/0xba0\n\non kernel built with MAX_SKB_FRAGS=45, where SKB_WITH_OVERHEAD(1024)\nis smaller than GRO_MAX_HEAD.\n\nSuch built additionally contains the revert of the single page frag cache\nso that napi_get_frags() ends up using the page frag allocator, triggering\nthe splat.\n\nNote that the underlying issue is independent from the mentioned\nrevert; address it ensuring that the small head cache will fit either TCP\nand GRO allocation and updating napi_alloc_skb() and __netdev_alloc_skb()\nto select kmalloc() usage for any allocation fitting such cache."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-24T09:49:37.879Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ed8a77fee4618facd2a539cad7b7366697b5a575"
        },
        {
          "url": "https://git.kernel.org/stable/c/ed0ca7d2127c63991cfaf1932b827e3f4f8ee480"
        },
        {
          "url": "https://git.kernel.org/stable/c/648e440c98e260dec835e48a5d7a9993477b1f9d"
        },
        {
          "url": "https://git.kernel.org/stable/c/14ad6ed30a10afbe91b0749d6378285f4225d482"
        }
      ],
      "title": "net: allow small head cache usage with large MAX_SKB_FRAGS values",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21868",
    "datePublished": "2025-03-27T13:38:21.586Z",
    "dateReserved": "2024-12-29T08:45:45.781Z",
    "dateUpdated": "2025-11-24T09:49:37.879Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21839 (GCVE-0-2025-21839)

Vulnerability from cvelistv5

Published

2025-03-07 09:09

Modified

2025-11-03 19:37

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Load DR6 with guest value only before entering .vcpu_run() loop Move the conditional loading of hardware DR6 with the guest's DR6 value out of the core .vcpu_run() loop to fix a bug where KVM can load hardware with a stale vcpu->arch.dr6. When the guest accesses a DR and host userspace isn't debugging the guest, KVM disables DR interception and loads the guest's values into hardware on VM-Enter and saves them on VM-Exit. This allows the guest to access DRs at will, e.g. so that a sequence of DR accesses to configure a breakpoint only generates one VM-Exit. For DR0-DR3, the logic/behavior is identical between VMX and SVM, and also identical between KVM_DEBUGREG_BP_ENABLED (userspace debugging the guest) and KVM_DEBUGREG_WONT_EXIT (guest using DRs), and so KVM handles loading DR0-DR3 in common code, _outside_ of the core kvm_x86_ops.vcpu_run() loop. But for DR6, the guest's value doesn't need to be loaded into hardware for KVM_DEBUGREG_BP_ENABLED, and SVM provides a dedicated VMCB field whereas VMX requires software to manually load the guest value, and so loading the guest's value into DR6 is handled by {svm,vmx}_vcpu_run(), i.e. is done _inside_ the core run loop. Unfortunately, saving the guest values on VM-Exit is initiated by common x86, again outside of the core run loop. If the guest modifies DR6 (in hardware, when DR interception is disabled), and then the next VM-Exit is a fastpath VM-Exit, KVM will reload hardware DR6 with vcpu->arch.dr6 and clobber the guest's actual value. The bug shows up primarily with nested VMX because KVM handles the VMX preemption timer in the fastpath, and the window between hardware DR6 being modified (in guest context) and DR6 being read by guest software is orders of magnitude larger in a nested setup. E.g. in non-nested, the VMX preemption timer would need to fire precisely between #DB injection and the #DB handler's read of DR6, whereas with a KVM-on-KVM setup, the window where hardware DR6 is "dirty" extends all the way from L1 writing DR6 to VMRESUME (in L1). L1's view: ========== <L1 disables DR interception> CPU 0/KVM-7289 [023] d.... 2925.640961: kvm_entry: vcpu 0 A: L1 Writes DR6 CPU 0/KVM-7289 [023] d.... 2925.640963: <hack>: Set DRs, DR6 = 0xffff0ff1 B: CPU 0/KVM-7289 [023] d.... 2925.640967: kvm_exit: vcpu 0 reason EXTERNAL_INTERRUPT intr_info 0x800000ec D: L1 reads DR6, arch.dr6 = 0 CPU 0/KVM-7289 [023] d.... 2925.640969: <hack>: Sync DRs, DR6 = 0xffff0ff0 CPU 0/KVM-7289 [023] d.... 2925.640976: kvm_entry: vcpu 0 L2 reads DR6, L1 disables DR interception CPU 0/KVM-7289 [023] d.... 2925.640980: kvm_exit: vcpu 0 reason DR_ACCESS info1 0x0000000000000216 CPU 0/KVM-7289 [023] d.... 2925.640983: kvm_entry: vcpu 0 CPU 0/KVM-7289 [023] d.... 2925.640983: <hack>: Set DRs, DR6 = 0xffff0ff0 L2 detects failure CPU 0/KVM-7289 [023] d.... 2925.640987: kvm_exit: vcpu 0 reason HLT L1 reads DR6 (confirms failure) CPU 0/KVM-7289 [023] d.... 2925.640990: <hack>: Sync DRs, DR6 = 0xffff0ff0 L0's view: ========== L2 reads DR6, arch.dr6 = 0 CPU 23/KVM-5046 [001] d.... 3410.005610: kvm_exit: vcpu 23 reason DR_ACCESS info1 0x0000000000000216 CPU 23/KVM-5046 [001] ..... 3410.005610: kvm_nested_vmexit: vcpu 23 reason DR_ACCESS info1 0x0000000000000216 L2 => L1 nested VM-Exit CPU 23/KVM-5046 [001] ..... 3410.005610: kvm_nested_vmexit_inject: reason: DR_ACCESS ext_inf1: 0x0000000000000216 CPU 23/KVM-5046 [001] d.... 3410.005610: kvm_entry: vcpu 23 CPU 23/KVM-5046 [001] d.... 3410.005611: kvm_exit: vcpu 23 reason VMREAD CPU 23/KVM-5046 [001] d.... 3410.005611: kvm_entry: vcpu 23 CPU 23/KVM-5046 [001] d.... 3410. ---truncated---

References

URL

Tags

	https://git.kernel.org/stable/c/9efb2b99b96c86664bbdbdd2cdb354ac9627eb20
	https://git.kernel.org/stable/c/93eeb6df1605b3a24f38afdba7ab903ba6b64133
	https://git.kernel.org/stable/c/a1723e9c53fe6431415be19302a56543daf503f5
	https://git.kernel.org/stable/c/4eb063de686bfcdfd03a8c801d1bbe87d2d5eb55
	https://git.kernel.org/stable/c/d456de38d9eb753a4e9fde053c18d4ef8e485339
	https://git.kernel.org/stable/c/c2fee09fc167c74a64adb08656cb993ea475197e

Impacted products

Vendor

Product

Version

Linux

Version: d67668e9dd76d98136048935723947156737932b
Version: d67668e9dd76d98136048935723947156737932b
Version: d67668e9dd76d98136048935723947156737932b
Version: d67668e9dd76d98136048935723947156737932b
Version: d67668e9dd76d98136048935723947156737932b
Version: d67668e9dd76d98136048935723947156737932b

Linux

Version: 5.7

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:37:57.827Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/include/asm/kvm-x86-ops.h",
            "arch/x86/include/asm/kvm_host.h",
            "arch/x86/kvm/svm/svm.c",
            "arch/x86/kvm/vmx/main.c",
            "arch/x86/kvm/vmx/vmx.c",
            "arch/x86/kvm/vmx/x86_ops.h",
            "arch/x86/kvm/x86.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "9efb2b99b96c86664bbdbdd2cdb354ac9627eb20",
              "status": "affected",
              "version": "d67668e9dd76d98136048935723947156737932b",
              "versionType": "git"
            },
            {
              "lessThan": "93eeb6df1605b3a24f38afdba7ab903ba6b64133",
              "status": "affected",
              "version": "d67668e9dd76d98136048935723947156737932b",
              "versionType": "git"
            },
            {
              "lessThan": "a1723e9c53fe6431415be19302a56543daf503f5",
              "status": "affected",
              "version": "d67668e9dd76d98136048935723947156737932b",
              "versionType": "git"
            },
            {
              "lessThan": "4eb063de686bfcdfd03a8c801d1bbe87d2d5eb55",
              "status": "affected",
              "version": "d67668e9dd76d98136048935723947156737932b",
              "versionType": "git"
            },
            {
              "lessThan": "d456de38d9eb753a4e9fde053c18d4ef8e485339",
              "status": "affected",
              "version": "d67668e9dd76d98136048935723947156737932b",
              "versionType": "git"
            },
            {
              "lessThan": "c2fee09fc167c74a64adb08656cb993ea475197e",
              "status": "affected",
              "version": "d67668e9dd76d98136048935723947156737932b",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/include/asm/kvm-x86-ops.h",
            "arch/x86/include/asm/kvm_host.h",
            "arch/x86/kvm/svm/svm.c",
            "arch/x86/kvm/vmx/main.c",
            "arch/x86/kvm/vmx/vmx.c",
            "arch/x86/kvm/vmx/x86_ops.h",
            "arch/x86/kvm/x86.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.7"
            },
            {
              "lessThan": "5.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.182",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.138",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.90",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.182",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.138",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.90",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.16",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.4",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Load DR6 with guest value only before entering .vcpu_run() loop\n\nMove the conditional loading of hardware DR6 with the guest\u0027s DR6 value\nout of the core .vcpu_run() loop to fix a bug where KVM can load hardware\nwith a stale vcpu-\u003earch.dr6.\n\nWhen the guest accesses a DR and host userspace isn\u0027t debugging the guest,\nKVM disables DR interception and loads the guest\u0027s values into hardware on\nVM-Enter and saves them on VM-Exit.  This allows the guest to access DRs\nat will, e.g. so that a sequence of DR accesses to configure a breakpoint\nonly generates one VM-Exit.\n\nFor DR0-DR3, the logic/behavior is identical between VMX and SVM, and also\nidentical between KVM_DEBUGREG_BP_ENABLED (userspace debugging the guest)\nand KVM_DEBUGREG_WONT_EXIT (guest using DRs), and so KVM handles loading\nDR0-DR3 in common code, _outside_ of the core kvm_x86_ops.vcpu_run() loop.\n\nBut for DR6, the guest\u0027s value doesn\u0027t need to be loaded into hardware for\nKVM_DEBUGREG_BP_ENABLED, and SVM provides a dedicated VMCB field whereas\nVMX requires software to manually load the guest value, and so loading the\nguest\u0027s value into DR6 is handled by {svm,vmx}_vcpu_run(), i.e. is done\n_inside_ the core run loop.\n\nUnfortunately, saving the guest values on VM-Exit is initiated by common\nx86, again outside of the core run loop.  If the guest modifies DR6 (in\nhardware, when DR interception is disabled), and then the next VM-Exit is\na fastpath VM-Exit, KVM will reload hardware DR6 with vcpu-\u003earch.dr6 and\nclobber the guest\u0027s actual value.\n\nThe bug shows up primarily with nested VMX because KVM handles the VMX\npreemption timer in the fastpath, and the window between hardware DR6\nbeing modified (in guest context) and DR6 being read by guest software is\norders of magnitude larger in a nested setup.  E.g. in non-nested, the\nVMX preemption timer would need to fire precisely between #DB injection\nand the #DB handler\u0027s read of DR6, whereas with a KVM-on-KVM setup, the\nwindow where hardware DR6 is \"dirty\" extends all the way from L1 writing\nDR6 to VMRESUME (in L1).\n\n    L1\u0027s view:\n    ==========\n    \u003cL1 disables DR interception\u003e\n           CPU 0/KVM-7289    [023] d....  2925.640961: kvm_entry: vcpu 0\n A:  L1 Writes DR6\n           CPU 0/KVM-7289    [023] d....  2925.640963: \u003chack\u003e: Set DRs, DR6 = 0xffff0ff1\n\n B:        CPU 0/KVM-7289    [023] d....  2925.640967: kvm_exit: vcpu 0 reason EXTERNAL_INTERRUPT intr_info 0x800000ec\n\n D: L1 reads DR6, arch.dr6 = 0\n           CPU 0/KVM-7289    [023] d....  2925.640969: \u003chack\u003e: Sync DRs, DR6 = 0xffff0ff0\n\n           CPU 0/KVM-7289    [023] d....  2925.640976: kvm_entry: vcpu 0\n    L2 reads DR6, L1 disables DR interception\n           CPU 0/KVM-7289    [023] d....  2925.640980: kvm_exit: vcpu 0 reason DR_ACCESS info1 0x0000000000000216\n           CPU 0/KVM-7289    [023] d....  2925.640983: kvm_entry: vcpu 0\n\n           CPU 0/KVM-7289    [023] d....  2925.640983: \u003chack\u003e: Set DRs, DR6 = 0xffff0ff0\n\n    L2 detects failure\n           CPU 0/KVM-7289    [023] d....  2925.640987: kvm_exit: vcpu 0 reason HLT\n    L1 reads DR6 (confirms failure)\n           CPU 0/KVM-7289    [023] d....  2925.640990: \u003chack\u003e: Sync DRs, DR6 = 0xffff0ff0\n\n    L0\u0027s view:\n    ==========\n    L2 reads DR6, arch.dr6 = 0\n          CPU 23/KVM-5046    [001] d....  3410.005610: kvm_exit: vcpu 23 reason DR_ACCESS info1 0x0000000000000216\n          CPU 23/KVM-5046    [001] .....  3410.005610: kvm_nested_vmexit: vcpu 23 reason DR_ACCESS info1 0x0000000000000216\n\n    L2 =\u003e L1 nested VM-Exit\n          CPU 23/KVM-5046    [001] .....  3410.005610: kvm_nested_vmexit_inject: reason: DR_ACCESS ext_inf1: 0x0000000000000216\n\n          CPU 23/KVM-5046    [001] d....  3410.005610: kvm_entry: vcpu 23\n          CPU 23/KVM-5046    [001] d....  3410.005611: kvm_exit: vcpu 23 reason VMREAD\n          CPU 23/KVM-5046    [001] d....  3410.005611: kvm_entry: vcpu 23\n          CPU 23/KVM-5046    [001] d....  3410.\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-09T08:06:11.288Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/9efb2b99b96c86664bbdbdd2cdb354ac9627eb20"
        },
        {
          "url": "https://git.kernel.org/stable/c/93eeb6df1605b3a24f38afdba7ab903ba6b64133"
        },
        {
          "url": "https://git.kernel.org/stable/c/a1723e9c53fe6431415be19302a56543daf503f5"
        },
        {
          "url": "https://git.kernel.org/stable/c/4eb063de686bfcdfd03a8c801d1bbe87d2d5eb55"
        },
        {
          "url": "https://git.kernel.org/stable/c/d456de38d9eb753a4e9fde053c18d4ef8e485339"
        },
        {
          "url": "https://git.kernel.org/stable/c/c2fee09fc167c74a64adb08656cb993ea475197e"
        }
      ],
      "title": "KVM: x86: Load DR6 with guest value only before entering .vcpu_run() loop",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21839",
    "datePublished": "2025-03-07T09:09:58.220Z",
    "dateReserved": "2024-12-29T08:45:45.777Z",
    "dateUpdated": "2025-11-03T19:37:57.827Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-37915 (GCVE-0-2025-37915)

Vulnerability from cvelistv5

Published

2025-05-20 15:21

Modified

2025-11-03 19:57

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: net_sched: drr: Fix double list add in class with netem as child qdisc As described in Gerrard's report [1], there are use cases where a netem child qdisc will make the parent qdisc's enqueue callback reentrant. In the case of drr, there won't be a UAF, but the code will add the same classifier to the list twice, which will cause memory corruption. In addition to checking for qlen being zero, this patch checks whether the class was already added to the active_list (cl_is_active) before adding to the list to cover for the reentrant case. [1] https://lore.kernel.org/netdev/CAHcdcOm+03OD2j6R0=YHKqmy=VgJ8xEOKuP6c7mSgnp-TEJJbw@mail.gmail.com/

References

URL

Tags

	https://git.kernel.org/stable/c/5da3aad1a13e7edb8ff0778a444ccf49930313e9
	https://git.kernel.org/stable/c/4b07ac06b0a712923255aaf2691637693fc7100d
	https://git.kernel.org/stable/c/2968632880f1792007eedd12eeedf7f6e2b7e9f3
	https://git.kernel.org/stable/c/4f0ecf50cdf76da95828578a92f130b653ac2fcf
	https://git.kernel.org/stable/c/db205b92dfe0501e5b92fb7cf00971d0e44ba3eb
	https://git.kernel.org/stable/c/26e75716b94d6ff9be5ea07d63675c4d189f30b4
	https://git.kernel.org/stable/c/ab2248110738d4429668140ad22f530a9ee730e1
	https://git.kernel.org/stable/c/f99a3fbf023e20b626be4b0f042463d598050c9a

Impacted products

Vendor

Product

Version

Linux

Version: 37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea
Version: 37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea
Version: 37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea
Version: 37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea
Version: 37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea
Version: 37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea
Version: 37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea
Version: 37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea

Linux

Version: 5.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:57:17.858Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_drr.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5da3aad1a13e7edb8ff0778a444ccf49930313e9",
              "status": "affected",
              "version": "37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea",
              "versionType": "git"
            },
            {
              "lessThan": "4b07ac06b0a712923255aaf2691637693fc7100d",
              "status": "affected",
              "version": "37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea",
              "versionType": "git"
            },
            {
              "lessThan": "2968632880f1792007eedd12eeedf7f6e2b7e9f3",
              "status": "affected",
              "version": "37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea",
              "versionType": "git"
            },
            {
              "lessThan": "4f0ecf50cdf76da95828578a92f130b653ac2fcf",
              "status": "affected",
              "version": "37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea",
              "versionType": "git"
            },
            {
              "lessThan": "db205b92dfe0501e5b92fb7cf00971d0e44ba3eb",
              "status": "affected",
              "version": "37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea",
              "versionType": "git"
            },
            {
              "lessThan": "26e75716b94d6ff9be5ea07d63675c4d189f30b4",
              "status": "affected",
              "version": "37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea",
              "versionType": "git"
            },
            {
              "lessThan": "ab2248110738d4429668140ad22f530a9ee730e1",
              "status": "affected",
              "version": "37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea",
              "versionType": "git"
            },
            {
              "lessThan": "f99a3fbf023e20b626be4b0f042463d598050c9a",
              "status": "affected",
              "version": "37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_drr.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.0"
            },
            {
              "lessThan": "5.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.294",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.238",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.182",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.138",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.90",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.28",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.294",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.238",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.182",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.138",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.90",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.28",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.6",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: drr: Fix double list add in class with netem as child qdisc\n\nAs described in Gerrard\u0027s report [1], there are use cases where a netem\nchild qdisc will make the parent qdisc\u0027s enqueue callback reentrant.\nIn the case of drr, there won\u0027t be a UAF, but the code will add the same\nclassifier to the list twice, which will cause memory corruption.\n\nIn addition to checking for qlen being zero, this patch checks whether the\nclass was already added to the active_list (cl_is_active) before adding\nto the list to cover for the reentrant case.\n\n[1] https://lore.kernel.org/netdev/CAHcdcOm+03OD2j6R0=YHKqmy=VgJ8xEOKuP6c7mSgnp-TEJJbw@mail.gmail.com/"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-04T12:57:28.827Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/5da3aad1a13e7edb8ff0778a444ccf49930313e9"
        },
        {
          "url": "https://git.kernel.org/stable/c/4b07ac06b0a712923255aaf2691637693fc7100d"
        },
        {
          "url": "https://git.kernel.org/stable/c/2968632880f1792007eedd12eeedf7f6e2b7e9f3"
        },
        {
          "url": "https://git.kernel.org/stable/c/4f0ecf50cdf76da95828578a92f130b653ac2fcf"
        },
        {
          "url": "https://git.kernel.org/stable/c/db205b92dfe0501e5b92fb7cf00971d0e44ba3eb"
        },
        {
          "url": "https://git.kernel.org/stable/c/26e75716b94d6ff9be5ea07d63675c4d189f30b4"
        },
        {
          "url": "https://git.kernel.org/stable/c/ab2248110738d4429668140ad22f530a9ee730e1"
        },
        {
          "url": "https://git.kernel.org/stable/c/f99a3fbf023e20b626be4b0f042463d598050c9a"
        }
      ],
      "title": "net_sched: drr: Fix double list add in class with netem as child qdisc",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37915",
    "datePublished": "2025-05-20T15:21:46.440Z",
    "dateReserved": "2025-04-16T04:51:23.967Z",
    "dateUpdated": "2025-11-03T19:57:17.858Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21731 (GCVE-0-2025-21731)

Vulnerability from cvelistv5

Published

2025-02-27 02:07

Modified

2025-11-03 19:36

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: nbd: don't allow reconnect after disconnect Following process can cause nbd_config UAF: 1) grab nbd_config temporarily; 2) nbd_genl_disconnect() flush all recv_work() and release the initial reference: nbd_genl_disconnect nbd_disconnect_and_put nbd_disconnect flush_workqueue(nbd->recv_workq) if (test_and_clear_bit(NBD_RT_HAS_CONFIG_REF, ...)) nbd_config_put -> due to step 1), reference is still not zero 3) nbd_genl_reconfigure() queue recv_work() again; nbd_genl_reconfigure config = nbd_get_config_unlocked(nbd) if (!config) -> succeed if (!test_bit(NBD_RT_BOUND, ...)) -> succeed nbd_reconnect_socket queue_work(nbd->recv_workq, &args->work) 4) step 1) release the reference; 5) Finially, recv_work() will trigger UAF: recv_work nbd_config_put(nbd) -> nbd_config is freed atomic_dec(&config->recv_threads) -> UAF Fix the problem by clearing NBD_RT_BOUND in nbd_genl_disconnect(), so that nbd_genl_reconfigure() will fail.

References

URL

Tags

	https://git.kernel.org/stable/c/e70a578487a47d7cf058904141e586684d1c3381
	https://git.kernel.org/stable/c/6bef6222a3f6c7adb6396f77f25a3579d821b09a
	https://git.kernel.org/stable/c/e3be8862d73cac833e0fb7602636c19c6cb94b11
	https://git.kernel.org/stable/c/e7343fa33751cb07c1c56b666bf37cfca357130e
	https://git.kernel.org/stable/c/d208d2c52b652913b5eefc8ca434b0d6b757f68f
	https://git.kernel.org/stable/c/a8ee6ecde2b7bfb58c8a3afe8a9d2b848f580739
	https://git.kernel.org/stable/c/9793bd5ae4bdbdb2dde401a3cab94a6bfd05e302
	https://git.kernel.org/stable/c/844b8cdc681612ff24df62cdefddeab5772fadf1

Impacted products

Vendor

Product

Version

Linux

Version: b7aa3d39385dc2d95899f9e379623fef446a2acd
Version: b7aa3d39385dc2d95899f9e379623fef446a2acd
Version: b7aa3d39385dc2d95899f9e379623fef446a2acd
Version: b7aa3d39385dc2d95899f9e379623fef446a2acd
Version: b7aa3d39385dc2d95899f9e379623fef446a2acd
Version: b7aa3d39385dc2d95899f9e379623fef446a2acd
Version: b7aa3d39385dc2d95899f9e379623fef446a2acd
Version: b7aa3d39385dc2d95899f9e379623fef446a2acd

Linux

Version: 4.12

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21731",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-27T17:58:00.860096Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-27T18:02:27.838Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:36:36.130Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/block/nbd.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e70a578487a47d7cf058904141e586684d1c3381",
              "status": "affected",
              "version": "b7aa3d39385dc2d95899f9e379623fef446a2acd",
              "versionType": "git"
            },
            {
              "lessThan": "6bef6222a3f6c7adb6396f77f25a3579d821b09a",
              "status": "affected",
              "version": "b7aa3d39385dc2d95899f9e379623fef446a2acd",
              "versionType": "git"
            },
            {
              "lessThan": "e3be8862d73cac833e0fb7602636c19c6cb94b11",
              "status": "affected",
              "version": "b7aa3d39385dc2d95899f9e379623fef446a2acd",
              "versionType": "git"
            },
            {
              "lessThan": "e7343fa33751cb07c1c56b666bf37cfca357130e",
              "status": "affected",
              "version": "b7aa3d39385dc2d95899f9e379623fef446a2acd",
              "versionType": "git"
            },
            {
              "lessThan": "d208d2c52b652913b5eefc8ca434b0d6b757f68f",
              "status": "affected",
              "version": "b7aa3d39385dc2d95899f9e379623fef446a2acd",
              "versionType": "git"
            },
            {
              "lessThan": "a8ee6ecde2b7bfb58c8a3afe8a9d2b848f580739",
              "status": "affected",
              "version": "b7aa3d39385dc2d95899f9e379623fef446a2acd",
              "versionType": "git"
            },
            {
              "lessThan": "9793bd5ae4bdbdb2dde401a3cab94a6bfd05e302",
              "status": "affected",
              "version": "b7aa3d39385dc2d95899f9e379623fef446a2acd",
              "versionType": "git"
            },
            {
              "lessThan": "844b8cdc681612ff24df62cdefddeab5772fadf1",
              "status": "affected",
              "version": "b7aa3d39385dc2d95899f9e379623fef446a2acd",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/block/nbd.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.12"
            },
            {
              "lessThan": "4.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.76",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.76",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.13",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.2",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnbd: don\u0027t allow reconnect after disconnect\n\nFollowing process can cause nbd_config UAF:\n\n1) grab nbd_config temporarily;\n\n2) nbd_genl_disconnect() flush all recv_work() and release the\ninitial reference:\n\n  nbd_genl_disconnect\n   nbd_disconnect_and_put\n    nbd_disconnect\n     flush_workqueue(nbd-\u003erecv_workq)\n    if (test_and_clear_bit(NBD_RT_HAS_CONFIG_REF, ...))\n     nbd_config_put\n     -\u003e due to step 1), reference is still not zero\n\n3) nbd_genl_reconfigure() queue recv_work() again;\n\n  nbd_genl_reconfigure\n   config = nbd_get_config_unlocked(nbd)\n   if (!config)\n   -\u003e succeed\n   if (!test_bit(NBD_RT_BOUND, ...))\n   -\u003e succeed\n   nbd_reconnect_socket\n    queue_work(nbd-\u003erecv_workq, \u0026args-\u003ework)\n\n4) step 1) release the reference;\n\n5) Finially, recv_work() will trigger UAF:\n\n  recv_work\n   nbd_config_put(nbd)\n   -\u003e nbd_config is freed\n   atomic_dec(\u0026config-\u003erecv_threads)\n   -\u003e UAF\n\nFix the problem by clearing NBD_RT_BOUND in nbd_genl_disconnect(), so\nthat nbd_genl_reconfigure() will fail."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:19:56.650Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e70a578487a47d7cf058904141e586684d1c3381"
        },
        {
          "url": "https://git.kernel.org/stable/c/6bef6222a3f6c7adb6396f77f25a3579d821b09a"
        },
        {
          "url": "https://git.kernel.org/stable/c/e3be8862d73cac833e0fb7602636c19c6cb94b11"
        },
        {
          "url": "https://git.kernel.org/stable/c/e7343fa33751cb07c1c56b666bf37cfca357130e"
        },
        {
          "url": "https://git.kernel.org/stable/c/d208d2c52b652913b5eefc8ca434b0d6b757f68f"
        },
        {
          "url": "https://git.kernel.org/stable/c/a8ee6ecde2b7bfb58c8a3afe8a9d2b848f580739"
        },
        {
          "url": "https://git.kernel.org/stable/c/9793bd5ae4bdbdb2dde401a3cab94a6bfd05e302"
        },
        {
          "url": "https://git.kernel.org/stable/c/844b8cdc681612ff24df62cdefddeab5772fadf1"
        }
      ],
      "title": "nbd: don\u0027t allow reconnect after disconnect",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21731",
    "datePublished": "2025-02-27T02:07:35.927Z",
    "dateReserved": "2024-12-29T08:45:45.755Z",
    "dateUpdated": "2025-11-03T19:36:36.130Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38074 (GCVE-0-2025-38074)

Vulnerability from cvelistv5

Published

2025-06-18 09:33

Modified

2025-11-03 17:33

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: vhost-scsi: protect vq->log_used with vq->mutex The vhost-scsi completion path may access vq->log_base when vq->log_used is already set to false. vhost-thread QEMU-thread vhost_scsi_complete_cmd_work() -> vhost_add_used() -> vhost_add_used_n() if (unlikely(vq->log_used)) QEMU disables vq->log_used via VHOST_SET_VRING_ADDR. mutex_lock(&vq->mutex); vq->log_used = false now! mutex_unlock(&vq->mutex); QEMU gfree(vq->log_base) log_used() -> log_write(vq->log_base) Assuming the VMM is QEMU. The vq->log_base is from QEMU userpace and can be reclaimed via gfree(). As a result, this causes invalid memory writes to QEMU userspace. The control queue path has the same issue.

References

URL

Tags

	https://git.kernel.org/stable/c/80cf68489681c165ded460930e391b1eb37b5f6f
	https://git.kernel.org/stable/c/8312a1ccff1566f375191a89b9ba71b6eb48a8cd
	https://git.kernel.org/stable/c/59614c5acf6688f7af3c245d359082c0e9e53117
	https://git.kernel.org/stable/c/ca85c2d0db5f8309832be45858b960d933c2131c
	https://git.kernel.org/stable/c/bd8c9404e44adb9f6219c09b3409a61ab7ce3427
	https://git.kernel.org/stable/c/c0039e3afda29be469d29b3013d7f9bdee136834
	https://git.kernel.org/stable/c/f591cf9fce724e5075cc67488c43c6e39e8cbe27

Impacted products

Vendor

Product

Version

Linux

Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Linux

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:33:42.169Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/vhost/scsi.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "80cf68489681c165ded460930e391b1eb37b5f6f",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "8312a1ccff1566f375191a89b9ba71b6eb48a8cd",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "59614c5acf6688f7af3c245d359082c0e9e53117",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "ca85c2d0db5f8309832be45858b960d933c2131c",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "bd8c9404e44adb9f6219c09b3409a61ab7ce3427",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "c0039e3afda29be469d29b3013d7f9bdee136834",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "f591cf9fce724e5075cc67488c43c6e39e8cbe27",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/vhost/scsi.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.240",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.189",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.146",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.93",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.31",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.240",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.189",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.146",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.93",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.31",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvhost-scsi: protect vq-\u003elog_used with vq-\u003emutex\n\nThe vhost-scsi completion path may access vq-\u003elog_base when vq-\u003elog_used is\nalready set to false.\n\n    vhost-thread                       QEMU-thread\n\nvhost_scsi_complete_cmd_work()\n-\u003e vhost_add_used()\n   -\u003e vhost_add_used_n()\n      if (unlikely(vq-\u003elog_used))\n                                      QEMU disables vq-\u003elog_used\n                                      via VHOST_SET_VRING_ADDR.\n                                      mutex_lock(\u0026vq-\u003emutex);\n                                      vq-\u003elog_used = false now!\n                                      mutex_unlock(\u0026vq-\u003emutex);\n\n\t\t\t\t      QEMU gfree(vq-\u003elog_base)\n        log_used()\n        -\u003e log_write(vq-\u003elog_base)\n\nAssuming the VMM is QEMU. The vq-\u003elog_base is from QEMU userpace and can be\nreclaimed via gfree(). As a result, this causes invalid memory writes to\nQEMU userspace.\n\nThe control queue path has the same issue."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-17T16:55:34.504Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/80cf68489681c165ded460930e391b1eb37b5f6f"
        },
        {
          "url": "https://git.kernel.org/stable/c/8312a1ccff1566f375191a89b9ba71b6eb48a8cd"
        },
        {
          "url": "https://git.kernel.org/stable/c/59614c5acf6688f7af3c245d359082c0e9e53117"
        },
        {
          "url": "https://git.kernel.org/stable/c/ca85c2d0db5f8309832be45858b960d933c2131c"
        },
        {
          "url": "https://git.kernel.org/stable/c/bd8c9404e44adb9f6219c09b3409a61ab7ce3427"
        },
        {
          "url": "https://git.kernel.org/stable/c/c0039e3afda29be469d29b3013d7f9bdee136834"
        },
        {
          "url": "https://git.kernel.org/stable/c/f591cf9fce724e5075cc67488c43c6e39e8cbe27"
        }
      ],
      "title": "vhost-scsi: protect vq-\u003elog_used with vq-\u003emutex",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38074",
    "datePublished": "2025-06-18T09:33:50.006Z",
    "dateReserved": "2025-04-16T04:51:23.980Z",
    "dateUpdated": "2025-11-03T17:33:42.169Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38376 (GCVE-0-2025-38376)

Vulnerability from cvelistv5

Published

2025-07-25 12:53

Modified

2025-07-28 04:20

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: usb: chipidea: udc: disconnect/reconnect from host when do suspend/resume Shawn and John reported a hang issue during system suspend as below: - USB gadget is enabled as Ethernet - There is data transfer over USB Ethernet (scp a big file between host and device) - Device is going in/out suspend (echo mem > /sys/power/state) The root cause is the USB device controller is suspended but the USB bus is still active which caused the USB host continues to transfer data with device and the device continues to queue USB requests (in this case, a delayed TCP ACK packet trigger the issue) after controller is suspended, however the USB controller clock is already gated off. Then if udc driver access registers after that point, the system will hang. The correct way to avoid such issue is to disconnect device from host when the USB bus is not at suspend state. Then the host will receive disconnect event and stop data transfer in time. To continue make USB gadget device work after system resume, this will reconnect device automatically. To make usb wakeup work if USB bus is already at suspend state, this will keep connection for it only when USB device controller has enabled wakeup capability.

References

URL

Tags

	https://git.kernel.org/stable/c/937f49be49d6ee696eb5457c21ff89c135c9b5ae
	https://git.kernel.org/stable/c/c68a27bbebbdb4e0ccd45d4f0df7111a09ddac24
	https://git.kernel.org/stable/c/5fd585fedb79bac2af9976b0fa3ffa354f0cc0bb
	https://git.kernel.org/stable/c/31a6afbe86e8e9deba9ab53876ec49eafc7fd901

Impacted products

Vendor

Product

Version

Linux

Version: 235ffc17d0146d806f6ad8c094c24ff4878f2edb
Version: 235ffc17d0146d806f6ad8c094c24ff4878f2edb
Version: 235ffc17d0146d806f6ad8c094c24ff4878f2edb
Version: 235ffc17d0146d806f6ad8c094c24ff4878f2edb

Linux

Version: 6.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/chipidea/udc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "937f49be49d6ee696eb5457c21ff89c135c9b5ae",
              "status": "affected",
              "version": "235ffc17d0146d806f6ad8c094c24ff4878f2edb",
              "versionType": "git"
            },
            {
              "lessThan": "c68a27bbebbdb4e0ccd45d4f0df7111a09ddac24",
              "status": "affected",
              "version": "235ffc17d0146d806f6ad8c094c24ff4878f2edb",
              "versionType": "git"
            },
            {
              "lessThan": "5fd585fedb79bac2af9976b0fa3ffa354f0cc0bb",
              "status": "affected",
              "version": "235ffc17d0146d806f6ad8c094c24ff4878f2edb",
              "versionType": "git"
            },
            {
              "lessThan": "31a6afbe86e8e9deba9ab53876ec49eafc7fd901",
              "status": "affected",
              "version": "235ffc17d0146d806f6ad8c094c24ff4878f2edb",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/chipidea/udc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.2"
            },
            {
              "lessThan": "6.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.97",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.37",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.97",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.37",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.6",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: chipidea: udc: disconnect/reconnect from host when do suspend/resume\n\nShawn and John reported a hang issue during system suspend as below:\n\n - USB gadget is enabled as Ethernet\n - There is data transfer over USB Ethernet (scp a big file between host\n                                             and device)\n - Device is going in/out suspend (echo mem \u003e /sys/power/state)\n\nThe root cause is the USB device controller is suspended but the USB bus\nis still active which caused the USB host continues to transfer data with\ndevice and the device continues to queue USB requests (in this case, a\ndelayed TCP ACK packet trigger the issue) after controller is suspended,\nhowever the USB controller clock is already gated off. Then if udc driver\naccess registers after that point, the system will hang.\n\nThe correct way to avoid such issue is to disconnect device from host when\nthe USB bus is not at suspend state. Then the host will receive disconnect\nevent and stop data transfer in time. To continue make USB gadget device\nwork after system resume, this will reconnect device automatically.\n\nTo make usb wakeup work if USB bus is already at suspend state, this will\nkeep connection for it only when USB device controller has enabled wakeup\ncapability."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:20:22.602Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/937f49be49d6ee696eb5457c21ff89c135c9b5ae"
        },
        {
          "url": "https://git.kernel.org/stable/c/c68a27bbebbdb4e0ccd45d4f0df7111a09ddac24"
        },
        {
          "url": "https://git.kernel.org/stable/c/5fd585fedb79bac2af9976b0fa3ffa354f0cc0bb"
        },
        {
          "url": "https://git.kernel.org/stable/c/31a6afbe86e8e9deba9ab53876ec49eafc7fd901"
        }
      ],
      "title": "usb: chipidea: udc: disconnect/reconnect from host when do suspend/resume",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38376",
    "datePublished": "2025-07-25T12:53:18.330Z",
    "dateReserved": "2025-04-16T04:51:24.010Z",
    "dateUpdated": "2025-07-28T04:20:22.602Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38265 (GCVE-0-2025-38265)

Vulnerability from cvelistv5

Published

2025-07-10 07:37

Modified

2025-07-28 04:16

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: serial: jsm: fix NPE during jsm_uart_port_init No device was set which caused serial_base_ctrl_add to crash. BUG: kernel NULL pointer dereference, address: 0000000000000050 Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 16 UID: 0 PID: 368 Comm: (udev-worker) Not tainted 6.12.25-amd64 #1 Debian 6.12.25-1 RIP: 0010:serial_base_ctrl_add+0x96/0x120 Call Trace: <TASK> serial_core_register_port+0x1a0/0x580 ? __setup_irq+0x39c/0x660 ? __kmalloc_cache_noprof+0x111/0x310 jsm_uart_port_init+0xe8/0x180 [jsm] jsm_probe_one+0x1f4/0x410 [jsm] local_pci_probe+0x42/0x90 pci_device_probe+0x22f/0x270 really_probe+0xdb/0x340 ? pm_runtime_barrier+0x54/0x90 ? __pfx___driver_attach+0x10/0x10 __driver_probe_device+0x78/0x110 driver_probe_device+0x1f/0xa0 __driver_attach+0xba/0x1c0 bus_for_each_dev+0x8c/0xe0 bus_add_driver+0x112/0x1f0 driver_register+0x72/0xd0 jsm_init_module+0x36/0xff0 [jsm] ? __pfx_jsm_init_module+0x10/0x10 [jsm] do_one_initcall+0x58/0x310 do_init_module+0x60/0x230 Tested with Digi Neo PCIe 8 port card.

References

URL

Tags

	https://git.kernel.org/stable/c/3258d7ff8ebfa451426662b23e8f2b51b129afe1
	https://git.kernel.org/stable/c/985961dd2688a527a4847300d41beaad475ab7af
	https://git.kernel.org/stable/c/a14c0d2eb3f0b1836fdec22908b87ecffd2ac844
	https://git.kernel.org/stable/c/abaecb2a4ad021c2f2426e9b2a9c020aef57aca9
	https://git.kernel.org/stable/c/e3975aa899c0a3bbc10d035e699b142cd1373a71

Impacted products

Vendor

Product

Version

Linux

Version: 84a9582fd203063cd4d301204971ff2cd8327f1a
Version: 84a9582fd203063cd4d301204971ff2cd8327f1a
Version: 84a9582fd203063cd4d301204971ff2cd8327f1a
Version: 84a9582fd203063cd4d301204971ff2cd8327f1a
Version: 84a9582fd203063cd4d301204971ff2cd8327f1a

Linux

Version: 6.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/tty/serial/jsm/jsm_tty.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3258d7ff8ebfa451426662b23e8f2b51b129afe1",
              "status": "affected",
              "version": "84a9582fd203063cd4d301204971ff2cd8327f1a",
              "versionType": "git"
            },
            {
              "lessThan": "985961dd2688a527a4847300d41beaad475ab7af",
              "status": "affected",
              "version": "84a9582fd203063cd4d301204971ff2cd8327f1a",
              "versionType": "git"
            },
            {
              "lessThan": "a14c0d2eb3f0b1836fdec22908b87ecffd2ac844",
              "status": "affected",
              "version": "84a9582fd203063cd4d301204971ff2cd8327f1a",
              "versionType": "git"
            },
            {
              "lessThan": "abaecb2a4ad021c2f2426e9b2a9c020aef57aca9",
              "status": "affected",
              "version": "84a9582fd203063cd4d301204971ff2cd8327f1a",
              "versionType": "git"
            },
            {
              "lessThan": "e3975aa899c0a3bbc10d035e699b142cd1373a71",
              "status": "affected",
              "version": "84a9582fd203063cd4d301204971ff2cd8327f1a",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/tty/serial/jsm/jsm_tty.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.5"
            },
            {
              "lessThan": "6.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.33",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.94",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.33",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.11",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.2",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: jsm: fix NPE during jsm_uart_port_init\n\nNo device was set which caused serial_base_ctrl_add to crash.\n\n BUG: kernel NULL pointer dereference, address: 0000000000000050\n Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI\n CPU: 16 UID: 0 PID: 368 Comm: (udev-worker) Not tainted 6.12.25-amd64 #1  Debian 6.12.25-1\n RIP: 0010:serial_base_ctrl_add+0x96/0x120\n Call Trace:\n  \u003cTASK\u003e\n  serial_core_register_port+0x1a0/0x580\n  ? __setup_irq+0x39c/0x660\n  ? __kmalloc_cache_noprof+0x111/0x310\n  jsm_uart_port_init+0xe8/0x180 [jsm]\n  jsm_probe_one+0x1f4/0x410 [jsm]\n  local_pci_probe+0x42/0x90\n  pci_device_probe+0x22f/0x270\n  really_probe+0xdb/0x340\n  ? pm_runtime_barrier+0x54/0x90\n  ? __pfx___driver_attach+0x10/0x10\n  __driver_probe_device+0x78/0x110\n  driver_probe_device+0x1f/0xa0\n  __driver_attach+0xba/0x1c0\n  bus_for_each_dev+0x8c/0xe0\n  bus_add_driver+0x112/0x1f0\n  driver_register+0x72/0xd0\n  jsm_init_module+0x36/0xff0 [jsm]\n  ? __pfx_jsm_init_module+0x10/0x10 [jsm]\n  do_one_initcall+0x58/0x310\n  do_init_module+0x60/0x230\n\nTested with Digi Neo PCIe 8 port card."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:16:38.880Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3258d7ff8ebfa451426662b23e8f2b51b129afe1"
        },
        {
          "url": "https://git.kernel.org/stable/c/985961dd2688a527a4847300d41beaad475ab7af"
        },
        {
          "url": "https://git.kernel.org/stable/c/a14c0d2eb3f0b1836fdec22908b87ecffd2ac844"
        },
        {
          "url": "https://git.kernel.org/stable/c/abaecb2a4ad021c2f2426e9b2a9c020aef57aca9"
        },
        {
          "url": "https://git.kernel.org/stable/c/e3975aa899c0a3bbc10d035e699b142cd1373a71"
        }
      ],
      "title": "serial: jsm: fix NPE during jsm_uart_port_init",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38265",
    "datePublished": "2025-07-10T07:37:33.778Z",
    "dateReserved": "2025-04-16T04:51:23.998Z",
    "dateUpdated": "2025-07-28T04:16:38.880Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38345 (GCVE-0-2025-38345)

Vulnerability from cvelistv5

Published

2025-07-10 08:15

Modified

2025-11-03 17:36

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: ACPICA: fix acpi operand cache leak in dswstate.c ACPICA commit 987a3b5cf7175916e2a4b6ea5b8e70f830dfe732 I found an ACPI cache leak in ACPI early termination and boot continuing case. When early termination occurs due to malicious ACPI table, Linux kernel terminates ACPI function and continues to boot process. While kernel terminates ACPI function, kmem_cache_destroy() reports Acpi-Operand cache leak. Boot log of ACPI operand cache leak is as follows: >[ 0.585957] ACPI: Added _OSI(Module Device) >[ 0.587218] ACPI: Added _OSI(Processor Device) >[ 0.588530] ACPI: Added _OSI(3.0 _SCP Extensions) >[ 0.589790] ACPI: Added _OSI(Processor Aggregator Device) >[ 0.591534] ACPI Error: Illegal I/O port address/length above 64K: C806E00000004002/0x2 (20170303/hwvalid-155) >[ 0.594351] ACPI Exception: AE_LIMIT, Unable to initialize fixed events (20170303/evevent-88) >[ 0.597858] ACPI: Unable to start the ACPI Interpreter >[ 0.599162] ACPI Error: Could not remove SCI handler (20170303/evmisc-281) >[ 0.601836] kmem_cache_destroy Acpi-Operand: Slab cache still has objects >[ 0.603556] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.12.0-rc5 #26 >[ 0.605159] Hardware name: innotek gmb_h virtual_box/virtual_box, BIOS virtual_box 12/01/2006 >[ 0.609177] Call Trace: >[ 0.610063] ? dump_stack+0x5c/0x81 >[ 0.611118] ? kmem_cache_destroy+0x1aa/0x1c0 >[ 0.612632] ? acpi_sleep_proc_init+0x27/0x27 >[ 0.613906] ? acpi_os_delete_cache+0xa/0x10 >[ 0.617986] ? acpi_ut_delete_caches+0x3f/0x7b >[ 0.619293] ? acpi_terminate+0xa/0x14 >[ 0.620394] ? acpi_init+0x2af/0x34f >[ 0.621616] ? __class_create+0x4c/0x80 >[ 0.623412] ? video_setup+0x7f/0x7f >[ 0.624585] ? acpi_sleep_proc_init+0x27/0x27 >[ 0.625861] ? do_one_initcall+0x4e/0x1a0 >[ 0.627513] ? kernel_init_freeable+0x19e/0x21f >[ 0.628972] ? rest_init+0x80/0x80 >[ 0.630043] ? kernel_init+0xa/0x100 >[ 0.631084] ? ret_from_fork+0x25/0x30 >[ 0.633343] vgaarb: loaded >[ 0.635036] EDAC MC: Ver: 3.0.0 >[ 0.638601] PCI: Probing PCI hardware >[ 0.639833] PCI host bridge to bus 0000:00 >[ 0.641031] pci_bus 0000:00: root bus resource [io 0x0000-0xffff] > ... Continue to boot and log is omitted ... I analyzed this memory leak in detail and found acpi_ds_obj_stack_pop_and_ delete() function miscalculated the top of the stack. acpi_ds_obj_stack_push() function uses walk_state->operand_index for start position of the top, but acpi_ds_obj_stack_pop_and_delete() function considers index 0 for it. Therefore, this causes acpi operand memory leak. This cache leak causes a security threat because an old kernel (<= 4.9) shows memory locations of kernel functions in stack dump. Some malicious users could use this information to neutralize kernel ASLR. I made a patch to fix ACPI operand cache leak.

References

URL

Tags

	https://git.kernel.org/stable/c/4fa430a8bca708c7776f6b9d001257f48b19a5b7
	https://git.kernel.org/stable/c/1c0d9115a001979cb446ba5e8331dd1d29a10bbf
	https://git.kernel.org/stable/c/5a68893b594ee6ce0efce5f74c07e64e9dd0c2c4
	https://git.kernel.org/stable/c/64c4bcf0308dd1d752ef31d560040b8725e29984
	https://git.kernel.org/stable/c/755a8006b76792922ff7b1c9674d8897a476b5d7
	https://git.kernel.org/stable/c/76d37168155880f2b04a0aad92ceb0f9d799950e
	https://git.kernel.org/stable/c/e0783910ca4368b01466bc8dcdcc13c3e0b7db53
	https://git.kernel.org/stable/c/156fd20a41e776bbf334bd5e45c4f78dfc90ce1c

Impacted products

Vendor

Product

Version

Linux

Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Linux

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:36:53.250Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/acpi/acpica/dsutils.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "4fa430a8bca708c7776f6b9d001257f48b19a5b7",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "1c0d9115a001979cb446ba5e8331dd1d29a10bbf",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "5a68893b594ee6ce0efce5f74c07e64e9dd0c2c4",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "64c4bcf0308dd1d752ef31d560040b8725e29984",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "755a8006b76792922ff7b1c9674d8897a476b5d7",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "76d37168155880f2b04a0aad92ceb0f9d799950e",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "e0783910ca4368b01466bc8dcdcc13c3e0b7db53",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "156fd20a41e776bbf334bd5e45c4f78dfc90ce1c",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/acpi/acpica/dsutils.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.295",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.95",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.35",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.295",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.95",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.35",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPICA: fix acpi operand cache leak in dswstate.c\n\nACPICA commit 987a3b5cf7175916e2a4b6ea5b8e70f830dfe732\n\nI found an ACPI cache leak in ACPI early termination and boot continuing case.\n\nWhen early termination occurs due to malicious ACPI table, Linux kernel\nterminates ACPI function and continues to boot process. While kernel terminates\nACPI function, kmem_cache_destroy() reports Acpi-Operand cache leak.\n\nBoot log of ACPI operand cache leak is as follows:\n\u003e[    0.585957] ACPI: Added _OSI(Module Device)\n\u003e[    0.587218] ACPI: Added _OSI(Processor Device)\n\u003e[    0.588530] ACPI: Added _OSI(3.0 _SCP Extensions)\n\u003e[    0.589790] ACPI: Added _OSI(Processor Aggregator Device)\n\u003e[    0.591534] ACPI Error: Illegal I/O port address/length above 64K: C806E00000004002/0x2 (20170303/hwvalid-155)\n\u003e[    0.594351] ACPI Exception: AE_LIMIT, Unable to initialize fixed events (20170303/evevent-88)\n\u003e[    0.597858] ACPI: Unable to start the ACPI Interpreter\n\u003e[    0.599162] ACPI Error: Could not remove SCI handler (20170303/evmisc-281)\n\u003e[    0.601836] kmem_cache_destroy Acpi-Operand: Slab cache still has objects\n\u003e[    0.603556] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.12.0-rc5 #26\n\u003e[    0.605159] Hardware name: innotek gmb_h virtual_box/virtual_box, BIOS virtual_box 12/01/2006\n\u003e[    0.609177] Call Trace:\n\u003e[    0.610063]  ? dump_stack+0x5c/0x81\n\u003e[    0.611118]  ? kmem_cache_destroy+0x1aa/0x1c0\n\u003e[    0.612632]  ? acpi_sleep_proc_init+0x27/0x27\n\u003e[    0.613906]  ? acpi_os_delete_cache+0xa/0x10\n\u003e[    0.617986]  ? acpi_ut_delete_caches+0x3f/0x7b\n\u003e[    0.619293]  ? acpi_terminate+0xa/0x14\n\u003e[    0.620394]  ? acpi_init+0x2af/0x34f\n\u003e[    0.621616]  ? __class_create+0x4c/0x80\n\u003e[    0.623412]  ? video_setup+0x7f/0x7f\n\u003e[    0.624585]  ? acpi_sleep_proc_init+0x27/0x27\n\u003e[    0.625861]  ? do_one_initcall+0x4e/0x1a0\n\u003e[    0.627513]  ? kernel_init_freeable+0x19e/0x21f\n\u003e[    0.628972]  ? rest_init+0x80/0x80\n\u003e[    0.630043]  ? kernel_init+0xa/0x100\n\u003e[    0.631084]  ? ret_from_fork+0x25/0x30\n\u003e[    0.633343] vgaarb: loaded\n\u003e[    0.635036] EDAC MC: Ver: 3.0.0\n\u003e[    0.638601] PCI: Probing PCI hardware\n\u003e[    0.639833] PCI host bridge to bus 0000:00\n\u003e[    0.641031] pci_bus 0000:00: root bus resource [io  0x0000-0xffff]\n\u003e ... Continue to boot and log is omitted ...\n\nI analyzed this memory leak in detail and found acpi_ds_obj_stack_pop_and_\ndelete() function miscalculated the top of the stack. acpi_ds_obj_stack_push()\nfunction uses walk_state-\u003eoperand_index for start position of the top, but\nacpi_ds_obj_stack_pop_and_delete() function considers index 0 for it.\nTherefore, this causes acpi operand memory leak.\n\nThis cache leak causes a security threat because an old kernel (\u003c= 4.9) shows\nmemory locations of kernel functions in stack dump. Some malicious users\ncould use this information to neutralize kernel ASLR.\n\nI made a patch to fix ACPI operand cache leak."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:19:30.571Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/4fa430a8bca708c7776f6b9d001257f48b19a5b7"
        },
        {
          "url": "https://git.kernel.org/stable/c/1c0d9115a001979cb446ba5e8331dd1d29a10bbf"
        },
        {
          "url": "https://git.kernel.org/stable/c/5a68893b594ee6ce0efce5f74c07e64e9dd0c2c4"
        },
        {
          "url": "https://git.kernel.org/stable/c/64c4bcf0308dd1d752ef31d560040b8725e29984"
        },
        {
          "url": "https://git.kernel.org/stable/c/755a8006b76792922ff7b1c9674d8897a476b5d7"
        },
        {
          "url": "https://git.kernel.org/stable/c/76d37168155880f2b04a0aad92ceb0f9d799950e"
        },
        {
          "url": "https://git.kernel.org/stable/c/e0783910ca4368b01466bc8dcdcc13c3e0b7db53"
        },
        {
          "url": "https://git.kernel.org/stable/c/156fd20a41e776bbf334bd5e45c4f78dfc90ce1c"
        }
      ],
      "title": "ACPICA: fix acpi operand cache leak in dswstate.c",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38345",
    "datePublished": "2025-07-10T08:15:13.652Z",
    "dateReserved": "2025-04-16T04:51:24.006Z",
    "dateUpdated": "2025-11-03T17:36:53.250Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-37875 (GCVE-0-2025-37875)

Vulnerability from cvelistv5

Published

2025-05-09 06:44

Modified

2025-11-03 19:56

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: igc: fix PTM cycle trigger logic Writing to clear the PTM status 'valid' bit while the PTM cycle is triggered results in unreliable PTM operation. To fix this, clear the PTM 'trigger' and status after each PTM transaction. The issue can be reproduced with the following: $ sudo phc2sys -R 1000 -O 0 -i tsn0 -m Note: 1000 Hz (-R 1000) is unrealistically large, but provides a way to quickly reproduce the issue. PHC2SYS exits with: "ioctl PTP_OFFSET_PRECISE: Connection timed out" when the PTM transaction fails This patch also fixes a hang in igc_probe() when loading the igc driver in the kdump kernel on systems supporting PTM. The igc driver running in the base kernel enables PTM trigger in igc_probe(). Therefore the driver is always in PTM trigger mode, except in brief periods when manually triggering a PTM cycle. When a crash occurs, the NIC is reset while PTM trigger is enabled. Due to a hardware problem, the NIC is subsequently in a bad busmaster state and doesn't handle register reads/writes. When running igc_probe() in the kdump kernel, the first register access to a NIC register hangs driver probing and ultimately breaks kdump. With this patch, igc has PTM trigger disabled most of the time, and the trigger is only enabled for very brief (10 - 100 us) periods when manually triggering a PTM cycle. Chances that a crash occurs during a PTM trigger are not 0, but extremely reduced.

References

URL

Tags

	https://git.kernel.org/stable/c/c1f174edaccc5a00f8e218c42a0aa9156efd5f76
	https://git.kernel.org/stable/c/0c03e4fbe1321697d9d04587e21e416705e1b19f
	https://git.kernel.org/stable/c/16194ca3f3b4448a062650c869a7b3b206c6f5d3
	https://git.kernel.org/stable/c/f3516229cd12dcd45f23ed01adab17e8772b1bd5
	https://git.kernel.org/stable/c/31959e06143692f7e02b8eef7d7d6ac645637906
	https://git.kernel.org/stable/c/8e404ad95d2c10c261e2ef6992c7c12dde03df0e

Impacted products

Vendor

Product

Version

Linux

Version: a90ec84837325df4b9a6798c2cc0df202b5680bd
Version: a90ec84837325df4b9a6798c2cc0df202b5680bd
Version: a90ec84837325df4b9a6798c2cc0df202b5680bd
Version: a90ec84837325df4b9a6798c2cc0df202b5680bd
Version: a90ec84837325df4b9a6798c2cc0df202b5680bd
Version: a90ec84837325df4b9a6798c2cc0df202b5680bd

Linux

Version: 5.15

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:56:49.727Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/intel/igc/igc_defines.h",
            "drivers/net/ethernet/intel/igc/igc_ptp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c1f174edaccc5a00f8e218c42a0aa9156efd5f76",
              "status": "affected",
              "version": "a90ec84837325df4b9a6798c2cc0df202b5680bd",
              "versionType": "git"
            },
            {
              "lessThan": "0c03e4fbe1321697d9d04587e21e416705e1b19f",
              "status": "affected",
              "version": "a90ec84837325df4b9a6798c2cc0df202b5680bd",
              "versionType": "git"
            },
            {
              "lessThan": "16194ca3f3b4448a062650c869a7b3b206c6f5d3",
              "status": "affected",
              "version": "a90ec84837325df4b9a6798c2cc0df202b5680bd",
              "versionType": "git"
            },
            {
              "lessThan": "f3516229cd12dcd45f23ed01adab17e8772b1bd5",
              "status": "affected",
              "version": "a90ec84837325df4b9a6798c2cc0df202b5680bd",
              "versionType": "git"
            },
            {
              "lessThan": "31959e06143692f7e02b8eef7d7d6ac645637906",
              "status": "affected",
              "version": "a90ec84837325df4b9a6798c2cc0df202b5680bd",
              "versionType": "git"
            },
            {
              "lessThan": "8e404ad95d2c10c261e2ef6992c7c12dde03df0e",
              "status": "affected",
              "version": "a90ec84837325df4b9a6798c2cc0df202b5680bd",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/intel/igc/igc_defines.h",
            "drivers/net/ethernet/intel/igc/igc_ptp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.15"
            },
            {
              "lessThan": "5.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.181",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.135",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.25",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.181",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.135",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.88",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.25",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.4",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nigc: fix PTM cycle trigger logic\n\nWriting to clear the PTM status \u0027valid\u0027 bit while the PTM cycle is\ntriggered results in unreliable PTM operation. To fix this, clear the\nPTM \u0027trigger\u0027 and status after each PTM transaction.\n\nThe issue can be reproduced with the following:\n\n$ sudo phc2sys -R 1000 -O 0 -i tsn0 -m\n\nNote: 1000 Hz (-R 1000) is unrealistically large, but provides a way to\nquickly reproduce the issue.\n\nPHC2SYS exits with:\n\n\"ioctl PTP_OFFSET_PRECISE: Connection timed out\" when the PTM transaction\n  fails\n\nThis patch also fixes a hang in igc_probe() when loading the igc\ndriver in the kdump kernel on systems supporting PTM.\n\nThe igc driver running in the base kernel enables PTM trigger in\nigc_probe().  Therefore the driver is always in PTM trigger mode,\nexcept in brief periods when manually triggering a PTM cycle.\n\nWhen a crash occurs, the NIC is reset while PTM trigger is enabled.\nDue to a hardware problem, the NIC is subsequently in a bad busmaster\nstate and doesn\u0027t handle register reads/writes.  When running\nigc_probe() in the kdump kernel, the first register access to a NIC\nregister hangs driver probing and ultimately breaks kdump.\n\nWith this patch, igc has PTM trigger disabled most of the time,\nand the trigger is only enabled for very brief (10 - 100 us) periods\nwhen manually triggering a PTM cycle.  Chances that a crash occurs\nduring a PTM trigger are not 0, but extremely reduced."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:22:48.769Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c1f174edaccc5a00f8e218c42a0aa9156efd5f76"
        },
        {
          "url": "https://git.kernel.org/stable/c/0c03e4fbe1321697d9d04587e21e416705e1b19f"
        },
        {
          "url": "https://git.kernel.org/stable/c/16194ca3f3b4448a062650c869a7b3b206c6f5d3"
        },
        {
          "url": "https://git.kernel.org/stable/c/f3516229cd12dcd45f23ed01adab17e8772b1bd5"
        },
        {
          "url": "https://git.kernel.org/stable/c/31959e06143692f7e02b8eef7d7d6ac645637906"
        },
        {
          "url": "https://git.kernel.org/stable/c/8e404ad95d2c10c261e2ef6992c7c12dde03df0e"
        }
      ],
      "title": "igc: fix PTM cycle trigger logic",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37875",
    "datePublished": "2025-05-09T06:44:03.368Z",
    "dateReserved": "2025-04-16T04:51:23.960Z",
    "dateUpdated": "2025-11-03T19:56:49.727Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38480 (GCVE-0-2025-38480)

Vulnerability from cvelistv5

Published

2025-07-28 11:21

Modified

2025-11-03 17:38

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: comedi: Fix use of uninitialized data in insn_rw_emulate_bits() For Comedi `INSN_READ` and `INSN_WRITE` instructions on "digital" subdevices (subdevice types `COMEDI_SUBD_DI`, `COMEDI_SUBD_DO`, and `COMEDI_SUBD_DIO`), it is common for the subdevice driver not to have `insn_read` and `insn_write` handler functions, but to have an `insn_bits` handler function for handling Comedi `INSN_BITS` instructions. In that case, the subdevice's `insn_read` and/or `insn_write` function handler pointers are set to point to the `insn_rw_emulate_bits()` function by `__comedi_device_postconfig()`. For `INSN_WRITE`, `insn_rw_emulate_bits()` currently assumes that the supplied `data[0]` value is a valid copy from user memory. It will at least exist because `do_insnlist_ioctl()` and `do_insn_ioctl()` in "comedi_fops.c" ensure at lease `MIN_SAMPLES` (16) elements are allocated. However, if `insn->n` is 0 (which is allowable for `INSN_READ` and `INSN_WRITE` instructions, then `data[0]` may contain uninitialized data, and certainly contains invalid data, possibly from a different instruction in the array of instructions handled by `do_insnlist_ioctl()`. This will result in an incorrect value being written to the digital output channel (or to the digital input/output channel if configured as an output), and may be reflected in the internal saved state of the channel. Fix it by returning 0 early if `insn->n` is 0, before reaching the code that accesses `data[0]`. Previously, the function always returned 1 on success, but it is supposed to be the number of data samples actually read or written up to `insn->n`, which is 0 in this case.

References

URL

Tags

	https://git.kernel.org/stable/c/4c2981bf30401adfcdbfece4ab6f411f7c5875a1
	https://git.kernel.org/stable/c/16256d7efcf7acc9f39abe21522c4c6b77f67c00
	https://git.kernel.org/stable/c/c53570e62b5b28bdb56bb563190227f8307817a5
	https://git.kernel.org/stable/c/3050d197d6bc9ef128944a70210f42d2430b3000
	https://git.kernel.org/stable/c/10f9024a8c824a41827fff1fefefb314c98e2c88
	https://git.kernel.org/stable/c/2af1e7d389c2619219171d23f5b96dbcbb7f9656
	https://git.kernel.org/stable/c/3ab55ffaaf75d0c7b68e332c1cdcc1b0e0044870
	https://git.kernel.org/stable/c/e9cb26291d009243a4478a7ffb37b3a9175bfce9

Impacted products

Vendor

Product

Version

Linux

Version: ed9eccbe8970f6eedc1b978c157caf1251a896d4
Version: ed9eccbe8970f6eedc1b978c157caf1251a896d4
Version: ed9eccbe8970f6eedc1b978c157caf1251a896d4
Version: ed9eccbe8970f6eedc1b978c157caf1251a896d4
Version: ed9eccbe8970f6eedc1b978c157caf1251a896d4
Version: ed9eccbe8970f6eedc1b978c157caf1251a896d4
Version: ed9eccbe8970f6eedc1b978c157caf1251a896d4
Version: ed9eccbe8970f6eedc1b978c157caf1251a896d4

Linux

Version: 2.6.29

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:38:48.508Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/comedi/drivers.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "4c2981bf30401adfcdbfece4ab6f411f7c5875a1",
              "status": "affected",
              "version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
              "versionType": "git"
            },
            {
              "lessThan": "16256d7efcf7acc9f39abe21522c4c6b77f67c00",
              "status": "affected",
              "version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
              "versionType": "git"
            },
            {
              "lessThan": "c53570e62b5b28bdb56bb563190227f8307817a5",
              "status": "affected",
              "version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
              "versionType": "git"
            },
            {
              "lessThan": "3050d197d6bc9ef128944a70210f42d2430b3000",
              "status": "affected",
              "version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
              "versionType": "git"
            },
            {
              "lessThan": "10f9024a8c824a41827fff1fefefb314c98e2c88",
              "status": "affected",
              "version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
              "versionType": "git"
            },
            {
              "lessThan": "2af1e7d389c2619219171d23f5b96dbcbb7f9656",
              "status": "affected",
              "version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
              "versionType": "git"
            },
            {
              "lessThan": "3ab55ffaaf75d0c7b68e332c1cdcc1b0e0044870",
              "status": "affected",
              "version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
              "versionType": "git"
            },
            {
              "lessThan": "e9cb26291d009243a4478a7ffb37b3a9175bfce9",
              "status": "affected",
              "version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/comedi/drivers.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.29"
            },
            {
              "lessThan": "2.6.29",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.297",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.241",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.147",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.100",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.40",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.297",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.241",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.147",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.100",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.40",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.8",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: Fix use of uninitialized data in insn_rw_emulate_bits()\n\nFor Comedi `INSN_READ` and `INSN_WRITE` instructions on \"digital\"\nsubdevices (subdevice types `COMEDI_SUBD_DI`, `COMEDI_SUBD_DO`, and\n`COMEDI_SUBD_DIO`), it is common for the subdevice driver not to have\n`insn_read` and `insn_write` handler functions, but to have an\n`insn_bits` handler function for handling Comedi `INSN_BITS`\ninstructions.  In that case, the subdevice\u0027s `insn_read` and/or\n`insn_write` function handler pointers are set to point to the\n`insn_rw_emulate_bits()` function by `__comedi_device_postconfig()`.\n\nFor `INSN_WRITE`, `insn_rw_emulate_bits()` currently assumes that the\nsupplied `data[0]` value is a valid copy from user memory.  It will at\nleast exist because `do_insnlist_ioctl()` and `do_insn_ioctl()` in\n\"comedi_fops.c\" ensure at lease `MIN_SAMPLES` (16) elements are\nallocated.  However, if `insn-\u003en` is 0 (which is allowable for\n`INSN_READ` and `INSN_WRITE` instructions, then `data[0]` may contain\nuninitialized data, and certainly contains invalid data, possibly from a\ndifferent instruction in the array of instructions handled by\n`do_insnlist_ioctl()`.  This will result in an incorrect value being\nwritten to the digital output channel (or to the digital input/output\nchannel if configured as an output), and may be reflected in the\ninternal saved state of the channel.\n\nFix it by returning 0 early if `insn-\u003en` is 0, before reaching the code\nthat accesses `data[0]`.  Previously, the function always returned 1 on\nsuccess, but it is supposed to be the number of data samples actually\nread or written up to `insn-\u003en`, which is 0 in this case."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-28T14:43:19.703Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/4c2981bf30401adfcdbfece4ab6f411f7c5875a1"
        },
        {
          "url": "https://git.kernel.org/stable/c/16256d7efcf7acc9f39abe21522c4c6b77f67c00"
        },
        {
          "url": "https://git.kernel.org/stable/c/c53570e62b5b28bdb56bb563190227f8307817a5"
        },
        {
          "url": "https://git.kernel.org/stable/c/3050d197d6bc9ef128944a70210f42d2430b3000"
        },
        {
          "url": "https://git.kernel.org/stable/c/10f9024a8c824a41827fff1fefefb314c98e2c88"
        },
        {
          "url": "https://git.kernel.org/stable/c/2af1e7d389c2619219171d23f5b96dbcbb7f9656"
        },
        {
          "url": "https://git.kernel.org/stable/c/3ab55ffaaf75d0c7b68e332c1cdcc1b0e0044870"
        },
        {
          "url": "https://git.kernel.org/stable/c/e9cb26291d009243a4478a7ffb37b3a9175bfce9"
        }
      ],
      "title": "comedi: Fix use of uninitialized data in insn_rw_emulate_bits()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38480",
    "datePublished": "2025-07-28T11:21:45.142Z",
    "dateReserved": "2025-04-16T04:51:24.021Z",
    "dateUpdated": "2025-11-03T17:38:48.508Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-23158 (GCVE-0-2025-23158)

Vulnerability from cvelistv5

Published

2025-05-01 12:55

Modified

2025-11-03 19:42

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: media: venus: hfi: add check to handle incorrect queue size qsize represents size of shared queued between driver and video firmware. Firmware can modify this value to an invalid large value. In such situation, empty_space will be bigger than the space actually available. Since new_wr_idx is not checked, so the following code will result in an OOB write. ... qsize = qhdr->q_size if (wr_idx >= rd_idx) empty_space = qsize - (wr_idx - rd_idx) .... if (new_wr_idx < qsize) { memcpy(wr_ptr, packet, dwords << 2) --> OOB write Add check to ensure qsize is within the allocated size while reading and writing packets into the queue.

References

URL

Tags

	https://git.kernel.org/stable/c/1b86c1917e16bafbbb08ab90baaff533aa36c62d
	https://git.kernel.org/stable/c/a45957bcde529169188929816775a575de77d84f
	https://git.kernel.org/stable/c/32af5c1fdb9bc274f52ee0472d3b060b18e4aab4
	https://git.kernel.org/stable/c/cf5f7bb4e0d786f4d9d50ae6b5963935eab71d75
	https://git.kernel.org/stable/c/40084302f639b3fe954398c5ba5ee556b7242b54
	https://git.kernel.org/stable/c/679424f8b31446f90080befd0300ea915485b096
	https://git.kernel.org/stable/c/edb89d69b1438681daaf5ca90aed3242df94cc96
	https://git.kernel.org/stable/c/101a86619aab42bb61f2253bbf720121022eab86
	https://git.kernel.org/stable/c/69baf245b23e20efda0079238b27fc63ecf13de1

Impacted products

Vendor

Product

Version

Linux

Version: d96d3f30c0f2f564f6922bf4ccdf4464992e31fb
Version: d96d3f30c0f2f564f6922bf4ccdf4464992e31fb
Version: d96d3f30c0f2f564f6922bf4ccdf4464992e31fb
Version: d96d3f30c0f2f564f6922bf4ccdf4464992e31fb
Version: d96d3f30c0f2f564f6922bf4ccdf4464992e31fb
Version: d96d3f30c0f2f564f6922bf4ccdf4464992e31fb
Version: d96d3f30c0f2f564f6922bf4ccdf4464992e31fb
Version: d96d3f30c0f2f564f6922bf4ccdf4464992e31fb
Version: d96d3f30c0f2f564f6922bf4ccdf4464992e31fb

Linux

Version: 4.13

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:42:56.722Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/platform/qcom/venus/hfi_venus.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1b86c1917e16bafbbb08ab90baaff533aa36c62d",
              "status": "affected",
              "version": "d96d3f30c0f2f564f6922bf4ccdf4464992e31fb",
              "versionType": "git"
            },
            {
              "lessThan": "a45957bcde529169188929816775a575de77d84f",
              "status": "affected",
              "version": "d96d3f30c0f2f564f6922bf4ccdf4464992e31fb",
              "versionType": "git"
            },
            {
              "lessThan": "32af5c1fdb9bc274f52ee0472d3b060b18e4aab4",
              "status": "affected",
              "version": "d96d3f30c0f2f564f6922bf4ccdf4464992e31fb",
              "versionType": "git"
            },
            {
              "lessThan": "cf5f7bb4e0d786f4d9d50ae6b5963935eab71d75",
              "status": "affected",
              "version": "d96d3f30c0f2f564f6922bf4ccdf4464992e31fb",
              "versionType": "git"
            },
            {
              "lessThan": "40084302f639b3fe954398c5ba5ee556b7242b54",
              "status": "affected",
              "version": "d96d3f30c0f2f564f6922bf4ccdf4464992e31fb",
              "versionType": "git"
            },
            {
              "lessThan": "679424f8b31446f90080befd0300ea915485b096",
              "status": "affected",
              "version": "d96d3f30c0f2f564f6922bf4ccdf4464992e31fb",
              "versionType": "git"
            },
            {
              "lessThan": "edb89d69b1438681daaf5ca90aed3242df94cc96",
              "status": "affected",
              "version": "d96d3f30c0f2f564f6922bf4ccdf4464992e31fb",
              "versionType": "git"
            },
            {
              "lessThan": "101a86619aab42bb61f2253bbf720121022eab86",
              "status": "affected",
              "version": "d96d3f30c0f2f564f6922bf4ccdf4464992e31fb",
              "versionType": "git"
            },
            {
              "lessThan": "69baf245b23e20efda0079238b27fc63ecf13de1",
              "status": "affected",
              "version": "d96d3f30c0f2f564f6922bf4ccdf4464992e31fb",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/platform/qcom/venus/hfi_venus.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.13"
            },
            {
              "lessThan": "4.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.293",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.237",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.181",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.135",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.24",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.293",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.237",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.181",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.135",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.88",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.24",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.12",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.3",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: venus: hfi: add check to handle incorrect queue size\n\nqsize represents size of shared queued between driver and video\nfirmware. Firmware can modify this value to an invalid large value. In\nsuch situation, empty_space will be bigger than the space actually\navailable. Since new_wr_idx is not checked, so the following code will\nresult in an OOB write.\n...\nqsize = qhdr-\u003eq_size\n\nif (wr_idx \u003e= rd_idx)\n empty_space = qsize - (wr_idx - rd_idx)\n....\nif (new_wr_idx \u003c qsize) {\n memcpy(wr_ptr, packet, dwords \u003c\u003c 2) --\u003e OOB write\n\nAdd check to ensure qsize is within the allocated size while\nreading and writing packets into the queue."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:19:41.987Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1b86c1917e16bafbbb08ab90baaff533aa36c62d"
        },
        {
          "url": "https://git.kernel.org/stable/c/a45957bcde529169188929816775a575de77d84f"
        },
        {
          "url": "https://git.kernel.org/stable/c/32af5c1fdb9bc274f52ee0472d3b060b18e4aab4"
        },
        {
          "url": "https://git.kernel.org/stable/c/cf5f7bb4e0d786f4d9d50ae6b5963935eab71d75"
        },
        {
          "url": "https://git.kernel.org/stable/c/40084302f639b3fe954398c5ba5ee556b7242b54"
        },
        {
          "url": "https://git.kernel.org/stable/c/679424f8b31446f90080befd0300ea915485b096"
        },
        {
          "url": "https://git.kernel.org/stable/c/edb89d69b1438681daaf5ca90aed3242df94cc96"
        },
        {
          "url": "https://git.kernel.org/stable/c/101a86619aab42bb61f2253bbf720121022eab86"
        },
        {
          "url": "https://git.kernel.org/stable/c/69baf245b23e20efda0079238b27fc63ecf13de1"
        }
      ],
      "title": "media: venus: hfi: add check to handle incorrect queue size",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-23158",
    "datePublished": "2025-05-01T12:55:43.804Z",
    "dateReserved": "2025-01-11T14:28:41.515Z",
    "dateUpdated": "2025-11-03T19:42:56.722Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-23156 (GCVE-0-2025-23156)

Vulnerability from cvelistv5

Published

2025-05-01 12:55

Modified

2025-11-03 19:42

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: media: venus: hfi_parser: refactor hfi packet parsing logic words_count denotes the number of words in total payload, while data points to payload of various property within it. When words_count reaches last word, data can access memory beyond the total payload. This can lead to OOB access. With this patch, the utility api for handling individual properties now returns the size of data consumed. Accordingly remaining bytes are calculated before parsing the payload, thereby eliminates the OOB access possibilities.

References

URL

Tags

	https://git.kernel.org/stable/c/0beabe9b49190a02321b02792b29fc0f0e28b51f
	https://git.kernel.org/stable/c/f195e94c7af921d99abd79f57026a218d191d2c7
	https://git.kernel.org/stable/c/0f9a4bab7d83738963365372e4745854938eab2d
	https://git.kernel.org/stable/c/05b07e52a0d08239147ba3460045855f4fb398de
	https://git.kernel.org/stable/c/bb3fd8b7906a12dc2b61389abb742bf6542d97fb
	https://git.kernel.org/stable/c/a736c72d476d1c7ca7be5018f2614ee61168ad01
	https://git.kernel.org/stable/c/6d278c5548d840c4d85d445347b2a5c31b2ab3a0
	https://git.kernel.org/stable/c/9edaaa8e3e15aab1ca413ab50556de1975bcb329

Impacted products

Vendor

Product

Version

Linux

Version: 1a73374a04e555103e5369429a30999114001dda
Version: 1a73374a04e555103e5369429a30999114001dda
Version: 1a73374a04e555103e5369429a30999114001dda
Version: 1a73374a04e555103e5369429a30999114001dda
Version: 1a73374a04e555103e5369429a30999114001dda
Version: 1a73374a04e555103e5369429a30999114001dda
Version: 1a73374a04e555103e5369429a30999114001dda
Version: 1a73374a04e555103e5369429a30999114001dda

Linux

Version: 4.19

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:42:51.136Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/platform/qcom/venus/hfi_parser.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0beabe9b49190a02321b02792b29fc0f0e28b51f",
              "status": "affected",
              "version": "1a73374a04e555103e5369429a30999114001dda",
              "versionType": "git"
            },
            {
              "lessThan": "f195e94c7af921d99abd79f57026a218d191d2c7",
              "status": "affected",
              "version": "1a73374a04e555103e5369429a30999114001dda",
              "versionType": "git"
            },
            {
              "lessThan": "0f9a4bab7d83738963365372e4745854938eab2d",
              "status": "affected",
              "version": "1a73374a04e555103e5369429a30999114001dda",
              "versionType": "git"
            },
            {
              "lessThan": "05b07e52a0d08239147ba3460045855f4fb398de",
              "status": "affected",
              "version": "1a73374a04e555103e5369429a30999114001dda",
              "versionType": "git"
            },
            {
              "lessThan": "bb3fd8b7906a12dc2b61389abb742bf6542d97fb",
              "status": "affected",
              "version": "1a73374a04e555103e5369429a30999114001dda",
              "versionType": "git"
            },
            {
              "lessThan": "a736c72d476d1c7ca7be5018f2614ee61168ad01",
              "status": "affected",
              "version": "1a73374a04e555103e5369429a30999114001dda",
              "versionType": "git"
            },
            {
              "lessThan": "6d278c5548d840c4d85d445347b2a5c31b2ab3a0",
              "status": "affected",
              "version": "1a73374a04e555103e5369429a30999114001dda",
              "versionType": "git"
            },
            {
              "lessThan": "9edaaa8e3e15aab1ca413ab50556de1975bcb329",
              "status": "affected",
              "version": "1a73374a04e555103e5369429a30999114001dda",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/platform/qcom/venus/hfi_parser.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.19"
            },
            {
              "lessThan": "4.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.237",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.181",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.135",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.24",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.237",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.181",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.135",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.88",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.24",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.12",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.3",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: venus: hfi_parser: refactor hfi packet parsing logic\n\nwords_count denotes the number of words in total payload, while data\npoints to payload of various property within it. When words_count\nreaches last word, data can access memory beyond the total payload. This\ncan lead to OOB access. With this patch, the utility api for handling\nindividual properties now returns the size of data consumed. Accordingly\nremaining bytes are calculated before parsing the payload, thereby\neliminates the OOB access possibilities."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:19:39.378Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0beabe9b49190a02321b02792b29fc0f0e28b51f"
        },
        {
          "url": "https://git.kernel.org/stable/c/f195e94c7af921d99abd79f57026a218d191d2c7"
        },
        {
          "url": "https://git.kernel.org/stable/c/0f9a4bab7d83738963365372e4745854938eab2d"
        },
        {
          "url": "https://git.kernel.org/stable/c/05b07e52a0d08239147ba3460045855f4fb398de"
        },
        {
          "url": "https://git.kernel.org/stable/c/bb3fd8b7906a12dc2b61389abb742bf6542d97fb"
        },
        {
          "url": "https://git.kernel.org/stable/c/a736c72d476d1c7ca7be5018f2614ee61168ad01"
        },
        {
          "url": "https://git.kernel.org/stable/c/6d278c5548d840c4d85d445347b2a5c31b2ab3a0"
        },
        {
          "url": "https://git.kernel.org/stable/c/9edaaa8e3e15aab1ca413ab50556de1975bcb329"
        }
      ],
      "title": "media: venus: hfi_parser: refactor hfi packet parsing logic",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-23156",
    "datePublished": "2025-05-01T12:55:42.545Z",
    "dateReserved": "2025-01-11T14:28:41.514Z",
    "dateUpdated": "2025-11-03T19:42:51.136Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-37849 (GCVE-0-2025-37849)

Vulnerability from cvelistv5

Published

2025-05-09 06:41

Modified

2025-11-03 19:56

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Tear down vGIC on failed vCPU creation If kvm_arch_vcpu_create() fails to share the vCPU page with the hypervisor, we propagate the error back to the ioctl but leave the vGIC vCPU data initialised. Note only does this leak the corresponding memory when the vCPU is destroyed but it can also lead to use-after-free if the redistributor device handling tries to walk into the vCPU. Add the missing cleanup to kvm_arch_vcpu_create(), ensuring that the vGIC vCPU structures are destroyed on error.

References

URL

Tags

	https://git.kernel.org/stable/c/07476e0d932afc53c05468076393ac35d0b4999e
	https://git.kernel.org/stable/c/5085e02362b9948f82fceca979b8f8e12acb1cc5
	https://git.kernel.org/stable/c/c322789613407647a05ff5c451a7bf545fb34e73
	https://git.kernel.org/stable/c/2480326eba8ae9ccc5e4c3c2dc8d407db68e3c52
	https://git.kernel.org/stable/c/f1e9087abaeedec9bf2894a282ee4f0d8383f299
	https://git.kernel.org/stable/c/250f25367b58d8c65a1b060a2dda037eea09a672

Impacted products

Vendor

Product

Version

Linux

Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Linux

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:56:22.007Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/arm64/kvm/arm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "07476e0d932afc53c05468076393ac35d0b4999e",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "5085e02362b9948f82fceca979b8f8e12acb1cc5",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "c322789613407647a05ff5c451a7bf545fb34e73",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "2480326eba8ae9ccc5e4c3c2dc8d407db68e3c52",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "f1e9087abaeedec9bf2894a282ee4f0d8383f299",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "250f25367b58d8c65a1b060a2dda037eea09a672",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/arm64/kvm/arm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.135",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.24",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.135",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.88",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.24",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: Tear down vGIC on failed vCPU creation\n\nIf kvm_arch_vcpu_create() fails to share the vCPU page with the\nhypervisor, we propagate the error back to the ioctl but leave the\nvGIC vCPU data initialised. Note only does this leak the corresponding\nmemory when the vCPU is destroyed but it can also lead to use-after-free\nif the redistributor device handling tries to walk into the vCPU.\n\nAdd the missing cleanup to kvm_arch_vcpu_create(), ensuring that the\nvGIC vCPU structures are destroyed on error."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:22:14.682Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/07476e0d932afc53c05468076393ac35d0b4999e"
        },
        {
          "url": "https://git.kernel.org/stable/c/5085e02362b9948f82fceca979b8f8e12acb1cc5"
        },
        {
          "url": "https://git.kernel.org/stable/c/c322789613407647a05ff5c451a7bf545fb34e73"
        },
        {
          "url": "https://git.kernel.org/stable/c/2480326eba8ae9ccc5e4c3c2dc8d407db68e3c52"
        },
        {
          "url": "https://git.kernel.org/stable/c/f1e9087abaeedec9bf2894a282ee4f0d8383f299"
        },
        {
          "url": "https://git.kernel.org/stable/c/250f25367b58d8c65a1b060a2dda037eea09a672"
        }
      ],
      "title": "KVM: arm64: Tear down vGIC on failed vCPU creation",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37849",
    "datePublished": "2025-05-09T06:41:56.874Z",
    "dateReserved": "2025-04-16T04:51:23.954Z",
    "dateUpdated": "2025-11-03T19:56:22.007Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38465 (GCVE-0-2025-38465)

Vulnerability from cvelistv5

Published

2025-07-25 15:27

Modified

2025-11-03 17:38

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: netlink: Fix wraparounds of sk->sk_rmem_alloc. Netlink has this pattern in some places if (atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf) atomic_add(skb->truesize, &sk->sk_rmem_alloc); , which has the same problem fixed by commit 5a465a0da13e ("udp: Fix multiple wraparounds of sk->sk_rmem_alloc."). For example, if we set INT_MAX to SO_RCVBUFFORCE, the condition is always false as the two operands are of int. Then, a single socket can eat as many skb as possible until OOM happens, and we can see multiple wraparounds of sk->sk_rmem_alloc. Let's fix it by using atomic_add_return() and comparing the two variables as unsigned int. Before: [root@fedora ~]# ss -f netlink Recv-Q Send-Q Local Address:Port Peer Address:Port -1668710080 0 rtnl:nl_wraparound/293 * After: [root@fedora ~]# ss -f netlink Recv-Q Send-Q Local Address:Port Peer Address:Port 2147483072 0 rtnl:nl_wraparound/290 * ^ `--- INT_MAX - 576

References

URL

Tags

	https://git.kernel.org/stable/c/9da025150b7c14a8390fc06aea314c0a4011e82c
	https://git.kernel.org/stable/c/c4ceaac5c5ba0b992ee1dc88e2a02421549e5c98
	https://git.kernel.org/stable/c/fd69af06101090eaa60b3d216ae715f9c0a58e5b
	https://git.kernel.org/stable/c/76602d8e13864524382b0687dc32cd8f19164d5a
	https://git.kernel.org/stable/c/55baecb9eb90238f60a8350660d6762046ebd3bd
	https://git.kernel.org/stable/c/4b8e18af7bea92f8b7fb92d40aeae729209db250
	https://git.kernel.org/stable/c/cd7ff61bfffd7000143c42bbffb85eeb792466d6
	https://git.kernel.org/stable/c/ae8f160e7eb24240a2a79fc4c815c6a0d4ee16cc

Impacted products

Vendor

Product

Version

Linux

Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Linux

Version: 2.6.12

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:38:27.585Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/netlink/af_netlink.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "9da025150b7c14a8390fc06aea314c0a4011e82c",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "c4ceaac5c5ba0b992ee1dc88e2a02421549e5c98",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "fd69af06101090eaa60b3d216ae715f9c0a58e5b",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "76602d8e13864524382b0687dc32cd8f19164d5a",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "55baecb9eb90238f60a8350660d6762046ebd3bd",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "4b8e18af7bea92f8b7fb92d40aeae729209db250",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "cd7ff61bfffd7000143c42bbffb85eeb792466d6",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "ae8f160e7eb24240a2a79fc4c815c6a0d4ee16cc",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/netlink/af_netlink.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.296",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.240",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.189",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.146",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.99",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.39",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.296",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.240",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.189",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.146",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.99",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.39",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.7",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetlink: Fix wraparounds of sk-\u003esk_rmem_alloc.\n\nNetlink has this pattern in some places\n\n  if (atomic_read(\u0026sk-\u003esk_rmem_alloc) \u003e sk-\u003esk_rcvbuf)\n  \tatomic_add(skb-\u003etruesize, \u0026sk-\u003esk_rmem_alloc);\n\n, which has the same problem fixed by commit 5a465a0da13e (\"udp:\nFix multiple wraparounds of sk-\u003esk_rmem_alloc.\").\n\nFor example, if we set INT_MAX to SO_RCVBUFFORCE, the condition\nis always false as the two operands are of int.\n\nThen, a single socket can eat as many skb as possible until OOM\nhappens, and we can see multiple wraparounds of sk-\u003esk_rmem_alloc.\n\nLet\u0027s fix it by using atomic_add_return() and comparing the two\nvariables as unsigned int.\n\nBefore:\n  [root@fedora ~]# ss -f netlink\n  Recv-Q      Send-Q Local Address:Port                Peer Address:Port\n  -1668710080 0               rtnl:nl_wraparound/293               *\n\nAfter:\n  [root@fedora ~]# ss -f netlink\n  Recv-Q     Send-Q Local Address:Port                Peer Address:Port\n  2147483072 0               rtnl:nl_wraparound/290               *\n  ^\n  `--- INT_MAX - 576"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:23:13.790Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/9da025150b7c14a8390fc06aea314c0a4011e82c"
        },
        {
          "url": "https://git.kernel.org/stable/c/c4ceaac5c5ba0b992ee1dc88e2a02421549e5c98"
        },
        {
          "url": "https://git.kernel.org/stable/c/fd69af06101090eaa60b3d216ae715f9c0a58e5b"
        },
        {
          "url": "https://git.kernel.org/stable/c/76602d8e13864524382b0687dc32cd8f19164d5a"
        },
        {
          "url": "https://git.kernel.org/stable/c/55baecb9eb90238f60a8350660d6762046ebd3bd"
        },
        {
          "url": "https://git.kernel.org/stable/c/4b8e18af7bea92f8b7fb92d40aeae729209db250"
        },
        {
          "url": "https://git.kernel.org/stable/c/cd7ff61bfffd7000143c42bbffb85eeb792466d6"
        },
        {
          "url": "https://git.kernel.org/stable/c/ae8f160e7eb24240a2a79fc4c815c6a0d4ee16cc"
        }
      ],
      "title": "netlink: Fix wraparounds of sk-\u003esk_rmem_alloc.",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38465",
    "datePublished": "2025-07-25T15:27:47.510Z",
    "dateReserved": "2025-04-16T04:51:24.020Z",
    "dateUpdated": "2025-11-03T17:38:27.585Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-37900 (GCVE-0-2025-37900)

Vulnerability from cvelistv5

Published

2025-05-20 15:21

Modified

2025-05-26 05:23

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: iommu: Fix two issues in iommu_copy_struct_from_user() In the review for iommu_copy_struct_to_user() helper, Matt pointed out that a NULL pointer should be rejected prior to dereferencing it: https://lore.kernel.org/all/86881827-8E2D-461C-BDA3-FA8FD14C343C@nvidia.com And Alok pointed out a typo at the same time: https://lore.kernel.org/all/480536af-6830-43ce-a327-adbd13dc3f1d@oracle.com Since both issues were copied from iommu_copy_struct_from_user(), fix them first in the current header.

References

URL

Tags

	https://git.kernel.org/stable/c/2e303d010722787dc84d94f68d70fe10dfc1b9ea
	https://git.kernel.org/stable/c/967d6f0d9a20a1bf15ee7ed881e2d4e532e22709
	https://git.kernel.org/stable/c/30a3f2f3e4bd6335b727c83c08a982d969752bc1

Impacted products

Vendor

Product

Version

Linux

Version: e9d36c07bb787840e4813fb09a929a17d522a69f
Version: e9d36c07bb787840e4813fb09a929a17d522a69f
Version: e9d36c07bb787840e4813fb09a929a17d522a69f

Linux

Version: 6.7

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/linux/iommu.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "2e303d010722787dc84d94f68d70fe10dfc1b9ea",
              "status": "affected",
              "version": "e9d36c07bb787840e4813fb09a929a17d522a69f",
              "versionType": "git"
            },
            {
              "lessThan": "967d6f0d9a20a1bf15ee7ed881e2d4e532e22709",
              "status": "affected",
              "version": "e9d36c07bb787840e4813fb09a929a17d522a69f",
              "versionType": "git"
            },
            {
              "lessThan": "30a3f2f3e4bd6335b727c83c08a982d969752bc1",
              "status": "affected",
              "version": "e9d36c07bb787840e4813fb09a929a17d522a69f",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/linux/iommu.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.7"
            },
            {
              "lessThan": "6.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.28",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.28",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.6",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu: Fix two issues in iommu_copy_struct_from_user()\n\nIn the review for iommu_copy_struct_to_user() helper, Matt pointed out that\na NULL pointer should be rejected prior to dereferencing it:\nhttps://lore.kernel.org/all/86881827-8E2D-461C-BDA3-FA8FD14C343C@nvidia.com\n\nAnd Alok pointed out a typo at the same time:\nhttps://lore.kernel.org/all/480536af-6830-43ce-a327-adbd13dc3f1d@oracle.com\n\nSince both issues were copied from iommu_copy_struct_from_user(), fix them\nfirst in the current header."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:23:19.890Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/2e303d010722787dc84d94f68d70fe10dfc1b9ea"
        },
        {
          "url": "https://git.kernel.org/stable/c/967d6f0d9a20a1bf15ee7ed881e2d4e532e22709"
        },
        {
          "url": "https://git.kernel.org/stable/c/30a3f2f3e4bd6335b727c83c08a982d969752bc1"
        }
      ],
      "title": "iommu: Fix two issues in iommu_copy_struct_from_user()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37900",
    "datePublished": "2025-05-20T15:21:35.433Z",
    "dateReserved": "2025-04-16T04:51:23.965Z",
    "dateUpdated": "2025-05-26T05:23:19.890Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38292 (GCVE-0-2025-38292)

Vulnerability from cvelistv5

Published

2025-07-10 07:42

Modified

2025-07-28 04:17

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix invalid access to memory In ath12k_dp_rx_msdu_coalesce(), rxcb is fetched from skb and boolean is_continuation is part of rxcb. Currently, after freeing the skb, the rxcb->is_continuation accessed again which is wrong since the memory is already freed. This might lead use-after-free error. Hence, fix by locally defining bool is_continuation from rxcb, so that after freeing skb, is_continuation can be used. Compile tested only.

References

URL

Tags

	https://git.kernel.org/stable/c/371b340affa52f280f6eadfd25fbd43f09f0d5c0
	https://git.kernel.org/stable/c/5f09d16cd57764c95c8548fe5b70672c9ac01127
	https://git.kernel.org/stable/c/9f17747fbda6fca934854463873c4abf8061491d

Impacted products

Vendor

Product

Version

Linux

Version: d889913205cf7ebda905b1e62c5867ed4e39f6c2
Version: d889913205cf7ebda905b1e62c5867ed4e39f6c2
Version: d889913205cf7ebda905b1e62c5867ed4e39f6c2

Linux

Version: 6.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/ath/ath12k/dp_rx.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "371b340affa52f280f6eadfd25fbd43f09f0d5c0",
              "status": "affected",
              "version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
              "versionType": "git"
            },
            {
              "lessThan": "5f09d16cd57764c95c8548fe5b70672c9ac01127",
              "status": "affected",
              "version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
              "versionType": "git"
            },
            {
              "lessThan": "9f17747fbda6fca934854463873c4abf8061491d",
              "status": "affected",
              "version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/ath/ath12k/dp_rx.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.3"
            },
            {
              "lessThan": "6.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: fix invalid access to memory\n\nIn ath12k_dp_rx_msdu_coalesce(), rxcb is fetched from skb and boolean\nis_continuation is part of rxcb.\nCurrently, after freeing the skb, the rxcb-\u003eis_continuation accessed\nagain which is wrong since the memory is already freed.\nThis might lead use-after-free error.\n\nHence, fix by locally defining bool is_continuation from rxcb,\nso that after freeing skb, is_continuation can be used.\n\nCompile tested only."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:17:42.735Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/371b340affa52f280f6eadfd25fbd43f09f0d5c0"
        },
        {
          "url": "https://git.kernel.org/stable/c/5f09d16cd57764c95c8548fe5b70672c9ac01127"
        },
        {
          "url": "https://git.kernel.org/stable/c/9f17747fbda6fca934854463873c4abf8061491d"
        }
      ],
      "title": "wifi: ath12k: fix invalid access to memory",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38292",
    "datePublished": "2025-07-10T07:42:07.506Z",
    "dateReserved": "2025-04-16T04:51:24.001Z",
    "dateUpdated": "2025-07-28T04:17:42.735Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38355 (GCVE-0-2025-38355)

Vulnerability from cvelistv5

Published

2025-07-25 12:47

Modified

2025-07-28 04:19

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/xe: Process deferred GGTT node removals on device unwind While we are indirectly draining our dedicated workqueue ggtt->wq that we use to complete asynchronous removal of some GGTT nodes, this happends as part of the managed-drm unwinding (ggtt_fini_early), which could be later then manage-device unwinding, where we could already unmap our MMIO/GMS mapping (mmio_fini). This was recently observed during unsuccessful VF initialization: [ ] xe 0000:00:02.1: probe with driver xe failed with error -62 [ ] xe 0000:00:02.1: DEVRES REL ffff88811e747340 __xe_bo_unpin_map_no_vm (16 bytes) [ ] xe 0000:00:02.1: DEVRES REL ffff88811e747540 __xe_bo_unpin_map_no_vm (16 bytes) [ ] xe 0000:00:02.1: DEVRES REL ffff88811e747240 __xe_bo_unpin_map_no_vm (16 bytes) [ ] xe 0000:00:02.1: DEVRES REL ffff88811e747040 tiles_fini (16 bytes) [ ] xe 0000:00:02.1: DEVRES REL ffff88811e746840 mmio_fini (16 bytes) [ ] xe 0000:00:02.1: DEVRES REL ffff88811e747f40 xe_bo_pinned_fini (16 bytes) [ ] xe 0000:00:02.1: DEVRES REL ffff88811e746b40 devm_drm_dev_init_release (16 bytes) [ ] xe 0000:00:02.1: [drm:drm_managed_release] drmres release begin [ ] xe 0000:00:02.1: [drm:drm_managed_release] REL ffff88810ef81640 __fini_relay (8 bytes) [ ] xe 0000:00:02.1: [drm:drm_managed_release] REL ffff88810ef80d40 guc_ct_fini (8 bytes) [ ] xe 0000:00:02.1: [drm:drm_managed_release] REL ffff88810ef80040 __drmm_mutex_release (8 bytes) [ ] xe 0000:00:02.1: [drm:drm_managed_release] REL ffff88810ef80140 ggtt_fini_early (8 bytes) and this was leading to: [ ] BUG: unable to handle page fault for address: ffffc900058162a0 [ ] #PF: supervisor write access in kernel mode [ ] #PF: error_code(0x0002) - not-present page [ ] Oops: Oops: 0002 [#1] SMP NOPTI [ ] Tainted: [W]=WARN [ ] Workqueue: xe-ggtt-wq ggtt_node_remove_work_func [xe] [ ] RIP: 0010:xe_ggtt_set_pte+0x6d/0x350 [xe] [ ] Call Trace: [ ] <TASK> [ ] xe_ggtt_clear+0xb0/0x270 [xe] [ ] ggtt_node_remove+0xbb/0x120 [xe] [ ] ggtt_node_remove_work_func+0x30/0x50 [xe] [ ] process_one_work+0x22b/0x6f0 [ ] worker_thread+0x1e8/0x3d Add managed-device action that will explicitly drain the workqueue with all pending node removals prior to releasing MMIO/GSM mapping. (cherry picked from commit 89d2835c3680ab1938e22ad81b1c9f8c686bd391)

References

URL

Tags

	https://git.kernel.org/stable/c/1b12f8dabbb8fd7d5a2611dd7bc5982ffbc2e5df
	https://git.kernel.org/stable/c/5ab4eba9b26a93605b4f2f2b688d6ba818d7331d
	https://git.kernel.org/stable/c/af2b588abe006bd55ddd358c4c3b87523349c475

Impacted products

Vendor

Product

Version

Linux

Version: 919bb54e989c1edef87e9797be125c94c450fc65
Version: 919bb54e989c1edef87e9797be125c94c450fc65
Version: 919bb54e989c1edef87e9797be125c94c450fc65

Linux

Version: 6.12

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/xe/xe_ggtt.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1b12f8dabbb8fd7d5a2611dd7bc5982ffbc2e5df",
              "status": "affected",
              "version": "919bb54e989c1edef87e9797be125c94c450fc65",
              "versionType": "git"
            },
            {
              "lessThan": "5ab4eba9b26a93605b4f2f2b688d6ba818d7331d",
              "status": "affected",
              "version": "919bb54e989c1edef87e9797be125c94c450fc65",
              "versionType": "git"
            },
            {
              "lessThan": "af2b588abe006bd55ddd358c4c3b87523349c475",
              "status": "affected",
              "version": "919bb54e989c1edef87e9797be125c94c450fc65",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/xe/xe_ggtt.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.12"
            },
            {
              "lessThan": "6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.36",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.36",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.5",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Process deferred GGTT node removals on device unwind\n\nWhile we are indirectly draining our dedicated workqueue ggtt-\u003ewq\nthat we use to complete asynchronous removal of some GGTT nodes,\nthis happends as part of the managed-drm unwinding (ggtt_fini_early),\nwhich could be later then manage-device unwinding, where we could\nalready unmap our MMIO/GMS mapping (mmio_fini).\n\nThis was recently observed during unsuccessful VF initialization:\n\n [ ] xe 0000:00:02.1: probe with driver xe failed with error -62\n [ ] xe 0000:00:02.1: DEVRES REL ffff88811e747340 __xe_bo_unpin_map_no_vm (16 bytes)\n [ ] xe 0000:00:02.1: DEVRES REL ffff88811e747540 __xe_bo_unpin_map_no_vm (16 bytes)\n [ ] xe 0000:00:02.1: DEVRES REL ffff88811e747240 __xe_bo_unpin_map_no_vm (16 bytes)\n [ ] xe 0000:00:02.1: DEVRES REL ffff88811e747040 tiles_fini (16 bytes)\n [ ] xe 0000:00:02.1: DEVRES REL ffff88811e746840 mmio_fini (16 bytes)\n [ ] xe 0000:00:02.1: DEVRES REL ffff88811e747f40 xe_bo_pinned_fini (16 bytes)\n [ ] xe 0000:00:02.1: DEVRES REL ffff88811e746b40 devm_drm_dev_init_release (16 bytes)\n [ ] xe 0000:00:02.1: [drm:drm_managed_release] drmres release begin\n [ ] xe 0000:00:02.1: [drm:drm_managed_release] REL ffff88810ef81640 __fini_relay (8 bytes)\n [ ] xe 0000:00:02.1: [drm:drm_managed_release] REL ffff88810ef80d40 guc_ct_fini (8 bytes)\n [ ] xe 0000:00:02.1: [drm:drm_managed_release] REL ffff88810ef80040 __drmm_mutex_release (8 bytes)\n [ ] xe 0000:00:02.1: [drm:drm_managed_release] REL ffff88810ef80140 ggtt_fini_early (8 bytes)\n\nand this was leading to:\n\n [ ] BUG: unable to handle page fault for address: ffffc900058162a0\n [ ] #PF: supervisor write access in kernel mode\n [ ] #PF: error_code(0x0002) - not-present page\n [ ] Oops: Oops: 0002 [#1] SMP NOPTI\n [ ] Tainted: [W]=WARN\n [ ] Workqueue: xe-ggtt-wq ggtt_node_remove_work_func [xe]\n [ ] RIP: 0010:xe_ggtt_set_pte+0x6d/0x350 [xe]\n [ ] Call Trace:\n [ ]  \u003cTASK\u003e\n [ ]  xe_ggtt_clear+0xb0/0x270 [xe]\n [ ]  ggtt_node_remove+0xbb/0x120 [xe]\n [ ]  ggtt_node_remove_work_func+0x30/0x50 [xe]\n [ ]  process_one_work+0x22b/0x6f0\n [ ]  worker_thread+0x1e8/0x3d\n\nAdd managed-device action that will explicitly drain the workqueue\nwith all pending node removals prior to releasing MMIO/GSM mapping.\n\n(cherry picked from commit 89d2835c3680ab1938e22ad81b1c9f8c686bd391)"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:19:45.620Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1b12f8dabbb8fd7d5a2611dd7bc5982ffbc2e5df"
        },
        {
          "url": "https://git.kernel.org/stable/c/5ab4eba9b26a93605b4f2f2b688d6ba818d7331d"
        },
        {
          "url": "https://git.kernel.org/stable/c/af2b588abe006bd55ddd358c4c3b87523349c475"
        }
      ],
      "title": "drm/xe: Process deferred GGTT node removals on device unwind",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38355",
    "datePublished": "2025-07-25T12:47:26.994Z",
    "dateReserved": "2025-04-16T04:51:24.007Z",
    "dateUpdated": "2025-07-28T04:19:45.620Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38478 (GCVE-0-2025-38478)

Vulnerability from cvelistv5

Published

2025-07-28 11:21

Modified

2025-11-03 17:38

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: comedi: Fix initialization of data for instructions that write to subdevice Some Comedi subdevice instruction handlers are known to access instruction data elements beyond the first `insn->n` elements in some cases. The `do_insn_ioctl()` and `do_insnlist_ioctl()` functions allocate at least `MIN_SAMPLES` (16) data elements to deal with this, but they do not initialize all of that. For Comedi instruction codes that write to the subdevice, the first `insn->n` data elements are copied from user-space, but the remaining elements are left uninitialized. That could be a problem if the subdevice instruction handler reads the uninitialized data. Ensure that the first `MIN_SAMPLES` elements are initialized before calling these instruction handlers, filling the uncopied elements with 0. For `do_insnlist_ioctl()`, the same data buffer elements are used for handling a list of instructions, so ensure the first `MIN_SAMPLES` elements are initialized for each instruction that writes to the subdevice.

References

URL

Tags

	https://git.kernel.org/stable/c/6f38c6380c3b38a05032b8881e41137385a6ce02
	https://git.kernel.org/stable/c/13e4d9038a1e869445a996a3f604a84ef52fe8f4
	https://git.kernel.org/stable/c/020eed5681d0f9bced73970368078a92d6cfaa9c
	https://git.kernel.org/stable/c/d3436638738ace8f101af7bdee2eae1bc38e9b29
	https://git.kernel.org/stable/c/673ee92bd2d31055bca98a1d96b653f5284289c4
	https://git.kernel.org/stable/c/c42116dc70af6664526f7aa82cf937824ab42649
	https://git.kernel.org/stable/c/fe8713fb4e4e82a4f91910d9a41bf0613e69a0b9
	https://git.kernel.org/stable/c/46d8c744136ce2454aa4c35c138cc06817f92b8e

Impacted products

Vendor

Product

Version

Linux

Version: ed9eccbe8970f6eedc1b978c157caf1251a896d4
Version: ed9eccbe8970f6eedc1b978c157caf1251a896d4
Version: ed9eccbe8970f6eedc1b978c157caf1251a896d4
Version: ed9eccbe8970f6eedc1b978c157caf1251a896d4
Version: ed9eccbe8970f6eedc1b978c157caf1251a896d4
Version: ed9eccbe8970f6eedc1b978c157caf1251a896d4
Version: ed9eccbe8970f6eedc1b978c157caf1251a896d4
Version: ed9eccbe8970f6eedc1b978c157caf1251a896d4

Linux

Version: 2.6.29

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:38:46.621Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/comedi/comedi_fops.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6f38c6380c3b38a05032b8881e41137385a6ce02",
              "status": "affected",
              "version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
              "versionType": "git"
            },
            {
              "lessThan": "13e4d9038a1e869445a996a3f604a84ef52fe8f4",
              "status": "affected",
              "version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
              "versionType": "git"
            },
            {
              "lessThan": "020eed5681d0f9bced73970368078a92d6cfaa9c",
              "status": "affected",
              "version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
              "versionType": "git"
            },
            {
              "lessThan": "d3436638738ace8f101af7bdee2eae1bc38e9b29",
              "status": "affected",
              "version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
              "versionType": "git"
            },
            {
              "lessThan": "673ee92bd2d31055bca98a1d96b653f5284289c4",
              "status": "affected",
              "version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
              "versionType": "git"
            },
            {
              "lessThan": "c42116dc70af6664526f7aa82cf937824ab42649",
              "status": "affected",
              "version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
              "versionType": "git"
            },
            {
              "lessThan": "fe8713fb4e4e82a4f91910d9a41bf0613e69a0b9",
              "status": "affected",
              "version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
              "versionType": "git"
            },
            {
              "lessThan": "46d8c744136ce2454aa4c35c138cc06817f92b8e",
              "status": "affected",
              "version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/comedi/comedi_fops.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.29"
            },
            {
              "lessThan": "2.6.29",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.297",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.241",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.147",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.100",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.40",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.297",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.241",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.147",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.100",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.40",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.8",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: Fix initialization of data for instructions that write to subdevice\n\nSome Comedi subdevice instruction handlers are known to access\ninstruction data elements beyond the first `insn-\u003en` elements in some\ncases.  The `do_insn_ioctl()` and `do_insnlist_ioctl()` functions\nallocate at least `MIN_SAMPLES` (16) data elements to deal with this,\nbut they do not initialize all of that.  For Comedi instruction codes\nthat write to the subdevice, the first `insn-\u003en` data elements are\ncopied from user-space, but the remaining elements are left\nuninitialized.  That could be a problem if the subdevice instruction\nhandler reads the uninitialized data.  Ensure that the first\n`MIN_SAMPLES` elements are initialized before calling these instruction\nhandlers, filling the uncopied elements with 0.  For\n`do_insnlist_ioctl()`, the same data buffer elements are used for\nhandling a list of instructions, so ensure the first `MIN_SAMPLES`\nelements are initialized for each instruction that writes to the\nsubdevice."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-28T14:43:17.668Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/6f38c6380c3b38a05032b8881e41137385a6ce02"
        },
        {
          "url": "https://git.kernel.org/stable/c/13e4d9038a1e869445a996a3f604a84ef52fe8f4"
        },
        {
          "url": "https://git.kernel.org/stable/c/020eed5681d0f9bced73970368078a92d6cfaa9c"
        },
        {
          "url": "https://git.kernel.org/stable/c/d3436638738ace8f101af7bdee2eae1bc38e9b29"
        },
        {
          "url": "https://git.kernel.org/stable/c/673ee92bd2d31055bca98a1d96b653f5284289c4"
        },
        {
          "url": "https://git.kernel.org/stable/c/c42116dc70af6664526f7aa82cf937824ab42649"
        },
        {
          "url": "https://git.kernel.org/stable/c/fe8713fb4e4e82a4f91910d9a41bf0613e69a0b9"
        },
        {
          "url": "https://git.kernel.org/stable/c/46d8c744136ce2454aa4c35c138cc06817f92b8e"
        }
      ],
      "title": "comedi: Fix initialization of data for instructions that write to subdevice",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38478",
    "datePublished": "2025-07-28T11:21:44.210Z",
    "dateReserved": "2025-04-16T04:51:24.021Z",
    "dateUpdated": "2025-11-03T17:38:46.621Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-37766 (GCVE-0-2025-37766)

Vulnerability from cvelistv5

Published

2025-05-01 13:07

Modified

2025-11-03 19:54

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/amd/pm: Prevent division by zero The user can set any speed value. If speed is greater than UINT_MAX/8, division by zero is possible. Found by Linux Verification Center (linuxtesting.org) with SVACE.

References

URL

Tags

	https://git.kernel.org/stable/c/6b9f9b998b107c7539f148a013d789ddb860c3b9
	https://git.kernel.org/stable/c/ce773dd844ee19a605af27f11470887e0f2044a9
	https://git.kernel.org/stable/c/80814924260cea431a8fc6137d11cc8cb331a10c
	https://git.kernel.org/stable/c/ffd688804425579a472fbd2525bedb58b1d28bd9
	https://git.kernel.org/stable/c/068091b796480819bf70b159f17e222ad8bea900
	https://git.kernel.org/stable/c/42f7b5d12c28b2a601a98d10a80c6db1fe1a2900
	https://git.kernel.org/stable/c/affd2241927a1e74c0aecd50c2d920dc4213c56d
	https://git.kernel.org/stable/c/4e3d9508c056d7e0a56b58d5c81253e2a0d22b6c

Impacted products

Vendor

Product

Version

Linux

Version: 031db09017da532d4dc7bbba8c734cfc80f49f34
Version: 031db09017da532d4dc7bbba8c734cfc80f49f34
Version: 031db09017da532d4dc7bbba8c734cfc80f49f34
Version: 031db09017da532d4dc7bbba8c734cfc80f49f34
Version: 031db09017da532d4dc7bbba8c734cfc80f49f34
Version: 031db09017da532d4dc7bbba8c734cfc80f49f34
Version: 031db09017da532d4dc7bbba8c734cfc80f49f34
Version: 031db09017da532d4dc7bbba8c734cfc80f49f34

Linux

Version: 4.20

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:54:38.771Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega20_thermal.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6b9f9b998b107c7539f148a013d789ddb860c3b9",
              "status": "affected",
              "version": "031db09017da532d4dc7bbba8c734cfc80f49f34",
              "versionType": "git"
            },
            {
              "lessThan": "ce773dd844ee19a605af27f11470887e0f2044a9",
              "status": "affected",
              "version": "031db09017da532d4dc7bbba8c734cfc80f49f34",
              "versionType": "git"
            },
            {
              "lessThan": "80814924260cea431a8fc6137d11cc8cb331a10c",
              "status": "affected",
              "version": "031db09017da532d4dc7bbba8c734cfc80f49f34",
              "versionType": "git"
            },
            {
              "lessThan": "ffd688804425579a472fbd2525bedb58b1d28bd9",
              "status": "affected",
              "version": "031db09017da532d4dc7bbba8c734cfc80f49f34",
              "versionType": "git"
            },
            {
              "lessThan": "068091b796480819bf70b159f17e222ad8bea900",
              "status": "affected",
              "version": "031db09017da532d4dc7bbba8c734cfc80f49f34",
              "versionType": "git"
            },
            {
              "lessThan": "42f7b5d12c28b2a601a98d10a80c6db1fe1a2900",
              "status": "affected",
              "version": "031db09017da532d4dc7bbba8c734cfc80f49f34",
              "versionType": "git"
            },
            {
              "lessThan": "affd2241927a1e74c0aecd50c2d920dc4213c56d",
              "status": "affected",
              "version": "031db09017da532d4dc7bbba8c734cfc80f49f34",
              "versionType": "git"
            },
            {
              "lessThan": "4e3d9508c056d7e0a56b58d5c81253e2a0d22b6c",
              "status": "affected",
              "version": "031db09017da532d4dc7bbba8c734cfc80f49f34",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega20_thermal.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.20"
            },
            {
              "lessThan": "4.20",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.293",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.237",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.181",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.135",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.25",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.293",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.237",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.181",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.135",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.88",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.25",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.4",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/pm: Prevent division by zero\n\nThe user can set any speed value.\nIf speed is greater than UINT_MAX/8, division by zero is possible.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:20:25.068Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/6b9f9b998b107c7539f148a013d789ddb860c3b9"
        },
        {
          "url": "https://git.kernel.org/stable/c/ce773dd844ee19a605af27f11470887e0f2044a9"
        },
        {
          "url": "https://git.kernel.org/stable/c/80814924260cea431a8fc6137d11cc8cb331a10c"
        },
        {
          "url": "https://git.kernel.org/stable/c/ffd688804425579a472fbd2525bedb58b1d28bd9"
        },
        {
          "url": "https://git.kernel.org/stable/c/068091b796480819bf70b159f17e222ad8bea900"
        },
        {
          "url": "https://git.kernel.org/stable/c/42f7b5d12c28b2a601a98d10a80c6db1fe1a2900"
        },
        {
          "url": "https://git.kernel.org/stable/c/affd2241927a1e74c0aecd50c2d920dc4213c56d"
        },
        {
          "url": "https://git.kernel.org/stable/c/4e3d9508c056d7e0a56b58d5c81253e2a0d22b6c"
        }
      ],
      "title": "drm/amd/pm: Prevent division by zero",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37766",
    "datePublished": "2025-05-01T13:07:07.168Z",
    "dateReserved": "2025-04-16T04:51:23.939Z",
    "dateUpdated": "2025-11-03T19:54:38.771Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-37844 (GCVE-0-2025-37844)

Vulnerability from cvelistv5

Published

2025-05-09 06:41

Modified

2025-11-03 19:56

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: cifs: avoid NULL pointer dereference in dbg call cifs_server_dbg() implies server to be non-NULL so move call under condition to avoid NULL pointer dereference. Found by Linux Verification Center (linuxtesting.org) with SVACE.

References

URL

Tags

	https://git.kernel.org/stable/c/ba3ce6c60cd5db258687dfeba9fc608f5e7cadf3
	https://git.kernel.org/stable/c/9c9000cb91b986eb7f75835340c67857ab97c09b
	https://git.kernel.org/stable/c/b2a1833e1c63e2585867ebeaf4dd41494dcede4b
	https://git.kernel.org/stable/c/864ba5c651b03830f36f0906c21af05b15c1aaa6
	https://git.kernel.org/stable/c/e0717385f5c51e290c2cd2ad4699a778316b5132
	https://git.kernel.org/stable/c/20048e658652e731f5cadf4a695925e570ca0ff9
	https://git.kernel.org/stable/c/6c14ee6af8f1f188b668afd6d003f7516a507b08
	https://git.kernel.org/stable/c/b4885bd5935bb26f0a414ad55679a372e53f9b9b

Impacted products

Vendor

Product

Version

Linux

Version: e79b0332ae06b4895dcecddf4bbc5d3917e9383c
Version: e79b0332ae06b4895dcecddf4bbc5d3917e9383c
Version: e79b0332ae06b4895dcecddf4bbc5d3917e9383c
Version: e79b0332ae06b4895dcecddf4bbc5d3917e9383c
Version: e79b0332ae06b4895dcecddf4bbc5d3917e9383c
Version: e79b0332ae06b4895dcecddf4bbc5d3917e9383c
Version: e79b0332ae06b4895dcecddf4bbc5d3917e9383c
Version: e79b0332ae06b4895dcecddf4bbc5d3917e9383c
Version: 53e83828d352304fec5e19751f38ed8c65e6ec2f

Linux

Version: 5.7

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:56:20.631Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/client/smb2misc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ba3ce6c60cd5db258687dfeba9fc608f5e7cadf3",
              "status": "affected",
              "version": "e79b0332ae06b4895dcecddf4bbc5d3917e9383c",
              "versionType": "git"
            },
            {
              "lessThan": "9c9000cb91b986eb7f75835340c67857ab97c09b",
              "status": "affected",
              "version": "e79b0332ae06b4895dcecddf4bbc5d3917e9383c",
              "versionType": "git"
            },
            {
              "lessThan": "b2a1833e1c63e2585867ebeaf4dd41494dcede4b",
              "status": "affected",
              "version": "e79b0332ae06b4895dcecddf4bbc5d3917e9383c",
              "versionType": "git"
            },
            {
              "lessThan": "864ba5c651b03830f36f0906c21af05b15c1aaa6",
              "status": "affected",
              "version": "e79b0332ae06b4895dcecddf4bbc5d3917e9383c",
              "versionType": "git"
            },
            {
              "lessThan": "e0717385f5c51e290c2cd2ad4699a778316b5132",
              "status": "affected",
              "version": "e79b0332ae06b4895dcecddf4bbc5d3917e9383c",
              "versionType": "git"
            },
            {
              "lessThan": "20048e658652e731f5cadf4a695925e570ca0ff9",
              "status": "affected",
              "version": "e79b0332ae06b4895dcecddf4bbc5d3917e9383c",
              "versionType": "git"
            },
            {
              "lessThan": "6c14ee6af8f1f188b668afd6d003f7516a507b08",
              "status": "affected",
              "version": "e79b0332ae06b4895dcecddf4bbc5d3917e9383c",
              "versionType": "git"
            },
            {
              "lessThan": "b4885bd5935bb26f0a414ad55679a372e53f9b9b",
              "status": "affected",
              "version": "e79b0332ae06b4895dcecddf4bbc5d3917e9383c",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "53e83828d352304fec5e19751f38ed8c65e6ec2f",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/client/smb2misc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.7"
            },
            {
              "lessThan": "5.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.237",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.181",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.135",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.24",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.237",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.181",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.135",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.88",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.24",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.12",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.3",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.6.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: avoid NULL pointer dereference in dbg call\n\ncifs_server_dbg() implies server to be non-NULL so\nmove call under condition to avoid NULL pointer dereference.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:22:08.214Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ba3ce6c60cd5db258687dfeba9fc608f5e7cadf3"
        },
        {
          "url": "https://git.kernel.org/stable/c/9c9000cb91b986eb7f75835340c67857ab97c09b"
        },
        {
          "url": "https://git.kernel.org/stable/c/b2a1833e1c63e2585867ebeaf4dd41494dcede4b"
        },
        {
          "url": "https://git.kernel.org/stable/c/864ba5c651b03830f36f0906c21af05b15c1aaa6"
        },
        {
          "url": "https://git.kernel.org/stable/c/e0717385f5c51e290c2cd2ad4699a778316b5132"
        },
        {
          "url": "https://git.kernel.org/stable/c/20048e658652e731f5cadf4a695925e570ca0ff9"
        },
        {
          "url": "https://git.kernel.org/stable/c/6c14ee6af8f1f188b668afd6d003f7516a507b08"
        },
        {
          "url": "https://git.kernel.org/stable/c/b4885bd5935bb26f0a414ad55679a372e53f9b9b"
        }
      ],
      "title": "cifs: avoid NULL pointer dereference in dbg call",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37844",
    "datePublished": "2025-05-09T06:41:53.224Z",
    "dateReserved": "2025-04-16T04:51:23.953Z",
    "dateUpdated": "2025-11-03T19:56:20.631Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38031 (GCVE-0-2025-38031)

Vulnerability from cvelistv5

Published

2025-06-18 09:33

Modified

2025-11-03 17:33

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: padata: do not leak refcount in reorder_work A recent patch that addressed a UAF introduced a reference count leak: the parallel_data refcount is incremented unconditionally, regardless of the return value of queue_work(). If the work item is already queued, the incremented refcount is never decremented. Fix this by checking the return value of queue_work() and decrementing the refcount when necessary. Resolves: Unreferenced object 0xffff9d9f421e3d80 (size 192): comm "cryptomgr_probe", pid 157, jiffies 4294694003 hex dump (first 32 bytes): 80 8b cf 41 9f 9d ff ff b8 97 e0 89 ff ff ff ff ...A............ d0 97 e0 89 ff ff ff ff 19 00 00 00 1f 88 23 00 ..............#. backtrace (crc 838fb36): __kmalloc_cache_noprof+0x284/0x320 padata_alloc_pd+0x20/0x1e0 padata_alloc_shell+0x3b/0xa0 0xffffffffc040a54d cryptomgr_probe+0x43/0xc0 kthread+0xf6/0x1f0 ret_from_fork+0x2f/0x50 ret_from_fork_asm+0x1a/0x30

References

URL

Tags

	https://git.kernel.org/stable/c/b9ad8e50e8589607e68e6c4cefa7f72bf35a2cb1
	https://git.kernel.org/stable/c/1a426abdf1c86882c9203dd8182f3b8274b89938
	https://git.kernel.org/stable/c/cceb15864e1612ebfbc10ec4e4dcd19a10c0056c
	https://git.kernel.org/stable/c/584a729615fa92f4de45480efb7e569d14be1516
	https://git.kernel.org/stable/c/5300e487487d7a2e3e1e6e9d8f03ed9452e4019e
	https://git.kernel.org/stable/c/1c65ae4988714716101555fe2b9830e33136d6fb
	https://git.kernel.org/stable/c/d6ebcde6d4ecf34f8495fb30516645db3aea8993

Impacted products

Vendor

Product

Version

Linux

Version: f4f1b1169fc3694f9bc3e28c6c68dbbf4cc744c0
Version: 4c6209efea2208597dbd3e52dc87a0d1a8f2dbe1
Version: 7000507bb0d2ceb545c0a690e0c707c897d102c2
Version: 6f45ef616775b0ce7889b0f6077fc8d681ab30bc
Version: 8ca38d0ca8c3d30dd18d311f1a7ec5cb56972cac
Version: dd7d37ccf6b11f3d95e797ebe4e9e886d0332600
Version: dd7d37ccf6b11f3d95e797ebe4e9e886d0332600
Version: a54091c24220a4cd847d5b4f36d678edacddbaf0

Linux

Version: 6.14

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:33:10.591Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/padata.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b9ad8e50e8589607e68e6c4cefa7f72bf35a2cb1",
              "status": "affected",
              "version": "f4f1b1169fc3694f9bc3e28c6c68dbbf4cc744c0",
              "versionType": "git"
            },
            {
              "lessThan": "1a426abdf1c86882c9203dd8182f3b8274b89938",
              "status": "affected",
              "version": "4c6209efea2208597dbd3e52dc87a0d1a8f2dbe1",
              "versionType": "git"
            },
            {
              "lessThan": "cceb15864e1612ebfbc10ec4e4dcd19a10c0056c",
              "status": "affected",
              "version": "7000507bb0d2ceb545c0a690e0c707c897d102c2",
              "versionType": "git"
            },
            {
              "lessThan": "584a729615fa92f4de45480efb7e569d14be1516",
              "status": "affected",
              "version": "6f45ef616775b0ce7889b0f6077fc8d681ab30bc",
              "versionType": "git"
            },
            {
              "lessThan": "5300e487487d7a2e3e1e6e9d8f03ed9452e4019e",
              "status": "affected",
              "version": "8ca38d0ca8c3d30dd18d311f1a7ec5cb56972cac",
              "versionType": "git"
            },
            {
              "lessThan": "1c65ae4988714716101555fe2b9830e33136d6fb",
              "status": "affected",
              "version": "dd7d37ccf6b11f3d95e797ebe4e9e886d0332600",
              "versionType": "git"
            },
            {
              "lessThan": "d6ebcde6d4ecf34f8495fb30516645db3aea8993",
              "status": "affected",
              "version": "dd7d37ccf6b11f3d95e797ebe4e9e886d0332600",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "a54091c24220a4cd847d5b4f36d678edacddbaf0",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/padata.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.14"
            },
            {
              "lessThan": "6.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.238",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.185",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.141",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.93",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.31",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.238",
                  "versionStartIncluding": "5.10.235",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.185",
                  "versionStartIncluding": "5.15.179",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.141",
                  "versionStartIncluding": "6.1.129",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.93",
                  "versionStartIncluding": "6.6.76",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.31",
                  "versionStartIncluding": "6.12.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.9",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.13.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npadata: do not leak refcount in reorder_work\n\nA recent patch that addressed a UAF introduced a reference count leak:\nthe parallel_data refcount is incremented unconditionally, regardless\nof the return value of queue_work(). If the work item is already queued,\nthe incremented refcount is never decremented.\n\nFix this by checking the return value of queue_work() and decrementing\nthe refcount when necessary.\n\nResolves:\n\nUnreferenced object 0xffff9d9f421e3d80 (size 192):\n  comm \"cryptomgr_probe\", pid 157, jiffies 4294694003\n  hex dump (first 32 bytes):\n    80 8b cf 41 9f 9d ff ff b8 97 e0 89 ff ff ff ff  ...A............\n    d0 97 e0 89 ff ff ff ff 19 00 00 00 1f 88 23 00  ..............#.\n  backtrace (crc 838fb36):\n    __kmalloc_cache_noprof+0x284/0x320\n    padata_alloc_pd+0x20/0x1e0\n    padata_alloc_shell+0x3b/0xa0\n    0xffffffffc040a54d\n    cryptomgr_probe+0x43/0xc0\n    kthread+0xf6/0x1f0\n    ret_from_fork+0x2f/0x50\n    ret_from_fork_asm+0x1a/0x30"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-18T09:33:18.882Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b9ad8e50e8589607e68e6c4cefa7f72bf35a2cb1"
        },
        {
          "url": "https://git.kernel.org/stable/c/1a426abdf1c86882c9203dd8182f3b8274b89938"
        },
        {
          "url": "https://git.kernel.org/stable/c/cceb15864e1612ebfbc10ec4e4dcd19a10c0056c"
        },
        {
          "url": "https://git.kernel.org/stable/c/584a729615fa92f4de45480efb7e569d14be1516"
        },
        {
          "url": "https://git.kernel.org/stable/c/5300e487487d7a2e3e1e6e9d8f03ed9452e4019e"
        },
        {
          "url": "https://git.kernel.org/stable/c/1c65ae4988714716101555fe2b9830e33136d6fb"
        },
        {
          "url": "https://git.kernel.org/stable/c/d6ebcde6d4ecf34f8495fb30516645db3aea8993"
        }
      ],
      "title": "padata: do not leak refcount in reorder_work",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38031",
    "datePublished": "2025-06-18T09:33:18.882Z",
    "dateReserved": "2025-04-16T04:51:23.978Z",
    "dateUpdated": "2025-11-03T17:33:10.591Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38051 (GCVE-0-2025-38051)

Vulnerability from cvelistv5

Published

2025-06-18 09:33

Modified

2025-11-03 17:33

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: smb: client: Fix use-after-free in cifs_fill_dirent There is a race condition in the readdir concurrency process, which may access the rsp buffer after it has been released, triggering the following KASAN warning. ================================================================== BUG: KASAN: slab-use-after-free in cifs_fill_dirent+0xb03/0xb60 [cifs] Read of size 4 at addr ffff8880099b819c by task a.out/342975 CPU: 2 UID: 0 PID: 342975 Comm: a.out Not tainted 6.15.0-rc6+ #240 PREEMPT(full) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x53/0x70 print_report+0xce/0x640 kasan_report+0xb8/0xf0 cifs_fill_dirent+0xb03/0xb60 [cifs] cifs_readdir+0x12cb/0x3190 [cifs] iterate_dir+0x1a1/0x520 __x64_sys_getdents+0x134/0x220 do_syscall_64+0x4b/0x110 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f996f64b9f9 Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0d f7 c3 0c 00 f7 d8 64 89 8 RSP: 002b:00007f996f53de78 EFLAGS: 00000207 ORIG_RAX: 000000000000004e RAX: ffffffffffffffda RBX: 00007f996f53ecdc RCX: 00007f996f64b9f9 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 00007f996f53dea0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000207 R12: ffffffffffffff88 R13: 0000000000000000 R14: 00007ffc8cd9a500 R15: 00007f996f51e000 </TASK> Allocated by task 408: kasan_save_stack+0x20/0x40 kasan_save_track+0x14/0x30 __kasan_slab_alloc+0x6e/0x70 kmem_cache_alloc_noprof+0x117/0x3d0 mempool_alloc_noprof+0xf2/0x2c0 cifs_buf_get+0x36/0x80 [cifs] allocate_buffers+0x1d2/0x330 [cifs] cifs_demultiplex_thread+0x22b/0x2690 [cifs] kthread+0x394/0x720 ret_from_fork+0x34/0x70 ret_from_fork_asm+0x1a/0x30 Freed by task 342979: kasan_save_stack+0x20/0x40 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x37/0x50 kmem_cache_free+0x2b8/0x500 cifs_buf_release+0x3c/0x70 [cifs] cifs_readdir+0x1c97/0x3190 [cifs] iterate_dir+0x1a1/0x520 __x64_sys_getdents64+0x134/0x220 do_syscall_64+0x4b/0x110 entry_SYSCALL_64_after_hwframe+0x76/0x7e The buggy address belongs to the object at ffff8880099b8000 which belongs to the cache cifs_request of size 16588 The buggy address is located 412 bytes inside of freed 16588-byte region [ffff8880099b8000, ffff8880099bc0cc) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x99b8 head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 anon flags: 0x80000000000040(head|node=0|zone=1) page_type: f5(slab) raw: 0080000000000040 ffff888001e03400 0000000000000000 dead000000000001 raw: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000 head: 0080000000000040 ffff888001e03400 0000000000000000 dead000000000001 head: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000 head: 0080000000000003 ffffea0000266e01 00000000ffffffff 00000000ffffffff head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8880099b8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880099b8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8880099b8180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8880099b8200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880099b8280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== POC is available in the link [1]. The problem triggering process is as follows: Process 1 Process 2 ----------------------------------- ---truncated---

References

URL

Tags

	https://git.kernel.org/stable/c/aee067e88d61eb72e966f094e4749c6b14e7008f
	https://git.kernel.org/stable/c/a24c2f05ac3c5b0aaa539d9d913826d2643dfd0e
	https://git.kernel.org/stable/c/1b197931fbc821bc7e9e91bf619400db563e3338
	https://git.kernel.org/stable/c/c8623231e0edfcccb7cc6add0288fa0f0594282f
	https://git.kernel.org/stable/c/73cadde98f67f76c5eba00ac0b72c453383cec8b
	https://git.kernel.org/stable/c/9bea368648ac46f8593a780760362e40291d22a9
	https://git.kernel.org/stable/c/9c9aafbacc183598f064902365e107b5e856531f
	https://git.kernel.org/stable/c/a7a8fe56e932a36f43e031b398aef92341bf5ea0

Impacted products

Vendor

Product

Version

Linux

Version: a364bc0b37f14ffd66c1f982af42990a9d77fa43
Version: a364bc0b37f14ffd66c1f982af42990a9d77fa43
Version: a364bc0b37f14ffd66c1f982af42990a9d77fa43
Version: a364bc0b37f14ffd66c1f982af42990a9d77fa43
Version: a364bc0b37f14ffd66c1f982af42990a9d77fa43
Version: a364bc0b37f14ffd66c1f982af42990a9d77fa43
Version: a364bc0b37f14ffd66c1f982af42990a9d77fa43
Version: a364bc0b37f14ffd66c1f982af42990a9d77fa43
Version: 0f3da51e7046e2eb28992ba65c22d058f571356c

Linux

Version: 2.6.28

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:33:23.156Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/client/readdir.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "aee067e88d61eb72e966f094e4749c6b14e7008f",
              "status": "affected",
              "version": "a364bc0b37f14ffd66c1f982af42990a9d77fa43",
              "versionType": "git"
            },
            {
              "lessThan": "a24c2f05ac3c5b0aaa539d9d913826d2643dfd0e",
              "status": "affected",
              "version": "a364bc0b37f14ffd66c1f982af42990a9d77fa43",
              "versionType": "git"
            },
            {
              "lessThan": "1b197931fbc821bc7e9e91bf619400db563e3338",
              "status": "affected",
              "version": "a364bc0b37f14ffd66c1f982af42990a9d77fa43",
              "versionType": "git"
            },
            {
              "lessThan": "c8623231e0edfcccb7cc6add0288fa0f0594282f",
              "status": "affected",
              "version": "a364bc0b37f14ffd66c1f982af42990a9d77fa43",
              "versionType": "git"
            },
            {
              "lessThan": "73cadde98f67f76c5eba00ac0b72c453383cec8b",
              "status": "affected",
              "version": "a364bc0b37f14ffd66c1f982af42990a9d77fa43",
              "versionType": "git"
            },
            {
              "lessThan": "9bea368648ac46f8593a780760362e40291d22a9",
              "status": "affected",
              "version": "a364bc0b37f14ffd66c1f982af42990a9d77fa43",
              "versionType": "git"
            },
            {
              "lessThan": "9c9aafbacc183598f064902365e107b5e856531f",
              "status": "affected",
              "version": "a364bc0b37f14ffd66c1f982af42990a9d77fa43",
              "versionType": "git"
            },
            {
              "lessThan": "a7a8fe56e932a36f43e031b398aef92341bf5ea0",
              "status": "affected",
              "version": "a364bc0b37f14ffd66c1f982af42990a9d77fa43",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "0f3da51e7046e2eb28992ba65c22d058f571356c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/client/readdir.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.28"
            },
            {
              "lessThan": "2.6.28",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.294",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.238",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.185",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.141",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.93",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.31",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.294",
                  "versionStartIncluding": "2.6.28",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.238",
                  "versionStartIncluding": "2.6.28",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.185",
                  "versionStartIncluding": "2.6.28",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.141",
                  "versionStartIncluding": "2.6.28",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.93",
                  "versionStartIncluding": "2.6.28",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.31",
                  "versionStartIncluding": "2.6.28",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.9",
                  "versionStartIncluding": "2.6.28",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "2.6.28",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "2.6.27.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: Fix use-after-free in cifs_fill_dirent\n\nThere is a race condition in the readdir concurrency process, which may\naccess the rsp buffer after it has been released, triggering the\nfollowing KASAN warning.\n\n ==================================================================\n BUG: KASAN: slab-use-after-free in cifs_fill_dirent+0xb03/0xb60 [cifs]\n Read of size 4 at addr ffff8880099b819c by task a.out/342975\n\n CPU: 2 UID: 0 PID: 342975 Comm: a.out Not tainted 6.15.0-rc6+ #240 PREEMPT(full)\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014\n Call Trace:\n  \u003cTASK\u003e\n  dump_stack_lvl+0x53/0x70\n  print_report+0xce/0x640\n  kasan_report+0xb8/0xf0\n  cifs_fill_dirent+0xb03/0xb60 [cifs]\n  cifs_readdir+0x12cb/0x3190 [cifs]\n  iterate_dir+0x1a1/0x520\n  __x64_sys_getdents+0x134/0x220\n  do_syscall_64+0x4b/0x110\n  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n RIP: 0033:0x7f996f64b9f9\n Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89\n f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01\n f0 ff ff  0d f7 c3 0c 00 f7 d8 64 89 8\n RSP: 002b:00007f996f53de78 EFLAGS: 00000207 ORIG_RAX: 000000000000004e\n RAX: ffffffffffffffda RBX: 00007f996f53ecdc RCX: 00007f996f64b9f9\n RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003\n RBP: 00007f996f53dea0 R08: 0000000000000000 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000207 R12: ffffffffffffff88\n R13: 0000000000000000 R14: 00007ffc8cd9a500 R15: 00007f996f51e000\n  \u003c/TASK\u003e\n\n Allocated by task 408:\n  kasan_save_stack+0x20/0x40\n  kasan_save_track+0x14/0x30\n  __kasan_slab_alloc+0x6e/0x70\n  kmem_cache_alloc_noprof+0x117/0x3d0\n  mempool_alloc_noprof+0xf2/0x2c0\n  cifs_buf_get+0x36/0x80 [cifs]\n  allocate_buffers+0x1d2/0x330 [cifs]\n  cifs_demultiplex_thread+0x22b/0x2690 [cifs]\n  kthread+0x394/0x720\n  ret_from_fork+0x34/0x70\n  ret_from_fork_asm+0x1a/0x30\n\n Freed by task 342979:\n  kasan_save_stack+0x20/0x40\n  kasan_save_track+0x14/0x30\n  kasan_save_free_info+0x3b/0x60\n  __kasan_slab_free+0x37/0x50\n  kmem_cache_free+0x2b8/0x500\n  cifs_buf_release+0x3c/0x70 [cifs]\n  cifs_readdir+0x1c97/0x3190 [cifs]\n  iterate_dir+0x1a1/0x520\n  __x64_sys_getdents64+0x134/0x220\n  do_syscall_64+0x4b/0x110\n  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\n The buggy address belongs to the object at ffff8880099b8000\n  which belongs to the cache cifs_request of size 16588\n The buggy address is located 412 bytes inside of\n  freed 16588-byte region [ffff8880099b8000, ffff8880099bc0cc)\n\n The buggy address belongs to the physical page:\n page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x99b8\n head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0\n anon flags: 0x80000000000040(head|node=0|zone=1)\n page_type: f5(slab)\n raw: 0080000000000040 ffff888001e03400 0000000000000000 dead000000000001\n raw: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000\n head: 0080000000000040 ffff888001e03400 0000000000000000 dead000000000001\n head: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000\n head: 0080000000000003 ffffea0000266e01 00000000ffffffff 00000000ffffffff\n head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008\n page dumped because: kasan: bad access detected\n\n Memory state around the buggy address:\n  ffff8880099b8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n  ffff8880099b8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n \u003effff8880099b8180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n                             ^\n  ffff8880099b8200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n  ffff8880099b8280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ==================================================================\n\nPOC is available in the link [1].\n\nThe problem triggering process is as follows:\n\nProcess 1                       Process 2\n-----------------------------------\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-18T09:33:32.805Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/aee067e88d61eb72e966f094e4749c6b14e7008f"
        },
        {
          "url": "https://git.kernel.org/stable/c/a24c2f05ac3c5b0aaa539d9d913826d2643dfd0e"
        },
        {
          "url": "https://git.kernel.org/stable/c/1b197931fbc821bc7e9e91bf619400db563e3338"
        },
        {
          "url": "https://git.kernel.org/stable/c/c8623231e0edfcccb7cc6add0288fa0f0594282f"
        },
        {
          "url": "https://git.kernel.org/stable/c/73cadde98f67f76c5eba00ac0b72c453383cec8b"
        },
        {
          "url": "https://git.kernel.org/stable/c/9bea368648ac46f8593a780760362e40291d22a9"
        },
        {
          "url": "https://git.kernel.org/stable/c/9c9aafbacc183598f064902365e107b5e856531f"
        },
        {
          "url": "https://git.kernel.org/stable/c/a7a8fe56e932a36f43e031b398aef92341bf5ea0"
        }
      ],
      "title": "smb: client: Fix use-after-free in cifs_fill_dirent",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38051",
    "datePublished": "2025-06-18T09:33:32.805Z",
    "dateReserved": "2025-04-16T04:51:23.979Z",
    "dateUpdated": "2025-11-03T17:33:23.156Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38063 (GCVE-0-2025-38063)

Vulnerability from cvelistv5

Published

2025-06-18 09:33

Modified

2025-11-03 17:33

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: dm: fix unconditional IO throttle caused by REQ_PREFLUSH When a bio with REQ_PREFLUSH is submitted to dm, __send_empty_flush() generates a flush_bio with REQ_OP_WRITE | REQ_PREFLUSH | REQ_SYNC, which causes the flush_bio to be throttled by wbt_wait(). An example from v5.4, similar problem also exists in upstream: crash> bt 2091206 PID: 2091206 TASK: ffff2050df92a300 CPU: 109 COMMAND: "kworker/u260:0" #0 [ffff800084a2f7f0] __switch_to at ffff80004008aeb8 #1 [ffff800084a2f820] __schedule at ffff800040bfa0c4 #2 [ffff800084a2f880] schedule at ffff800040bfa4b4 #3 [ffff800084a2f8a0] io_schedule at ffff800040bfa9c4 #4 [ffff800084a2f8c0] rq_qos_wait at ffff8000405925bc #5 [ffff800084a2f940] wbt_wait at ffff8000405bb3a0 #6 [ffff800084a2f9a0] __rq_qos_throttle at ffff800040592254 #7 [ffff800084a2f9c0] blk_mq_make_request at ffff80004057cf38 #8 [ffff800084a2fa60] generic_make_request at ffff800040570138 #9 [ffff800084a2fae0] submit_bio at ffff8000405703b4 #10 [ffff800084a2fb50] xlog_write_iclog at ffff800001280834 [xfs] #11 [ffff800084a2fbb0] xlog_sync at ffff800001280c3c [xfs] #12 [ffff800084a2fbf0] xlog_state_release_iclog at ffff800001280df4 [xfs] #13 [ffff800084a2fc10] xlog_write at ffff80000128203c [xfs] #14 [ffff800084a2fcd0] xlog_cil_push at ffff8000012846dc [xfs] #15 [ffff800084a2fda0] xlog_cil_push_work at ffff800001284a2c [xfs] #16 [ffff800084a2fdb0] process_one_work at ffff800040111d08 #17 [ffff800084a2fe00] worker_thread at ffff8000401121cc #18 [ffff800084a2fe70] kthread at ffff800040118de4 After commit 2def2845cc33 ("xfs: don't allow log IO to be throttled"), the metadata submitted by xlog_write_iclog() should not be throttled. But due to the existence of the dm layer, throttling flush_bio indirectly causes the metadata bio to be throttled. Fix this by conditionally adding REQ_IDLE to flush_bio.bi_opf, which makes wbt_should_throttle() return false to avoid wbt_wait().

References

URL

Tags

	https://git.kernel.org/stable/c/95d08924335f3b6f4ea0b92ebfe4fe0731c502d9
	https://git.kernel.org/stable/c/52aa28f7b1708d76e315d78b5ed397932a1a97c3
	https://git.kernel.org/stable/c/b55a97d1bd4083729a60d19beffe85d4c96680de
	https://git.kernel.org/stable/c/2858cda9a8d95e6deee7e3b0a26adde696a9a4f5
	https://git.kernel.org/stable/c/88f7f56d16f568f19e1a695af34a7f4a6ce537a6

Impacted products

Vendor

Product

Version

Linux

Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Linux

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:33:30.748Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/md/dm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "95d08924335f3b6f4ea0b92ebfe4fe0731c502d9",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "52aa28f7b1708d76e315d78b5ed397932a1a97c3",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "b55a97d1bd4083729a60d19beffe85d4c96680de",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "2858cda9a8d95e6deee7e3b0a26adde696a9a4f5",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "88f7f56d16f568f19e1a695af34a7f4a6ce537a6",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/md/dm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.141",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.93",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.31",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.141",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.93",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.31",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm: fix unconditional IO throttle caused by REQ_PREFLUSH\n\nWhen a bio with REQ_PREFLUSH is submitted to dm, __send_empty_flush()\ngenerates a flush_bio with REQ_OP_WRITE | REQ_PREFLUSH | REQ_SYNC,\nwhich causes the flush_bio to be throttled by wbt_wait().\n\nAn example from v5.4, similar problem also exists in upstream:\n\n    crash\u003e bt 2091206\n    PID: 2091206  TASK: ffff2050df92a300  CPU: 109  COMMAND: \"kworker/u260:0\"\n     #0 [ffff800084a2f7f0] __switch_to at ffff80004008aeb8\n     #1 [ffff800084a2f820] __schedule at ffff800040bfa0c4\n     #2 [ffff800084a2f880] schedule at ffff800040bfa4b4\n     #3 [ffff800084a2f8a0] io_schedule at ffff800040bfa9c4\n     #4 [ffff800084a2f8c0] rq_qos_wait at ffff8000405925bc\n     #5 [ffff800084a2f940] wbt_wait at ffff8000405bb3a0\n     #6 [ffff800084a2f9a0] __rq_qos_throttle at ffff800040592254\n     #7 [ffff800084a2f9c0] blk_mq_make_request at ffff80004057cf38\n     #8 [ffff800084a2fa60] generic_make_request at ffff800040570138\n     #9 [ffff800084a2fae0] submit_bio at ffff8000405703b4\n    #10 [ffff800084a2fb50] xlog_write_iclog at ffff800001280834 [xfs]\n    #11 [ffff800084a2fbb0] xlog_sync at ffff800001280c3c [xfs]\n    #12 [ffff800084a2fbf0] xlog_state_release_iclog at ffff800001280df4 [xfs]\n    #13 [ffff800084a2fc10] xlog_write at ffff80000128203c [xfs]\n    #14 [ffff800084a2fcd0] xlog_cil_push at ffff8000012846dc [xfs]\n    #15 [ffff800084a2fda0] xlog_cil_push_work at ffff800001284a2c [xfs]\n    #16 [ffff800084a2fdb0] process_one_work at ffff800040111d08\n    #17 [ffff800084a2fe00] worker_thread at ffff8000401121cc\n    #18 [ffff800084a2fe70] kthread at ffff800040118de4\n\nAfter commit 2def2845cc33 (\"xfs: don\u0027t allow log IO to be throttled\"),\nthe metadata submitted by xlog_write_iclog() should not be throttled.\nBut due to the existence of the dm layer, throttling flush_bio indirectly\ncauses the metadata bio to be throttled.\n\nFix this by conditionally adding REQ_IDLE to flush_bio.bi_opf, which makes\nwbt_should_throttle() return false to avoid wbt_wait()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-18T09:33:41.977Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/95d08924335f3b6f4ea0b92ebfe4fe0731c502d9"
        },
        {
          "url": "https://git.kernel.org/stable/c/52aa28f7b1708d76e315d78b5ed397932a1a97c3"
        },
        {
          "url": "https://git.kernel.org/stable/c/b55a97d1bd4083729a60d19beffe85d4c96680de"
        },
        {
          "url": "https://git.kernel.org/stable/c/2858cda9a8d95e6deee7e3b0a26adde696a9a4f5"
        },
        {
          "url": "https://git.kernel.org/stable/c/88f7f56d16f568f19e1a695af34a7f4a6ce537a6"
        }
      ],
      "title": "dm: fix unconditional IO throttle caused by REQ_PREFLUSH",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38063",
    "datePublished": "2025-06-18T09:33:41.977Z",
    "dateReserved": "2025-04-16T04:51:23.979Z",
    "dateUpdated": "2025-11-03T17:33:30.748Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38317 (GCVE-0-2025-38317)

Vulnerability from cvelistv5

Published

2025-07-10 07:42

Modified

2025-07-28 04:18

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: Fix buffer overflow in debugfs If the user tries to write more than 32 bytes then it results in memory corruption. Fortunately, this is debugfs so it's limited to root users.

References

URL

Tags

	https://git.kernel.org/stable/c/0c57aa8ef94cffc5c2d68230e19329a03e71a94f
	https://git.kernel.org/stable/c/8c4a200d03574bfcbf54fdb7ba5968b58ad2e0b3
	https://git.kernel.org/stable/c/8c7a5031a6b0d42e640fbd2d5d05f61f74e32dce

Impacted products

Vendor

Product

Version

Linux

Version: 3f73c24f28b317f22df7870c25ff82f1d625c6c2
Version: 3f73c24f28b317f22df7870c25ff82f1d625c6c2
Version: 3f73c24f28b317f22df7870c25ff82f1d625c6c2

Linux

Version: 6.11

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/ath/ath12k/debugfs_htt_stats.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0c57aa8ef94cffc5c2d68230e19329a03e71a94f",
              "status": "affected",
              "version": "3f73c24f28b317f22df7870c25ff82f1d625c6c2",
              "versionType": "git"
            },
            {
              "lessThan": "8c4a200d03574bfcbf54fdb7ba5968b58ad2e0b3",
              "status": "affected",
              "version": "3f73c24f28b317f22df7870c25ff82f1d625c6c2",
              "versionType": "git"
            },
            {
              "lessThan": "8c7a5031a6b0d42e640fbd2d5d05f61f74e32dce",
              "status": "affected",
              "version": "3f73c24f28b317f22df7870c25ff82f1d625c6c2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/ath/ath12k/debugfs_htt_stats.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.11"
            },
            {
              "lessThan": "6.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: Fix buffer overflow in debugfs\n\nIf the user tries to write more than 32 bytes then it results in memory\ncorruption.  Fortunately, this is debugfs so it\u0027s limited to root users."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:18:28.701Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0c57aa8ef94cffc5c2d68230e19329a03e71a94f"
        },
        {
          "url": "https://git.kernel.org/stable/c/8c4a200d03574bfcbf54fdb7ba5968b58ad2e0b3"
        },
        {
          "url": "https://git.kernel.org/stable/c/8c7a5031a6b0d42e640fbd2d5d05f61f74e32dce"
        }
      ],
      "title": "wifi: ath12k: Fix buffer overflow in debugfs",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38317",
    "datePublished": "2025-07-10T07:42:23.841Z",
    "dateReserved": "2025-04-16T04:51:24.004Z",
    "dateUpdated": "2025-07-28T04:18:28.701Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-43869 (GCVE-0-2024-43869)

Vulnerability from cvelistv5

Published

2024-08-21 00:06

Modified

2025-11-03 22:06

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: perf: Fix event leak upon exec and file release The perf pending task work is never waited upon the matching event release. In the case of a child event, released via free_event() directly, this can potentially result in a leaked event, such as in the following scenario that doesn't even require a weak IRQ work implementation to trigger: schedule() prepare_task_switch() =======> <NMI> perf_event_overflow() event->pending_sigtrap = ... irq_work_queue(&event->pending_irq) <======= </NMI> perf_event_task_sched_out() event_sched_out() event->pending_sigtrap = 0; atomic_long_inc_not_zero(&event->refcount) task_work_add(&event->pending_task) finish_lock_switch() =======> <IRQ> perf_pending_irq() //do nothing, rely on pending task work <======= </IRQ> begin_new_exec() perf_event_exit_task() perf_event_exit_event() // If is child event free_event() WARN(atomic_long_cmpxchg(&event->refcount, 1, 0) != 1) // event is leaked Similar scenarios can also happen with perf_event_remove_on_exec() or simply against concurrent perf_event_release(). Fix this with synchonizing against the possibly remaining pending task work while freeing the event, just like is done with remaining pending IRQ work. This means that the pending task callback neither need nor should hold a reference to the event, preventing it from ever beeing freed.

References

URL

Tags

	https://git.kernel.org/stable/c/9ad46f1fef421d43cdab3a7d1744b2f43b54dae0
	https://git.kernel.org/stable/c/ed2c202dac55423a52d7e2290f2888bf08b8ee99
	https://git.kernel.org/stable/c/104e258a004037bc7dba9f6085c71dad6af57ad4
	https://git.kernel.org/stable/c/f34d8307a73a18de5320fcc6f40403146d061891
	https://git.kernel.org/stable/c/3a5465418f5fd970e86a86c7f4075be262682840

Impacted products

Vendor

Product

Version

Linux

Version: 8bffa95ac19ff27c8261904f89d36c7fcf215d59
Version: 517e6a301f34613bff24a8e35b5455884f2d83d8
Version: 517e6a301f34613bff24a8e35b5455884f2d83d8
Version: 517e6a301f34613bff24a8e35b5455884f2d83d8
Version: 517e6a301f34613bff24a8e35b5455884f2d83d8
Version: 78e1317a174edbfd1182599bf76c092a2877672c

Linux

Version: 6.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-43869",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T16:06:26.274126Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-12T17:33:18.868Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T22:06:17.395Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/linux/perf_event.h",
            "kernel/events/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "9ad46f1fef421d43cdab3a7d1744b2f43b54dae0",
              "status": "affected",
              "version": "8bffa95ac19ff27c8261904f89d36c7fcf215d59",
              "versionType": "git"
            },
            {
              "lessThan": "ed2c202dac55423a52d7e2290f2888bf08b8ee99",
              "status": "affected",
              "version": "517e6a301f34613bff24a8e35b5455884f2d83d8",
              "versionType": "git"
            },
            {
              "lessThan": "104e258a004037bc7dba9f6085c71dad6af57ad4",
              "status": "affected",
              "version": "517e6a301f34613bff24a8e35b5455884f2d83d8",
              "versionType": "git"
            },
            {
              "lessThan": "f34d8307a73a18de5320fcc6f40403146d061891",
              "status": "affected",
              "version": "517e6a301f34613bff24a8e35b5455884f2d83d8",
              "versionType": "git"
            },
            {
              "lessThan": "3a5465418f5fd970e86a86c7f4075be262682840",
              "status": "affected",
              "version": "517e6a301f34613bff24a8e35b5455884f2d83d8",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "78e1317a174edbfd1182599bf76c092a2877672c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/linux/perf_event.h",
            "kernel/events/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.1"
            },
            {
              "lessThan": "6.1",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.165",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.103",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.44",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.10.*",
              "status": "unaffected",
              "version": "6.10.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.11",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.165",
                  "versionStartIncluding": "5.15.84",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.103",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.44",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.10.3",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.11",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.0.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: Fix event leak upon exec and file release\n\nThe perf pending task work is never waited upon the matching event\nrelease. In the case of a child event, released via free_event()\ndirectly, this can potentially result in a leaked event, such as in the\nfollowing scenario that doesn\u0027t even require a weak IRQ work\nimplementation to trigger:\n\nschedule()\n   prepare_task_switch()\n=======\u003e \u003cNMI\u003e\n      perf_event_overflow()\n         event-\u003epending_sigtrap = ...\n         irq_work_queue(\u0026event-\u003epending_irq)\n\u003c======= \u003c/NMI\u003e\n      perf_event_task_sched_out()\n          event_sched_out()\n              event-\u003epending_sigtrap = 0;\n              atomic_long_inc_not_zero(\u0026event-\u003erefcount)\n              task_work_add(\u0026event-\u003epending_task)\n   finish_lock_switch()\n=======\u003e \u003cIRQ\u003e\n   perf_pending_irq()\n      //do nothing, rely on pending task work\n\u003c======= \u003c/IRQ\u003e\n\nbegin_new_exec()\n   perf_event_exit_task()\n      perf_event_exit_event()\n         // If is child event\n         free_event()\n            WARN(atomic_long_cmpxchg(\u0026event-\u003erefcount, 1, 0) != 1)\n            // event is leaked\n\nSimilar scenarios can also happen with perf_event_remove_on_exec() or\nsimply against concurrent perf_event_release().\n\nFix this with synchonizing against the possibly remaining pending task\nwork while freeing the event, just like is done with remaining pending\nIRQ work. This means that the pending task callback neither need nor\nshould hold a reference to the event, preventing it from ever beeing\nfreed."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T12:58:15.693Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/9ad46f1fef421d43cdab3a7d1744b2f43b54dae0"
        },
        {
          "url": "https://git.kernel.org/stable/c/ed2c202dac55423a52d7e2290f2888bf08b8ee99"
        },
        {
          "url": "https://git.kernel.org/stable/c/104e258a004037bc7dba9f6085c71dad6af57ad4"
        },
        {
          "url": "https://git.kernel.org/stable/c/f34d8307a73a18de5320fcc6f40403146d061891"
        },
        {
          "url": "https://git.kernel.org/stable/c/3a5465418f5fd970e86a86c7f4075be262682840"
        }
      ],
      "title": "perf: Fix event leak upon exec and file release",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-43869",
    "datePublished": "2024-08-21T00:06:20.807Z",
    "dateReserved": "2024-08-17T09:11:59.280Z",
    "dateUpdated": "2025-11-03T22:06:17.395Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-37781 (GCVE-0-2025-37781)

Vulnerability from cvelistv5

Published

2025-05-01 13:07

Modified

2025-11-03 19:55

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: i2c: cros-ec-tunnel: defer probe if parent EC is not present When i2c-cros-ec-tunnel and the EC driver are built-in, the EC parent device will not be found, leading to NULL pointer dereference. That can also be reproduced by unbinding the controller driver and then loading i2c-cros-ec-tunnel module (or binding the device). [ 271.991245] BUG: kernel NULL pointer dereference, address: 0000000000000058 [ 271.998215] #PF: supervisor read access in kernel mode [ 272.003351] #PF: error_code(0x0000) - not-present page [ 272.008485] PGD 0 P4D 0 [ 272.011022] Oops: Oops: 0000 [#1] SMP NOPTI [ 272.015207] CPU: 0 UID: 0 PID: 3859 Comm: insmod Tainted: G S 6.15.0-rc1-00004-g44722359ed83 #30 PREEMPT(full) 3c7fb39a552e7d949de2ad921a7d6588d3a4fdc5 [ 272.030312] Tainted: [S]=CPU_OUT_OF_SPEC [ 272.034233] Hardware name: HP Berknip/Berknip, BIOS Google_Berknip.13434.356.0 05/17/2021 [ 272.042400] RIP: 0010:ec_i2c_probe+0x2b/0x1c0 [i2c_cros_ec_tunnel] [ 272.048577] Code: 1f 44 00 00 41 57 41 56 41 55 41 54 53 48 83 ec 10 65 48 8b 05 06 a0 6c e7 48 89 44 24 08 4c 8d 7f 10 48 8b 47 50 4c 8b 60 78 <49> 83 7c 24 58 00 0f 84 2f 01 00 00 48 89 fb be 30 06 00 00 4c 9 [ 272.067317] RSP: 0018:ffffa32082a03940 EFLAGS: 00010282 [ 272.072541] RAX: ffff969580b6a810 RBX: ffff969580b68c10 RCX: 0000000000000000 [ 272.079672] RDX: 0000000000000000 RSI: 0000000000000282 RDI: ffff969580b68c00 [ 272.086804] RBP: 00000000fffffdfb R08: 0000000000000000 R09: 0000000000000000 [ 272.093936] R10: 0000000000000000 R11: ffffffffc0600000 R12: 0000000000000000 [ 272.101067] R13: ffffffffa666fbb8 R14: ffffffffc05b5528 R15: ffff969580b68c10 [ 272.108198] FS: 00007b930906fc40(0000) GS:ffff969603149000(0000) knlGS:0000000000000000 [ 272.116282] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 272.122024] CR2: 0000000000000058 CR3: 000000012631c000 CR4: 00000000003506f0 [ 272.129155] Call Trace: [ 272.131606] <TASK> [ 272.133709] ? acpi_dev_pm_attach+0xdd/0x110 [ 272.137985] platform_probe+0x69/0xa0 [ 272.141652] really_probe+0x152/0x310 [ 272.145318] __driver_probe_device+0x77/0x110 [ 272.149678] driver_probe_device+0x1e/0x190 [ 272.153864] __driver_attach+0x10b/0x1e0 [ 272.157790] ? driver_attach+0x20/0x20 [ 272.161542] bus_for_each_dev+0x107/0x150 [ 272.165553] bus_add_driver+0x15d/0x270 [ 272.169392] driver_register+0x65/0x110 [ 272.173232] ? cleanup_module+0xa80/0xa80 [i2c_cros_ec_tunnel 3a00532f3f4af4a9eade753f86b0f8dd4e4e5698] [ 272.182617] do_one_initcall+0x110/0x350 [ 272.186543] ? security_kernfs_init_security+0x49/0xd0 [ 272.191682] ? __kernfs_new_node+0x1b9/0x240 [ 272.195954] ? security_kernfs_init_security+0x49/0xd0 [ 272.201093] ? __kernfs_new_node+0x1b9/0x240 [ 272.205365] ? kernfs_link_sibling+0x105/0x130 [ 272.209810] ? kernfs_next_descendant_post+0x1c/0xa0 [ 272.214773] ? kernfs_activate+0x57/0x70 [ 272.218699] ? kernfs_add_one+0x118/0x160 [ 272.222710] ? __kernfs_create_file+0x71/0xa0 [ 272.227069] ? sysfs_add_bin_file_mode_ns+0xd6/0x110 [ 272.232033] ? internal_create_group+0x453/0x4a0 [ 272.236651] ? __vunmap_range_noflush+0x214/0x2d0 [ 272.241355] ? __free_frozen_pages+0x1dc/0x420 [ 272.245799] ? free_vmap_area_noflush+0x10a/0x1c0 [ 272.250505] ? load_module+0x1509/0x16f0 [ 272.254431] do_init_module+0x60/0x230 [ 272.258181] __se_sys_finit_module+0x27a/0x370 [ 272.262627] do_syscall_64+0x6a/0xf0 [ 272.266206] ? do_syscall_64+0x76/0xf0 [ 272.269956] ? irqentry_exit_to_user_mode+0x79/0x90 [ 272.274836] entry_SYSCALL_64_after_hwframe+0x55/0x5d [ 272.279887] RIP: 0033:0x7b9309168d39 [ 272.283466] Code: 5b 41 5c 5d c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d af 40 0c 00 f7 d8 64 89 01 8 [ 272.302210] RSP: 002b:00007fff50f1a288 EFLAGS: 00000246 ORIG_RAX: 000 ---truncated---

References

URL

Tags

	https://git.kernel.org/stable/c/092de5ac8cb2eaa9593a765fa92ba39d8173f984
	https://git.kernel.org/stable/c/b66d4910a608427367c4e21499e149f085782df7
	https://git.kernel.org/stable/c/cd83035b6f2a102c2d5acd3bfb2a11ff967aaba6
	https://git.kernel.org/stable/c/3090cad5ccff8963b95160f4060068048a1e4c4c
	https://git.kernel.org/stable/c/e89bf1311d4497c6743f3021e9c481b16c3a41c9
	https://git.kernel.org/stable/c/1355b5ca4782be85a2ef7275e4c508f770d0fb27
	https://git.kernel.org/stable/c/da8edc9eb2516aface7f86be5fa6d09c0d07b9f8
	https://git.kernel.org/stable/c/424eafe65647a8d6c690284536e711977153195a

Impacted products

Vendor

Product

Version

Linux

Version: 9d230c9e4f4e67cb1c1cb9e0f6142da16b0f2796
Version: 9d230c9e4f4e67cb1c1cb9e0f6142da16b0f2796
Version: 9d230c9e4f4e67cb1c1cb9e0f6142da16b0f2796
Version: 9d230c9e4f4e67cb1c1cb9e0f6142da16b0f2796
Version: 9d230c9e4f4e67cb1c1cb9e0f6142da16b0f2796
Version: 9d230c9e4f4e67cb1c1cb9e0f6142da16b0f2796
Version: 9d230c9e4f4e67cb1c1cb9e0f6142da16b0f2796
Version: 9d230c9e4f4e67cb1c1cb9e0f6142da16b0f2796

Linux

Version: 3.16

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:55:00.980Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/i2c/busses/i2c-cros-ec-tunnel.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "092de5ac8cb2eaa9593a765fa92ba39d8173f984",
              "status": "affected",
              "version": "9d230c9e4f4e67cb1c1cb9e0f6142da16b0f2796",
              "versionType": "git"
            },
            {
              "lessThan": "b66d4910a608427367c4e21499e149f085782df7",
              "status": "affected",
              "version": "9d230c9e4f4e67cb1c1cb9e0f6142da16b0f2796",
              "versionType": "git"
            },
            {
              "lessThan": "cd83035b6f2a102c2d5acd3bfb2a11ff967aaba6",
              "status": "affected",
              "version": "9d230c9e4f4e67cb1c1cb9e0f6142da16b0f2796",
              "versionType": "git"
            },
            {
              "lessThan": "3090cad5ccff8963b95160f4060068048a1e4c4c",
              "status": "affected",
              "version": "9d230c9e4f4e67cb1c1cb9e0f6142da16b0f2796",
              "versionType": "git"
            },
            {
              "lessThan": "e89bf1311d4497c6743f3021e9c481b16c3a41c9",
              "status": "affected",
              "version": "9d230c9e4f4e67cb1c1cb9e0f6142da16b0f2796",
              "versionType": "git"
            },
            {
              "lessThan": "1355b5ca4782be85a2ef7275e4c508f770d0fb27",
              "status": "affected",
              "version": "9d230c9e4f4e67cb1c1cb9e0f6142da16b0f2796",
              "versionType": "git"
            },
            {
              "lessThan": "da8edc9eb2516aface7f86be5fa6d09c0d07b9f8",
              "status": "affected",
              "version": "9d230c9e4f4e67cb1c1cb9e0f6142da16b0f2796",
              "versionType": "git"
            },
            {
              "lessThan": "424eafe65647a8d6c690284536e711977153195a",
              "status": "affected",
              "version": "9d230c9e4f4e67cb1c1cb9e0f6142da16b0f2796",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/i2c/busses/i2c-cros-ec-tunnel.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.16"
            },
            {
              "lessThan": "3.16",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.293",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.237",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.181",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.135",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.25",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.293",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.237",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.181",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.135",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.88",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.25",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.4",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: cros-ec-tunnel: defer probe if parent EC is not present\n\nWhen i2c-cros-ec-tunnel and the EC driver are built-in, the EC parent\ndevice will not be found, leading to NULL pointer dereference.\n\nThat can also be reproduced by unbinding the controller driver and then\nloading i2c-cros-ec-tunnel module (or binding the device).\n\n[  271.991245] BUG: kernel NULL pointer dereference, address: 0000000000000058\n[  271.998215] #PF: supervisor read access in kernel mode\n[  272.003351] #PF: error_code(0x0000) - not-present page\n[  272.008485] PGD 0 P4D 0\n[  272.011022] Oops: Oops: 0000 [#1] SMP NOPTI\n[  272.015207] CPU: 0 UID: 0 PID: 3859 Comm: insmod Tainted: G S                  6.15.0-rc1-00004-g44722359ed83 #30 PREEMPT(full)  3c7fb39a552e7d949de2ad921a7d6588d3a4fdc5\n[  272.030312] Tainted: [S]=CPU_OUT_OF_SPEC\n[  272.034233] Hardware name: HP Berknip/Berknip, BIOS Google_Berknip.13434.356.0 05/17/2021\n[  272.042400] RIP: 0010:ec_i2c_probe+0x2b/0x1c0 [i2c_cros_ec_tunnel]\n[  272.048577] Code: 1f 44 00 00 41 57 41 56 41 55 41 54 53 48 83 ec 10 65 48 8b 05 06 a0 6c e7 48 89 44 24 08 4c 8d 7f 10 48 8b 47 50 4c 8b 60 78 \u003c49\u003e 83 7c 24 58 00 0f 84 2f 01 00 00 48 89 fb be 30 06 00 00 4c 9\n[  272.067317] RSP: 0018:ffffa32082a03940 EFLAGS: 00010282\n[  272.072541] RAX: ffff969580b6a810 RBX: ffff969580b68c10 RCX: 0000000000000000\n[  272.079672] RDX: 0000000000000000 RSI: 0000000000000282 RDI: ffff969580b68c00\n[  272.086804] RBP: 00000000fffffdfb R08: 0000000000000000 R09: 0000000000000000\n[  272.093936] R10: 0000000000000000 R11: ffffffffc0600000 R12: 0000000000000000\n[  272.101067] R13: ffffffffa666fbb8 R14: ffffffffc05b5528 R15: ffff969580b68c10\n[  272.108198] FS:  00007b930906fc40(0000) GS:ffff969603149000(0000) knlGS:0000000000000000\n[  272.116282] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  272.122024] CR2: 0000000000000058 CR3: 000000012631c000 CR4: 00000000003506f0\n[  272.129155] Call Trace:\n[  272.131606]  \u003cTASK\u003e\n[  272.133709]  ? acpi_dev_pm_attach+0xdd/0x110\n[  272.137985]  platform_probe+0x69/0xa0\n[  272.141652]  really_probe+0x152/0x310\n[  272.145318]  __driver_probe_device+0x77/0x110\n[  272.149678]  driver_probe_device+0x1e/0x190\n[  272.153864]  __driver_attach+0x10b/0x1e0\n[  272.157790]  ? driver_attach+0x20/0x20\n[  272.161542]  bus_for_each_dev+0x107/0x150\n[  272.165553]  bus_add_driver+0x15d/0x270\n[  272.169392]  driver_register+0x65/0x110\n[  272.173232]  ? cleanup_module+0xa80/0xa80 [i2c_cros_ec_tunnel 3a00532f3f4af4a9eade753f86b0f8dd4e4e5698]\n[  272.182617]  do_one_initcall+0x110/0x350\n[  272.186543]  ? security_kernfs_init_security+0x49/0xd0\n[  272.191682]  ? __kernfs_new_node+0x1b9/0x240\n[  272.195954]  ? security_kernfs_init_security+0x49/0xd0\n[  272.201093]  ? __kernfs_new_node+0x1b9/0x240\n[  272.205365]  ? kernfs_link_sibling+0x105/0x130\n[  272.209810]  ? kernfs_next_descendant_post+0x1c/0xa0\n[  272.214773]  ? kernfs_activate+0x57/0x70\n[  272.218699]  ? kernfs_add_one+0x118/0x160\n[  272.222710]  ? __kernfs_create_file+0x71/0xa0\n[  272.227069]  ? sysfs_add_bin_file_mode_ns+0xd6/0x110\n[  272.232033]  ? internal_create_group+0x453/0x4a0\n[  272.236651]  ? __vunmap_range_noflush+0x214/0x2d0\n[  272.241355]  ? __free_frozen_pages+0x1dc/0x420\n[  272.245799]  ? free_vmap_area_noflush+0x10a/0x1c0\n[  272.250505]  ? load_module+0x1509/0x16f0\n[  272.254431]  do_init_module+0x60/0x230\n[  272.258181]  __se_sys_finit_module+0x27a/0x370\n[  272.262627]  do_syscall_64+0x6a/0xf0\n[  272.266206]  ? do_syscall_64+0x76/0xf0\n[  272.269956]  ? irqentry_exit_to_user_mode+0x79/0x90\n[  272.274836]  entry_SYSCALL_64_after_hwframe+0x55/0x5d\n[  272.279887] RIP: 0033:0x7b9309168d39\n[  272.283466] Code: 5b 41 5c 5d c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 8b 0d af 40 0c 00 f7 d8 64 89 01 8\n[  272.302210] RSP: 002b:00007fff50f1a288 EFLAGS: 00000246 ORIG_RAX: 000\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:20:45.177Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/092de5ac8cb2eaa9593a765fa92ba39d8173f984"
        },
        {
          "url": "https://git.kernel.org/stable/c/b66d4910a608427367c4e21499e149f085782df7"
        },
        {
          "url": "https://git.kernel.org/stable/c/cd83035b6f2a102c2d5acd3bfb2a11ff967aaba6"
        },
        {
          "url": "https://git.kernel.org/stable/c/3090cad5ccff8963b95160f4060068048a1e4c4c"
        },
        {
          "url": "https://git.kernel.org/stable/c/e89bf1311d4497c6743f3021e9c481b16c3a41c9"
        },
        {
          "url": "https://git.kernel.org/stable/c/1355b5ca4782be85a2ef7275e4c508f770d0fb27"
        },
        {
          "url": "https://git.kernel.org/stable/c/da8edc9eb2516aface7f86be5fa6d09c0d07b9f8"
        },
        {
          "url": "https://git.kernel.org/stable/c/424eafe65647a8d6c690284536e711977153195a"
        }
      ],
      "title": "i2c: cros-ec-tunnel: defer probe if parent EC is not present",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37781",
    "datePublished": "2025-05-01T13:07:18.390Z",
    "dateReserved": "2025-04-16T04:51:23.940Z",
    "dateUpdated": "2025-11-03T19:55:00.980Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38272 (GCVE-0-2025-38272)

Vulnerability from cvelistv5

Published

2025-07-10 07:41

Modified

2025-09-09 17:06

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: net: dsa: b53: do not enable EEE on bcm63xx BCM63xx internal switches do not support EEE, but provide multiple RGMII ports where external PHYs may be connected. If one of these PHYs are EEE capable, we may try to enable EEE for the MACs, which then hangs the system on access of the (non-existent) EEE registers. Fix this by checking if the switch actually supports EEE before attempting to configure it.

References

URL

Tags

	https://git.kernel.org/stable/c/3fbe3f4c57fda09f32e13fa05f53a0cc6f500619
	https://git.kernel.org/stable/c/2dbccf1eb8c04b84ee3afdb1d6b787db02e7befc
	https://git.kernel.org/stable/c/1237c2d4a8db79dfd4369bff6930b0e385ed7d5c

Impacted products

Vendor

Product

Version

Linux

Version: 22256b0afb12333571ad11799fa68fd27e4f4e80
Version: 22256b0afb12333571ad11799fa68fd27e4f4e80
Version: 22256b0afb12333571ad11799fa68fd27e4f4e80

Linux

Version: 4.15

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/dsa/b53/b53_common.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3fbe3f4c57fda09f32e13fa05f53a0cc6f500619",
              "status": "affected",
              "version": "22256b0afb12333571ad11799fa68fd27e4f4e80",
              "versionType": "git"
            },
            {
              "lessThan": "2dbccf1eb8c04b84ee3afdb1d6b787db02e7befc",
              "status": "affected",
              "version": "22256b0afb12333571ad11799fa68fd27e4f4e80",
              "versionType": "git"
            },
            {
              "lessThan": "1237c2d4a8db79dfd4369bff6930b0e385ed7d5c",
              "status": "affected",
              "version": "22256b0afb12333571ad11799fa68fd27e4f4e80",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/dsa/b53/b53_common.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.15"
            },
            {
              "lessThan": "4.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.46",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.46",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: b53: do not enable EEE on bcm63xx\n\nBCM63xx internal switches do not support EEE, but provide multiple RGMII\nports where external PHYs may be connected. If one of these PHYs are EEE\ncapable, we may try to enable EEE for the MACs, which then hangs the\nsystem on access of the (non-existent) EEE registers.\n\nFix this by checking if the switch actually supports EEE before\nattempting to configure it."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-09T17:06:09.953Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3fbe3f4c57fda09f32e13fa05f53a0cc6f500619"
        },
        {
          "url": "https://git.kernel.org/stable/c/2dbccf1eb8c04b84ee3afdb1d6b787db02e7befc"
        },
        {
          "url": "https://git.kernel.org/stable/c/1237c2d4a8db79dfd4369bff6930b0e385ed7d5c"
        }
      ],
      "title": "net: dsa: b53: do not enable EEE on bcm63xx",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38272",
    "datePublished": "2025-07-10T07:41:53.766Z",
    "dateReserved": "2025-04-16T04:51:23.998Z",
    "dateUpdated": "2025-09-09T17:06:09.953Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38476 (GCVE-0-2025-38476)

Vulnerability from cvelistv5

Published

2025-07-28 11:21

Modified

2025-11-03 17:38

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: rpl: Fix use-after-free in rpl_do_srh_inline(). Running lwt_dst_cache_ref_loop.sh in selftest with KASAN triggers the splat below [0]. rpl_do_srh_inline() fetches ipv6_hdr(skb) and accesses it after skb_cow_head(), which is illegal as the header could be freed then. Let's fix it by making oldhdr to a local struct instead of a pointer. [0]: [root@fedora net]# ./lwt_dst_cache_ref_loop.sh ... TEST: rpl (input) [ 57.631529] ================================================================== BUG: KASAN: slab-use-after-free in rpl_do_srh_inline.isra.0 (net/ipv6/rpl_iptunnel.c:174) Read of size 40 at addr ffff888122bf96d8 by task ping6/1543 CPU: 50 UID: 0 PID: 1543 Comm: ping6 Not tainted 6.16.0-rc5-01302-gfadd1e6231b1 #23 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: <IRQ> dump_stack_lvl (lib/dump_stack.c:122) print_report (mm/kasan/report.c:409 mm/kasan/report.c:521) kasan_report (mm/kasan/report.c:221 mm/kasan/report.c:636) kasan_check_range (mm/kasan/generic.c:175 (discriminator 1) mm/kasan/generic.c:189 (discriminator 1)) __asan_memmove (mm/kasan/shadow.c:94 (discriminator 2)) rpl_do_srh_inline.isra.0 (net/ipv6/rpl_iptunnel.c:174) rpl_input (net/ipv6/rpl_iptunnel.c:201 net/ipv6/rpl_iptunnel.c:282) lwtunnel_input (net/core/lwtunnel.c:459) ipv6_rcv (./include/net/dst.h:471 (discriminator 1) ./include/net/dst.h:469 (discriminator 1) net/ipv6/ip6_input.c:79 (discriminator 1) ./include/linux/netfilter.h:317 (discriminator 1) ./include/linux/netfilter.h:311 (discriminator 1) net/ipv6/ip6_input.c:311 (discriminator 1)) __netif_receive_skb_one_core (net/core/dev.c:5967) process_backlog (./include/linux/rcupdate.h:869 net/core/dev.c:6440) __napi_poll.constprop.0 (net/core/dev.c:7452) net_rx_action (net/core/dev.c:7518 net/core/dev.c:7643) handle_softirqs (kernel/softirq.c:579) do_softirq (kernel/softirq.c:480 (discriminator 20)) </IRQ> <TASK> __local_bh_enable_ip (kernel/softirq.c:407) __dev_queue_xmit (net/core/dev.c:4740) ip6_finish_output2 (./include/linux/netdevice.h:3358 ./include/net/neighbour.h:526 ./include/net/neighbour.h:540 net/ipv6/ip6_output.c:141) ip6_finish_output (net/ipv6/ip6_output.c:215 net/ipv6/ip6_output.c:226) ip6_output (./include/linux/netfilter.h:306 net/ipv6/ip6_output.c:248) ip6_send_skb (net/ipv6/ip6_output.c:1983) rawv6_sendmsg (net/ipv6/raw.c:588 net/ipv6/raw.c:918) __sys_sendto (net/socket.c:714 (discriminator 1) net/socket.c:729 (discriminator 1) net/socket.c:2228 (discriminator 1)) __x64_sys_sendto (net/socket.c:2231) do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1)) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) RIP: 0033:0x7f68cffb2a06 Code: 5d e8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 75 19 83 e2 39 83 fa 08 75 11 e8 26 ff ff ff 66 0f 1f 44 00 00 48 8b 45 10 0f 05 <48> 8b 5d f8 c9 c3 0f 1f 40 00 f3 0f 1e fa 55 48 89 e5 48 83 ec 08 RSP: 002b:00007ffefb7c53d0 EFLAGS: 00000202 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 0000564cd69f10a0 RCX: 00007f68cffb2a06 RDX: 0000000000000040 RSI: 0000564cd69f10a4 RDI: 0000000000000003 RBP: 00007ffefb7c53f0 R08: 0000564cd6a032ac R09: 000000000000001c R10: 0000000000000000 R11: 0000000000000202 R12: 0000564cd69f10a4 R13: 0000000000000040 R14: 00007ffefb7c66e0 R15: 0000564cd69f10a0 </TASK> Allocated by task 1543: kasan_save_stack (mm/kasan/common.c:48) kasan_save_track (mm/kasan/common.c:60 (discriminator 1) mm/kasan/common.c:69 (discriminator 1)) __kasan_slab_alloc (mm/kasan/common.c:319 mm/kasan/common.c:345) kmem_cache_alloc_node_noprof (./include/linux/kasan.h:250 mm/slub.c:4148 mm/slub.c:4197 mm/slub.c:4249) kmalloc_reserve (net/core/skbuff.c:581 (discriminator 88)) __alloc_skb (net/core/skbuff.c:669) __ip6_append_data (net/ipv6/ip6_output.c:1672 (discriminator 1)) ip6_ ---truncated---

References

URL

Tags

	https://git.kernel.org/stable/c/c09e21dfc08d8afb92d9ea3bee3457adbe3ef297
	https://git.kernel.org/stable/c/8ba6c2362b85089b8972ac5f20b24fc71a4b8ffc
	https://git.kernel.org/stable/c/e8101506ab86dd78f823b7028f2036a380f3a12a
	https://git.kernel.org/stable/c/62dcd9d6e61c39122d2f251a26829e2e55b0a11d
	https://git.kernel.org/stable/c/06ec83b6c792fde1f710c1de3e836da6e257c4c4
	https://git.kernel.org/stable/c/034b428aa3583373a5a20b1c5931bb2b3cae1f36
	https://git.kernel.org/stable/c/b640daa2822a39ff76e70200cb2b7b892b896dce

Impacted products

Vendor

Product

Version

Linux

Version: a7a29f9c361f8542604ef959ae6627f423b7a412
Version: a7a29f9c361f8542604ef959ae6627f423b7a412
Version: a7a29f9c361f8542604ef959ae6627f423b7a412
Version: a7a29f9c361f8542604ef959ae6627f423b7a412
Version: a7a29f9c361f8542604ef959ae6627f423b7a412
Version: a7a29f9c361f8542604ef959ae6627f423b7a412
Version: a7a29f9c361f8542604ef959ae6627f423b7a412

Linux

Version: 5.7

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:38:42.878Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/ipv6/rpl_iptunnel.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c09e21dfc08d8afb92d9ea3bee3457adbe3ef297",
              "status": "affected",
              "version": "a7a29f9c361f8542604ef959ae6627f423b7a412",
              "versionType": "git"
            },
            {
              "lessThan": "8ba6c2362b85089b8972ac5f20b24fc71a4b8ffc",
              "status": "affected",
              "version": "a7a29f9c361f8542604ef959ae6627f423b7a412",
              "versionType": "git"
            },
            {
              "lessThan": "e8101506ab86dd78f823b7028f2036a380f3a12a",
              "status": "affected",
              "version": "a7a29f9c361f8542604ef959ae6627f423b7a412",
              "versionType": "git"
            },
            {
              "lessThan": "62dcd9d6e61c39122d2f251a26829e2e55b0a11d",
              "status": "affected",
              "version": "a7a29f9c361f8542604ef959ae6627f423b7a412",
              "versionType": "git"
            },
            {
              "lessThan": "06ec83b6c792fde1f710c1de3e836da6e257c4c4",
              "status": "affected",
              "version": "a7a29f9c361f8542604ef959ae6627f423b7a412",
              "versionType": "git"
            },
            {
              "lessThan": "034b428aa3583373a5a20b1c5931bb2b3cae1f36",
              "status": "affected",
              "version": "a7a29f9c361f8542604ef959ae6627f423b7a412",
              "versionType": "git"
            },
            {
              "lessThan": "b640daa2822a39ff76e70200cb2b7b892b896dce",
              "status": "affected",
              "version": "a7a29f9c361f8542604ef959ae6627f423b7a412",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/ipv6/rpl_iptunnel.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.7"
            },
            {
              "lessThan": "5.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.241",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.147",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.100",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.40",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.241",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.147",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.100",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.40",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.8",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrpl: Fix use-after-free in rpl_do_srh_inline().\n\nRunning lwt_dst_cache_ref_loop.sh in selftest with KASAN triggers\nthe splat below [0].\n\nrpl_do_srh_inline() fetches ipv6_hdr(skb) and accesses it after\nskb_cow_head(), which is illegal as the header could be freed then.\n\nLet\u0027s fix it by making oldhdr to a local struct instead of a pointer.\n\n[0]:\n[root@fedora net]# ./lwt_dst_cache_ref_loop.sh\n...\nTEST: rpl (input)\n[   57.631529] ==================================================================\nBUG: KASAN: slab-use-after-free in rpl_do_srh_inline.isra.0 (net/ipv6/rpl_iptunnel.c:174)\nRead of size 40 at addr ffff888122bf96d8 by task ping6/1543\n\nCPU: 50 UID: 0 PID: 1543 Comm: ping6 Not tainted 6.16.0-rc5-01302-gfadd1e6231b1 #23 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\nCall Trace:\n \u003cIRQ\u003e\n dump_stack_lvl (lib/dump_stack.c:122)\n print_report (mm/kasan/report.c:409 mm/kasan/report.c:521)\n kasan_report (mm/kasan/report.c:221 mm/kasan/report.c:636)\n kasan_check_range (mm/kasan/generic.c:175 (discriminator 1) mm/kasan/generic.c:189 (discriminator 1))\n __asan_memmove (mm/kasan/shadow.c:94 (discriminator 2))\n rpl_do_srh_inline.isra.0 (net/ipv6/rpl_iptunnel.c:174)\n rpl_input (net/ipv6/rpl_iptunnel.c:201 net/ipv6/rpl_iptunnel.c:282)\n lwtunnel_input (net/core/lwtunnel.c:459)\n ipv6_rcv (./include/net/dst.h:471 (discriminator 1) ./include/net/dst.h:469 (discriminator 1) net/ipv6/ip6_input.c:79 (discriminator 1) ./include/linux/netfilter.h:317 (discriminator 1) ./include/linux/netfilter.h:311 (discriminator 1) net/ipv6/ip6_input.c:311 (discriminator 1))\n __netif_receive_skb_one_core (net/core/dev.c:5967)\n process_backlog (./include/linux/rcupdate.h:869 net/core/dev.c:6440)\n __napi_poll.constprop.0 (net/core/dev.c:7452)\n net_rx_action (net/core/dev.c:7518 net/core/dev.c:7643)\n handle_softirqs (kernel/softirq.c:579)\n do_softirq (kernel/softirq.c:480 (discriminator 20))\n \u003c/IRQ\u003e\n \u003cTASK\u003e\n __local_bh_enable_ip (kernel/softirq.c:407)\n __dev_queue_xmit (net/core/dev.c:4740)\n ip6_finish_output2 (./include/linux/netdevice.h:3358 ./include/net/neighbour.h:526 ./include/net/neighbour.h:540 net/ipv6/ip6_output.c:141)\n ip6_finish_output (net/ipv6/ip6_output.c:215 net/ipv6/ip6_output.c:226)\n ip6_output (./include/linux/netfilter.h:306 net/ipv6/ip6_output.c:248)\n ip6_send_skb (net/ipv6/ip6_output.c:1983)\n rawv6_sendmsg (net/ipv6/raw.c:588 net/ipv6/raw.c:918)\n __sys_sendto (net/socket.c:714 (discriminator 1) net/socket.c:729 (discriminator 1) net/socket.c:2228 (discriminator 1))\n __x64_sys_sendto (net/socket.c:2231)\n do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\nRIP: 0033:0x7f68cffb2a06\nCode: 5d e8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 75 19 83 e2 39 83 fa 08 75 11 e8 26 ff ff ff 66 0f 1f 44 00 00 48 8b 45 10 0f 05 \u003c48\u003e 8b 5d f8 c9 c3 0f 1f 40 00 f3 0f 1e fa 55 48 89 e5 48 83 ec 08\nRSP: 002b:00007ffefb7c53d0 EFLAGS: 00000202 ORIG_RAX: 000000000000002c\nRAX: ffffffffffffffda RBX: 0000564cd69f10a0 RCX: 00007f68cffb2a06\nRDX: 0000000000000040 RSI: 0000564cd69f10a4 RDI: 0000000000000003\nRBP: 00007ffefb7c53f0 R08: 0000564cd6a032ac R09: 000000000000001c\nR10: 0000000000000000 R11: 0000000000000202 R12: 0000564cd69f10a4\nR13: 0000000000000040 R14: 00007ffefb7c66e0 R15: 0000564cd69f10a0\n \u003c/TASK\u003e\n\nAllocated by task 1543:\n kasan_save_stack (mm/kasan/common.c:48)\n kasan_save_track (mm/kasan/common.c:60 (discriminator 1) mm/kasan/common.c:69 (discriminator 1))\n __kasan_slab_alloc (mm/kasan/common.c:319 mm/kasan/common.c:345)\n kmem_cache_alloc_node_noprof (./include/linux/kasan.h:250 mm/slub.c:4148 mm/slub.c:4197 mm/slub.c:4249)\n kmalloc_reserve (net/core/skbuff.c:581 (discriminator 88))\n __alloc_skb (net/core/skbuff.c:669)\n __ip6_append_data (net/ipv6/ip6_output.c:1672 (discriminator 1))\n ip6_\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-28T14:43:12.901Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c09e21dfc08d8afb92d9ea3bee3457adbe3ef297"
        },
        {
          "url": "https://git.kernel.org/stable/c/8ba6c2362b85089b8972ac5f20b24fc71a4b8ffc"
        },
        {
          "url": "https://git.kernel.org/stable/c/e8101506ab86dd78f823b7028f2036a380f3a12a"
        },
        {
          "url": "https://git.kernel.org/stable/c/62dcd9d6e61c39122d2f251a26829e2e55b0a11d"
        },
        {
          "url": "https://git.kernel.org/stable/c/06ec83b6c792fde1f710c1de3e836da6e257c4c4"
        },
        {
          "url": "https://git.kernel.org/stable/c/034b428aa3583373a5a20b1c5931bb2b3cae1f36"
        },
        {
          "url": "https://git.kernel.org/stable/c/b640daa2822a39ff76e70200cb2b7b892b896dce"
        }
      ],
      "title": "rpl: Fix use-after-free in rpl_do_srh_inline().",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38476",
    "datePublished": "2025-07-28T11:21:37.175Z",
    "dateReserved": "2025-04-16T04:51:24.021Z",
    "dateUpdated": "2025-11-03T17:38:42.878Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38102 (GCVE-0-2025-38102)

Vulnerability from cvelistv5

Published

2025-07-03 08:35

Modified

2025-11-03 17:34

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify During our test, it is found that a warning can be trigger in try_grab_folio as follow: ------------[ cut here ]------------ WARNING: CPU: 0 PID: 1678 at mm/gup.c:147 try_grab_folio+0x106/0x130 Modules linked in: CPU: 0 UID: 0 PID: 1678 Comm: syz.3.31 Not tainted 6.15.0-rc5 #163 PREEMPT(undef) RIP: 0010:try_grab_folio+0x106/0x130 Call Trace: <TASK> follow_huge_pmd+0x240/0x8e0 follow_pmd_mask.constprop.0.isra.0+0x40b/0x5c0 follow_pud_mask.constprop.0.isra.0+0x14a/0x170 follow_page_mask+0x1c2/0x1f0 __get_user_pages+0x176/0x950 __gup_longterm_locked+0x15b/0x1060 ? gup_fast+0x120/0x1f0 gup_fast_fallback+0x17e/0x230 get_user_pages_fast+0x5f/0x80 vmci_host_unlocked_ioctl+0x21c/0xf80 RIP: 0033:0x54d2cd ---[ end trace 0000000000000000 ]--- Digging into the source, context->notify_page may init by get_user_pages_fast and can be seen in vmci_ctx_unset_notify which will try to put_page. However get_user_pages_fast is not finished here and lead to following try_grab_folio warning. The race condition is shown as follow: cpu0 cpu1 vmci_host_do_set_notify vmci_host_setup_notify get_user_pages_fast(uva, 1, FOLL_WRITE, &context->notify_page); lockless_pages_from_mm gup_pgd_range gup_huge_pmd // update &context->notify_page vmci_host_do_set_notify vmci_ctx_unset_notify notify_page = context->notify_page; if (notify_page) put_page(notify_page); // page is freed __gup_longterm_locked __get_user_pages follow_trans_huge_pmd try_grab_folio // warn here To slove this, use local variable page to make notify_page can be seen after finish get_user_pages_fast.

References

URL

Tags

	https://git.kernel.org/stable/c/74095bbbb19ca74a0368d857603a2438c88ca86c
	https://git.kernel.org/stable/c/468aec888f838ce5174b96e0cb4396790d6f60ca
	https://git.kernel.org/stable/c/b4209e4b778e4e57d0636e1c9fc07a924dbc6043
	https://git.kernel.org/stable/c/58a90db70aa6616411e5f69d1982d9b1dd97d774
	https://git.kernel.org/stable/c/6e3af836805ed1d7a699f76ec798626198917aa4
	https://git.kernel.org/stable/c/00ddc7dad55b7bbb78df80d6e174d0c4764dea0c
	https://git.kernel.org/stable/c/75b5313c80c39a26d27cbb602f968a05576c36f9
	https://git.kernel.org/stable/c/1bd6406fb5f36c2bb1e96e27d4c3e9f4d09edde4

Impacted products

Vendor

Product

Version

Linux

Version: a1d88436d53a75e950db15834b3d2f8c0c358fdc
Version: a1d88436d53a75e950db15834b3d2f8c0c358fdc
Version: a1d88436d53a75e950db15834b3d2f8c0c358fdc
Version: a1d88436d53a75e950db15834b3d2f8c0c358fdc
Version: a1d88436d53a75e950db15834b3d2f8c0c358fdc
Version: a1d88436d53a75e950db15834b3d2f8c0c358fdc
Version: a1d88436d53a75e950db15834b3d2f8c0c358fdc
Version: a1d88436d53a75e950db15834b3d2f8c0c358fdc

Linux

Version: 4.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:34:05.919Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/misc/vmw_vmci/vmci_host.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "74095bbbb19ca74a0368d857603a2438c88ca86c",
              "status": "affected",
              "version": "a1d88436d53a75e950db15834b3d2f8c0c358fdc",
              "versionType": "git"
            },
            {
              "lessThan": "468aec888f838ce5174b96e0cb4396790d6f60ca",
              "status": "affected",
              "version": "a1d88436d53a75e950db15834b3d2f8c0c358fdc",
              "versionType": "git"
            },
            {
              "lessThan": "b4209e4b778e4e57d0636e1c9fc07a924dbc6043",
              "status": "affected",
              "version": "a1d88436d53a75e950db15834b3d2f8c0c358fdc",
              "versionType": "git"
            },
            {
              "lessThan": "58a90db70aa6616411e5f69d1982d9b1dd97d774",
              "status": "affected",
              "version": "a1d88436d53a75e950db15834b3d2f8c0c358fdc",
              "versionType": "git"
            },
            {
              "lessThan": "6e3af836805ed1d7a699f76ec798626198917aa4",
              "status": "affected",
              "version": "a1d88436d53a75e950db15834b3d2f8c0c358fdc",
              "versionType": "git"
            },
            {
              "lessThan": "00ddc7dad55b7bbb78df80d6e174d0c4764dea0c",
              "status": "affected",
              "version": "a1d88436d53a75e950db15834b3d2f8c0c358fdc",
              "versionType": "git"
            },
            {
              "lessThan": "75b5313c80c39a26d27cbb602f968a05576c36f9",
              "status": "affected",
              "version": "a1d88436d53a75e950db15834b3d2f8c0c358fdc",
              "versionType": "git"
            },
            {
              "lessThan": "1bd6406fb5f36c2bb1e96e27d4c3e9f4d09edde4",
              "status": "affected",
              "version": "a1d88436d53a75e950db15834b3d2f8c0c358fdc",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/misc/vmw_vmci/vmci_host.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.0"
            },
            {
              "lessThan": "4.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.296",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.240",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.296",
                  "versionStartIncluding": "4.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.240",
                  "versionStartIncluding": "4.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "4.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "4.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.94",
                  "versionStartIncluding": "4.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "4.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "4.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "4.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nVMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify\n\nDuring our test, it is found that a warning can be trigger in try_grab_folio\nas follow:\n\n  ------------[ cut here ]------------\n  WARNING: CPU: 0 PID: 1678 at mm/gup.c:147 try_grab_folio+0x106/0x130\n  Modules linked in:\n  CPU: 0 UID: 0 PID: 1678 Comm: syz.3.31 Not tainted 6.15.0-rc5 #163 PREEMPT(undef)\n  RIP: 0010:try_grab_folio+0x106/0x130\n  Call Trace:\n   \u003cTASK\u003e\n   follow_huge_pmd+0x240/0x8e0\n   follow_pmd_mask.constprop.0.isra.0+0x40b/0x5c0\n   follow_pud_mask.constprop.0.isra.0+0x14a/0x170\n   follow_page_mask+0x1c2/0x1f0\n   __get_user_pages+0x176/0x950\n   __gup_longterm_locked+0x15b/0x1060\n   ? gup_fast+0x120/0x1f0\n   gup_fast_fallback+0x17e/0x230\n   get_user_pages_fast+0x5f/0x80\n   vmci_host_unlocked_ioctl+0x21c/0xf80\n  RIP: 0033:0x54d2cd\n  ---[ end trace 0000000000000000 ]---\n\nDigging into the source, context-\u003enotify_page may init by get_user_pages_fast\nand can be seen in vmci_ctx_unset_notify which will try to put_page. However\nget_user_pages_fast is not finished here and lead to following\ntry_grab_folio warning. The race condition is shown as follow:\n\ncpu0\t\t\tcpu1\nvmci_host_do_set_notify\nvmci_host_setup_notify\nget_user_pages_fast(uva, 1, FOLL_WRITE, \u0026context-\u003enotify_page);\nlockless_pages_from_mm\ngup_pgd_range\ngup_huge_pmd  // update \u0026context-\u003enotify_page\n\t\t\tvmci_host_do_set_notify\n\t\t\tvmci_ctx_unset_notify\n\t\t\tnotify_page = context-\u003enotify_page;\n\t\t\tif (notify_page)\n\t\t\tput_page(notify_page);\t// page is freed\n__gup_longterm_locked\n__get_user_pages\nfollow_trans_huge_pmd\ntry_grab_folio // warn here\n\nTo slove this, use local variable page to make notify_page can be seen\nafter finish get_user_pages_fast."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:12:16.696Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/74095bbbb19ca74a0368d857603a2438c88ca86c"
        },
        {
          "url": "https://git.kernel.org/stable/c/468aec888f838ce5174b96e0cb4396790d6f60ca"
        },
        {
          "url": "https://git.kernel.org/stable/c/b4209e4b778e4e57d0636e1c9fc07a924dbc6043"
        },
        {
          "url": "https://git.kernel.org/stable/c/58a90db70aa6616411e5f69d1982d9b1dd97d774"
        },
        {
          "url": "https://git.kernel.org/stable/c/6e3af836805ed1d7a699f76ec798626198917aa4"
        },
        {
          "url": "https://git.kernel.org/stable/c/00ddc7dad55b7bbb78df80d6e174d0c4764dea0c"
        },
        {
          "url": "https://git.kernel.org/stable/c/75b5313c80c39a26d27cbb602f968a05576c36f9"
        },
        {
          "url": "https://git.kernel.org/stable/c/1bd6406fb5f36c2bb1e96e27d4c3e9f4d09edde4"
        }
      ],
      "title": "VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38102",
    "datePublished": "2025-07-03T08:35:12.255Z",
    "dateReserved": "2025-04-16T04:51:23.985Z",
    "dateUpdated": "2025-11-03T17:34:05.919Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38182 (GCVE-0-2025-38182)

Vulnerability from cvelistv5

Published

2025-07-04 13:37

Modified

2025-07-28 04:14

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: ublk: santizize the arguments from userspace when adding a device Sanity check the values for queue depth and number of queues we get from userspace when adding a device.

References

URL

Tags

	https://git.kernel.org/stable/c/3162d8235c8c4d585525cee8a59d1c180940a968
	https://git.kernel.org/stable/c/0f8df5d6f25ac17c52a8bc6418e60a3e63130550
	https://git.kernel.org/stable/c/e2b2b7cf6368580114851cb3932f2ad9fbf23386
	https://git.kernel.org/stable/c/8c8472855884355caf3d8e0c50adf825f83454b2

Impacted products

Vendor

Product

Version

Linux

Version: 71f28f3136aff5890cd56de78abc673f8393cad9
Version: 71f28f3136aff5890cd56de78abc673f8393cad9
Version: 71f28f3136aff5890cd56de78abc673f8393cad9
Version: 71f28f3136aff5890cd56de78abc673f8393cad9

Linux

Version: 6.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/block/ublk_drv.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3162d8235c8c4d585525cee8a59d1c180940a968",
              "status": "affected",
              "version": "71f28f3136aff5890cd56de78abc673f8393cad9",
              "versionType": "git"
            },
            {
              "lessThan": "0f8df5d6f25ac17c52a8bc6418e60a3e63130550",
              "status": "affected",
              "version": "71f28f3136aff5890cd56de78abc673f8393cad9",
              "versionType": "git"
            },
            {
              "lessThan": "e2b2b7cf6368580114851cb3932f2ad9fbf23386",
              "status": "affected",
              "version": "71f28f3136aff5890cd56de78abc673f8393cad9",
              "versionType": "git"
            },
            {
              "lessThan": "8c8472855884355caf3d8e0c50adf825f83454b2",
              "status": "affected",
              "version": "71f28f3136aff5890cd56de78abc673f8393cad9",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/block/ublk_drv.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.0"
            },
            {
              "lessThan": "6.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.95",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.35",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.95",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.35",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.4",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nublk: santizize the arguments from userspace when adding a device\n\nSanity check the values for queue depth and number of queues\nwe get from userspace when adding a device."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:14:24.803Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3162d8235c8c4d585525cee8a59d1c180940a968"
        },
        {
          "url": "https://git.kernel.org/stable/c/0f8df5d6f25ac17c52a8bc6418e60a3e63130550"
        },
        {
          "url": "https://git.kernel.org/stable/c/e2b2b7cf6368580114851cb3932f2ad9fbf23386"
        },
        {
          "url": "https://git.kernel.org/stable/c/8c8472855884355caf3d8e0c50adf825f83454b2"
        }
      ],
      "title": "ublk: santizize the arguments from userspace when adding a device",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38182",
    "datePublished": "2025-07-04T13:37:09.637Z",
    "dateReserved": "2025-04-16T04:51:23.992Z",
    "dateUpdated": "2025-07-28T04:14:24.803Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38428 (GCVE-0-2025-38428)

Vulnerability from cvelistv5

Published

2025-07-25 14:16

Modified

2025-11-03 17:37

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: Input: ims-pcu - check record size in ims_pcu_flash_firmware() The "len" variable comes from the firmware and we generally do trust firmware, but it's always better to double check. If the "len" is too large it could result in memory corruption when we do "memcpy(fragment->data, rec->data, len);"

References

URL

Tags

	https://git.kernel.org/stable/c/c1b9d140b0807c6aee4bb53e1bfa4e391e3dc204
	https://git.kernel.org/stable/c/d63706d9f73846106fde28b284f08e01b92ce9f1
	https://git.kernel.org/stable/c/e5a2481dc2a0b430f49276d7482793a8923631d6
	https://git.kernel.org/stable/c/8e03f1c7d50343bf21da54873301bc4fa647479f
	https://git.kernel.org/stable/c/17474a56acf708bf6b2d174c06ed26abad0a9fd6
	https://git.kernel.org/stable/c/5a8cd6ae8393e2eaebf51d420d5374821ef2af87
	https://git.kernel.org/stable/c/74661516daee1eadebede8dc607b6830530096ec
	https://git.kernel.org/stable/c/a95ef0199e80f3384eb992889322957d26c00102

Impacted products

Vendor

Product

Version

Linux

Version: 628329d52474323938a03826941e166bc7c8eff4
Version: 628329d52474323938a03826941e166bc7c8eff4
Version: 628329d52474323938a03826941e166bc7c8eff4
Version: 628329d52474323938a03826941e166bc7c8eff4
Version: 628329d52474323938a03826941e166bc7c8eff4
Version: 628329d52474323938a03826941e166bc7c8eff4
Version: 628329d52474323938a03826941e166bc7c8eff4
Version: 628329d52474323938a03826941e166bc7c8eff4

Linux

Version: 3.10

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:37:57.365Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/input/misc/ims-pcu.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c1b9d140b0807c6aee4bb53e1bfa4e391e3dc204",
              "status": "affected",
              "version": "628329d52474323938a03826941e166bc7c8eff4",
              "versionType": "git"
            },
            {
              "lessThan": "d63706d9f73846106fde28b284f08e01b92ce9f1",
              "status": "affected",
              "version": "628329d52474323938a03826941e166bc7c8eff4",
              "versionType": "git"
            },
            {
              "lessThan": "e5a2481dc2a0b430f49276d7482793a8923631d6",
              "status": "affected",
              "version": "628329d52474323938a03826941e166bc7c8eff4",
              "versionType": "git"
            },
            {
              "lessThan": "8e03f1c7d50343bf21da54873301bc4fa647479f",
              "status": "affected",
              "version": "628329d52474323938a03826941e166bc7c8eff4",
              "versionType": "git"
            },
            {
              "lessThan": "17474a56acf708bf6b2d174c06ed26abad0a9fd6",
              "status": "affected",
              "version": "628329d52474323938a03826941e166bc7c8eff4",
              "versionType": "git"
            },
            {
              "lessThan": "5a8cd6ae8393e2eaebf51d420d5374821ef2af87",
              "status": "affected",
              "version": "628329d52474323938a03826941e166bc7c8eff4",
              "versionType": "git"
            },
            {
              "lessThan": "74661516daee1eadebede8dc607b6830530096ec",
              "status": "affected",
              "version": "628329d52474323938a03826941e166bc7c8eff4",
              "versionType": "git"
            },
            {
              "lessThan": "a95ef0199e80f3384eb992889322957d26c00102",
              "status": "affected",
              "version": "628329d52474323938a03826941e166bc7c8eff4",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/input/misc/ims-pcu.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.10"
            },
            {
              "lessThan": "3.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.295",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.95",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.35",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.295",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.95",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.35",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.4",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: ims-pcu - check record size in ims_pcu_flash_firmware()\n\nThe \"len\" variable comes from the firmware and we generally do\ntrust firmware, but it\u0027s always better to double check.  If the \"len\"\nis too large it could result in memory corruption when we do\n\"memcpy(fragment-\u003edata, rec-\u003edata, len);\""
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:21:53.615Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c1b9d140b0807c6aee4bb53e1bfa4e391e3dc204"
        },
        {
          "url": "https://git.kernel.org/stable/c/d63706d9f73846106fde28b284f08e01b92ce9f1"
        },
        {
          "url": "https://git.kernel.org/stable/c/e5a2481dc2a0b430f49276d7482793a8923631d6"
        },
        {
          "url": "https://git.kernel.org/stable/c/8e03f1c7d50343bf21da54873301bc4fa647479f"
        },
        {
          "url": "https://git.kernel.org/stable/c/17474a56acf708bf6b2d174c06ed26abad0a9fd6"
        },
        {
          "url": "https://git.kernel.org/stable/c/5a8cd6ae8393e2eaebf51d420d5374821ef2af87"
        },
        {
          "url": "https://git.kernel.org/stable/c/74661516daee1eadebede8dc607b6830530096ec"
        },
        {
          "url": "https://git.kernel.org/stable/c/a95ef0199e80f3384eb992889322957d26c00102"
        }
      ],
      "title": "Input: ims-pcu - check record size in ims_pcu_flash_firmware()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38428",
    "datePublished": "2025-07-25T14:16:48.019Z",
    "dateReserved": "2025-04-16T04:51:24.015Z",
    "dateUpdated": "2025-11-03T17:37:57.365Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-37970 (GCVE-0-2025-37970)

Vulnerability from cvelistv5

Published

2025-05-20 16:47

Modified

2025-11-03 19:57

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_fifo Prevent st_lsm6dsx_read_fifo from falling in an infinite loop in case pattern_len is equal to zero and the device FIFO is not empty.

References

URL

Tags

	https://git.kernel.org/stable/c/f06a1a1954527cc4ed086d926c81ff236b2adde9
	https://git.kernel.org/stable/c/84e39f628a3a3333add99076e4d6c8b42b12d3a0
	https://git.kernel.org/stable/c/f3cf233c946531a92fe651ff2bd15ebbe60630a7
	https://git.kernel.org/stable/c/6c4a5000618a8c44200d455c92e2f2a4db264717
	https://git.kernel.org/stable/c/da33c4167b9cc1266a97215114cb74679f881d0c
	https://git.kernel.org/stable/c/a1cad8a3bca41dead9980615d35efc7bff1fd534
	https://git.kernel.org/stable/c/3bb6c02d6fe8347ce1785016d135ff539c20043c
	https://git.kernel.org/stable/c/159ca7f18129834b6f4c7eae67de48e96c752fc9

Impacted products

Vendor

Product

Version

Linux

Version: 290a6ce11d938be52634b3ce1bbc6b78be4d23c1
Version: 290a6ce11d938be52634b3ce1bbc6b78be4d23c1
Version: 290a6ce11d938be52634b3ce1bbc6b78be4d23c1
Version: 290a6ce11d938be52634b3ce1bbc6b78be4d23c1
Version: 290a6ce11d938be52634b3ce1bbc6b78be4d23c1
Version: 290a6ce11d938be52634b3ce1bbc6b78be4d23c1
Version: 290a6ce11d938be52634b3ce1bbc6b78be4d23c1
Version: 290a6ce11d938be52634b3ce1bbc6b78be4d23c1

Linux

Version: 4.11

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:57:53.930Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f06a1a1954527cc4ed086d926c81ff236b2adde9",
              "status": "affected",
              "version": "290a6ce11d938be52634b3ce1bbc6b78be4d23c1",
              "versionType": "git"
            },
            {
              "lessThan": "84e39f628a3a3333add99076e4d6c8b42b12d3a0",
              "status": "affected",
              "version": "290a6ce11d938be52634b3ce1bbc6b78be4d23c1",
              "versionType": "git"
            },
            {
              "lessThan": "f3cf233c946531a92fe651ff2bd15ebbe60630a7",
              "status": "affected",
              "version": "290a6ce11d938be52634b3ce1bbc6b78be4d23c1",
              "versionType": "git"
            },
            {
              "lessThan": "6c4a5000618a8c44200d455c92e2f2a4db264717",
              "status": "affected",
              "version": "290a6ce11d938be52634b3ce1bbc6b78be4d23c1",
              "versionType": "git"
            },
            {
              "lessThan": "da33c4167b9cc1266a97215114cb74679f881d0c",
              "status": "affected",
              "version": "290a6ce11d938be52634b3ce1bbc6b78be4d23c1",
              "versionType": "git"
            },
            {
              "lessThan": "a1cad8a3bca41dead9980615d35efc7bff1fd534",
              "status": "affected",
              "version": "290a6ce11d938be52634b3ce1bbc6b78be4d23c1",
              "versionType": "git"
            },
            {
              "lessThan": "3bb6c02d6fe8347ce1785016d135ff539c20043c",
              "status": "affected",
              "version": "290a6ce11d938be52634b3ce1bbc6b78be4d23c1",
              "versionType": "git"
            },
            {
              "lessThan": "159ca7f18129834b6f4c7eae67de48e96c752fc9",
              "status": "affected",
              "version": "290a6ce11d938be52634b3ce1bbc6b78be4d23c1",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.11"
            },
            {
              "lessThan": "4.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.294",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.238",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.183",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.139",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.91",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.29",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.294",
                  "versionStartIncluding": "4.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.238",
                  "versionStartIncluding": "4.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.183",
                  "versionStartIncluding": "4.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.139",
                  "versionStartIncluding": "4.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.91",
                  "versionStartIncluding": "4.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.29",
                  "versionStartIncluding": "4.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.7",
                  "versionStartIncluding": "4.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "4.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_fifo\n\nPrevent st_lsm6dsx_read_fifo from falling in an infinite loop in case\npattern_len is equal to zero and the device FIFO is not empty."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-04T12:57:37.458Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f06a1a1954527cc4ed086d926c81ff236b2adde9"
        },
        {
          "url": "https://git.kernel.org/stable/c/84e39f628a3a3333add99076e4d6c8b42b12d3a0"
        },
        {
          "url": "https://git.kernel.org/stable/c/f3cf233c946531a92fe651ff2bd15ebbe60630a7"
        },
        {
          "url": "https://git.kernel.org/stable/c/6c4a5000618a8c44200d455c92e2f2a4db264717"
        },
        {
          "url": "https://git.kernel.org/stable/c/da33c4167b9cc1266a97215114cb74679f881d0c"
        },
        {
          "url": "https://git.kernel.org/stable/c/a1cad8a3bca41dead9980615d35efc7bff1fd534"
        },
        {
          "url": "https://git.kernel.org/stable/c/3bb6c02d6fe8347ce1785016d135ff539c20043c"
        },
        {
          "url": "https://git.kernel.org/stable/c/159ca7f18129834b6f4c7eae67de48e96c752fc9"
        }
      ],
      "title": "iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_fifo",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37970",
    "datePublished": "2025-05-20T16:47:17.256Z",
    "dateReserved": "2025-04-16T04:51:23.975Z",
    "dateUpdated": "2025-11-03T19:57:53.930Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-37747 (GCVE-0-2025-37747)

Vulnerability from cvelistv5

Published

2025-05-01 12:55

Modified

2025-05-26 05:20

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: perf: Fix hang while freeing sigtrap event Perf can hang while freeing a sigtrap event if a related deferred signal hadn't managed to be sent before the file got closed: perf_event_overflow() task_work_add(perf_pending_task) fput() task_work_add(____fput()) task_work_run() ____fput() perf_release() perf_event_release_kernel() _free_event() perf_pending_task_sync() task_work_cancel() -> FAILED rcuwait_wait_event() Once task_work_run() is running, the list of pending callbacks is removed from the task_struct and from this point on task_work_cancel() can't remove any pending and not yet started work items, hence the task_work_cancel() failure and the hang on rcuwait_wait_event(). Task work could be changed to remove one work at a time, so a work running on the current task can always cancel a pending one, however the wait / wake design is still subject to inverted dependencies when remote targets are involved, as pictured by Oleg: T1 T2 fd = perf_event_open(pid => T2->pid); fd = perf_event_open(pid => T1->pid); close(fd) close(fd) <IRQ> <IRQ> perf_event_overflow() perf_event_overflow() task_work_add(perf_pending_task) task_work_add(perf_pending_task) </IRQ> </IRQ> fput() fput() task_work_add(____fput()) task_work_add(____fput()) task_work_run() task_work_run() ____fput() ____fput() perf_release() perf_release() perf_event_release_kernel() perf_event_release_kernel() _free_event() _free_event() perf_pending_task_sync() perf_pending_task_sync() rcuwait_wait_event() rcuwait_wait_event() Therefore the only option left is to acquire the event reference count upon queueing the perf task work and release it from the task work, just like it was done before 3a5465418f5f ("perf: Fix event leak upon exec and file release") but without the leaks it fixed. Some adjustments are necessary to make it work: * A child event might dereference its parent upon freeing. Care must be taken to release the parent last. * Some places assuming the event doesn't have any reference held and therefore can be freed right away must instead put the reference and let the reference counting to its job.

References

URL

Tags

	https://git.kernel.org/stable/c/fa1827fa968c0674e9b6fca223fa9fb4da4493eb
	https://git.kernel.org/stable/c/665b87b8f8b3aeb49083ef3b65c4953e7753fc12
	https://git.kernel.org/stable/c/1267bd38f161c1a27d9b722de017027167a225a0
	https://git.kernel.org/stable/c/56799bc035658738f362acec3e7647bb84e68933

Impacted products

Vendor

Product

Version

Linux

Version: 3a5465418f5fd970e86a86c7f4075be262682840
Version: 3a5465418f5fd970e86a86c7f4075be262682840
Version: 3a5465418f5fd970e86a86c7f4075be262682840
Version: 3a5465418f5fd970e86a86c7f4075be262682840
Version: 9ad46f1fef421d43cdab3a7d1744b2f43b54dae0
Version: ed2c202dac55423a52d7e2290f2888bf08b8ee99
Version: 104e258a004037bc7dba9f6085c71dad6af57ad4
Version: f34d8307a73a18de5320fcc6f40403146d061891

Linux

Version: 6.11

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/linux/perf_event.h",
            "kernel/events/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "fa1827fa968c0674e9b6fca223fa9fb4da4493eb",
              "status": "affected",
              "version": "3a5465418f5fd970e86a86c7f4075be262682840",
              "versionType": "git"
            },
            {
              "lessThan": "665b87b8f8b3aeb49083ef3b65c4953e7753fc12",
              "status": "affected",
              "version": "3a5465418f5fd970e86a86c7f4075be262682840",
              "versionType": "git"
            },
            {
              "lessThan": "1267bd38f161c1a27d9b722de017027167a225a0",
              "status": "affected",
              "version": "3a5465418f5fd970e86a86c7f4075be262682840",
              "versionType": "git"
            },
            {
              "lessThan": "56799bc035658738f362acec3e7647bb84e68933",
              "status": "affected",
              "version": "3a5465418f5fd970e86a86c7f4075be262682840",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "9ad46f1fef421d43cdab3a7d1744b2f43b54dae0",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "ed2c202dac55423a52d7e2290f2888bf08b8ee99",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "104e258a004037bc7dba9f6085c71dad6af57ad4",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "f34d8307a73a18de5320fcc6f40403146d061891",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/linux/perf_event.h",
            "kernel/events/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.11"
            },
            {
              "lessThan": "6.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.24",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.24",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.12",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.3",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.15.165",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.1.103",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.6.44",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.10.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: Fix hang while freeing sigtrap event\n\nPerf can hang while freeing a sigtrap event if a related deferred\nsignal hadn\u0027t managed to be sent before the file got closed:\n\nperf_event_overflow()\n   task_work_add(perf_pending_task)\n\nfput()\n   task_work_add(____fput())\n\ntask_work_run()\n    ____fput()\n        perf_release()\n            perf_event_release_kernel()\n                _free_event()\n                    perf_pending_task_sync()\n                        task_work_cancel() -\u003e FAILED\n                        rcuwait_wait_event()\n\nOnce task_work_run() is running, the list of pending callbacks is\nremoved from the task_struct and from this point on task_work_cancel()\ncan\u0027t remove any pending and not yet started work items, hence the\ntask_work_cancel() failure and the hang on rcuwait_wait_event().\n\nTask work could be changed to remove one work at a time, so a work\nrunning on the current task can always cancel a pending one, however\nthe wait / wake design is still subject to inverted dependencies when\nremote targets are involved, as pictured by Oleg:\n\nT1                                                      T2\n\nfd = perf_event_open(pid =\u003e T2-\u003epid);                  fd = perf_event_open(pid =\u003e T1-\u003epid);\nclose(fd)                                              close(fd)\n    \u003cIRQ\u003e                                                  \u003cIRQ\u003e\n    perf_event_overflow()                                  perf_event_overflow()\n       task_work_add(perf_pending_task)                        task_work_add(perf_pending_task)\n    \u003c/IRQ\u003e                                                 \u003c/IRQ\u003e\n    fput()                                                 fput()\n        task_work_add(____fput())                              task_work_add(____fput())\n\n    task_work_run()                                        task_work_run()\n        ____fput()                                             ____fput()\n            perf_release()                                         perf_release()\n                perf_event_release_kernel()                            perf_event_release_kernel()\n                    _free_event()                                          _free_event()\n                        perf_pending_task_sync()                               perf_pending_task_sync()\n                            rcuwait_wait_event()                                   rcuwait_wait_event()\n\nTherefore the only option left is to acquire the event reference count\nupon queueing the perf task work and release it from the task work, just\nlike it was done before 3a5465418f5f (\"perf: Fix event leak upon exec and file release\")\nbut without the leaks it fixed.\n\nSome adjustments are necessary to make it work:\n\n* A child event might dereference its parent upon freeing. Care must be\n  taken to release the parent last.\n\n* Some places assuming the event doesn\u0027t have any reference held and\n  therefore can be freed right away must instead put the reference and\n  let the reference counting to its job."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:20:01.376Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/fa1827fa968c0674e9b6fca223fa9fb4da4493eb"
        },
        {
          "url": "https://git.kernel.org/stable/c/665b87b8f8b3aeb49083ef3b65c4953e7753fc12"
        },
        {
          "url": "https://git.kernel.org/stable/c/1267bd38f161c1a27d9b722de017027167a225a0"
        },
        {
          "url": "https://git.kernel.org/stable/c/56799bc035658738f362acec3e7647bb84e68933"
        }
      ],
      "title": "perf: Fix hang while freeing sigtrap event",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37747",
    "datePublished": "2025-05-01T12:55:54.028Z",
    "dateReserved": "2025-04-16T04:51:23.936Z",
    "dateUpdated": "2025-05-26T05:20:01.376Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-46984 (GCVE-0-2021-46984)

Vulnerability from cvelistv5

Published

2024-02-28 08:13

Modified

2025-05-04 07:01

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: kyber: fix out of bounds access when preempted __blk_mq_sched_bio_merge() gets the ctx and hctx for the current CPU and passes the hctx to ->bio_merge(). kyber_bio_merge() then gets the ctx for the current CPU again and uses that to get the corresponding Kyber context in the passed hctx. However, the thread may be preempted between the two calls to blk_mq_get_ctx(), and the ctx returned the second time may no longer correspond to the passed hctx. This "works" accidentally most of the time, but it can cause us to read garbage if the second ctx came from an hctx with more ctx's than the first one (i.e., if ctx->index_hw[hctx->type] > hctx->nr_ctx). This manifested as this UBSAN array index out of bounds error reported by Jakub: UBSAN: array-index-out-of-bounds in ../kernel/locking/qspinlock.c:130:9 index 13106 is out of range for type 'long unsigned int [128]' Call Trace: dump_stack+0xa4/0xe5 ubsan_epilogue+0x5/0x40 __ubsan_handle_out_of_bounds.cold.13+0x2a/0x34 queued_spin_lock_slowpath+0x476/0x480 do_raw_spin_lock+0x1c2/0x1d0 kyber_bio_merge+0x112/0x180 blk_mq_submit_bio+0x1f5/0x1100 submit_bio_noacct+0x7b0/0x870 submit_bio+0xc2/0x3a0 btrfs_map_bio+0x4f0/0x9d0 btrfs_submit_data_bio+0x24e/0x310 submit_one_bio+0x7f/0xb0 submit_extent_page+0xc4/0x440 __extent_writepage_io+0x2b8/0x5e0 __extent_writepage+0x28d/0x6e0 extent_write_cache_pages+0x4d7/0x7a0 extent_writepages+0xa2/0x110 do_writepages+0x8f/0x180 __writeback_single_inode+0x99/0x7f0 writeback_sb_inodes+0x34e/0x790 __writeback_inodes_wb+0x9e/0x120 wb_writeback+0x4d2/0x660 wb_workfn+0x64d/0xa10 process_one_work+0x53a/0xa80 worker_thread+0x69/0x5b0 kthread+0x20b/0x240 ret_from_fork+0x1f/0x30 Only Kyber uses the hctx, so fix it by passing the request_queue to ->bio_merge() instead. BFQ and mq-deadline just use that, and Kyber can map the queues itself to avoid the mismatch.

References

URL

Tags

	https://git.kernel.org/stable/c/0b6b4b90b74c27bea968c214d820ba4254b903a5
	https://git.kernel.org/stable/c/54dbe2d2c1fcabf650c7a8b747601da355cd7f9f
	https://git.kernel.org/stable/c/a287cd84e047045f5a4d4da793414e848de627c6
	https://git.kernel.org/stable/c/2ef3c76540c49167a0bc3d5f80d00fd1fc4586df
	https://git.kernel.org/stable/c/efed9a3337e341bd0989161b97453b52567bc59d

Impacted products

Vendor

Product

Version

Linux

Version: a6088845c2bf754d6cb2572b484180680b037804
Version: a6088845c2bf754d6cb2572b484180680b037804
Version: a6088845c2bf754d6cb2572b484180680b037804
Version: a6088845c2bf754d6cb2572b484180680b037804
Version: a6088845c2bf754d6cb2572b484180680b037804

Linux

Version: 4.18

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T05:24:37.898Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/0b6b4b90b74c27bea968c214d820ba4254b903a5"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/54dbe2d2c1fcabf650c7a8b747601da355cd7f9f"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/a287cd84e047045f5a4d4da793414e848de627c6"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/2ef3c76540c49167a0bc3d5f80d00fd1fc4586df"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/efed9a3337e341bd0989161b97453b52567bc59d"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-46984",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T16:01:11.596982Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-11T17:33:40.792Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "block/bfq-iosched.c",
            "block/blk-mq-sched.c",
            "block/kyber-iosched.c",
            "block/mq-deadline.c",
            "include/linux/elevator.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0b6b4b90b74c27bea968c214d820ba4254b903a5",
              "status": "affected",
              "version": "a6088845c2bf754d6cb2572b484180680b037804",
              "versionType": "git"
            },
            {
              "lessThan": "54dbe2d2c1fcabf650c7a8b747601da355cd7f9f",
              "status": "affected",
              "version": "a6088845c2bf754d6cb2572b484180680b037804",
              "versionType": "git"
            },
            {
              "lessThan": "a287cd84e047045f5a4d4da793414e848de627c6",
              "status": "affected",
              "version": "a6088845c2bf754d6cb2572b484180680b037804",
              "versionType": "git"
            },
            {
              "lessThan": "2ef3c76540c49167a0bc3d5f80d00fd1fc4586df",
              "status": "affected",
              "version": "a6088845c2bf754d6cb2572b484180680b037804",
              "versionType": "git"
            },
            {
              "lessThan": "efed9a3337e341bd0989161b97453b52567bc59d",
              "status": "affected",
              "version": "a6088845c2bf754d6cb2572b484180680b037804",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "block/bfq-iosched.c",
            "block/blk-mq-sched.c",
            "block/kyber-iosched.c",
            "block/mq-deadline.c",
            "include/linux/elevator.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.18"
            },
            {
              "lessThan": "4.18",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.38",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.11.*",
              "status": "unaffected",
              "version": "5.11.22",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.12.*",
              "status": "unaffected",
              "version": "5.12.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.120",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.38",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.11.22",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.12.5",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.13",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nkyber: fix out of bounds access when preempted\n\n__blk_mq_sched_bio_merge() gets the ctx and hctx for the current CPU and\npasses the hctx to -\u003ebio_merge(). kyber_bio_merge() then gets the ctx\nfor the current CPU again and uses that to get the corresponding Kyber\ncontext in the passed hctx. However, the thread may be preempted between\nthe two calls to blk_mq_get_ctx(), and the ctx returned the second time\nmay no longer correspond to the passed hctx. This \"works\" accidentally\nmost of the time, but it can cause us to read garbage if the second ctx\ncame from an hctx with more ctx\u0027s than the first one (i.e., if\nctx-\u003eindex_hw[hctx-\u003etype] \u003e hctx-\u003enr_ctx).\n\nThis manifested as this UBSAN array index out of bounds error reported\nby Jakub:\n\nUBSAN: array-index-out-of-bounds in ../kernel/locking/qspinlock.c:130:9\nindex 13106 is out of range for type \u0027long unsigned int [128]\u0027\nCall Trace:\n dump_stack+0xa4/0xe5\n ubsan_epilogue+0x5/0x40\n __ubsan_handle_out_of_bounds.cold.13+0x2a/0x34\n queued_spin_lock_slowpath+0x476/0x480\n do_raw_spin_lock+0x1c2/0x1d0\n kyber_bio_merge+0x112/0x180\n blk_mq_submit_bio+0x1f5/0x1100\n submit_bio_noacct+0x7b0/0x870\n submit_bio+0xc2/0x3a0\n btrfs_map_bio+0x4f0/0x9d0\n btrfs_submit_data_bio+0x24e/0x310\n submit_one_bio+0x7f/0xb0\n submit_extent_page+0xc4/0x440\n __extent_writepage_io+0x2b8/0x5e0\n __extent_writepage+0x28d/0x6e0\n extent_write_cache_pages+0x4d7/0x7a0\n extent_writepages+0xa2/0x110\n do_writepages+0x8f/0x180\n __writeback_single_inode+0x99/0x7f0\n writeback_sb_inodes+0x34e/0x790\n __writeback_inodes_wb+0x9e/0x120\n wb_writeback+0x4d2/0x660\n wb_workfn+0x64d/0xa10\n process_one_work+0x53a/0xa80\n worker_thread+0x69/0x5b0\n kthread+0x20b/0x240\n ret_from_fork+0x1f/0x30\n\nOnly Kyber uses the hctx, so fix it by passing the request_queue to\n-\u003ebio_merge() instead. BFQ and mq-deadline just use that, and Kyber can\nmap the queues itself to avoid the mismatch."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:01:44.056Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0b6b4b90b74c27bea968c214d820ba4254b903a5"
        },
        {
          "url": "https://git.kernel.org/stable/c/54dbe2d2c1fcabf650c7a8b747601da355cd7f9f"
        },
        {
          "url": "https://git.kernel.org/stable/c/a287cd84e047045f5a4d4da793414e848de627c6"
        },
        {
          "url": "https://git.kernel.org/stable/c/2ef3c76540c49167a0bc3d5f80d00fd1fc4586df"
        },
        {
          "url": "https://git.kernel.org/stable/c/efed9a3337e341bd0989161b97453b52567bc59d"
        }
      ],
      "title": "kyber: fix out of bounds access when preempted",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2021-46984",
    "datePublished": "2024-02-28T08:13:12.835Z",
    "dateReserved": "2024-02-27T18:42:55.946Z",
    "dateUpdated": "2025-05-04T07:01:44.056Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38131 (GCVE-0-2025-38131)

Vulnerability from cvelistv5

Published

2025-07-03 08:35

Modified

2025-11-03 17:34

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: coresight: prevent deactivate active config while enabling the config While enable active config via cscfg_csdev_enable_active_config(), active config could be deactivated via configfs' sysfs interface. This could make UAF issue in below scenario: CPU0 CPU1 (sysfs enable) load module cscfg_load_config_sets() activate config. // sysfs (sys_active_cnt == 1) ... cscfg_csdev_enable_active_config() lock(csdev->cscfg_csdev_lock) // here load config activate by CPU1 unlock(csdev->cscfg_csdev_lock) deactivate config // sysfs (sys_activec_cnt == 0) cscfg_unload_config_sets() unload module // access to config_desc which freed // while unloading module. cscfg_csdev_enable_config To address this, use cscfg_config_desc's active_cnt as a reference count which will be holded when - activate the config. - enable the activated config. and put the module reference when config_active_cnt == 0.

References

URL

Tags

	https://git.kernel.org/stable/c/dfe8224c9c7a43d356eb9f74b06868aa05f90223
	https://git.kernel.org/stable/c/b3b4efa2e623aecaebd7c9b9e4171f5c659e9724
	https://git.kernel.org/stable/c/31028812724cef7bd57a51525ce58a32a6d73b22
	https://git.kernel.org/stable/c/ed42ee1ed05ff2f4c36938379057413a40c56680
	https://git.kernel.org/stable/c/408c97c4a5e0b634dcd15bf8b8808b382e888164

Impacted products

Vendor

Product

Version

Linux

Version: f8cce2ff3c04361b8843d8489620fda8880f668b
Version: f8cce2ff3c04361b8843d8489620fda8880f668b
Version: f8cce2ff3c04361b8843d8489620fda8880f668b
Version: f8cce2ff3c04361b8843d8489620fda8880f668b
Version: f8cce2ff3c04361b8843d8489620fda8880f668b

Linux

Version: 5.15

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:34:25.127Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/hwtracing/coresight/coresight-config.h",
            "drivers/hwtracing/coresight/coresight-syscfg.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "dfe8224c9c7a43d356eb9f74b06868aa05f90223",
              "status": "affected",
              "version": "f8cce2ff3c04361b8843d8489620fda8880f668b",
              "versionType": "git"
            },
            {
              "lessThan": "b3b4efa2e623aecaebd7c9b9e4171f5c659e9724",
              "status": "affected",
              "version": "f8cce2ff3c04361b8843d8489620fda8880f668b",
              "versionType": "git"
            },
            {
              "lessThan": "31028812724cef7bd57a51525ce58a32a6d73b22",
              "status": "affected",
              "version": "f8cce2ff3c04361b8843d8489620fda8880f668b",
              "versionType": "git"
            },
            {
              "lessThan": "ed42ee1ed05ff2f4c36938379057413a40c56680",
              "status": "affected",
              "version": "f8cce2ff3c04361b8843d8489620fda8880f668b",
              "versionType": "git"
            },
            {
              "lessThan": "408c97c4a5e0b634dcd15bf8b8808b382e888164",
              "status": "affected",
              "version": "f8cce2ff3c04361b8843d8489620fda8880f668b",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/hwtracing/coresight/coresight-config.h",
            "drivers/hwtracing/coresight/coresight-syscfg.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.15"
            },
            {
              "lessThan": "5.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.94",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncoresight: prevent deactivate active config while enabling the config\n\nWhile enable active config via cscfg_csdev_enable_active_config(),\nactive config could be deactivated via configfs\u0027 sysfs interface.\nThis could make UAF issue in below scenario:\n\nCPU0                                          CPU1\n(sysfs enable)                                load module\n                                              cscfg_load_config_sets()\n                                              activate config. // sysfs\n                                              (sys_active_cnt == 1)\n...\ncscfg_csdev_enable_active_config()\nlock(csdev-\u003ecscfg_csdev_lock)\n// here load config activate by CPU1\nunlock(csdev-\u003ecscfg_csdev_lock)\n\n                                              deactivate config // sysfs\n                                              (sys_activec_cnt == 0)\n                                              cscfg_unload_config_sets()\n                                              unload module\n\n// access to config_desc which freed\n// while unloading module.\ncscfg_csdev_enable_config\n\nTo address this, use cscfg_config_desc\u0027s active_cnt as a reference count\n which will be holded when\n    - activate the config.\n    - enable the activated config.\nand put the module reference when config_active_cnt == 0."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:13:00.836Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/dfe8224c9c7a43d356eb9f74b06868aa05f90223"
        },
        {
          "url": "https://git.kernel.org/stable/c/b3b4efa2e623aecaebd7c9b9e4171f5c659e9724"
        },
        {
          "url": "https://git.kernel.org/stable/c/31028812724cef7bd57a51525ce58a32a6d73b22"
        },
        {
          "url": "https://git.kernel.org/stable/c/ed42ee1ed05ff2f4c36938379057413a40c56680"
        },
        {
          "url": "https://git.kernel.org/stable/c/408c97c4a5e0b634dcd15bf8b8808b382e888164"
        }
      ],
      "title": "coresight: prevent deactivate active config while enabling the config",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38131",
    "datePublished": "2025-07-03T08:35:35.036Z",
    "dateReserved": "2025-04-16T04:51:23.987Z",
    "dateUpdated": "2025-11-03T17:34:25.127Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-42134 (GCVE-0-2024-42134)

Vulnerability from cvelistv5

Published

2024-07-30 07:46

Modified

2025-05-04 09:23

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: virtio-pci: Check if is_avq is NULL [bug] In the virtio_pci_common.c function vp_del_vqs, vp_dev->is_avq is involved to determine whether it is admin virtqueue, but this function vp_dev->is_avq may be empty. For installations, virtio_pci_legacy does not assign a value to vp_dev->is_avq. [fix] Check whether it is vp_dev->is_avq before use. [test] Test with virsh Attach device Before this patch, the following command would crash the guest system After applying the patch, everything seems to be working fine.

References

URL

Tags

	https://git.kernel.org/stable/c/5e2024b0b9b3d5709e3f7e9b92951d7e29154106
	https://git.kernel.org/stable/c/c8fae27d141a32a1624d0d0d5419d94252824498

Impacted products

Vendor

Product

Version

Linux

Version: fd27ef6b44bec26915c5b2b22c13856d9f0ba17a
Version: fd27ef6b44bec26915c5b2b22c13856d9f0ba17a

Linux

Version: 6.8

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T04:54:32.027Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/5e2024b0b9b3d5709e3f7e9b92951d7e29154106"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/c8fae27d141a32a1624d0d0d5419d94252824498"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-42134",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T16:16:15.915653Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-11T17:34:36.161Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/virtio/virtio_pci_common.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5e2024b0b9b3d5709e3f7e9b92951d7e29154106",
              "status": "affected",
              "version": "fd27ef6b44bec26915c5b2b22c13856d9f0ba17a",
              "versionType": "git"
            },
            {
              "lessThan": "c8fae27d141a32a1624d0d0d5419d94252824498",
              "status": "affected",
              "version": "fd27ef6b44bec26915c5b2b22c13856d9f0ba17a",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/virtio/virtio_pci_common.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.8"
            },
            {
              "lessThan": "6.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.9.*",
              "status": "unaffected",
              "version": "6.9.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.10",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.9.9",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.10",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio-pci: Check if is_avq is NULL\n\n[bug]\nIn the virtio_pci_common.c function vp_del_vqs, vp_dev-\u003eis_avq is involved\nto determine whether it is admin virtqueue, but this function vp_dev-\u003eis_avq\n may be empty. For installations, virtio_pci_legacy does not assign a value\n to vp_dev-\u003eis_avq.\n\n[fix]\nCheck whether it is vp_dev-\u003eis_avq before use.\n\n[test]\nTest with virsh Attach device\nBefore this patch, the following command would crash the guest system\n\nAfter applying the patch, everything seems to be working fine."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:23:50.780Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/5e2024b0b9b3d5709e3f7e9b92951d7e29154106"
        },
        {
          "url": "https://git.kernel.org/stable/c/c8fae27d141a32a1624d0d0d5419d94252824498"
        }
      ],
      "title": "virtio-pci: Check if is_avq is NULL",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-42134",
    "datePublished": "2024-07-30T07:46:29.331Z",
    "dateReserved": "2024-07-29T15:50:41.187Z",
    "dateUpdated": "2025-05-04T09:23:50.780Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38043 (GCVE-0-2025-38043)

Vulnerability from cvelistv5

Published

2025-06-18 09:33

Modified

2025-11-03 17:33

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: firmware: arm_ffa: Set dma_mask for ffa devices Set dma_mask for FFA devices, otherwise DMA allocation using the device pointer lead to following warning: WARNING: CPU: 1 PID: 1 at kernel/dma/mapping.c:597 dma_alloc_attrs+0xe0/0x124

References

URL

Tags

	https://git.kernel.org/stable/c/97bab02f0b64ba6bcdf6a8fae561db07f509aee9
	https://git.kernel.org/stable/c/c6aa1d6bd6ccff4ecdf064d288817657ec8532f0
	https://git.kernel.org/stable/c/e2de76c34a8a925efe80fccae4810427bc144ed0
	https://git.kernel.org/stable/c/3a3efeef64364c2a028cf0d03d68c831813a97fd
	https://git.kernel.org/stable/c/2e62c803feec1ef5847d8fa47dd0de039abfa378
	https://git.kernel.org/stable/c/cc0aac7ca17e0ea3ca84b552fc79f3e86fd07f53

Impacted products

Vendor

Product

Version

Linux

Version: e781858488b918e30a6ff28e9eab6058b787e3b3
Version: e781858488b918e30a6ff28e9eab6058b787e3b3
Version: e781858488b918e30a6ff28e9eab6058b787e3b3
Version: e781858488b918e30a6ff28e9eab6058b787e3b3
Version: e781858488b918e30a6ff28e9eab6058b787e3b3
Version: e781858488b918e30a6ff28e9eab6058b787e3b3

Linux

Version: 5.14

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:33:18.425Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/firmware/arm_ffa/bus.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "97bab02f0b64ba6bcdf6a8fae561db07f509aee9",
              "status": "affected",
              "version": "e781858488b918e30a6ff28e9eab6058b787e3b3",
              "versionType": "git"
            },
            {
              "lessThan": "c6aa1d6bd6ccff4ecdf064d288817657ec8532f0",
              "status": "affected",
              "version": "e781858488b918e30a6ff28e9eab6058b787e3b3",
              "versionType": "git"
            },
            {
              "lessThan": "e2de76c34a8a925efe80fccae4810427bc144ed0",
              "status": "affected",
              "version": "e781858488b918e30a6ff28e9eab6058b787e3b3",
              "versionType": "git"
            },
            {
              "lessThan": "3a3efeef64364c2a028cf0d03d68c831813a97fd",
              "status": "affected",
              "version": "e781858488b918e30a6ff28e9eab6058b787e3b3",
              "versionType": "git"
            },
            {
              "lessThan": "2e62c803feec1ef5847d8fa47dd0de039abfa378",
              "status": "affected",
              "version": "e781858488b918e30a6ff28e9eab6058b787e3b3",
              "versionType": "git"
            },
            {
              "lessThan": "cc0aac7ca17e0ea3ca84b552fc79f3e86fd07f53",
              "status": "affected",
              "version": "e781858488b918e30a6ff28e9eab6058b787e3b3",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/firmware/arm_ffa/bus.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.14"
            },
            {
              "lessThan": "5.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.185",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.141",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.93",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.31",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.185",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.141",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.93",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.31",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.9",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: arm_ffa: Set dma_mask for ffa devices\n\nSet dma_mask for FFA devices, otherwise DMA allocation using the device pointer\nlead to following warning:\n\nWARNING: CPU: 1 PID: 1 at kernel/dma/mapping.c:597 dma_alloc_attrs+0xe0/0x124"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-19T13:11:02.372Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/97bab02f0b64ba6bcdf6a8fae561db07f509aee9"
        },
        {
          "url": "https://git.kernel.org/stable/c/c6aa1d6bd6ccff4ecdf064d288817657ec8532f0"
        },
        {
          "url": "https://git.kernel.org/stable/c/e2de76c34a8a925efe80fccae4810427bc144ed0"
        },
        {
          "url": "https://git.kernel.org/stable/c/3a3efeef64364c2a028cf0d03d68c831813a97fd"
        },
        {
          "url": "https://git.kernel.org/stable/c/2e62c803feec1ef5847d8fa47dd0de039abfa378"
        },
        {
          "url": "https://git.kernel.org/stable/c/cc0aac7ca17e0ea3ca84b552fc79f3e86fd07f53"
        }
      ],
      "title": "firmware: arm_ffa: Set dma_mask for ffa devices",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38043",
    "datePublished": "2025-06-18T09:33:27.994Z",
    "dateReserved": "2025-04-16T04:51:23.978Z",
    "dateUpdated": "2025-11-03T17:33:18.425Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21997 (GCVE-0-2025-21997)

Vulnerability from cvelistv5

Published

2025-04-03 07:19

Modified

2025-11-03 19:40

Severity ?

5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: xsk: fix an integer overflow in xp_create_and_assign_umem() Since the i and pool->chunk_size variables are of type 'u32', their product can wrap around and then be cast to 'u64'. This can lead to two different XDP buffers pointing to the same memory area. Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with SVACE.

References

URL

Tags

	https://git.kernel.org/stable/c/205649d642a5b376724f04f3a5b3586815e43d3b
	https://git.kernel.org/stable/c/b7b4be1fa43294b50b22e812715198629806678a
	https://git.kernel.org/stable/c/130290f44bce0eead2b827302109afc3fe189ddd
	https://git.kernel.org/stable/c/c7670c197b0f1a8726ad5c87bc2bf001a1fc1bbd
	https://git.kernel.org/stable/c/559847f56769037e5b2e0474d3dbff985b98083d

Impacted products

Vendor

Product

Version

Linux

Version: 94033cd8e73b8632bab7c8b7bb54caa4f5616db7
Version: 94033cd8e73b8632bab7c8b7bb54caa4f5616db7
Version: 94033cd8e73b8632bab7c8b7bb54caa4f5616db7
Version: 94033cd8e73b8632bab7c8b7bb54caa4f5616db7
Version: 94033cd8e73b8632bab7c8b7bb54caa4f5616db7

Linux

Version: 5.16

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21997",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T17:11:27.222499Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-190",
                "description": "CWE-190 Integer Overflow or Wraparound",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T17:11:29.711Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:40:39.282Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/xdp/xsk_buff_pool.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "205649d642a5b376724f04f3a5b3586815e43d3b",
              "status": "affected",
              "version": "94033cd8e73b8632bab7c8b7bb54caa4f5616db7",
              "versionType": "git"
            },
            {
              "lessThan": "b7b4be1fa43294b50b22e812715198629806678a",
              "status": "affected",
              "version": "94033cd8e73b8632bab7c8b7bb54caa4f5616db7",
              "versionType": "git"
            },
            {
              "lessThan": "130290f44bce0eead2b827302109afc3fe189ddd",
              "status": "affected",
              "version": "94033cd8e73b8632bab7c8b7bb54caa4f5616db7",
              "versionType": "git"
            },
            {
              "lessThan": "c7670c197b0f1a8726ad5c87bc2bf001a1fc1bbd",
              "status": "affected",
              "version": "94033cd8e73b8632bab7c8b7bb54caa4f5616db7",
              "versionType": "git"
            },
            {
              "lessThan": "559847f56769037e5b2e0474d3dbff985b98083d",
              "status": "affected",
              "version": "94033cd8e73b8632bab7c8b7bb54caa4f5616db7",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/xdp/xsk_buff_pool.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.16"
            },
            {
              "lessThan": "5.16",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.132",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.85",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.21",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.132",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.85",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.21",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.9",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxsk: fix an integer overflow in xp_create_and_assign_umem()\n\nSince the i and pool-\u003echunk_size variables are of type \u0027u32\u0027,\ntheir product can wrap around and then be cast to \u0027u64\u0027.\nThis can lead to two different XDP buffers pointing to the same\nmemory area.\n\nFound by InfoTeCS on behalf of Linux Verification Center\n(linuxtesting.org) with SVACE."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:27:05.891Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/205649d642a5b376724f04f3a5b3586815e43d3b"
        },
        {
          "url": "https://git.kernel.org/stable/c/b7b4be1fa43294b50b22e812715198629806678a"
        },
        {
          "url": "https://git.kernel.org/stable/c/130290f44bce0eead2b827302109afc3fe189ddd"
        },
        {
          "url": "https://git.kernel.org/stable/c/c7670c197b0f1a8726ad5c87bc2bf001a1fc1bbd"
        },
        {
          "url": "https://git.kernel.org/stable/c/559847f56769037e5b2e0474d3dbff985b98083d"
        }
      ],
      "title": "xsk: fix an integer overflow in xp_create_and_assign_umem()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21997",
    "datePublished": "2025-04-03T07:19:00.583Z",
    "dateReserved": "2024-12-29T08:45:45.801Z",
    "dateUpdated": "2025-11-03T19:40:39.282Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-23151 (GCVE-0-2025-23151)

Vulnerability from cvelistv5

Published

2025-05-01 12:55

Modified

2025-11-03 19:42

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: bus: mhi: host: Fix race between unprepare and queue_buf A client driver may use mhi_unprepare_from_transfer() to quiesce incoming data during the client driver's tear down. The client driver might also be processing data at the same time, resulting in a call to mhi_queue_buf() which will invoke mhi_gen_tre(). If mhi_gen_tre() runs after mhi_unprepare_from_transfer() has torn down the channel, a panic will occur due to an invalid dereference leading to a page fault. This occurs because mhi_gen_tre() does not verify the channel state after locking it. Fix this by having mhi_gen_tre() confirm the channel state is valid, or return error to avoid accessing deinitialized data. [mani: added stable tag]

References

URL

Tags

	https://git.kernel.org/stable/c/899d0353ea69681f474b6bc9de32c663b89672da
	https://git.kernel.org/stable/c/3e7ecf181cbdde9753204ada3883ca1704d8702b
	https://git.kernel.org/stable/c/5f084993c90d9d0b4a52a349ede5120f992a7ca1
	https://git.kernel.org/stable/c/a77955f7704b2a00385e232cbcc1cb06b5c7a425
	https://git.kernel.org/stable/c/178e5657c8fd285125cc6743a81b513bce099760
	https://git.kernel.org/stable/c/ee1fce83ed56450087309b9b74ad9bcb2b010fa6
	https://git.kernel.org/stable/c/0686a818d77a431fc3ba2fab4b46bbb04e8c9380

Impacted products

Vendor

Product

Version

Linux

Version: 176ed1727badd2fad2158e2b214dcbc24f4be7a1
Version: 0b093176fd0967a5f56e2c86b0d48247f6c0fa0f
Version: ce16274a6b8d1483d0d8383272deb2bfd1b577ca
Version: b89b6a863dd53bc70d8e52d50f9cfaef8ef5e9c9
Version: b89b6a863dd53bc70d8e52d50f9cfaef8ef5e9c9
Version: b89b6a863dd53bc70d8e52d50f9cfaef8ef5e9c9
Version: b89b6a863dd53bc70d8e52d50f9cfaef8ef5e9c9
Version: 642adb03541673f3897f64bbb62856ffd73807f5

Linux

Version: 6.8

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:42:48.368Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/bus/mhi/host/main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "899d0353ea69681f474b6bc9de32c663b89672da",
              "status": "affected",
              "version": "176ed1727badd2fad2158e2b214dcbc24f4be7a1",
              "versionType": "git"
            },
            {
              "lessThan": "3e7ecf181cbdde9753204ada3883ca1704d8702b",
              "status": "affected",
              "version": "0b093176fd0967a5f56e2c86b0d48247f6c0fa0f",
              "versionType": "git"
            },
            {
              "lessThan": "5f084993c90d9d0b4a52a349ede5120f992a7ca1",
              "status": "affected",
              "version": "ce16274a6b8d1483d0d8383272deb2bfd1b577ca",
              "versionType": "git"
            },
            {
              "lessThan": "a77955f7704b2a00385e232cbcc1cb06b5c7a425",
              "status": "affected",
              "version": "b89b6a863dd53bc70d8e52d50f9cfaef8ef5e9c9",
              "versionType": "git"
            },
            {
              "lessThan": "178e5657c8fd285125cc6743a81b513bce099760",
              "status": "affected",
              "version": "b89b6a863dd53bc70d8e52d50f9cfaef8ef5e9c9",
              "versionType": "git"
            },
            {
              "lessThan": "ee1fce83ed56450087309b9b74ad9bcb2b010fa6",
              "status": "affected",
              "version": "b89b6a863dd53bc70d8e52d50f9cfaef8ef5e9c9",
              "versionType": "git"
            },
            {
              "lessThan": "0686a818d77a431fc3ba2fab4b46bbb04e8c9380",
              "status": "affected",
              "version": "b89b6a863dd53bc70d8e52d50f9cfaef8ef5e9c9",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "642adb03541673f3897f64bbb62856ffd73807f5",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/bus/mhi/host/main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.8"
            },
            {
              "lessThan": "6.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.181",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.135",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.24",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.181",
                  "versionStartIncluding": "5.15.149",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.135",
                  "versionStartIncluding": "6.1.76",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.88",
                  "versionStartIncluding": "6.6.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.24",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.12",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.3",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.7.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbus: mhi: host: Fix race between unprepare and queue_buf\n\nA client driver may use mhi_unprepare_from_transfer() to quiesce\nincoming data during the client driver\u0027s tear down. The client driver\nmight also be processing data at the same time, resulting in a call to\nmhi_queue_buf() which will invoke mhi_gen_tre(). If mhi_gen_tre() runs\nafter mhi_unprepare_from_transfer() has torn down the channel, a panic\nwill occur due to an invalid dereference leading to a page fault.\n\nThis occurs because mhi_gen_tre() does not verify the channel state\nafter locking it. Fix this by having mhi_gen_tre() confirm the channel\nstate is valid, or return error to avoid accessing deinitialized data.\n\n[mani: added stable tag]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:19:33.101Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/899d0353ea69681f474b6bc9de32c663b89672da"
        },
        {
          "url": "https://git.kernel.org/stable/c/3e7ecf181cbdde9753204ada3883ca1704d8702b"
        },
        {
          "url": "https://git.kernel.org/stable/c/5f084993c90d9d0b4a52a349ede5120f992a7ca1"
        },
        {
          "url": "https://git.kernel.org/stable/c/a77955f7704b2a00385e232cbcc1cb06b5c7a425"
        },
        {
          "url": "https://git.kernel.org/stable/c/178e5657c8fd285125cc6743a81b513bce099760"
        },
        {
          "url": "https://git.kernel.org/stable/c/ee1fce83ed56450087309b9b74ad9bcb2b010fa6"
        },
        {
          "url": "https://git.kernel.org/stable/c/0686a818d77a431fc3ba2fab4b46bbb04e8c9380"
        }
      ],
      "title": "bus: mhi: host: Fix race between unprepare and queue_buf",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-23151",
    "datePublished": "2025-05-01T12:55:38.833Z",
    "dateReserved": "2025-01-11T14:28:41.513Z",
    "dateUpdated": "2025-11-03T19:42:48.368Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38268 (GCVE-0-2025-38268)

Vulnerability from cvelistv5

Published

2025-07-10 07:41

Modified

2025-07-28 04:16

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: usb: typec: tcpm: move tcpm_queue_vdm_unlocked to asynchronous work A state check was previously added to tcpm_queue_vdm_unlocked to prevent a deadlock where the DisplayPort Alt Mode driver would be executing work and attempting to grab the tcpm_lock while the TCPM was holding the lock and attempting to unregister the altmode, blocking on the altmode driver's cancel_work_sync call. Because the state check isn't protected, there is a small window where the Alt Mode driver could determine that the TCPM is in a ready state and attempt to grab the lock while the TCPM grabs the lock and changes the TCPM state to one that causes the deadlock. The callstack is provided below: [110121.667392][ C7] Call trace: [110121.667396][ C7] __switch_to+0x174/0x338 [110121.667406][ C7] __schedule+0x608/0x9f0 [110121.667414][ C7] schedule+0x7c/0xe8 [110121.667423][ C7] kernfs_drain+0xb0/0x114 [110121.667431][ C7] __kernfs_remove+0x16c/0x20c [110121.667436][ C7] kernfs_remove_by_name_ns+0x74/0xe8 [110121.667442][ C7] sysfs_remove_group+0x84/0xe8 [110121.667450][ C7] sysfs_remove_groups+0x34/0x58 [110121.667458][ C7] device_remove_groups+0x10/0x20 [110121.667464][ C7] device_release_driver_internal+0x164/0x2e4 [110121.667475][ C7] device_release_driver+0x18/0x28 [110121.667484][ C7] bus_remove_device+0xec/0x118 [110121.667491][ C7] device_del+0x1e8/0x4ac [110121.667498][ C7] device_unregister+0x18/0x38 [110121.667504][ C7] typec_unregister_altmode+0x30/0x44 [110121.667515][ C7] tcpm_reset_port+0xac/0x370 [110121.667523][ C7] tcpm_snk_detach+0x84/0xb8 [110121.667529][ C7] run_state_machine+0x4c0/0x1b68 [110121.667536][ C7] tcpm_state_machine_work+0x94/0xe4 [110121.667544][ C7] kthread_worker_fn+0x10c/0x244 [110121.667552][ C7] kthread+0x104/0x1d4 [110121.667557][ C7] ret_from_fork+0x10/0x20 [110121.667689][ C7] Workqueue: events dp_altmode_work [110121.667697][ C7] Call trace: [110121.667701][ C7] __switch_to+0x174/0x338 [110121.667710][ C7] __schedule+0x608/0x9f0 [110121.667717][ C7] schedule+0x7c/0xe8 [110121.667725][ C7] schedule_preempt_disabled+0x24/0x40 [110121.667733][ C7] __mutex_lock+0x408/0xdac [110121.667741][ C7] __mutex_lock_slowpath+0x14/0x24 [110121.667748][ C7] mutex_lock+0x40/0xec [110121.667757][ C7] tcpm_altmode_enter+0x78/0xb4 [110121.667764][ C7] typec_altmode_enter+0xdc/0x10c [110121.667769][ C7] dp_altmode_work+0x68/0x164 [110121.667775][ C7] process_one_work+0x1e4/0x43c [110121.667783][ C7] worker_thread+0x25c/0x430 [110121.667789][ C7] kthread+0x104/0x1d4 [110121.667794][ C7] ret_from_fork+0x10/0x20 Change tcpm_queue_vdm_unlocked to queue for tcpm_queue_vdm_work, which can perform the state check while holding the TCPM lock while the Alt Mode lock is no longer held. This requires a new struct to hold the vdm data, altmode_vdm_event.

References

URL

Tags

	https://git.kernel.org/stable/c/7bdd712abefbec79176ab412d8c623e755c5d0ba
	https://git.kernel.org/stable/c/1970d34b48cbeceb0c765984c9a6bb204c77f16a
	https://git.kernel.org/stable/c/324d45e53f1a36c88bc649dc39e0c8300a41be0a

Impacted products

Vendor

Product

Version

Linux

Version: cdc9946ea6377e8e214b135ccc308c5e514ba25f
Version: cdc9946ea6377e8e214b135ccc308c5e514ba25f
Version: cdc9946ea6377e8e214b135ccc308c5e514ba25f

Linux

Version: 6.9

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/typec/tcpm/tcpm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "7bdd712abefbec79176ab412d8c623e755c5d0ba",
              "status": "affected",
              "version": "cdc9946ea6377e8e214b135ccc308c5e514ba25f",
              "versionType": "git"
            },
            {
              "lessThan": "1970d34b48cbeceb0c765984c9a6bb204c77f16a",
              "status": "affected",
              "version": "cdc9946ea6377e8e214b135ccc308c5e514ba25f",
              "versionType": "git"
            },
            {
              "lessThan": "324d45e53f1a36c88bc649dc39e0c8300a41be0a",
              "status": "affected",
              "version": "cdc9946ea6377e8e214b135ccc308c5e514ba25f",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/typec/tcpm/tcpm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.9"
            },
            {
              "lessThan": "6.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: tcpm: move tcpm_queue_vdm_unlocked to asynchronous work\n\nA state check was previously added to tcpm_queue_vdm_unlocked to\nprevent a deadlock where the DisplayPort Alt Mode driver would be\nexecuting work and attempting to grab the tcpm_lock while the TCPM\nwas holding the lock and attempting to unregister the altmode, blocking\non the altmode driver\u0027s cancel_work_sync call.\n\nBecause the state check isn\u0027t protected, there is a small window\nwhere the Alt Mode driver could determine that the TCPM is\nin a ready state and attempt to grab the lock while the\nTCPM grabs the lock and changes the TCPM state to one that\ncauses the deadlock. The callstack is provided below:\n\n[110121.667392][    C7] Call trace:\n[110121.667396][    C7]  __switch_to+0x174/0x338\n[110121.667406][    C7]  __schedule+0x608/0x9f0\n[110121.667414][    C7]  schedule+0x7c/0xe8\n[110121.667423][    C7]  kernfs_drain+0xb0/0x114\n[110121.667431][    C7]  __kernfs_remove+0x16c/0x20c\n[110121.667436][    C7]  kernfs_remove_by_name_ns+0x74/0xe8\n[110121.667442][    C7]  sysfs_remove_group+0x84/0xe8\n[110121.667450][    C7]  sysfs_remove_groups+0x34/0x58\n[110121.667458][    C7]  device_remove_groups+0x10/0x20\n[110121.667464][    C7]  device_release_driver_internal+0x164/0x2e4\n[110121.667475][    C7]  device_release_driver+0x18/0x28\n[110121.667484][    C7]  bus_remove_device+0xec/0x118\n[110121.667491][    C7]  device_del+0x1e8/0x4ac\n[110121.667498][    C7]  device_unregister+0x18/0x38\n[110121.667504][    C7]  typec_unregister_altmode+0x30/0x44\n[110121.667515][    C7]  tcpm_reset_port+0xac/0x370\n[110121.667523][    C7]  tcpm_snk_detach+0x84/0xb8\n[110121.667529][    C7]  run_state_machine+0x4c0/0x1b68\n[110121.667536][    C7]  tcpm_state_machine_work+0x94/0xe4\n[110121.667544][    C7]  kthread_worker_fn+0x10c/0x244\n[110121.667552][    C7]  kthread+0x104/0x1d4\n[110121.667557][    C7]  ret_from_fork+0x10/0x20\n\n[110121.667689][    C7] Workqueue: events dp_altmode_work\n[110121.667697][    C7] Call trace:\n[110121.667701][    C7]  __switch_to+0x174/0x338\n[110121.667710][    C7]  __schedule+0x608/0x9f0\n[110121.667717][    C7]  schedule+0x7c/0xe8\n[110121.667725][    C7]  schedule_preempt_disabled+0x24/0x40\n[110121.667733][    C7]  __mutex_lock+0x408/0xdac\n[110121.667741][    C7]  __mutex_lock_slowpath+0x14/0x24\n[110121.667748][    C7]  mutex_lock+0x40/0xec\n[110121.667757][    C7]  tcpm_altmode_enter+0x78/0xb4\n[110121.667764][    C7]  typec_altmode_enter+0xdc/0x10c\n[110121.667769][    C7]  dp_altmode_work+0x68/0x164\n[110121.667775][    C7]  process_one_work+0x1e4/0x43c\n[110121.667783][    C7]  worker_thread+0x25c/0x430\n[110121.667789][    C7]  kthread+0x104/0x1d4\n[110121.667794][    C7]  ret_from_fork+0x10/0x20\n\nChange tcpm_queue_vdm_unlocked to queue for tcpm_queue_vdm_work,\nwhich can perform the state check while holding the TCPM lock\nwhile the Alt Mode lock is no longer held. This requires a new\nstruct to hold the vdm data, altmode_vdm_event."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:16:48.451Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/7bdd712abefbec79176ab412d8c623e755c5d0ba"
        },
        {
          "url": "https://git.kernel.org/stable/c/1970d34b48cbeceb0c765984c9a6bb204c77f16a"
        },
        {
          "url": "https://git.kernel.org/stable/c/324d45e53f1a36c88bc649dc39e0c8300a41be0a"
        }
      ],
      "title": "usb: typec: tcpm: move tcpm_queue_vdm_unlocked to asynchronous work",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38268",
    "datePublished": "2025-07-10T07:41:51.217Z",
    "dateReserved": "2025-04-16T04:51:23.998Z",
    "dateUpdated": "2025-07-28T04:16:48.451Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38023 (GCVE-0-2025-38023)

Vulnerability from cvelistv5

Published

2025-06-18 09:28

Modified

2025-11-03 19:58

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: nfs: handle failure of nfs_get_lock_context in unlock path When memory is insufficient, the allocation of nfs_lock_context in nfs_get_lock_context() fails and returns -ENOMEM. If we mistakenly treat an nfs4_unlockdata structure (whose l_ctx member has been set to -ENOMEM) as valid and proceed to execute rpc_run_task(), this will trigger a NULL pointer dereference in nfs4_locku_prepare. For example: BUG: kernel NULL pointer dereference, address: 000000000000000c PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP PTI CPU: 15 UID: 0 PID: 12 Comm: kworker/u64:0 Not tainted 6.15.0-rc2-dirty #60 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 Workqueue: rpciod rpc_async_schedule RIP: 0010:nfs4_locku_prepare+0x35/0xc2 Code: 89 f2 48 89 fd 48 c7 c7 68 69 ef b5 53 48 8b 8e 90 00 00 00 48 89 f3 RSP: 0018:ffffbbafc006bdb8 EFLAGS: 00010246 RAX: 000000000000004b RBX: ffff9b964fc1fa00 RCX: 0000000000000000 RDX: 0000000000000000 RSI: fffffffffffffff4 RDI: ffff9ba53fddbf40 RBP: ffff9ba539934000 R08: 0000000000000000 R09: ffffbbafc006bc38 R10: ffffffffb6b689c8 R11: 0000000000000003 R12: ffff9ba539934030 R13: 0000000000000001 R14: 0000000004248060 R15: ffffffffb56d1c30 FS: 0000000000000000(0000) GS:ffff9ba5881f0000(0000) knlGS:00000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000000000000c CR3: 000000093f244000 CR4: 00000000000006f0 Call Trace: <TASK> __rpc_execute+0xbc/0x480 rpc_async_schedule+0x2f/0x40 process_one_work+0x232/0x5d0 worker_thread+0x1da/0x3d0 ? __pfx_worker_thread+0x10/0x10 kthread+0x10d/0x240 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x34/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Modules linked in: CR2: 000000000000000c ---[ end trace 0000000000000000 ]--- Free the allocated nfs4_unlockdata when nfs_get_lock_context() fails and return NULL to terminate subsequent rpc_run_task, preventing NULL pointer dereference.

References

URL

Tags

	https://git.kernel.org/stable/c/db6f5ee1fc8f54d079d0751292c2fc2d78e3aad1
	https://git.kernel.org/stable/c/4c189fd40a09a03f9a900bedb2d9064f1734d72a
	https://git.kernel.org/stable/c/72f552e00c50f265896d3c19edc6696aa2910081
	https://git.kernel.org/stable/c/85fb7f8ca5f8c138579fdfc9b97b3083e6077d40
	https://git.kernel.org/stable/c/a6879a076b98c99c9fe747816fe1c29543442441
	https://git.kernel.org/stable/c/da824f1271633bcb515ca8084cda3eda4b3ace51
	https://git.kernel.org/stable/c/f601960af04d2ecb007c928ba153d34051acd9c1
	https://git.kernel.org/stable/c/c457dc1ec770a22636b473ce5d35614adfe97636

Impacted products

Vendor

Product

Version

Linux

Version: f30cb757f680f965ba8a2e53cb3588052a01aeb5
Version: f30cb757f680f965ba8a2e53cb3588052a01aeb5
Version: f30cb757f680f965ba8a2e53cb3588052a01aeb5
Version: f30cb757f680f965ba8a2e53cb3588052a01aeb5
Version: f30cb757f680f965ba8a2e53cb3588052a01aeb5
Version: f30cb757f680f965ba8a2e53cb3588052a01aeb5
Version: f30cb757f680f965ba8a2e53cb3588052a01aeb5
Version: f30cb757f680f965ba8a2e53cb3588052a01aeb5

Linux

Version: 4.12

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:58:22.071Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/nfs/nfs4proc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "db6f5ee1fc8f54d079d0751292c2fc2d78e3aad1",
              "status": "affected",
              "version": "f30cb757f680f965ba8a2e53cb3588052a01aeb5",
              "versionType": "git"
            },
            {
              "lessThan": "4c189fd40a09a03f9a900bedb2d9064f1734d72a",
              "status": "affected",
              "version": "f30cb757f680f965ba8a2e53cb3588052a01aeb5",
              "versionType": "git"
            },
            {
              "lessThan": "72f552e00c50f265896d3c19edc6696aa2910081",
              "status": "affected",
              "version": "f30cb757f680f965ba8a2e53cb3588052a01aeb5",
              "versionType": "git"
            },
            {
              "lessThan": "85fb7f8ca5f8c138579fdfc9b97b3083e6077d40",
              "status": "affected",
              "version": "f30cb757f680f965ba8a2e53cb3588052a01aeb5",
              "versionType": "git"
            },
            {
              "lessThan": "a6879a076b98c99c9fe747816fe1c29543442441",
              "status": "affected",
              "version": "f30cb757f680f965ba8a2e53cb3588052a01aeb5",
              "versionType": "git"
            },
            {
              "lessThan": "da824f1271633bcb515ca8084cda3eda4b3ace51",
              "status": "affected",
              "version": "f30cb757f680f965ba8a2e53cb3588052a01aeb5",
              "versionType": "git"
            },
            {
              "lessThan": "f601960af04d2ecb007c928ba153d34051acd9c1",
              "status": "affected",
              "version": "f30cb757f680f965ba8a2e53cb3588052a01aeb5",
              "versionType": "git"
            },
            {
              "lessThan": "c457dc1ec770a22636b473ce5d35614adfe97636",
              "status": "affected",
              "version": "f30cb757f680f965ba8a2e53cb3588052a01aeb5",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/nfs/nfs4proc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.12"
            },
            {
              "lessThan": "4.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.294",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.238",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.184",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.92",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.294",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.238",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.184",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.140",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.92",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.30",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.8",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfs: handle failure of nfs_get_lock_context in unlock path\n\nWhen memory is insufficient, the allocation of nfs_lock_context in\nnfs_get_lock_context() fails and returns -ENOMEM. If we mistakenly treat\nan nfs4_unlockdata structure (whose l_ctx member has been set to -ENOMEM)\nas valid and proceed to execute rpc_run_task(), this will trigger a NULL\npointer dereference in nfs4_locku_prepare. For example:\n\nBUG: kernel NULL pointer dereference, address: 000000000000000c\nPGD 0 P4D 0\nOops: Oops: 0000 [#1] SMP PTI\nCPU: 15 UID: 0 PID: 12 Comm: kworker/u64:0 Not tainted 6.15.0-rc2-dirty #60\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40\nWorkqueue: rpciod rpc_async_schedule\nRIP: 0010:nfs4_locku_prepare+0x35/0xc2\nCode: 89 f2 48 89 fd 48 c7 c7 68 69 ef b5 53 48 8b 8e 90 00 00 00 48 89 f3\nRSP: 0018:ffffbbafc006bdb8 EFLAGS: 00010246\nRAX: 000000000000004b RBX: ffff9b964fc1fa00 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: fffffffffffffff4 RDI: ffff9ba53fddbf40\nRBP: ffff9ba539934000 R08: 0000000000000000 R09: ffffbbafc006bc38\nR10: ffffffffb6b689c8 R11: 0000000000000003 R12: ffff9ba539934030\nR13: 0000000000000001 R14: 0000000004248060 R15: ffffffffb56d1c30\nFS: 0000000000000000(0000) GS:ffff9ba5881f0000(0000) knlGS:00000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000000000000000c CR3: 000000093f244000 CR4: 00000000000006f0\nCall Trace:\n \u003cTASK\u003e\n __rpc_execute+0xbc/0x480\n rpc_async_schedule+0x2f/0x40\n process_one_work+0x232/0x5d0\n worker_thread+0x1da/0x3d0\n ? __pfx_worker_thread+0x10/0x10\n kthread+0x10d/0x240\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x34/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30\n \u003c/TASK\u003e\nModules linked in:\nCR2: 000000000000000c\n---[ end trace 0000000000000000 ]---\n\nFree the allocated nfs4_unlockdata when nfs_get_lock_context() fails and\nreturn NULL to terminate subsequent rpc_run_task, preventing NULL pointer\ndereference."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-18T09:28:29.991Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/db6f5ee1fc8f54d079d0751292c2fc2d78e3aad1"
        },
        {
          "url": "https://git.kernel.org/stable/c/4c189fd40a09a03f9a900bedb2d9064f1734d72a"
        },
        {
          "url": "https://git.kernel.org/stable/c/72f552e00c50f265896d3c19edc6696aa2910081"
        },
        {
          "url": "https://git.kernel.org/stable/c/85fb7f8ca5f8c138579fdfc9b97b3083e6077d40"
        },
        {
          "url": "https://git.kernel.org/stable/c/a6879a076b98c99c9fe747816fe1c29543442441"
        },
        {
          "url": "https://git.kernel.org/stable/c/da824f1271633bcb515ca8084cda3eda4b3ace51"
        },
        {
          "url": "https://git.kernel.org/stable/c/f601960af04d2ecb007c928ba153d34051acd9c1"
        },
        {
          "url": "https://git.kernel.org/stable/c/c457dc1ec770a22636b473ce5d35614adfe97636"
        }
      ],
      "title": "nfs: handle failure of nfs_get_lock_context in unlock path",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38023",
    "datePublished": "2025-06-18T09:28:29.991Z",
    "dateReserved": "2025-04-16T04:51:23.977Z",
    "dateUpdated": "2025-11-03T19:58:22.071Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38122 (GCVE-0-2025-38122)

Vulnerability from cvelistv5

Published

2025-07-03 08:35

Modified

2025-11-03 17:34

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: gve: add missing NULL check for gve_alloc_pending_packet() in TX DQO gve_alloc_pending_packet() can return NULL, but gve_tx_add_skb_dqo() did not check for this case before dereferencing the returned pointer. Add a missing NULL check to prevent a potential NULL pointer dereference when allocation fails. This improves robustness in low-memory scenarios.

References

URL

Tags

	https://git.kernel.org/stable/c/ae98a1787fdcb0096d122bc80d93c3c7d812c04b
	https://git.kernel.org/stable/c/2e5ead9e4e91fbe7799bd38afd8904543be1cb51
	https://git.kernel.org/stable/c/7f6265fce3bd424ded666481b37f106d7915fb6b
	https://git.kernel.org/stable/c/a0319c9b1648a67511e947a596ca86888451c0a7
	https://git.kernel.org/stable/c/c741a7ef68023ac800054e2131c3e22e647fd7e3
	https://git.kernel.org/stable/c/12c331b29c7397ac3b03584e12902990693bc248

Impacted products

Vendor

Product

Version

Linux

Version: a57e5de476be0b4b7f42beb6a21c19ad9c577aa3
Version: a57e5de476be0b4b7f42beb6a21c19ad9c577aa3
Version: a57e5de476be0b4b7f42beb6a21c19ad9c577aa3
Version: a57e5de476be0b4b7f42beb6a21c19ad9c577aa3
Version: a57e5de476be0b4b7f42beb6a21c19ad9c577aa3
Version: a57e5de476be0b4b7f42beb6a21c19ad9c577aa3

Linux

Version: 5.14

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:34:22.190Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/google/gve/gve_tx_dqo.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ae98a1787fdcb0096d122bc80d93c3c7d812c04b",
              "status": "affected",
              "version": "a57e5de476be0b4b7f42beb6a21c19ad9c577aa3",
              "versionType": "git"
            },
            {
              "lessThan": "2e5ead9e4e91fbe7799bd38afd8904543be1cb51",
              "status": "affected",
              "version": "a57e5de476be0b4b7f42beb6a21c19ad9c577aa3",
              "versionType": "git"
            },
            {
              "lessThan": "7f6265fce3bd424ded666481b37f106d7915fb6b",
              "status": "affected",
              "version": "a57e5de476be0b4b7f42beb6a21c19ad9c577aa3",
              "versionType": "git"
            },
            {
              "lessThan": "a0319c9b1648a67511e947a596ca86888451c0a7",
              "status": "affected",
              "version": "a57e5de476be0b4b7f42beb6a21c19ad9c577aa3",
              "versionType": "git"
            },
            {
              "lessThan": "c741a7ef68023ac800054e2131c3e22e647fd7e3",
              "status": "affected",
              "version": "a57e5de476be0b4b7f42beb6a21c19ad9c577aa3",
              "versionType": "git"
            },
            {
              "lessThan": "12c331b29c7397ac3b03584e12902990693bc248",
              "status": "affected",
              "version": "a57e5de476be0b4b7f42beb6a21c19ad9c577aa3",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/google/gve/gve_tx_dqo.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.14"
            },
            {
              "lessThan": "5.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.94",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngve: add missing NULL check for gve_alloc_pending_packet() in TX DQO\n\ngve_alloc_pending_packet() can return NULL, but gve_tx_add_skb_dqo()\ndid not check for this case before dereferencing the returned pointer.\n\nAdd a missing NULL check to prevent a potential NULL pointer\ndereference when allocation fails.\n\nThis improves robustness in low-memory scenarios."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:12:42.700Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ae98a1787fdcb0096d122bc80d93c3c7d812c04b"
        },
        {
          "url": "https://git.kernel.org/stable/c/2e5ead9e4e91fbe7799bd38afd8904543be1cb51"
        },
        {
          "url": "https://git.kernel.org/stable/c/7f6265fce3bd424ded666481b37f106d7915fb6b"
        },
        {
          "url": "https://git.kernel.org/stable/c/a0319c9b1648a67511e947a596ca86888451c0a7"
        },
        {
          "url": "https://git.kernel.org/stable/c/c741a7ef68023ac800054e2131c3e22e647fd7e3"
        },
        {
          "url": "https://git.kernel.org/stable/c/12c331b29c7397ac3b03584e12902990693bc248"
        }
      ],
      "title": "gve: add missing NULL check for gve_alloc_pending_packet() in TX DQO",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38122",
    "datePublished": "2025-07-03T08:35:28.582Z",
    "dateReserved": "2025-04-16T04:51:23.986Z",
    "dateUpdated": "2025-11-03T17:34:22.190Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-37889 (GCVE-0-2025-37889)

Vulnerability from cvelistv5

Published

2025-05-09 06:45

Modified

2025-11-03 19:57

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: ASoC: ops: Consistently treat platform_max as control value This reverts commit 9bdd10d57a88 ("ASoC: ops: Shift tested values in snd_soc_put_volsw() by +min"), and makes some additional related updates. There are two ways the platform_max could be interpreted; the maximum register value, or the maximum value the control can be set to. The patch moved from treating the value as a control value to a register one. When the patch was applied it was technically correct as snd_soc_limit_volume() also used the register interpretation. However, even then most of the other usages treated platform_max as a control value, and snd_soc_limit_volume() has since been updated to also do so in commit fb9ad24485087 ("ASoC: ops: add correct range check for limiting volume"). That patch however, missed updating snd_soc_put_volsw() back to the control interpretation, and fixing snd_soc_info_volsw_range(). The control interpretation makes more sense as limiting is typically done from the machine driver, so it is appropriate to use the customer facing representation rather than the internal codec representation. Update all the code to consistently use this interpretation of platform_max. Finally, also add some comments to the soc_mixer_control struct to hopefully avoid further patches switching between the two approaches.

References

URL

Tags

	https://git.kernel.org/stable/c/c402f184a053c8e7ca325e50f04bbbc1e4fee019
	https://git.kernel.org/stable/c/694110bc2407a61f02a770cbb5f39b51e4ec77c6
	https://git.kernel.org/stable/c/544055329560d4b64fe204fc6be325ebc24c72ca
	https://git.kernel.org/stable/c/a46a9371f8b9a0eeff53a21e11ed3b65f52d9cf6
	https://git.kernel.org/stable/c/296c8295ae34045da0214882628d49c1c060dd8a
	https://git.kernel.org/stable/c/0eba2a7e858907a746ba69cd002eb9eb4dbd7bf3

Impacted products

Vendor

Product

Version

Linux

Version: c11fc224e58e7972ffd05b8f25e9b1d6a0b8d562
Version: a50562146d6c7650029a115c96ef9aaa7648c344
Version: 395e52b7a1ad01e1b51adb09854a0aa5347428de
Version: fb9ad24485087e0f00d84bee7a5914640b2b9024
Version: fb9ad24485087e0f00d84bee7a5914640b2b9024
Version: fb9ad24485087e0f00d84bee7a5914640b2b9024

Linux

Version: 6.7

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:57:00.804Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/sound/soc.h",
            "sound/soc/soc-ops.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c402f184a053c8e7ca325e50f04bbbc1e4fee019",
              "status": "affected",
              "version": "c11fc224e58e7972ffd05b8f25e9b1d6a0b8d562",
              "versionType": "git"
            },
            {
              "lessThan": "694110bc2407a61f02a770cbb5f39b51e4ec77c6",
              "status": "affected",
              "version": "a50562146d6c7650029a115c96ef9aaa7648c344",
              "versionType": "git"
            },
            {
              "lessThan": "544055329560d4b64fe204fc6be325ebc24c72ca",
              "status": "affected",
              "version": "395e52b7a1ad01e1b51adb09854a0aa5347428de",
              "versionType": "git"
            },
            {
              "lessThan": "a46a9371f8b9a0eeff53a21e11ed3b65f52d9cf6",
              "status": "affected",
              "version": "fb9ad24485087e0f00d84bee7a5914640b2b9024",
              "versionType": "git"
            },
            {
              "lessThan": "296c8295ae34045da0214882628d49c1c060dd8a",
              "status": "affected",
              "version": "fb9ad24485087e0f00d84bee7a5914640b2b9024",
              "versionType": "git"
            },
            {
              "lessThan": "0eba2a7e858907a746ba69cd002eb9eb4dbd7bf3",
              "status": "affected",
              "version": "fb9ad24485087e0f00d84bee7a5914640b2b9024",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/sound/soc.h",
            "sound/soc/soc-ops.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.7"
            },
            {
              "lessThan": "6.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.180",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.132",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.84",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.20",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.180",
                  "versionStartIncluding": "5.15.148",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.132",
                  "versionStartIncluding": "6.1.74",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.84",
                  "versionStartIncluding": "6.6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.20",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.8",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: ops: Consistently treat platform_max as control value\n\nThis reverts commit 9bdd10d57a88 (\"ASoC: ops: Shift tested values in\nsnd_soc_put_volsw() by +min\"), and makes some additional related\nupdates.\n\nThere are two ways the platform_max could be interpreted; the maximum\nregister value, or the maximum value the control can be set to. The\npatch moved from treating the value as a control value to a register\none. When the patch was applied it was technically correct as\nsnd_soc_limit_volume() also used the register interpretation. However,\neven then most of the other usages treated platform_max as a\ncontrol value, and snd_soc_limit_volume() has since been updated to\nalso do so in commit fb9ad24485087 (\"ASoC: ops: add correct range\ncheck for limiting volume\"). That patch however, missed updating\nsnd_soc_put_volsw() back to the control interpretation, and fixing\nsnd_soc_info_volsw_range(). The control interpretation makes more\nsense as limiting is typically done from the machine driver, so it is\nappropriate to use the customer facing representation rather than the\ninternal codec representation. Update all the code to consistently use\nthis interpretation of platform_max.\n\nFinally, also add some comments to the soc_mixer_control struct to\nhopefully avoid further patches switching between the two approaches."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-10T14:09:43.898Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c402f184a053c8e7ca325e50f04bbbc1e4fee019"
        },
        {
          "url": "https://git.kernel.org/stable/c/694110bc2407a61f02a770cbb5f39b51e4ec77c6"
        },
        {
          "url": "https://git.kernel.org/stable/c/544055329560d4b64fe204fc6be325ebc24c72ca"
        },
        {
          "url": "https://git.kernel.org/stable/c/a46a9371f8b9a0eeff53a21e11ed3b65f52d9cf6"
        },
        {
          "url": "https://git.kernel.org/stable/c/296c8295ae34045da0214882628d49c1c060dd8a"
        },
        {
          "url": "https://git.kernel.org/stable/c/0eba2a7e858907a746ba69cd002eb9eb4dbd7bf3"
        }
      ],
      "title": "ASoC: ops: Consistently treat platform_max as control value",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37889",
    "datePublished": "2025-05-09T06:45:50.868Z",
    "dateReserved": "2025-04-16T04:51:23.963Z",
    "dateUpdated": "2025-11-03T19:57:00.804Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38375 (GCVE-0-2025-38375)

Vulnerability from cvelistv5

Published

2025-07-25 12:53

Modified

2025-11-03 17:37

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: virtio-net: ensure the received length does not exceed allocated size In xdp_linearize_page, when reading the following buffers from the ring, we forget to check the received length with the true allocate size. This can lead to an out-of-bound read. This commit adds that missing check.

References

URL

Tags

	https://git.kernel.org/stable/c/773e95c268b5d859f51f7547559734fd2a57660c
	https://git.kernel.org/stable/c/ddc8649d363141fb3371dd81a73e1cb4ef8ed1e1
	https://git.kernel.org/stable/c/982beb7582c193544eb9c6083937ec5ac1c9d651
	https://git.kernel.org/stable/c/6aca3dad2145e864dfe4d1060f45eb1bac75dd58
	https://git.kernel.org/stable/c/80b971be4c37a4d23a7f1abc5ff33dc7733d649b
	https://git.kernel.org/stable/c/bc68bc3563344ccdc57d1961457cdeecab8f81ef
	https://git.kernel.org/stable/c/11f2d0e8be2b5e784ac45fa3da226492c3e506d8
	https://git.kernel.org/stable/c/315dbdd7cdf6aa533829774caaf4d25f1fd20e73

Impacted products

Vendor

Product

Version

Linux

Version: 4941d472bf95b4345d6e38906fcf354e74afa311
Version: 4941d472bf95b4345d6e38906fcf354e74afa311
Version: 4941d472bf95b4345d6e38906fcf354e74afa311
Version: 4941d472bf95b4345d6e38906fcf354e74afa311
Version: 4941d472bf95b4345d6e38906fcf354e74afa311
Version: 4941d472bf95b4345d6e38906fcf354e74afa311
Version: 4941d472bf95b4345d6e38906fcf354e74afa311
Version: 4941d472bf95b4345d6e38906fcf354e74afa311

Linux

Version: 4.14

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:37:12.435Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/virtio_net.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "773e95c268b5d859f51f7547559734fd2a57660c",
              "status": "affected",
              "version": "4941d472bf95b4345d6e38906fcf354e74afa311",
              "versionType": "git"
            },
            {
              "lessThan": "ddc8649d363141fb3371dd81a73e1cb4ef8ed1e1",
              "status": "affected",
              "version": "4941d472bf95b4345d6e38906fcf354e74afa311",
              "versionType": "git"
            },
            {
              "lessThan": "982beb7582c193544eb9c6083937ec5ac1c9d651",
              "status": "affected",
              "version": "4941d472bf95b4345d6e38906fcf354e74afa311",
              "versionType": "git"
            },
            {
              "lessThan": "6aca3dad2145e864dfe4d1060f45eb1bac75dd58",
              "status": "affected",
              "version": "4941d472bf95b4345d6e38906fcf354e74afa311",
              "versionType": "git"
            },
            {
              "lessThan": "80b971be4c37a4d23a7f1abc5ff33dc7733d649b",
              "status": "affected",
              "version": "4941d472bf95b4345d6e38906fcf354e74afa311",
              "versionType": "git"
            },
            {
              "lessThan": "bc68bc3563344ccdc57d1961457cdeecab8f81ef",
              "status": "affected",
              "version": "4941d472bf95b4345d6e38906fcf354e74afa311",
              "versionType": "git"
            },
            {
              "lessThan": "11f2d0e8be2b5e784ac45fa3da226492c3e506d8",
              "status": "affected",
              "version": "4941d472bf95b4345d6e38906fcf354e74afa311",
              "versionType": "git"
            },
            {
              "lessThan": "315dbdd7cdf6aa533829774caaf4d25f1fd20e73",
              "status": "affected",
              "version": "4941d472bf95b4345d6e38906fcf354e74afa311",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/virtio_net.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.14"
            },
            {
              "lessThan": "4.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.297",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.241",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.189",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.144",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.97",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.37",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.297",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.241",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.189",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.144",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.97",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.37",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.6",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio-net: ensure the received length does not exceed allocated size\n\nIn xdp_linearize_page, when reading the following buffers from the ring,\nwe forget to check the received length with the true allocate size. This\ncan lead to an out-of-bound read. This commit adds that missing check."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-28T14:43:06.603Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/773e95c268b5d859f51f7547559734fd2a57660c"
        },
        {
          "url": "https://git.kernel.org/stable/c/ddc8649d363141fb3371dd81a73e1cb4ef8ed1e1"
        },
        {
          "url": "https://git.kernel.org/stable/c/982beb7582c193544eb9c6083937ec5ac1c9d651"
        },
        {
          "url": "https://git.kernel.org/stable/c/6aca3dad2145e864dfe4d1060f45eb1bac75dd58"
        },
        {
          "url": "https://git.kernel.org/stable/c/80b971be4c37a4d23a7f1abc5ff33dc7733d649b"
        },
        {
          "url": "https://git.kernel.org/stable/c/bc68bc3563344ccdc57d1961457cdeecab8f81ef"
        },
        {
          "url": "https://git.kernel.org/stable/c/11f2d0e8be2b5e784ac45fa3da226492c3e506d8"
        },
        {
          "url": "https://git.kernel.org/stable/c/315dbdd7cdf6aa533829774caaf4d25f1fd20e73"
        }
      ],
      "title": "virtio-net: ensure the received length does not exceed allocated size",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38375",
    "datePublished": "2025-07-25T12:53:17.629Z",
    "dateReserved": "2025-04-16T04:51:24.009Z",
    "dateUpdated": "2025-11-03T17:37:12.435Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-23147 (GCVE-0-2025-23147)

Vulnerability from cvelistv5

Published

2025-05-01 12:55

Modified

2025-11-03 19:42

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: i3c: Add NULL pointer check in i3c_master_queue_ibi() The I3C master driver may receive an IBI from a target device that has not been probed yet. In such cases, the master calls `i3c_master_queue_ibi()` to queue an IBI work task, leading to "Unable to handle kernel read from unreadable memory" and resulting in a kernel panic. Typical IBI handling flow: 1. The I3C master scans target devices and probes their respective drivers. 2. The target device driver calls `i3c_device_request_ibi()` to enable IBI and assigns `dev->ibi = ibi`. 3. The I3C master receives an IBI from the target device and calls `i3c_master_queue_ibi()` to queue the target device driver’s IBI handler task. However, since target device events are asynchronous to the I3C probe sequence, step 3 may occur before step 2, causing `dev->ibi` to be `NULL`, leading to a kernel panic. Add a NULL pointer check in `i3c_master_queue_ibi()` to prevent accessing an uninitialized `dev->ibi`, ensuring stability.

References

URL

Tags

	https://git.kernel.org/stable/c/1b54faa5f47fa7c642179744aeff03f0810dc62e
	https://git.kernel.org/stable/c/09359e7c8751961937cb5fc50220969b0a4e1058
	https://git.kernel.org/stable/c/3ba402610843d7d15c7f3966a461deeeaff7fba4
	https://git.kernel.org/stable/c/d83b0c03ef8fbea2f03029a1cc1f5041f0e1d47f
	https://git.kernel.org/stable/c/6871a676aa534e8f218279672e0445c725f81026
	https://git.kernel.org/stable/c/e6bba328578feb58c614c11868c259b40484c5fa
	https://git.kernel.org/stable/c/fe4a4fc179b7898055555a11685915473588392e
	https://git.kernel.org/stable/c/ff9d61db59bb27d16d3f872bff2620d50856b80c
	https://git.kernel.org/stable/c/bd496a44f041da9ef3afe14d1d6193d460424e91

Impacted products

Vendor

Product

Version

Linux

Version: 3a379bbcea0af6280e1ca0d1edfcf4e68cde6ee0
Version: 3a379bbcea0af6280e1ca0d1edfcf4e68cde6ee0
Version: 3a379bbcea0af6280e1ca0d1edfcf4e68cde6ee0
Version: 3a379bbcea0af6280e1ca0d1edfcf4e68cde6ee0
Version: 3a379bbcea0af6280e1ca0d1edfcf4e68cde6ee0
Version: 3a379bbcea0af6280e1ca0d1edfcf4e68cde6ee0
Version: 3a379bbcea0af6280e1ca0d1edfcf4e68cde6ee0
Version: 3a379bbcea0af6280e1ca0d1edfcf4e68cde6ee0
Version: 3a379bbcea0af6280e1ca0d1edfcf4e68cde6ee0

Linux

Version: 5.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:42:41.362Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/i3c/master.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1b54faa5f47fa7c642179744aeff03f0810dc62e",
              "status": "affected",
              "version": "3a379bbcea0af6280e1ca0d1edfcf4e68cde6ee0",
              "versionType": "git"
            },
            {
              "lessThan": "09359e7c8751961937cb5fc50220969b0a4e1058",
              "status": "affected",
              "version": "3a379bbcea0af6280e1ca0d1edfcf4e68cde6ee0",
              "versionType": "git"
            },
            {
              "lessThan": "3ba402610843d7d15c7f3966a461deeeaff7fba4",
              "status": "affected",
              "version": "3a379bbcea0af6280e1ca0d1edfcf4e68cde6ee0",
              "versionType": "git"
            },
            {
              "lessThan": "d83b0c03ef8fbea2f03029a1cc1f5041f0e1d47f",
              "status": "affected",
              "version": "3a379bbcea0af6280e1ca0d1edfcf4e68cde6ee0",
              "versionType": "git"
            },
            {
              "lessThan": "6871a676aa534e8f218279672e0445c725f81026",
              "status": "affected",
              "version": "3a379bbcea0af6280e1ca0d1edfcf4e68cde6ee0",
              "versionType": "git"
            },
            {
              "lessThan": "e6bba328578feb58c614c11868c259b40484c5fa",
              "status": "affected",
              "version": "3a379bbcea0af6280e1ca0d1edfcf4e68cde6ee0",
              "versionType": "git"
            },
            {
              "lessThan": "fe4a4fc179b7898055555a11685915473588392e",
              "status": "affected",
              "version": "3a379bbcea0af6280e1ca0d1edfcf4e68cde6ee0",
              "versionType": "git"
            },
            {
              "lessThan": "ff9d61db59bb27d16d3f872bff2620d50856b80c",
              "status": "affected",
              "version": "3a379bbcea0af6280e1ca0d1edfcf4e68cde6ee0",
              "versionType": "git"
            },
            {
              "lessThan": "bd496a44f041da9ef3afe14d1d6193d460424e91",
              "status": "affected",
              "version": "3a379bbcea0af6280e1ca0d1edfcf4e68cde6ee0",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/i3c/master.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.0"
            },
            {
              "lessThan": "5.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.293",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.237",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.181",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.135",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.24",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.293",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.237",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.181",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.135",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.88",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.24",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.12",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.3",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni3c: Add NULL pointer check in i3c_master_queue_ibi()\n\nThe I3C master driver may receive an IBI from a target device that has not\nbeen probed yet. In such cases, the master calls `i3c_master_queue_ibi()`\nto queue an IBI work task, leading to \"Unable to handle kernel read from\nunreadable memory\" and resulting in a kernel panic.\n\nTypical IBI handling flow:\n1. The I3C master scans target devices and probes their respective drivers.\n2. The target device driver calls `i3c_device_request_ibi()` to enable IBI\n   and assigns `dev-\u003eibi = ibi`.\n3. The I3C master receives an IBI from the target device and calls\n   `i3c_master_queue_ibi()` to queue the target device driver\u2019s IBI\n   handler task.\n\nHowever, since target device events are asynchronous to the I3C probe\nsequence, step 3 may occur before step 2, causing `dev-\u003eibi` to be `NULL`,\nleading to a kernel panic.\n\nAdd a NULL pointer check in `i3c_master_queue_ibi()` to prevent accessing\nan uninitialized `dev-\u003eibi`, ensuring stability."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:19:28.025Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1b54faa5f47fa7c642179744aeff03f0810dc62e"
        },
        {
          "url": "https://git.kernel.org/stable/c/09359e7c8751961937cb5fc50220969b0a4e1058"
        },
        {
          "url": "https://git.kernel.org/stable/c/3ba402610843d7d15c7f3966a461deeeaff7fba4"
        },
        {
          "url": "https://git.kernel.org/stable/c/d83b0c03ef8fbea2f03029a1cc1f5041f0e1d47f"
        },
        {
          "url": "https://git.kernel.org/stable/c/6871a676aa534e8f218279672e0445c725f81026"
        },
        {
          "url": "https://git.kernel.org/stable/c/e6bba328578feb58c614c11868c259b40484c5fa"
        },
        {
          "url": "https://git.kernel.org/stable/c/fe4a4fc179b7898055555a11685915473588392e"
        },
        {
          "url": "https://git.kernel.org/stable/c/ff9d61db59bb27d16d3f872bff2620d50856b80c"
        },
        {
          "url": "https://git.kernel.org/stable/c/bd496a44f041da9ef3afe14d1d6193d460424e91"
        }
      ],
      "title": "i3c: Add NULL pointer check in i3c_master_queue_ibi()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-23147",
    "datePublished": "2025-05-01T12:55:36.099Z",
    "dateReserved": "2025-01-11T14:28:41.513Z",
    "dateUpdated": "2025-11-03T19:42:41.362Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38186 (GCVE-0-2025-38186)

Vulnerability from cvelistv5

Published

2025-07-04 13:37

Modified

2025-07-28 04:14

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Fix double invocation of bnxt_ulp_stop()/bnxt_ulp_start() Before the commit under the Fixes tag below, bnxt_ulp_stop() and bnxt_ulp_start() were always invoked in pairs. After that commit, the new bnxt_ulp_restart() can be invoked after bnxt_ulp_stop() has been called. This may result in the RoCE driver's aux driver .suspend() method being invoked twice. The 2nd bnxt_re_suspend() call will crash when it dereferences a NULL pointer: (NULL ib_device): Handle device suspend call BUG: kernel NULL pointer dereference, address: 0000000000000b78 PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP PTI CPU: 20 UID: 0 PID: 181 Comm: kworker/u96:5 Tainted: G S 6.15.0-rc1 #4 PREEMPT(voluntary) Tainted: [S]=CPU_OUT_OF_SPEC Hardware name: Dell Inc. PowerEdge R730/072T6D, BIOS 2.4.3 01/17/2017 Workqueue: bnxt_pf_wq bnxt_sp_task [bnxt_en] RIP: 0010:bnxt_re_suspend+0x45/0x1f0 [bnxt_re] Code: 8b 05 a7 3c 5b f5 48 89 44 24 18 31 c0 49 8b 5c 24 08 4d 8b 2c 24 e8 ea 06 0a f4 48 c7 c6 04 60 52 c0 48 89 df e8 1b ce f9 ff <48> 8b 83 78 0b 00 00 48 8b 80 38 03 00 00 a8 40 0f 85 b5 00 00 00 RSP: 0018:ffffa2e84084fd88 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000001 RDX: 0000000000000000 RSI: ffffffffb4b6b934 RDI: 00000000ffffffff RBP: ffffa1760954c9c0 R08: 0000000000000000 R09: c0000000ffffdfff R10: 0000000000000001 R11: ffffa2e84084fb50 R12: ffffa176031ef070 R13: ffffa17609775000 R14: ffffa17603adc180 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffffa17daa397000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000b78 CR3: 00000004aaa30003 CR4: 00000000003706f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> bnxt_ulp_stop+0x69/0x90 [bnxt_en] bnxt_sp_task+0x678/0x920 [bnxt_en] ? __schedule+0x514/0xf50 process_scheduled_works+0x9d/0x400 worker_thread+0x11c/0x260 ? __pfx_worker_thread+0x10/0x10 kthread+0xfe/0x1e0 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x2b/0x40 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 Check the BNXT_EN_FLAG_ULP_STOPPED flag and do not proceed if the flag is already set. This will preserve the original symmetrical bnxt_ulp_stop() and bnxt_ulp_start(). Also, inside bnxt_ulp_start(), clear the BNXT_EN_FLAG_ULP_STOPPED flag after taking the mutex to avoid any race condition. And for symmetry, only proceed in bnxt_ulp_start() if the BNXT_EN_FLAG_ULP_STOPPED is set.

References

URL

Tags

	https://git.kernel.org/stable/c/6f2cd309492924b8afd2c62aebff815c1119d124
	https://git.kernel.org/stable/c/cca4ffd4a5b768752b91f6f75d77928e47886913
	https://git.kernel.org/stable/c/1e9ac33fa271be0d2480fd732f9642d81542500b

Impacted products

Vendor

Product

Version

Linux

Version: 3c163f35bd50314d4e70ed9e83e1d8d83c473325
Version: 3c163f35bd50314d4e70ed9e83e1d8d83c473325
Version: 3c163f35bd50314d4e70ed9e83e1d8d83c473325

Linux

Version: 6.10

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6f2cd309492924b8afd2c62aebff815c1119d124",
              "status": "affected",
              "version": "3c163f35bd50314d4e70ed9e83e1d8d83c473325",
              "versionType": "git"
            },
            {
              "lessThan": "cca4ffd4a5b768752b91f6f75d77928e47886913",
              "status": "affected",
              "version": "3c163f35bd50314d4e70ed9e83e1d8d83c473325",
              "versionType": "git"
            },
            {
              "lessThan": "1e9ac33fa271be0d2480fd732f9642d81542500b",
              "status": "affected",
              "version": "3c163f35bd50314d4e70ed9e83e1d8d83c473325",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.10"
            },
            {
              "lessThan": "6.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.35",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.35",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.4",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt_en: Fix double invocation of bnxt_ulp_stop()/bnxt_ulp_start()\n\nBefore the commit under the Fixes tag below, bnxt_ulp_stop() and\nbnxt_ulp_start() were always invoked in pairs.  After that commit,\nthe new bnxt_ulp_restart() can be invoked after bnxt_ulp_stop()\nhas been called.  This may result in the RoCE driver\u0027s aux driver\n.suspend() method being invoked twice.  The 2nd bnxt_re_suspend()\ncall will crash when it dereferences a NULL pointer:\n\n(NULL ib_device): Handle device suspend call\nBUG: kernel NULL pointer dereference, address: 0000000000000b78\nPGD 0 P4D 0\nOops: Oops: 0000 [#1] SMP PTI\nCPU: 20 UID: 0 PID: 181 Comm: kworker/u96:5 Tainted: G S                  6.15.0-rc1 #4 PREEMPT(voluntary)\nTainted: [S]=CPU_OUT_OF_SPEC\nHardware name: Dell Inc. PowerEdge R730/072T6D, BIOS 2.4.3 01/17/2017\nWorkqueue: bnxt_pf_wq bnxt_sp_task [bnxt_en]\nRIP: 0010:bnxt_re_suspend+0x45/0x1f0 [bnxt_re]\nCode: 8b 05 a7 3c 5b f5 48 89 44 24 18 31 c0 49 8b 5c 24 08 4d 8b 2c 24 e8 ea 06 0a f4 48 c7 c6 04 60 52 c0 48 89 df e8 1b ce f9 ff \u003c48\u003e 8b 83 78 0b 00 00 48 8b 80 38 03 00 00 a8 40 0f 85 b5 00 00 00\nRSP: 0018:ffffa2e84084fd88 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000001\nRDX: 0000000000000000 RSI: ffffffffb4b6b934 RDI: 00000000ffffffff\nRBP: ffffa1760954c9c0 R08: 0000000000000000 R09: c0000000ffffdfff\nR10: 0000000000000001 R11: ffffa2e84084fb50 R12: ffffa176031ef070\nR13: ffffa17609775000 R14: ffffa17603adc180 R15: 0000000000000000\nFS:  0000000000000000(0000) GS:ffffa17daa397000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000b78 CR3: 00000004aaa30003 CR4: 00000000003706f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n\u003cTASK\u003e\nbnxt_ulp_stop+0x69/0x90 [bnxt_en]\nbnxt_sp_task+0x678/0x920 [bnxt_en]\n? __schedule+0x514/0xf50\nprocess_scheduled_works+0x9d/0x400\nworker_thread+0x11c/0x260\n? __pfx_worker_thread+0x10/0x10\nkthread+0xfe/0x1e0\n? __pfx_kthread+0x10/0x10\nret_from_fork+0x2b/0x40\n? __pfx_kthread+0x10/0x10\nret_from_fork_asm+0x1a/0x30\n\nCheck the BNXT_EN_FLAG_ULP_STOPPED flag and do not proceed if the flag\nis already set.  This will preserve the original symmetrical\nbnxt_ulp_stop() and bnxt_ulp_start().\n\nAlso, inside bnxt_ulp_start(), clear the BNXT_EN_FLAG_ULP_STOPPED\nflag after taking the mutex to avoid any race condition.  And for\nsymmetry, only proceed in bnxt_ulp_start() if the\nBNXT_EN_FLAG_ULP_STOPPED is set."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:14:31.116Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/6f2cd309492924b8afd2c62aebff815c1119d124"
        },
        {
          "url": "https://git.kernel.org/stable/c/cca4ffd4a5b768752b91f6f75d77928e47886913"
        },
        {
          "url": "https://git.kernel.org/stable/c/1e9ac33fa271be0d2480fd732f9642d81542500b"
        }
      ],
      "title": "bnxt_en: Fix double invocation of bnxt_ulp_stop()/bnxt_ulp_start()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38186",
    "datePublished": "2025-07-04T13:37:12.484Z",
    "dateReserved": "2025-04-16T04:51:23.992Z",
    "dateUpdated": "2025-07-28T04:14:31.116Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-37979 (GCVE-0-2025-37979)

Vulnerability from cvelistv5

Published

2025-05-20 16:58

Modified

2025-11-03 19:57

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: ASoC: qcom: Fix sc7280 lpass potential buffer overflow Case values introduced in commit 5f78e1fb7a3e ("ASoC: qcom: Add driver support for audioreach solution") cause out of bounds access in arrays of sc7280 driver data (e.g. in case of RX_CODEC_DMA_RX_0 in sc7280_snd_hw_params()). Redefine LPASS_MAX_PORTS to consider the maximum possible port id for q6dsp as sc7280 driver utilizes some of those values. Found by Linux Verification Center (linuxtesting.org) with SVACE.

References

URL

Tags

	https://git.kernel.org/stable/c/d78888853eb53f47ae16cf3aa5d0444d0331b9f8
	https://git.kernel.org/stable/c/a12c14577882b1f2b4cff0f86265682f16e97b0c
	https://git.kernel.org/stable/c/c0ce01e0ff8a0d61a7b089ab309cdc12bc527c39
	https://git.kernel.org/stable/c/b807b7c81a6d066757a94af7b8fa5b6a37e4d0b3
	https://git.kernel.org/stable/c/a31a4934b31faea76e735bab17e63d02fcd8e029

Impacted products

Vendor

Product

Version

Linux

Version: 77d0ffef793da818741127f4905a3e3d45d05ac7
Version: 77d0ffef793da818741127f4905a3e3d45d05ac7
Version: 77d0ffef793da818741127f4905a3e3d45d05ac7
Version: 77d0ffef793da818741127f4905a3e3d45d05ac7
Version: 77d0ffef793da818741127f4905a3e3d45d05ac7

Linux

Version: 5.18

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:57:56.701Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "sound/soc/qcom/lpass.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d78888853eb53f47ae16cf3aa5d0444d0331b9f8",
              "status": "affected",
              "version": "77d0ffef793da818741127f4905a3e3d45d05ac7",
              "versionType": "git"
            },
            {
              "lessThan": "a12c14577882b1f2b4cff0f86265682f16e97b0c",
              "status": "affected",
              "version": "77d0ffef793da818741127f4905a3e3d45d05ac7",
              "versionType": "git"
            },
            {
              "lessThan": "c0ce01e0ff8a0d61a7b089ab309cdc12bc527c39",
              "status": "affected",
              "version": "77d0ffef793da818741127f4905a3e3d45d05ac7",
              "versionType": "git"
            },
            {
              "lessThan": "b807b7c81a6d066757a94af7b8fa5b6a37e4d0b3",
              "status": "affected",
              "version": "77d0ffef793da818741127f4905a3e3d45d05ac7",
              "versionType": "git"
            },
            {
              "lessThan": "a31a4934b31faea76e735bab17e63d02fcd8e029",
              "status": "affected",
              "version": "77d0ffef793da818741127f4905a3e3d45d05ac7",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "sound/soc/qcom/lpass.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.18"
            },
            {
              "lessThan": "5.18",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.136",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.25",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.136",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.88",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.25",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.4",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: qcom: Fix sc7280 lpass potential buffer overflow\n\nCase values introduced in commit\n5f78e1fb7a3e (\"ASoC: qcom: Add driver support for audioreach solution\")\ncause out of bounds access in arrays of sc7280 driver data (e.g. in case\nof RX_CODEC_DMA_RX_0 in sc7280_snd_hw_params()).\n\nRedefine LPASS_MAX_PORTS to consider the maximum possible port id for\nq6dsp as sc7280 driver utilizes some of those values.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:24:59.634Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d78888853eb53f47ae16cf3aa5d0444d0331b9f8"
        },
        {
          "url": "https://git.kernel.org/stable/c/a12c14577882b1f2b4cff0f86265682f16e97b0c"
        },
        {
          "url": "https://git.kernel.org/stable/c/c0ce01e0ff8a0d61a7b089ab309cdc12bc527c39"
        },
        {
          "url": "https://git.kernel.org/stable/c/b807b7c81a6d066757a94af7b8fa5b6a37e4d0b3"
        },
        {
          "url": "https://git.kernel.org/stable/c/a31a4934b31faea76e735bab17e63d02fcd8e029"
        }
      ],
      "title": "ASoC: qcom: Fix sc7280 lpass potential buffer overflow",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37979",
    "datePublished": "2025-05-20T16:58:22.103Z",
    "dateReserved": "2025-04-16T04:51:23.975Z",
    "dateUpdated": "2025-11-03T19:57:56.701Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21701 (GCVE-0-2025-21701)

Vulnerability from cvelistv5

Published

2025-02-13 15:05

Modified

2025-11-03 19:35

Severity ?

7.4 (High) - CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: net: avoid race between device unregistration and ethnl ops The following trace can be seen if a device is being unregistered while its number of channels are being modified. DEBUG_LOCKS_WARN_ON(lock->magic != lock) WARNING: CPU: 3 PID: 3754 at kernel/locking/mutex.c:564 __mutex_lock+0xc8a/0x1120 CPU: 3 UID: 0 PID: 3754 Comm: ethtool Not tainted 6.13.0-rc6+ #771 RIP: 0010:__mutex_lock+0xc8a/0x1120 Call Trace: <TASK> ethtool_check_max_channel+0x1ea/0x880 ethnl_set_channels+0x3c3/0xb10 ethnl_default_set_doit+0x306/0x650 genl_family_rcv_msg_doit+0x1e3/0x2c0 genl_rcv_msg+0x432/0x6f0 netlink_rcv_skb+0x13d/0x3b0 genl_rcv+0x28/0x40 netlink_unicast+0x42e/0x720 netlink_sendmsg+0x765/0xc20 __sys_sendto+0x3ac/0x420 __x64_sys_sendto+0xe0/0x1c0 do_syscall_64+0x95/0x180 entry_SYSCALL_64_after_hwframe+0x76/0x7e This is because unregister_netdevice_many_notify might run before the rtnl lock section of ethnl operations, eg. set_channels in the above example. In this example the rss lock would be destroyed by the device unregistration path before being used again, but in general running ethnl operations while dismantle has started is not a good idea. Fix this by denying any operation on devices being unregistered. A check was already there in ethnl_ops_begin, but not wide enough. Note that the same issue cannot be seen on the ioctl version (__dev_ethtool) because the device reference is retrieved from within the rtnl lock section there. Once dismantle started, the net device is unlisted and no reference will be found.

References

URL

Tags

	https://git.kernel.org/stable/c/26bc6076798aa4dc83a07d0a386f9e57c94e8517
	https://git.kernel.org/stable/c/b1cb37a31a482df3dd35a6ac166282dac47664f4
	https://git.kernel.org/stable/c/2f29127e94ae9fdc7497331003d6860e9551cdf3
	https://git.kernel.org/stable/c/b382ab9b885cbb665e0e70a727f101c981b4edf3
	https://git.kernel.org/stable/c/4dc880245f9b529fa8f476b5553c799d2848b47b
	https://git.kernel.org/stable/c/12e070eb6964b341b41677fd260af5a305316a1f

Impacted products

Vendor

Product

Version

Linux

Version: cfd719f04267108f5f5bf802b9d7de69e99a99f9
Version: dde91ccfa25fd58f64c397d91b81a4b393100ffa
Version: dde91ccfa25fd58f64c397d91b81a4b393100ffa
Version: dde91ccfa25fd58f64c397d91b81a4b393100ffa
Version: dde91ccfa25fd58f64c397d91b81a4b393100ffa
Version: dde91ccfa25fd58f64c397d91b81a4b393100ffa
Version: 7c26da3be1e9843a15b5318f90db8a564479d2ac

Linux

Version: 5.16

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.4,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21701",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-02T19:15:24.731894Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-362",
                "description": "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-09-02T19:16:21.196Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:35:47.886Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/ethtool/netlink.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "26bc6076798aa4dc83a07d0a386f9e57c94e8517",
              "status": "affected",
              "version": "cfd719f04267108f5f5bf802b9d7de69e99a99f9",
              "versionType": "git"
            },
            {
              "lessThan": "b1cb37a31a482df3dd35a6ac166282dac47664f4",
              "status": "affected",
              "version": "dde91ccfa25fd58f64c397d91b81a4b393100ffa",
              "versionType": "git"
            },
            {
              "lessThan": "2f29127e94ae9fdc7497331003d6860e9551cdf3",
              "status": "affected",
              "version": "dde91ccfa25fd58f64c397d91b81a4b393100ffa",
              "versionType": "git"
            },
            {
              "lessThan": "b382ab9b885cbb665e0e70a727f101c981b4edf3",
              "status": "affected",
              "version": "dde91ccfa25fd58f64c397d91b81a4b393100ffa",
              "versionType": "git"
            },
            {
              "lessThan": "4dc880245f9b529fa8f476b5553c799d2848b47b",
              "status": "affected",
              "version": "dde91ccfa25fd58f64c397d91b81a4b393100ffa",
              "versionType": "git"
            },
            {
              "lessThan": "12e070eb6964b341b41677fd260af5a305316a1f",
              "status": "affected",
              "version": "dde91ccfa25fd58f64c397d91b81a4b393100ffa",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "7c26da3be1e9843a15b5318f90db8a564479d2ac",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/ethtool/netlink.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.16"
            },
            {
              "lessThan": "5.16",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.76",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "5.15.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.76",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.13",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.2",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.10.87",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: avoid race between device unregistration and ethnl ops\n\nThe following trace can be seen if a device is being unregistered while\nits number of channels are being modified.\n\n  DEBUG_LOCKS_WARN_ON(lock-\u003emagic != lock)\n  WARNING: CPU: 3 PID: 3754 at kernel/locking/mutex.c:564 __mutex_lock+0xc8a/0x1120\n  CPU: 3 UID: 0 PID: 3754 Comm: ethtool Not tainted 6.13.0-rc6+ #771\n  RIP: 0010:__mutex_lock+0xc8a/0x1120\n  Call Trace:\n   \u003cTASK\u003e\n   ethtool_check_max_channel+0x1ea/0x880\n   ethnl_set_channels+0x3c3/0xb10\n   ethnl_default_set_doit+0x306/0x650\n   genl_family_rcv_msg_doit+0x1e3/0x2c0\n   genl_rcv_msg+0x432/0x6f0\n   netlink_rcv_skb+0x13d/0x3b0\n   genl_rcv+0x28/0x40\n   netlink_unicast+0x42e/0x720\n   netlink_sendmsg+0x765/0xc20\n   __sys_sendto+0x3ac/0x420\n   __x64_sys_sendto+0xe0/0x1c0\n   do_syscall_64+0x95/0x180\n   entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nThis is because unregister_netdevice_many_notify might run before the\nrtnl lock section of ethnl operations, eg. set_channels in the above\nexample. In this example the rss lock would be destroyed by the device\nunregistration path before being used again, but in general running\nethnl operations while dismantle has started is not a good idea.\n\nFix this by denying any operation on devices being unregistered. A check\nwas already there in ethnl_ops_begin, but not wide enough.\n\nNote that the same issue cannot be seen on the ioctl version\n(__dev_ethtool) because the device reference is retrieved from within\nthe rtnl lock section there. Once dismantle started, the net device is\nunlisted and no reference will be found."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T13:06:18.444Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/26bc6076798aa4dc83a07d0a386f9e57c94e8517"
        },
        {
          "url": "https://git.kernel.org/stable/c/b1cb37a31a482df3dd35a6ac166282dac47664f4"
        },
        {
          "url": "https://git.kernel.org/stable/c/2f29127e94ae9fdc7497331003d6860e9551cdf3"
        },
        {
          "url": "https://git.kernel.org/stable/c/b382ab9b885cbb665e0e70a727f101c981b4edf3"
        },
        {
          "url": "https://git.kernel.org/stable/c/4dc880245f9b529fa8f476b5553c799d2848b47b"
        },
        {
          "url": "https://git.kernel.org/stable/c/12e070eb6964b341b41677fd260af5a305316a1f"
        }
      ],
      "title": "net: avoid race between device unregistration and ethnl ops",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21701",
    "datePublished": "2025-02-13T15:05:46.483Z",
    "dateReserved": "2024-12-29T08:45:45.748Z",
    "dateUpdated": "2025-11-03T19:35:47.886Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38011 (GCVE-0-2025-38011)

Vulnerability from cvelistv5

Published

2025-06-18 09:28

Modified

2025-07-15 15:43

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: csa unmap use uninterruptible lock After process exit to unmap csa and free GPU vm, if signal is accepted and then waiting to take vm lock is interrupted and return, it causes memory leaking and below warning backtrace. Change to use uninterruptible wait lock fix the issue. WARNING: CPU: 69 PID: 167800 at amd/amdgpu/amdgpu_kms.c:1525 amdgpu_driver_postclose_kms+0x294/0x2a0 [amdgpu] Call Trace: <TASK> drm_file_free.part.0+0x1da/0x230 [drm] drm_close_helper.isra.0+0x65/0x70 [drm] drm_release+0x6a/0x120 [drm] amdgpu_drm_release+0x51/0x60 [amdgpu] __fput+0x9f/0x280 ____fput+0xe/0x20 task_work_run+0x67/0xa0 do_exit+0x217/0x3c0 do_group_exit+0x3b/0xb0 get_signal+0x14a/0x8d0 arch_do_signal_or_restart+0xde/0x100 exit_to_user_mode_loop+0xc1/0x1a0 exit_to_user_mode_prepare+0xf4/0x100 syscall_exit_to_user_mode+0x17/0x40 do_syscall_64+0x69/0xc0 (cherry picked from commit 7dbbfb3c171a6f63b01165958629c9c26abf38ab)

References

URL

Tags

	https://git.kernel.org/stable/c/8d71c3231b33e24a911b8f2d8c3a17ee40aa32d5
	https://git.kernel.org/stable/c/a1adc8d9a0d219d4e88672c30dbc9ea960d73136
	https://git.kernel.org/stable/c/a0fa7873f2f869087b1e7793f7fac3713a1e3afe

Impacted products

Vendor

Product

Version

Linux

Version: 8a206685d36f6f0c6b72637f920ef973ea9cc936
Version: 8a206685d36f6f0c6b72637f920ef973ea9cc936
Version: 8a206685d36f6f0c6b72637f920ef973ea9cc936

Linux

Version: 6.6

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/amdgpu/amdgpu_csa.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "8d71c3231b33e24a911b8f2d8c3a17ee40aa32d5",
              "status": "affected",
              "version": "8a206685d36f6f0c6b72637f920ef973ea9cc936",
              "versionType": "git"
            },
            {
              "lessThan": "a1adc8d9a0d219d4e88672c30dbc9ea960d73136",
              "status": "affected",
              "version": "8a206685d36f6f0c6b72637f920ef973ea9cc936",
              "versionType": "git"
            },
            {
              "lessThan": "a0fa7873f2f869087b1e7793f7fac3713a1e3afe",
              "status": "affected",
              "version": "8a206685d36f6f0c6b72637f920ef973ea9cc936",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/amdgpu/amdgpu_csa.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.6"
            },
            {
              "lessThan": "6.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.30",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.8",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: csa unmap use uninterruptible lock\n\nAfter process exit to unmap csa and free GPU vm, if signal is accepted\nand then waiting to take vm lock is interrupted and return, it causes\nmemory leaking and below warning backtrace.\n\nChange to use uninterruptible wait lock fix the issue.\n\nWARNING: CPU: 69 PID: 167800 at amd/amdgpu/amdgpu_kms.c:1525\n amdgpu_driver_postclose_kms+0x294/0x2a0 [amdgpu]\n Call Trace:\n  \u003cTASK\u003e\n  drm_file_free.part.0+0x1da/0x230 [drm]\n  drm_close_helper.isra.0+0x65/0x70 [drm]\n  drm_release+0x6a/0x120 [drm]\n  amdgpu_drm_release+0x51/0x60 [amdgpu]\n  __fput+0x9f/0x280\n  ____fput+0xe/0x20\n  task_work_run+0x67/0xa0\n  do_exit+0x217/0x3c0\n  do_group_exit+0x3b/0xb0\n  get_signal+0x14a/0x8d0\n  arch_do_signal_or_restart+0xde/0x100\n  exit_to_user_mode_loop+0xc1/0x1a0\n  exit_to_user_mode_prepare+0xf4/0x100\n  syscall_exit_to_user_mode+0x17/0x40\n  do_syscall_64+0x69/0xc0\n\n(cherry picked from commit 7dbbfb3c171a6f63b01165958629c9c26abf38ab)"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-15T15:43:52.921Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/8d71c3231b33e24a911b8f2d8c3a17ee40aa32d5"
        },
        {
          "url": "https://git.kernel.org/stable/c/a1adc8d9a0d219d4e88672c30dbc9ea960d73136"
        },
        {
          "url": "https://git.kernel.org/stable/c/a0fa7873f2f869087b1e7793f7fac3713a1e3afe"
        }
      ],
      "title": "drm/amdgpu: csa unmap use uninterruptible lock",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38011",
    "datePublished": "2025-06-18T09:28:21.453Z",
    "dateReserved": "2025-04-16T04:51:23.977Z",
    "dateUpdated": "2025-07-15T15:43:52.921Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38475 (GCVE-0-2025-38475)

Vulnerability from cvelistv5

Published

2025-07-28 11:21

Modified

2025-07-28 11:21

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: smc: Fix various oops due to inet_sock type confusion. syzbot reported weird splats [0][1] in cipso_v4_sock_setattr() while freeing inet_sk(sk)->inet_opt. The address was freed multiple times even though it was read-only memory. cipso_v4_sock_setattr() did nothing wrong, and the root cause was type confusion. The cited commit made it possible to create smc_sock as an INET socket. The issue is that struct smc_sock does not have struct inet_sock as the first member but hijacks AF_INET and AF_INET6 sk_family, which confuses various places. In this case, inet_sock.inet_opt was actually smc_sock.clcsk_data_ready(), which is an address of a function in the text segment. $ pahole -C inet_sock vmlinux struct inet_sock { ... struct ip_options_rcu * inet_opt; /* 784 8 */ $ pahole -C smc_sock vmlinux struct smc_sock { ... void (*clcsk_data_ready)(struct sock *); /* 784 8 */ The same issue for another field was reported before. [2][3] At that time, an ugly hack was suggested [4], but it makes both INET and SMC code error-prone and hard to change. Also, yet another variant was fixed by a hacky commit 98d4435efcbf3 ("net/smc: prevent NULL pointer dereference in txopt_get"). Instead of papering over the root cause by such hacks, we should not allow non-INET socket to reuse the INET infra. Let's add inet_sock as the first member of smc_sock. [0]: kvfree_call_rcu(): Double-freed call. rcu_head 000000006921da73 WARNING: CPU: 0 PID: 6718 at mm/slab_common.c:1956 kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955 Modules linked in: CPU: 0 UID: 0 PID: 6718 Comm: syz.0.17 Tainted: G W 6.16.0-rc4-syzkaller-g7482bb149b9f #0 PREEMPT Tainted: [W]=WARN Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955 lr : kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955 sp : ffff8000a03a7730 x29: ffff8000a03a7730 x28: 00000000fffffff5 x27: 1fffe000184823d3 x26: dfff800000000000 x25: ffff0000c2411e9e x24: ffff0000dd88da00 x23: ffff8000891ac9a0 x22: 00000000ffffffea x21: ffff8000891ac9a0 x20: ffff8000891ac9a0 x19: ffff80008afc2480 x18: 00000000ffffffff x17: 0000000000000000 x16: ffff80008ae642c8 x15: ffff700011ede14c x14: 1ffff00011ede14c x13: 0000000000000004 x12: ffffffffffffffff x11: ffff700011ede14c x10: 0000000000ff0100 x9 : 5fa3c1ffaf0ff000 x8 : 5fa3c1ffaf0ff000 x7 : 0000000000000001 x6 : 0000000000000001 x5 : ffff8000a03a7078 x4 : ffff80008f766c20 x3 : ffff80008054d360 x2 : 0000000000000000 x1 : 0000000000000201 x0 : 0000000000000000 Call trace: kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955 (P) cipso_v4_sock_setattr+0x2f0/0x3f4 net/ipv4/cipso_ipv4.c:1914 netlbl_sock_setattr+0x240/0x334 net/netlabel/netlabel_kapi.c:1000 smack_netlbl_add+0xa8/0x158 security/smack/smack_lsm.c:2581 smack_inode_setsecurity+0x378/0x430 security/smack/smack_lsm.c:2912 security_inode_setsecurity+0x118/0x3c0 security/security.c:2706 __vfs_setxattr_noperm+0x174/0x5c4 fs/xattr.c:251 __vfs_setxattr_locked+0x1ec/0x218 fs/xattr.c:295 vfs_setxattr+0x158/0x2ac fs/xattr.c:321 do_setxattr fs/xattr.c:636 [inline] file_setxattr+0x1b8/0x294 fs/xattr.c:646 path_setxattrat+0x2ac/0x320 fs/xattr.c:711 __do_sys_fsetxattr fs/xattr.c:761 [inline] __se_sys_fsetxattr fs/xattr.c:758 [inline] __arm64_sys_fsetxattr+0xc0/0xdc fs/xattr.c:758 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151 el0_svc+0x58/0x180 arch/arm64/kernel/entry-common.c:879 el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:898 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600 [ ---truncated---

References

URL

Tags

	https://git.kernel.org/stable/c/5b02e397929e5b13b969ef1f8e43c7951e2864f5
	https://git.kernel.org/stable/c/67a167a6b8b45607bc34aa541d1c75097d18d460
	https://git.kernel.org/stable/c/60ada4fe644edaa6c2da97364184b0425e8aeaf5

Impacted products

Vendor

Product

Version

Linux

Version: d25a92ccae6bed02327b63d138e12e7806830f78
Version: d25a92ccae6bed02327b63d138e12e7806830f78
Version: d25a92ccae6bed02327b63d138e12e7806830f78

Linux

Version: 6.11

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/smc/af_smc.c",
            "net/smc/smc.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5b02e397929e5b13b969ef1f8e43c7951e2864f5",
              "status": "affected",
              "version": "d25a92ccae6bed02327b63d138e12e7806830f78",
              "versionType": "git"
            },
            {
              "lessThan": "67a167a6b8b45607bc34aa541d1c75097d18d460",
              "status": "affected",
              "version": "d25a92ccae6bed02327b63d138e12e7806830f78",
              "versionType": "git"
            },
            {
              "lessThan": "60ada4fe644edaa6c2da97364184b0425e8aeaf5",
              "status": "affected",
              "version": "d25a92ccae6bed02327b63d138e12e7806830f78",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/smc/af_smc.c",
            "net/smc/smc.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.11"
            },
            {
              "lessThan": "6.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.40",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.40",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.8",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmc: Fix various oops due to inet_sock type confusion.\n\nsyzbot reported weird splats [0][1] in cipso_v4_sock_setattr() while\nfreeing inet_sk(sk)-\u003einet_opt.\n\nThe address was freed multiple times even though it was read-only memory.\n\ncipso_v4_sock_setattr() did nothing wrong, and the root cause was type\nconfusion.\n\nThe cited commit made it possible to create smc_sock as an INET socket.\n\nThe issue is that struct smc_sock does not have struct inet_sock as the\nfirst member but hijacks AF_INET and AF_INET6 sk_family, which confuses\nvarious places.\n\nIn this case, inet_sock.inet_opt was actually smc_sock.clcsk_data_ready(),\nwhich is an address of a function in the text segment.\n\n  $ pahole -C inet_sock vmlinux\n  struct inet_sock {\n  ...\n          struct ip_options_rcu *    inet_opt;             /*   784     8 */\n\n  $ pahole -C smc_sock vmlinux\n  struct smc_sock {\n  ...\n          void                       (*clcsk_data_ready)(struct sock *); /*   784     8 */\n\nThe same issue for another field was reported before. [2][3]\n\nAt that time, an ugly hack was suggested [4], but it makes both INET\nand SMC code error-prone and hard to change.\n\nAlso, yet another variant was fixed by a hacky commit 98d4435efcbf3\n(\"net/smc: prevent NULL pointer dereference in txopt_get\").\n\nInstead of papering over the root cause by such hacks, we should not\nallow non-INET socket to reuse the INET infra.\n\nLet\u0027s add inet_sock as the first member of smc_sock.\n\n[0]:\nkvfree_call_rcu(): Double-freed call. rcu_head 000000006921da73\nWARNING: CPU: 0 PID: 6718 at mm/slab_common.c:1956 kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955\nModules linked in:\nCPU: 0 UID: 0 PID: 6718 Comm: syz.0.17 Tainted: G        W           6.16.0-rc4-syzkaller-g7482bb149b9f #0 PREEMPT\nTainted: [W]=WARN\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025\npstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955\nlr : kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955\nsp : ffff8000a03a7730\nx29: ffff8000a03a7730 x28: 00000000fffffff5 x27: 1fffe000184823d3\nx26: dfff800000000000 x25: ffff0000c2411e9e x24: ffff0000dd88da00\nx23: ffff8000891ac9a0 x22: 00000000ffffffea x21: ffff8000891ac9a0\nx20: ffff8000891ac9a0 x19: ffff80008afc2480 x18: 00000000ffffffff\nx17: 0000000000000000 x16: ffff80008ae642c8 x15: ffff700011ede14c\nx14: 1ffff00011ede14c x13: 0000000000000004 x12: ffffffffffffffff\nx11: ffff700011ede14c x10: 0000000000ff0100 x9 : 5fa3c1ffaf0ff000\nx8 : 5fa3c1ffaf0ff000 x7 : 0000000000000001 x6 : 0000000000000001\nx5 : ffff8000a03a7078 x4 : ffff80008f766c20 x3 : ffff80008054d360\nx2 : 0000000000000000 x1 : 0000000000000201 x0 : 0000000000000000\nCall trace:\n kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955 (P)\n cipso_v4_sock_setattr+0x2f0/0x3f4 net/ipv4/cipso_ipv4.c:1914\n netlbl_sock_setattr+0x240/0x334 net/netlabel/netlabel_kapi.c:1000\n smack_netlbl_add+0xa8/0x158 security/smack/smack_lsm.c:2581\n smack_inode_setsecurity+0x378/0x430 security/smack/smack_lsm.c:2912\n security_inode_setsecurity+0x118/0x3c0 security/security.c:2706\n __vfs_setxattr_noperm+0x174/0x5c4 fs/xattr.c:251\n __vfs_setxattr_locked+0x1ec/0x218 fs/xattr.c:295\n vfs_setxattr+0x158/0x2ac fs/xattr.c:321\n do_setxattr fs/xattr.c:636 [inline]\n file_setxattr+0x1b8/0x294 fs/xattr.c:646\n path_setxattrat+0x2ac/0x320 fs/xattr.c:711\n __do_sys_fsetxattr fs/xattr.c:761 [inline]\n __se_sys_fsetxattr fs/xattr.c:758 [inline]\n __arm64_sys_fsetxattr+0xc0/0xdc fs/xattr.c:758\n __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]\n invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49\n el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132\n do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151\n el0_svc+0x58/0x180 arch/arm64/kernel/entry-common.c:879\n el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:898\n el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600\n\n[\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T11:21:36.293Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/5b02e397929e5b13b969ef1f8e43c7951e2864f5"
        },
        {
          "url": "https://git.kernel.org/stable/c/67a167a6b8b45607bc34aa541d1c75097d18d460"
        },
        {
          "url": "https://git.kernel.org/stable/c/60ada4fe644edaa6c2da97364184b0425e8aeaf5"
        }
      ],
      "title": "smc: Fix various oops due to inet_sock type confusion.",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38475",
    "datePublished": "2025-07-28T11:21:36.293Z",
    "dateReserved": "2025-04-16T04:51:24.021Z",
    "dateUpdated": "2025-07-28T11:21:36.293Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-36349 (GCVE-0-2024-36349)

Vulnerability from cvelistv5

Published

2025-07-08 16:42

Modified

2025-07-09 14:00

Severity ?

3.8 (Low) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

CWE

CWE-1420 - Exposure of Sensitive Information during Transient Execution

Summary

A transient execution vulnerability in some AMD processors may allow a user process to infer TSC_AUX even when such a read is disabled, potentially resulting in information leakage.

References

URL

Tags

https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7029.html

Impacted products

Vendor

Product

Version

AMD

AMD EPYC™ 7002 Series Processors

Version: all

AMD	AMD EPYC™ 7003 Series Processors	Version: all
AMD	AMD EPYC™ 9004 Series Processors	Version: all
AMD	AMD EPYC™ 8004 Series Processors	Version: all
AMD	AMD EPYC™ 4004 Series Processors	Version: all
AMD	AMD EPYC™ 9V64H Processor	Version: all
AMD	AMD Ryzen™ 5000 Series Desktop Processors	Version: all
AMD	AMD Ryzen™ 5000 Series Desktop Processor with Radeon™ Graphics	Version: all
AMD	AMD Ryzen™ 3000 Series Desktop Processors	Version: all
AMD	AMD Athlon™ 3000 Series Desktop Processors with Radeon™ Graphics	Version: all
AMD	AMD Ryzen™ 7000 Series Desktop Processors	Version: all
AMD	AMD Ryzen™ 4000 Series Desktop Processor with Radeon™ Graphics	Version: all
AMD	AMD Ryzen™ 8000 Series Processor with Radeon™ Graphics	Version: all
AMD	AMD Ryzen™ Threadripper™ 3000 Series Processors	Version: all
AMD	AMD Ryzen™ Threadripper™ PRO 7000 WX-Series Processors	Version: all
AMD	AMD Ryzen™ Threadripper™ PRO 3000WX Series Processors	Version: all
AMD	AMD Ryzen™ Threadripper™ PRO 5000WX- Series Desktop Processors	Version: all
AMD	AMD Ryzen™ 7020 Series Processors with Radeon™ Graphics	Version: all
AMD	AMD Ryzen™ 6000 Series Processor with Radeon™ Graphics	Version: all
AMD	AMD Ryzen™ 7035 Series Processor with Radeon™ Graphics	Version: all
AMD	AMD Ryzen™ 7000 Series Processors with Radeon™ Graphics	Version: all
AMD	AMD Ryzen™ 7040 Series Processors with Radeon™ Graphics	Version: all
AMD	AMD Ryzen™ 8040 Series Mobile Processors with Radeon™ Graphics	Version: all
AMD	AMD Ryzen™ 7000 Series Mobile Processors	Version: all
AMD	AMD EPYC™ Embedded 7002 Series Processors	Version: all
AMD	AMD EPYC™ Embedded 7003 Series Processors	Version: all
AMD	AMD EPYC™ Embedded 8004 Series Processors	Version: all
AMD	AMD EPYC™ Embedded 9004 Series Processors	Version: all
AMD	AMD Ryzen™ Embedded 5000 Series Processors	Version: all
AMD	AMD Ryzen™ Embedded 7000 Series Processors	Version: all
AMD	AMD Ryzen™ Embedded V2000 Series Processors	Version: all
AMD	AMD Ryzen™ Embedded V3000 Series Processors	Version: all
AMD	AMD EPYC™ 7002 Series Processors	Version: all
AMD	AMD Athlon™ 3000 Series Mobile Processors with Radeon™ Graphics	Version: all
AMD	AMD Ryzen™ 3000 Series Mobile Processor with Radeon™ Graphics	Version: all
AMD	AMD Ryzen™ 7000 Series Mobile Processors	Version: all
AMD	AMD EPYC™ Embedded 3000 Series Processors	Version: all
AMD	AMD Ryzen™ Embedded R1000 Series Processors	Version: all
AMD	AMD Ryzen™ Embedded R2000 Series Processors	Version: all
AMD	AMD Ryzen™ Embedded V1000 Series Processors	Version: all

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-36349",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-09T14:00:30.310556Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-09T14:00:36.439Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "AMD EPYC\u2122 7002 Series Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD EPYC\u2122 7003 Series Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD EPYC\u2122 9004 Series Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD EPYC\u2122 8004 Series Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD EPYC\u2122 4004 Series Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD EPYC\u2122 9V64H Processor",
          "vendor": "AMD",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 5000 Series Desktop Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 5000 Series Desktop Processor with Radeon\u2122 Graphics",
          "vendor": "AMD",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 3000 Series Desktop Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Athlon\u2122 3000 Series Desktop Processors with Radeon\u2122 Graphics",
          "vendor": "AMD",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 7000 Series Desktop Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 4000 Series Desktop Processor with Radeon\u2122 Graphics",
          "vendor": "AMD",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 8000 Series Processor with Radeon\u2122 Graphics",
          "vendor": "AMD",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 Threadripper\u2122 3000 Series Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 Threadripper\u2122 PRO 7000 WX-Series Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 Threadripper\u2122 PRO 3000WX Series Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 Threadripper\u2122 PRO 5000WX- Series Desktop Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 7020 Series Processors with Radeon\u2122 Graphics",
          "vendor": "AMD",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 6000 Series Processor with Radeon\u2122 Graphics",
          "vendor": "AMD",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 7035 Series Processor with Radeon\u2122 Graphics",
          "vendor": "AMD",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 7000 Series Processors with Radeon\u2122 Graphics",
          "vendor": "AMD",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 7040 Series Processors with Radeon\u2122 Graphics",
          "vendor": "AMD",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 8040 Series Mobile Processors with Radeon\u2122 Graphics",
          "vendor": "AMD",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 7000 Series Mobile Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD EPYC\u2122 Embedded 7002 Series Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD EPYC\u2122 Embedded 7003 Series Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD EPYC\u2122 Embedded 8004 Series Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD EPYC\u2122 Embedded 9004 Series Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 Embedded 5000 Series Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 Embedded 7000 Series Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 Embedded V2000 Series Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 Embedded V3000 Series Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD EPYC\u2122 7002 Series Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Athlon\u2122 3000 Series Mobile  Processors with Radeon\u2122 Graphics",
          "vendor": "AMD",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 3000 Series Mobile Processor with Radeon\u2122 Graphics",
          "vendor": "AMD",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 7000 Series Mobile Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD EPYC\u2122  Embedded 3000 Series Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122  Embedded R1000 Series Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122  Embedded R2000 Series Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122  Embedded V1000 Series Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        }
      ],
      "datePublic": "2025-07-08T16:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A transient execution vulnerability in some AMD processors may allow a user process to infer TSC_AUX even when such a read is disabled, potentially resulting in information leakage.\u003cbr\u003e"
            }
          ],
          "value": "A transient execution vulnerability in some AMD processors may allow a user process to infer TSC_AUX even when such a read is disabled, potentially resulting in information leakage."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 3.8,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1420",
              "description": "CWE-1420  Exposure of Sensitive Information during Transient Execution",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-08T16:42:17.471Z",
        "orgId": "b58fc414-a1e4-4f92-9d70-1add41838648",
        "shortName": "AMD"
      },
      "references": [
        {
          "url": "https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7029.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b58fc414-a1e4-4f92-9d70-1add41838648",
    "assignerShortName": "AMD",
    "cveId": "CVE-2024-36349",
    "datePublished": "2025-07-08T16:42:17.471Z",
    "dateReserved": "2024-05-23T19:44:50.000Z",
    "dateUpdated": "2025-07-09T14:00:36.439Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38197 (GCVE-0-2025-38197)

Vulnerability from cvelistv5

Published

2025-07-04 13:37

Modified

2025-11-03 17:35

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: platform/x86: dell_rbu: Fix list usage Pass the correct list head to list_for_each_entry*() when looping through the packet list. Without this patch, reading the packet data via sysfs will show the data incorrectly (because it starts at the wrong packet), and clearing the packet list will result in a NULL pointer dereference.

References

URL

Tags

	https://git.kernel.org/stable/c/5e8c658acd1b7c186aeffa46bf08795e121f401a
	https://git.kernel.org/stable/c/07d7b8e7ef7d1f812a6211ed531947c56d09e95e
	https://git.kernel.org/stable/c/a7b477b64ef5e37cb08dd536ae07c46f9f28262e
	https://git.kernel.org/stable/c/f3b840fb1508a80cd8a0efb5c886ae1995a88b24
	https://git.kernel.org/stable/c/4d71f2c1e5263a9f042faa71d59515709869dc79
	https://git.kernel.org/stable/c/32d05e6cc3a7bf6c8f16f7b7ef8fe80eca0c233e
	https://git.kernel.org/stable/c/61ce04601e0d8265ec6d2ffa6df5a7e1bce64854

Impacted products

Vendor

Product

Version

Linux

Version: d19f359fbdc6b5d49e9b9a0db27a996b28a2ded3
Version: d19f359fbdc6b5d49e9b9a0db27a996b28a2ded3
Version: d19f359fbdc6b5d49e9b9a0db27a996b28a2ded3
Version: d19f359fbdc6b5d49e9b9a0db27a996b28a2ded3
Version: d19f359fbdc6b5d49e9b9a0db27a996b28a2ded3
Version: d19f359fbdc6b5d49e9b9a0db27a996b28a2ded3
Version: d19f359fbdc6b5d49e9b9a0db27a996b28a2ded3

Linux

Version: 5.7

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:35:21.012Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/platform/x86/dell/dell_rbu.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5e8c658acd1b7c186aeffa46bf08795e121f401a",
              "status": "affected",
              "version": "d19f359fbdc6b5d49e9b9a0db27a996b28a2ded3",
              "versionType": "git"
            },
            {
              "lessThan": "07d7b8e7ef7d1f812a6211ed531947c56d09e95e",
              "status": "affected",
              "version": "d19f359fbdc6b5d49e9b9a0db27a996b28a2ded3",
              "versionType": "git"
            },
            {
              "lessThan": "a7b477b64ef5e37cb08dd536ae07c46f9f28262e",
              "status": "affected",
              "version": "d19f359fbdc6b5d49e9b9a0db27a996b28a2ded3",
              "versionType": "git"
            },
            {
              "lessThan": "f3b840fb1508a80cd8a0efb5c886ae1995a88b24",
              "status": "affected",
              "version": "d19f359fbdc6b5d49e9b9a0db27a996b28a2ded3",
              "versionType": "git"
            },
            {
              "lessThan": "4d71f2c1e5263a9f042faa71d59515709869dc79",
              "status": "affected",
              "version": "d19f359fbdc6b5d49e9b9a0db27a996b28a2ded3",
              "versionType": "git"
            },
            {
              "lessThan": "32d05e6cc3a7bf6c8f16f7b7ef8fe80eca0c233e",
              "status": "affected",
              "version": "d19f359fbdc6b5d49e9b9a0db27a996b28a2ded3",
              "versionType": "git"
            },
            {
              "lessThan": "61ce04601e0d8265ec6d2ffa6df5a7e1bce64854",
              "status": "affected",
              "version": "d19f359fbdc6b5d49e9b9a0db27a996b28a2ded3",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/platform/x86/dell/dell_rbu.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.7"
            },
            {
              "lessThan": "5.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.95",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.35",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.95",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.35",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.4",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: dell_rbu: Fix list usage\n\nPass the correct list head to list_for_each_entry*() when looping through\nthe packet list.\n\nWithout this patch, reading the packet data via sysfs will show the data\nincorrectly (because it starts at the wrong packet), and clearing the\npacket list will result in a NULL pointer dereference."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:14:50.992Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/5e8c658acd1b7c186aeffa46bf08795e121f401a"
        },
        {
          "url": "https://git.kernel.org/stable/c/07d7b8e7ef7d1f812a6211ed531947c56d09e95e"
        },
        {
          "url": "https://git.kernel.org/stable/c/a7b477b64ef5e37cb08dd536ae07c46f9f28262e"
        },
        {
          "url": "https://git.kernel.org/stable/c/f3b840fb1508a80cd8a0efb5c886ae1995a88b24"
        },
        {
          "url": "https://git.kernel.org/stable/c/4d71f2c1e5263a9f042faa71d59515709869dc79"
        },
        {
          "url": "https://git.kernel.org/stable/c/32d05e6cc3a7bf6c8f16f7b7ef8fe80eca0c233e"
        },
        {
          "url": "https://git.kernel.org/stable/c/61ce04601e0d8265ec6d2ffa6df5a7e1bce64854"
        }
      ],
      "title": "platform/x86: dell_rbu: Fix list usage",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38197",
    "datePublished": "2025-07-04T13:37:19.926Z",
    "dateReserved": "2025-04-16T04:51:23.993Z",
    "dateUpdated": "2025-11-03T17:35:21.012Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38462 (GCVE-0-2025-38462)

Vulnerability from cvelistv5

Published

2025-07-25 15:27

Modified

2025-11-03 17:38

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: vsock: Fix transport_{g2h,h2g} TOCTOU vsock_find_cid() and vsock_dev_do_ioctl() may race with module unload. transport_{g2h,h2g} may become NULL after the NULL check. Introduce vsock_transport_local_cid() to protect from a potential null-ptr-deref. KASAN: null-ptr-deref in range [0x0000000000000118-0x000000000000011f] RIP: 0010:vsock_find_cid+0x47/0x90 Call Trace: __vsock_bind+0x4b2/0x720 vsock_bind+0x90/0xe0 __sys_bind+0x14d/0x1e0 __x64_sys_bind+0x6e/0xc0 do_syscall_64+0x92/0x1c0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 KASAN: null-ptr-deref in range [0x0000000000000118-0x000000000000011f] RIP: 0010:vsock_dev_do_ioctl.isra.0+0x58/0xf0 Call Trace: __x64_sys_ioctl+0x12d/0x190 do_syscall_64+0x92/0x1c0 entry_SYSCALL_64_after_hwframe+0x4b/0x53

References

URL

Tags

	https://git.kernel.org/stable/c/c5496ee685c48ed1cc183cd4263602579bb4a615
	https://git.kernel.org/stable/c/80d7dc15805a93d520a249ac6d13d4f4df161c1b
	https://git.kernel.org/stable/c/5752d8dbb3dfd7f1a9faf0f65377e60826ea9a17
	https://git.kernel.org/stable/c/401239811fa728fcdd53e360a91f157ffd23e1f4
	https://git.kernel.org/stable/c/3734d78210cceb2ee5615719a62a5c55ed381ff8
	https://git.kernel.org/stable/c/6a1bcab67bea797d83aa9dd948a0ac6ed52d121d
	https://git.kernel.org/stable/c/209fd720838aaf1420416494c5505096478156b4

Impacted products

Vendor

Product

Version

Linux

Version: c0cfa2d8a788fcf45df5bf4070ab2474c88d543a
Version: c0cfa2d8a788fcf45df5bf4070ab2474c88d543a
Version: c0cfa2d8a788fcf45df5bf4070ab2474c88d543a
Version: c0cfa2d8a788fcf45df5bf4070ab2474c88d543a
Version: c0cfa2d8a788fcf45df5bf4070ab2474c88d543a
Version: c0cfa2d8a788fcf45df5bf4070ab2474c88d543a
Version: c0cfa2d8a788fcf45df5bf4070ab2474c88d543a

Linux

Version: 5.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:38:23.677Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/vmw_vsock/af_vsock.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c5496ee685c48ed1cc183cd4263602579bb4a615",
              "status": "affected",
              "version": "c0cfa2d8a788fcf45df5bf4070ab2474c88d543a",
              "versionType": "git"
            },
            {
              "lessThan": "80d7dc15805a93d520a249ac6d13d4f4df161c1b",
              "status": "affected",
              "version": "c0cfa2d8a788fcf45df5bf4070ab2474c88d543a",
              "versionType": "git"
            },
            {
              "lessThan": "5752d8dbb3dfd7f1a9faf0f65377e60826ea9a17",
              "status": "affected",
              "version": "c0cfa2d8a788fcf45df5bf4070ab2474c88d543a",
              "versionType": "git"
            },
            {
              "lessThan": "401239811fa728fcdd53e360a91f157ffd23e1f4",
              "status": "affected",
              "version": "c0cfa2d8a788fcf45df5bf4070ab2474c88d543a",
              "versionType": "git"
            },
            {
              "lessThan": "3734d78210cceb2ee5615719a62a5c55ed381ff8",
              "status": "affected",
              "version": "c0cfa2d8a788fcf45df5bf4070ab2474c88d543a",
              "versionType": "git"
            },
            {
              "lessThan": "6a1bcab67bea797d83aa9dd948a0ac6ed52d121d",
              "status": "affected",
              "version": "c0cfa2d8a788fcf45df5bf4070ab2474c88d543a",
              "versionType": "git"
            },
            {
              "lessThan": "209fd720838aaf1420416494c5505096478156b4",
              "status": "affected",
              "version": "c0cfa2d8a788fcf45df5bf4070ab2474c88d543a",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/vmw_vsock/af_vsock.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.5"
            },
            {
              "lessThan": "5.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.240",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.189",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.146",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.99",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.39",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.240",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.189",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.146",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.99",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.39",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.7",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvsock: Fix transport_{g2h,h2g} TOCTOU\n\nvsock_find_cid() and vsock_dev_do_ioctl() may race with module unload.\ntransport_{g2h,h2g} may become NULL after the NULL check.\n\nIntroduce vsock_transport_local_cid() to protect from a potential\nnull-ptr-deref.\n\nKASAN: null-ptr-deref in range [0x0000000000000118-0x000000000000011f]\nRIP: 0010:vsock_find_cid+0x47/0x90\nCall Trace:\n __vsock_bind+0x4b2/0x720\n vsock_bind+0x90/0xe0\n __sys_bind+0x14d/0x1e0\n __x64_sys_bind+0x6e/0xc0\n do_syscall_64+0x92/0x1c0\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\nKASAN: null-ptr-deref in range [0x0000000000000118-0x000000000000011f]\nRIP: 0010:vsock_dev_do_ioctl.isra.0+0x58/0xf0\nCall Trace:\n __x64_sys_ioctl+0x12d/0x190\n do_syscall_64+0x92/0x1c0\n entry_SYSCALL_64_after_hwframe+0x4b/0x53"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:23:09.298Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c5496ee685c48ed1cc183cd4263602579bb4a615"
        },
        {
          "url": "https://git.kernel.org/stable/c/80d7dc15805a93d520a249ac6d13d4f4df161c1b"
        },
        {
          "url": "https://git.kernel.org/stable/c/5752d8dbb3dfd7f1a9faf0f65377e60826ea9a17"
        },
        {
          "url": "https://git.kernel.org/stable/c/401239811fa728fcdd53e360a91f157ffd23e1f4"
        },
        {
          "url": "https://git.kernel.org/stable/c/3734d78210cceb2ee5615719a62a5c55ed381ff8"
        },
        {
          "url": "https://git.kernel.org/stable/c/6a1bcab67bea797d83aa9dd948a0ac6ed52d121d"
        },
        {
          "url": "https://git.kernel.org/stable/c/209fd720838aaf1420416494c5505096478156b4"
        }
      ],
      "title": "vsock: Fix transport_{g2h,h2g} TOCTOU",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38462",
    "datePublished": "2025-07-25T15:27:45.168Z",
    "dateReserved": "2025-04-16T04:51:24.020Z",
    "dateUpdated": "2025-11-03T17:38:23.677Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-37927 (GCVE-0-2025-37927)

Vulnerability from cvelistv5

Published

2025-05-20 15:21

Modified

2025-11-03 19:57

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: iommu/amd: Fix potential buffer overflow in parse_ivrs_acpihid There is a string parsing logic error which can lead to an overflow of hid or uid buffers. Comparing ACPIID_LEN against a total string length doesn't take into account the lengths of individual hid and uid buffers so the check is insufficient in some cases. For example if the length of hid string is 4 and the length of the uid string is 260, the length of str will be equal to ACPIID_LEN + 1 but uid string will overflow uid buffer which size is 256. The same applies to the hid string with length 13 and uid string with length 250. Check the length of hid and uid strings separately to prevent buffer overflow. Found by Linux Verification Center (linuxtesting.org) with SVACE.

References

URL

Tags

	https://git.kernel.org/stable/c/2b65060c84ee4d8dc64fae6d2728b528e9e832e1
	https://git.kernel.org/stable/c/a65ebfed65fa62797ec1f5f1dcf7adb157a2de1e
	https://git.kernel.org/stable/c/466d9da267079a8d3b69fa72dfa3a732e1f6dbb5
	https://git.kernel.org/stable/c/c3f37faa71f5d26dd2144b3f2b14525ec8f5e41f
	https://git.kernel.org/stable/c/13d67528e1ae4486e9ab24b70122fab104c73c29
	https://git.kernel.org/stable/c/10d901a95f8e766e5aa0bb9a983fb41271f64718
	https://git.kernel.org/stable/c/c8bdfc0297965bb13fa439d36ca9c4f7c8447f0f
	https://git.kernel.org/stable/c/8dee308e4c01dea48fc104d37f92d5b58c50b96c

Impacted products

Vendor

Product

Version

Linux

Version: ca3bf5d47cec8b7614bcb2e9132c40081d6d81db
Version: ca3bf5d47cec8b7614bcb2e9132c40081d6d81db
Version: ca3bf5d47cec8b7614bcb2e9132c40081d6d81db
Version: ca3bf5d47cec8b7614bcb2e9132c40081d6d81db
Version: ca3bf5d47cec8b7614bcb2e9132c40081d6d81db
Version: ca3bf5d47cec8b7614bcb2e9132c40081d6d81db
Version: ca3bf5d47cec8b7614bcb2e9132c40081d6d81db
Version: ca3bf5d47cec8b7614bcb2e9132c40081d6d81db

Linux

Version: 4.7

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:57:24.753Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/iommu/amd/init.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "2b65060c84ee4d8dc64fae6d2728b528e9e832e1",
              "status": "affected",
              "version": "ca3bf5d47cec8b7614bcb2e9132c40081d6d81db",
              "versionType": "git"
            },
            {
              "lessThan": "a65ebfed65fa62797ec1f5f1dcf7adb157a2de1e",
              "status": "affected",
              "version": "ca3bf5d47cec8b7614bcb2e9132c40081d6d81db",
              "versionType": "git"
            },
            {
              "lessThan": "466d9da267079a8d3b69fa72dfa3a732e1f6dbb5",
              "status": "affected",
              "version": "ca3bf5d47cec8b7614bcb2e9132c40081d6d81db",
              "versionType": "git"
            },
            {
              "lessThan": "c3f37faa71f5d26dd2144b3f2b14525ec8f5e41f",
              "status": "affected",
              "version": "ca3bf5d47cec8b7614bcb2e9132c40081d6d81db",
              "versionType": "git"
            },
            {
              "lessThan": "13d67528e1ae4486e9ab24b70122fab104c73c29",
              "status": "affected",
              "version": "ca3bf5d47cec8b7614bcb2e9132c40081d6d81db",
              "versionType": "git"
            },
            {
              "lessThan": "10d901a95f8e766e5aa0bb9a983fb41271f64718",
              "status": "affected",
              "version": "ca3bf5d47cec8b7614bcb2e9132c40081d6d81db",
              "versionType": "git"
            },
            {
              "lessThan": "c8bdfc0297965bb13fa439d36ca9c4f7c8447f0f",
              "status": "affected",
              "version": "ca3bf5d47cec8b7614bcb2e9132c40081d6d81db",
              "versionType": "git"
            },
            {
              "lessThan": "8dee308e4c01dea48fc104d37f92d5b58c50b96c",
              "status": "affected",
              "version": "ca3bf5d47cec8b7614bcb2e9132c40081d6d81db",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/iommu/amd/init.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.7"
            },
            {
              "lessThan": "4.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.294",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.238",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.182",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.138",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.90",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.28",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.294",
                  "versionStartIncluding": "4.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.238",
                  "versionStartIncluding": "4.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.182",
                  "versionStartIncluding": "4.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.138",
                  "versionStartIncluding": "4.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.90",
                  "versionStartIncluding": "4.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.28",
                  "versionStartIncluding": "4.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.6",
                  "versionStartIncluding": "4.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "4.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/amd: Fix potential buffer overflow in parse_ivrs_acpihid\n\nThere is a string parsing logic error which can lead to an overflow of hid\nor uid buffers. Comparing ACPIID_LEN against a total string length doesn\u0027t\ntake into account the lengths of individual hid and uid buffers so the\ncheck is insufficient in some cases. For example if the length of hid\nstring is 4 and the length of the uid string is 260, the length of str\nwill be equal to ACPIID_LEN + 1 but uid string will overflow uid buffer\nwhich size is 256.\n\nThe same applies to the hid string with length 13 and uid string with\nlength 250.\n\nCheck the length of hid and uid strings separately to prevent\nbuffer overflow.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-04T12:57:31.199Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/2b65060c84ee4d8dc64fae6d2728b528e9e832e1"
        },
        {
          "url": "https://git.kernel.org/stable/c/a65ebfed65fa62797ec1f5f1dcf7adb157a2de1e"
        },
        {
          "url": "https://git.kernel.org/stable/c/466d9da267079a8d3b69fa72dfa3a732e1f6dbb5"
        },
        {
          "url": "https://git.kernel.org/stable/c/c3f37faa71f5d26dd2144b3f2b14525ec8f5e41f"
        },
        {
          "url": "https://git.kernel.org/stable/c/13d67528e1ae4486e9ab24b70122fab104c73c29"
        },
        {
          "url": "https://git.kernel.org/stable/c/10d901a95f8e766e5aa0bb9a983fb41271f64718"
        },
        {
          "url": "https://git.kernel.org/stable/c/c8bdfc0297965bb13fa439d36ca9c4f7c8447f0f"
        },
        {
          "url": "https://git.kernel.org/stable/c/8dee308e4c01dea48fc104d37f92d5b58c50b96c"
        }
      ],
      "title": "iommu/amd: Fix potential buffer overflow in parse_ivrs_acpihid",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37927",
    "datePublished": "2025-05-20T15:21:53.973Z",
    "dateReserved": "2025-04-16T04:51:23.969Z",
    "dateUpdated": "2025-11-03T19:57:24.753Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-58098 (GCVE-0-2024-58098)

Vulnerability from cvelistv5

Published

2025-05-05 14:53

Modified

2025-05-09 08:06

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: bpf: track changes_pkt_data property for global functions When processing calls to certain helpers, verifier invalidates all packet pointers in a current state. For example, consider the following program: __attribute__((__noinline__)) long skb_pull_data(struct __sk_buff *sk, __u32 len) { return bpf_skb_pull_data(sk, len); } SEC("tc") int test_invalidate_checks(struct __sk_buff *sk) { int *p = (void *)(long)sk->data; if ((void *)(p + 1) > (void *)(long)sk->data_end) return TCX_DROP; skb_pull_data(sk, 0); *p = 42; return TCX_PASS; } After a call to bpf_skb_pull_data() the pointer 'p' can't be used safely. See function filter.c:bpf_helper_changes_pkt_data() for a list of such helpers. At the moment verifier invalidates packet pointers when processing helper function calls, and does not traverse global sub-programs when processing calls to global sub-programs. This means that calls to helpers done from global sub-programs do not invalidate pointers in the caller state. E.g. the program above is unsafe, but is not rejected by verifier. This commit fixes the omission by computing field bpf_subprog_info->changes_pkt_data for each sub-program before main verification pass. changes_pkt_data should be set if: - subprogram calls helper for which bpf_helper_changes_pkt_data returns true; - subprogram calls a global function, for which bpf_subprog_info->changes_pkt_data should be set. The verifier.c:check_cfg() pass is modified to compute this information. The commit relies on depth first instruction traversal done by check_cfg() and absence of recursive function calls: - check_cfg() would eventually visit every call to subprogram S in a state when S is fully explored; - when S is fully explored: - every direct helper call within S is explored (and thus changes_pkt_data is set if needed); - every call to subprogram S1 called by S was visited with S1 fully explored (and thus S inherits changes_pkt_data from S1). The downside of such approach is that dead code elimination is not taken into account: if a helper call inside global function is dead because of current configuration, verifier would conservatively assume that the call occurs for the purpose of the changes_pkt_data computation.

References

URL

Tags

	https://git.kernel.org/stable/c/79751e9227a5910c0e5a2c7186877d91821d957d
	https://git.kernel.org/stable/c/1d572c60488b52882b719ed273767ee3b280413d
	https://git.kernel.org/stable/c/51081a3f25c742da5a659d7fc6fd77ebfdd555be

Impacted products

Vendor

Product

Version

Linux

Version: 51c39bb1d5d105a02e29aa7960f0a395086e6342
Version: 51c39bb1d5d105a02e29aa7960f0a395086e6342
Version: 51c39bb1d5d105a02e29aa7960f0a395086e6342

Linux

Version: 5.6

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/linux/bpf_verifier.h",
            "kernel/bpf/verifier.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "79751e9227a5910c0e5a2c7186877d91821d957d",
              "status": "affected",
              "version": "51c39bb1d5d105a02e29aa7960f0a395086e6342",
              "versionType": "git"
            },
            {
              "lessThan": "1d572c60488b52882b719ed273767ee3b280413d",
              "status": "affected",
              "version": "51c39bb1d5d105a02e29aa7960f0a395086e6342",
              "versionType": "git"
            },
            {
              "lessThan": "51081a3f25c742da5a659d7fc6fd77ebfdd555be",
              "status": "affected",
              "version": "51c39bb1d5d105a02e29aa7960f0a395086e6342",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/linux/bpf_verifier.h",
            "kernel/bpf/verifier.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.6"
            },
            {
              "lessThan": "5.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.90",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.25",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.90",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.25",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: track changes_pkt_data property for global functions\n\nWhen processing calls to certain helpers, verifier invalidates all\npacket pointers in a current state. For example, consider the\nfollowing program:\n\n    __attribute__((__noinline__))\n    long skb_pull_data(struct __sk_buff *sk, __u32 len)\n    {\n        return bpf_skb_pull_data(sk, len);\n    }\n\n    SEC(\"tc\")\n    int test_invalidate_checks(struct __sk_buff *sk)\n    {\n        int *p = (void *)(long)sk-\u003edata;\n        if ((void *)(p + 1) \u003e (void *)(long)sk-\u003edata_end) return TCX_DROP;\n        skb_pull_data(sk, 0);\n        *p = 42;\n        return TCX_PASS;\n    }\n\nAfter a call to bpf_skb_pull_data() the pointer \u0027p\u0027 can\u0027t be used\nsafely. See function filter.c:bpf_helper_changes_pkt_data() for a list\nof such helpers.\n\nAt the moment verifier invalidates packet pointers when processing\nhelper function calls, and does not traverse global sub-programs when\nprocessing calls to global sub-programs. This means that calls to\nhelpers done from global sub-programs do not invalidate pointers in\nthe caller state. E.g. the program above is unsafe, but is not\nrejected by verifier.\n\nThis commit fixes the omission by computing field\nbpf_subprog_info-\u003echanges_pkt_data for each sub-program before main\nverification pass.\nchanges_pkt_data should be set if:\n- subprogram calls helper for which bpf_helper_changes_pkt_data\n  returns true;\n- subprogram calls a global function,\n  for which bpf_subprog_info-\u003echanges_pkt_data should be set.\n\nThe verifier.c:check_cfg() pass is modified to compute this\ninformation. The commit relies on depth first instruction traversal\ndone by check_cfg() and absence of recursive function calls:\n- check_cfg() would eventually visit every call to subprogram S in a\n  state when S is fully explored;\n- when S is fully explored:\n  - every direct helper call within S is explored\n    (and thus changes_pkt_data is set if needed);\n  - every call to subprogram S1 called by S was visited with S1 fully\n    explored (and thus S inherits changes_pkt_data from S1).\n\nThe downside of such approach is that dead code elimination is not\ntaken into account: if a helper call inside global function is dead\nbecause of current configuration, verifier would conservatively assume\nthat the call occurs for the purpose of the changes_pkt_data\ncomputation."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-09T08:06:08.048Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/79751e9227a5910c0e5a2c7186877d91821d957d"
        },
        {
          "url": "https://git.kernel.org/stable/c/1d572c60488b52882b719ed273767ee3b280413d"
        },
        {
          "url": "https://git.kernel.org/stable/c/51081a3f25c742da5a659d7fc6fd77ebfdd555be"
        }
      ],
      "title": "bpf: track changes_pkt_data property for global functions",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-58098",
    "datePublished": "2025-05-05T14:53:32.417Z",
    "dateReserved": "2025-03-06T15:52:09.189Z",
    "dateUpdated": "2025-05-09T08:06:08.048Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-37765 (GCVE-0-2025-37765)

Vulnerability from cvelistv5

Published

2025-05-01 13:07

Modified

2025-11-03 19:54

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/nouveau: prime: fix ttm_bo_delayed_delete oops Fix an oops in ttm_bo_delayed_delete which results from dererencing a dangling pointer: Oops: general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b7b: 0000 [#1] PREEMPT SMP CPU: 4 UID: 0 PID: 1082 Comm: kworker/u65:2 Not tainted 6.14.0-rc4-00267-g505460b44513-dirty #216 Hardware name: LENOVO 82N6/LNVNB161216, BIOS GKCN65WW 01/16/2024 Workqueue: ttm ttm_bo_delayed_delete [ttm] RIP: 0010:dma_resv_iter_first_unlocked+0x55/0x290 Code: 31 f6 48 c7 c7 00 2b fa aa e8 97 bd 52 ff e8 a2 c1 53 00 5a 85 c0 74 48 e9 88 01 00 00 4c 89 63 20 4d 85 e4 0f 84 30 01 00 00 <41> 8b 44 24 10 c6 43 2c 01 48 89 df 89 43 28 e8 97 fd ff ff 4c 8b RSP: 0018:ffffbf9383473d60 EFLAGS: 00010202 RAX: 0000000000000001 RBX: ffffbf9383473d88 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffffbf9383473d78 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 6b6b6b6b6b6b6b6b R13: ffffa003bbf78580 R14: ffffa003a6728040 R15: 00000000000383cc FS: 0000000000000000(0000) GS:ffffa00991c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000758348024dd0 CR3: 000000012c259000 CR4: 0000000000f50ef0 PKRU: 55555554 Call Trace: <TASK> ? __die_body.cold+0x19/0x26 ? die_addr+0x3d/0x70 ? exc_general_protection+0x159/0x460 ? asm_exc_general_protection+0x27/0x30 ? dma_resv_iter_first_unlocked+0x55/0x290 dma_resv_wait_timeout+0x56/0x100 ttm_bo_delayed_delete+0x69/0xb0 [ttm] process_one_work+0x217/0x5c0 worker_thread+0x1c8/0x3d0 ? apply_wqattrs_cleanup.part.0+0xc0/0xc0 kthread+0x10b/0x240 ? kthreads_online_cpu+0x140/0x140 ret_from_fork+0x40/0x70 ? kthreads_online_cpu+0x140/0x140 ret_from_fork_asm+0x11/0x20 </TASK> The cause of this is: - drm_prime_gem_destroy calls dma_buf_put(dma_buf) which releases the reference to the shared dma_buf. The reference count is 0, so the dma_buf is destroyed, which in turn decrements the corresponding amdgpu_bo reference count to 0, and the amdgpu_bo is destroyed - calling drm_gem_object_release then dma_resv_fini (which destroys the reservation object), then finally freeing the amdgpu_bo. - nouveau_bo obj->bo.base.resv is now a dangling pointer to the memory formerly allocated to the amdgpu_bo. - nouveau_gem_object_del calls ttm_bo_put(&nvbo->bo) which calls ttm_bo_release, which schedules ttm_bo_delayed_delete. - ttm_bo_delayed_delete runs and dereferences the dangling resv pointer, resulting in a general protection fault. Fix this by moving the drm_prime_gem_destroy call from nouveau_gem_object_del to nouveau_bo_del_ttm. This ensures that it will be run after ttm_bo_delayed_delete.

References

URL

Tags

	https://git.kernel.org/stable/c/706868a1a1072cffd8bd63f7e161d79141099849
	https://git.kernel.org/stable/c/47761deabb69a5df0c2c4ec400d80bb3e072bd2e
	https://git.kernel.org/stable/c/ada78110b2d3ec88b398a49703bd336d4cee7a08
	https://git.kernel.org/stable/c/12b038d521c75e3521522503becf3bc162628469
	https://git.kernel.org/stable/c/31e94c7989572f96926673614a3b958915a13ca9
	https://git.kernel.org/stable/c/6e2c805996a49998d31ac522beb1534ca417e761
	https://git.kernel.org/stable/c/6b95947ee780f4e1fb26413a1437d05bcb99712b
	https://git.kernel.org/stable/c/8ec0fbb28d049273bfd4f1e7a5ae4c74884beed3

Impacted products

Vendor

Product

Version

Linux

Version: 22b33e8ed0e38b8ddcf082e35580f2e67a3a0262
Version: 22b33e8ed0e38b8ddcf082e35580f2e67a3a0262
Version: 22b33e8ed0e38b8ddcf082e35580f2e67a3a0262
Version: 22b33e8ed0e38b8ddcf082e35580f2e67a3a0262
Version: 22b33e8ed0e38b8ddcf082e35580f2e67a3a0262
Version: 22b33e8ed0e38b8ddcf082e35580f2e67a3a0262
Version: 22b33e8ed0e38b8ddcf082e35580f2e67a3a0262
Version: 22b33e8ed0e38b8ddcf082e35580f2e67a3a0262

Linux

Version: 3.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:54:35.995Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/nouveau/nouveau_bo.c",
            "drivers/gpu/drm/nouveau/nouveau_gem.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "706868a1a1072cffd8bd63f7e161d79141099849",
              "status": "affected",
              "version": "22b33e8ed0e38b8ddcf082e35580f2e67a3a0262",
              "versionType": "git"
            },
            {
              "lessThan": "47761deabb69a5df0c2c4ec400d80bb3e072bd2e",
              "status": "affected",
              "version": "22b33e8ed0e38b8ddcf082e35580f2e67a3a0262",
              "versionType": "git"
            },
            {
              "lessThan": "ada78110b2d3ec88b398a49703bd336d4cee7a08",
              "status": "affected",
              "version": "22b33e8ed0e38b8ddcf082e35580f2e67a3a0262",
              "versionType": "git"
            },
            {
              "lessThan": "12b038d521c75e3521522503becf3bc162628469",
              "status": "affected",
              "version": "22b33e8ed0e38b8ddcf082e35580f2e67a3a0262",
              "versionType": "git"
            },
            {
              "lessThan": "31e94c7989572f96926673614a3b958915a13ca9",
              "status": "affected",
              "version": "22b33e8ed0e38b8ddcf082e35580f2e67a3a0262",
              "versionType": "git"
            },
            {
              "lessThan": "6e2c805996a49998d31ac522beb1534ca417e761",
              "status": "affected",
              "version": "22b33e8ed0e38b8ddcf082e35580f2e67a3a0262",
              "versionType": "git"
            },
            {
              "lessThan": "6b95947ee780f4e1fb26413a1437d05bcb99712b",
              "status": "affected",
              "version": "22b33e8ed0e38b8ddcf082e35580f2e67a3a0262",
              "versionType": "git"
            },
            {
              "lessThan": "8ec0fbb28d049273bfd4f1e7a5ae4c74884beed3",
              "status": "affected",
              "version": "22b33e8ed0e38b8ddcf082e35580f2e67a3a0262",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/nouveau/nouveau_bo.c",
            "drivers/gpu/drm/nouveau/nouveau_gem.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.5"
            },
            {
              "lessThan": "3.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.293",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.237",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.181",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.135",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.25",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.293",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.237",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.181",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.135",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.88",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.25",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.4",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/nouveau: prime: fix ttm_bo_delayed_delete oops\n\nFix an oops in ttm_bo_delayed_delete which results from dererencing a\ndangling pointer:\n\nOops: general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b7b: 0000 [#1] PREEMPT SMP\nCPU: 4 UID: 0 PID: 1082 Comm: kworker/u65:2 Not tainted 6.14.0-rc4-00267-g505460b44513-dirty #216\nHardware name: LENOVO 82N6/LNVNB161216, BIOS GKCN65WW 01/16/2024\nWorkqueue: ttm ttm_bo_delayed_delete [ttm]\nRIP: 0010:dma_resv_iter_first_unlocked+0x55/0x290\nCode: 31 f6 48 c7 c7 00 2b fa aa e8 97 bd 52 ff e8 a2 c1 53 00 5a 85 c0 74 48 e9 88 01 00 00 4c 89 63 20 4d 85 e4 0f 84 30 01 00 00 \u003c41\u003e 8b 44 24 10 c6 43 2c 01 48 89 df 89 43 28 e8 97 fd ff ff 4c 8b\nRSP: 0018:ffffbf9383473d60 EFLAGS: 00010202\nRAX: 0000000000000001 RBX: ffffbf9383473d88 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: ffffbf9383473d78 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 6b6b6b6b6b6b6b6b\nR13: ffffa003bbf78580 R14: ffffa003a6728040 R15: 00000000000383cc\nFS:  0000000000000000(0000) GS:ffffa00991c00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000758348024dd0 CR3: 000000012c259000 CR4: 0000000000f50ef0\nPKRU: 55555554\nCall Trace:\n \u003cTASK\u003e\n ? __die_body.cold+0x19/0x26\n ? die_addr+0x3d/0x70\n ? exc_general_protection+0x159/0x460\n ? asm_exc_general_protection+0x27/0x30\n ? dma_resv_iter_first_unlocked+0x55/0x290\n dma_resv_wait_timeout+0x56/0x100\n ttm_bo_delayed_delete+0x69/0xb0 [ttm]\n process_one_work+0x217/0x5c0\n worker_thread+0x1c8/0x3d0\n ? apply_wqattrs_cleanup.part.0+0xc0/0xc0\n kthread+0x10b/0x240\n ? kthreads_online_cpu+0x140/0x140\n ret_from_fork+0x40/0x70\n ? kthreads_online_cpu+0x140/0x140\n ret_from_fork_asm+0x11/0x20\n \u003c/TASK\u003e\n\nThe cause of this is:\n\n- drm_prime_gem_destroy calls dma_buf_put(dma_buf) which releases the\n  reference to the shared dma_buf. The reference count is 0, so the\n  dma_buf is destroyed, which in turn decrements the corresponding\n  amdgpu_bo reference count to 0, and the amdgpu_bo is destroyed -\n  calling drm_gem_object_release then dma_resv_fini (which destroys the\n  reservation object), then finally freeing the amdgpu_bo.\n\n- nouveau_bo obj-\u003ebo.base.resv is now a dangling pointer to the memory\n  formerly allocated to the amdgpu_bo.\n\n- nouveau_gem_object_del calls ttm_bo_put(\u0026nvbo-\u003ebo) which calls\n  ttm_bo_release, which schedules ttm_bo_delayed_delete.\n\n- ttm_bo_delayed_delete runs and dereferences the dangling resv pointer,\n  resulting in a general protection fault.\n\nFix this by moving the drm_prime_gem_destroy call from\nnouveau_gem_object_del to nouveau_bo_del_ttm. This ensures that it will\nbe run after ttm_bo_delayed_delete."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:20:23.788Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/706868a1a1072cffd8bd63f7e161d79141099849"
        },
        {
          "url": "https://git.kernel.org/stable/c/47761deabb69a5df0c2c4ec400d80bb3e072bd2e"
        },
        {
          "url": "https://git.kernel.org/stable/c/ada78110b2d3ec88b398a49703bd336d4cee7a08"
        },
        {
          "url": "https://git.kernel.org/stable/c/12b038d521c75e3521522503becf3bc162628469"
        },
        {
          "url": "https://git.kernel.org/stable/c/31e94c7989572f96926673614a3b958915a13ca9"
        },
        {
          "url": "https://git.kernel.org/stable/c/6e2c805996a49998d31ac522beb1534ca417e761"
        },
        {
          "url": "https://git.kernel.org/stable/c/6b95947ee780f4e1fb26413a1437d05bcb99712b"
        },
        {
          "url": "https://git.kernel.org/stable/c/8ec0fbb28d049273bfd4f1e7a5ae4c74884beed3"
        }
      ],
      "title": "drm/nouveau: prime: fix ttm_bo_delayed_delete oops",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37765",
    "datePublished": "2025-05-01T13:07:06.498Z",
    "dateReserved": "2025-04-16T04:51:23.939Z",
    "dateUpdated": "2025-11-03T19:54:35.995Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38143 (GCVE-0-2025-38143)

Vulnerability from cvelistv5

Published

2025-07-03 08:35

Modified

2025-11-03 17:34

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: backlight: pm8941: Add NULL check in wled_configure() devm_kasprintf() returns NULL when memory allocation fails. Currently, wled_configure() does not check for this case, which results in a NULL pointer dereference. Add NULL check after devm_kasprintf() to prevent this issue.

References

URL

Tags

	https://git.kernel.org/stable/c/6a56446595730a5e3f06a30902e23cb037d28146
	https://git.kernel.org/stable/c/9d06ac32c202142da40904180f2669ed4f5073ac
	https://git.kernel.org/stable/c/21528806560510458378ea52c37e35b0773afaea
	https://git.kernel.org/stable/c/fde314445332015273c8f51d2659885c606fe135
	https://git.kernel.org/stable/c/1be2000b703b02e149f8f2061054489f6c18c972
	https://git.kernel.org/stable/c/4a715be3fe80b68fa55cb3569af3d294be101626
	https://git.kernel.org/stable/c/e12d3e1624a02706cdd3628bbf5668827214fa33

Impacted products

Vendor

Product

Version

Linux

Version: f86b77583d88c8402e8d89a339d96f847318f8a8
Version: f86b77583d88c8402e8d89a339d96f847318f8a8
Version: f86b77583d88c8402e8d89a339d96f847318f8a8
Version: f86b77583d88c8402e8d89a339d96f847318f8a8
Version: f86b77583d88c8402e8d89a339d96f847318f8a8
Version: f86b77583d88c8402e8d89a339d96f847318f8a8
Version: f86b77583d88c8402e8d89a339d96f847318f8a8

Linux

Version: 5.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:34:33.856Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/video/backlight/qcom-wled.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6a56446595730a5e3f06a30902e23cb037d28146",
              "status": "affected",
              "version": "f86b77583d88c8402e8d89a339d96f847318f8a8",
              "versionType": "git"
            },
            {
              "lessThan": "9d06ac32c202142da40904180f2669ed4f5073ac",
              "status": "affected",
              "version": "f86b77583d88c8402e8d89a339d96f847318f8a8",
              "versionType": "git"
            },
            {
              "lessThan": "21528806560510458378ea52c37e35b0773afaea",
              "status": "affected",
              "version": "f86b77583d88c8402e8d89a339d96f847318f8a8",
              "versionType": "git"
            },
            {
              "lessThan": "fde314445332015273c8f51d2659885c606fe135",
              "status": "affected",
              "version": "f86b77583d88c8402e8d89a339d96f847318f8a8",
              "versionType": "git"
            },
            {
              "lessThan": "1be2000b703b02e149f8f2061054489f6c18c972",
              "status": "affected",
              "version": "f86b77583d88c8402e8d89a339d96f847318f8a8",
              "versionType": "git"
            },
            {
              "lessThan": "4a715be3fe80b68fa55cb3569af3d294be101626",
              "status": "affected",
              "version": "f86b77583d88c8402e8d89a339d96f847318f8a8",
              "versionType": "git"
            },
            {
              "lessThan": "e12d3e1624a02706cdd3628bbf5668827214fa33",
              "status": "affected",
              "version": "f86b77583d88c8402e8d89a339d96f847318f8a8",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/video/backlight/qcom-wled.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.0"
            },
            {
              "lessThan": "5.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.94",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbacklight: pm8941: Add NULL check in wled_configure()\n\ndevm_kasprintf() returns NULL when memory allocation fails. Currently,\nwled_configure() does not check for this case, which results in a NULL\npointer dereference.\n\nAdd NULL check after devm_kasprintf() to prevent this issue."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:13:23.772Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/6a56446595730a5e3f06a30902e23cb037d28146"
        },
        {
          "url": "https://git.kernel.org/stable/c/9d06ac32c202142da40904180f2669ed4f5073ac"
        },
        {
          "url": "https://git.kernel.org/stable/c/21528806560510458378ea52c37e35b0773afaea"
        },
        {
          "url": "https://git.kernel.org/stable/c/fde314445332015273c8f51d2659885c606fe135"
        },
        {
          "url": "https://git.kernel.org/stable/c/1be2000b703b02e149f8f2061054489f6c18c972"
        },
        {
          "url": "https://git.kernel.org/stable/c/4a715be3fe80b68fa55cb3569af3d294be101626"
        },
        {
          "url": "https://git.kernel.org/stable/c/e12d3e1624a02706cdd3628bbf5668827214fa33"
        }
      ],
      "title": "backlight: pm8941: Add NULL check in wled_configure()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38143",
    "datePublished": "2025-07-03T08:35:44.224Z",
    "dateReserved": "2025-04-16T04:51:23.987Z",
    "dateUpdated": "2025-11-03T17:34:33.856Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-37923 (GCVE-0-2025-37923)

Vulnerability from cvelistv5

Published

2025-05-20 15:21

Modified

2025-11-03 19:57

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: tracing: Fix oob write in trace_seq_to_buffer() syzbot reported this bug: ================================================================== BUG: KASAN: slab-out-of-bounds in trace_seq_to_buffer kernel/trace/trace.c:1830 [inline] BUG: KASAN: slab-out-of-bounds in tracing_splice_read_pipe+0x6be/0xdd0 kernel/trace/trace.c:6822 Write of size 4507 at addr ffff888032b6b000 by task syz.2.320/7260 CPU: 1 UID: 0 PID: 7260 Comm: syz.2.320 Not tainted 6.15.0-rc1-syzkaller-00301-g3bde70a2c827 #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:408 [inline] print_report+0xc3/0x670 mm/kasan/report.c:521 kasan_report+0xe0/0x110 mm/kasan/report.c:634 check_region_inline mm/kasan/generic.c:183 [inline] kasan_check_range+0xef/0x1a0 mm/kasan/generic.c:189 __asan_memcpy+0x3c/0x60 mm/kasan/shadow.c:106 trace_seq_to_buffer kernel/trace/trace.c:1830 [inline] tracing_splice_read_pipe+0x6be/0xdd0 kernel/trace/trace.c:6822 .... ================================================================== It has been reported that trace_seq_to_buffer() tries to copy more data than PAGE_SIZE to buf. Therefore, to prevent this, we should use the smaller of trace_seq_used(&iter->seq) and PAGE_SIZE as an argument.

References

URL

Tags

	https://git.kernel.org/stable/c/f4b0174e9f18aaba59ee6ffdaf8827a7f94eb606
	https://git.kernel.org/stable/c/665ce421041890571852422487f4c613d1824ba9
	https://git.kernel.org/stable/c/1a3f9482b50b74fa9421bff8ceecfefd0dc06f8f
	https://git.kernel.org/stable/c/441021e5b3c7d9bd1b963590652c415929f3b157
	https://git.kernel.org/stable/c/056ebbddb8faf4ddf83d005454dd78fc25c2d897
	https://git.kernel.org/stable/c/1f27a3e93b8d674b24b27fcdbc6f72743cd96c0d
	https://git.kernel.org/stable/c/c5d2b66c5ef5037b4b4360e5447605ff00ba1bd4
	https://git.kernel.org/stable/c/f5178c41bb43444a6008150fe6094497135d07cb

Impacted products

Vendor

Product

Version

Linux

Version: 3c56819b14b00dd449bd776303e61f8532fad09f
Version: 3c56819b14b00dd449bd776303e61f8532fad09f
Version: 3c56819b14b00dd449bd776303e61f8532fad09f
Version: 3c56819b14b00dd449bd776303e61f8532fad09f
Version: 3c56819b14b00dd449bd776303e61f8532fad09f
Version: 3c56819b14b00dd449bd776303e61f8532fad09f
Version: 3c56819b14b00dd449bd776303e61f8532fad09f
Version: 3c56819b14b00dd449bd776303e61f8532fad09f

Linux

Version: 2.6.30

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:57:21.994Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/trace/trace.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f4b0174e9f18aaba59ee6ffdaf8827a7f94eb606",
              "status": "affected",
              "version": "3c56819b14b00dd449bd776303e61f8532fad09f",
              "versionType": "git"
            },
            {
              "lessThan": "665ce421041890571852422487f4c613d1824ba9",
              "status": "affected",
              "version": "3c56819b14b00dd449bd776303e61f8532fad09f",
              "versionType": "git"
            },
            {
              "lessThan": "1a3f9482b50b74fa9421bff8ceecfefd0dc06f8f",
              "status": "affected",
              "version": "3c56819b14b00dd449bd776303e61f8532fad09f",
              "versionType": "git"
            },
            {
              "lessThan": "441021e5b3c7d9bd1b963590652c415929f3b157",
              "status": "affected",
              "version": "3c56819b14b00dd449bd776303e61f8532fad09f",
              "versionType": "git"
            },
            {
              "lessThan": "056ebbddb8faf4ddf83d005454dd78fc25c2d897",
              "status": "affected",
              "version": "3c56819b14b00dd449bd776303e61f8532fad09f",
              "versionType": "git"
            },
            {
              "lessThan": "1f27a3e93b8d674b24b27fcdbc6f72743cd96c0d",
              "status": "affected",
              "version": "3c56819b14b00dd449bd776303e61f8532fad09f",
              "versionType": "git"
            },
            {
              "lessThan": "c5d2b66c5ef5037b4b4360e5447605ff00ba1bd4",
              "status": "affected",
              "version": "3c56819b14b00dd449bd776303e61f8532fad09f",
              "versionType": "git"
            },
            {
              "lessThan": "f5178c41bb43444a6008150fe6094497135d07cb",
              "status": "affected",
              "version": "3c56819b14b00dd449bd776303e61f8532fad09f",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/trace/trace.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.30"
            },
            {
              "lessThan": "2.6.30",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.294",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.238",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.182",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.138",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.90",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.28",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.294",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.238",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.182",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.138",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.90",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.28",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.6",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Fix oob write in trace_seq_to_buffer()\n\nsyzbot reported this bug:\n==================================================================\nBUG: KASAN: slab-out-of-bounds in trace_seq_to_buffer kernel/trace/trace.c:1830 [inline]\nBUG: KASAN: slab-out-of-bounds in tracing_splice_read_pipe+0x6be/0xdd0 kernel/trace/trace.c:6822\nWrite of size 4507 at addr ffff888032b6b000 by task syz.2.320/7260\n\nCPU: 1 UID: 0 PID: 7260 Comm: syz.2.320 Not tainted 6.15.0-rc1-syzkaller-00301-g3bde70a2c827 #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:408 [inline]\n print_report+0xc3/0x670 mm/kasan/report.c:521\n kasan_report+0xe0/0x110 mm/kasan/report.c:634\n check_region_inline mm/kasan/generic.c:183 [inline]\n kasan_check_range+0xef/0x1a0 mm/kasan/generic.c:189\n __asan_memcpy+0x3c/0x60 mm/kasan/shadow.c:106\n trace_seq_to_buffer kernel/trace/trace.c:1830 [inline]\n tracing_splice_read_pipe+0x6be/0xdd0 kernel/trace/trace.c:6822\n ....\n==================================================================\n\nIt has been reported that trace_seq_to_buffer() tries to copy more data\nthan PAGE_SIZE to buf. Therefore, to prevent this, we should use the\nsmaller of trace_seq_used(\u0026iter-\u003eseq) and PAGE_SIZE as an argument."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-04T12:57:30.148Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f4b0174e9f18aaba59ee6ffdaf8827a7f94eb606"
        },
        {
          "url": "https://git.kernel.org/stable/c/665ce421041890571852422487f4c613d1824ba9"
        },
        {
          "url": "https://git.kernel.org/stable/c/1a3f9482b50b74fa9421bff8ceecfefd0dc06f8f"
        },
        {
          "url": "https://git.kernel.org/stable/c/441021e5b3c7d9bd1b963590652c415929f3b157"
        },
        {
          "url": "https://git.kernel.org/stable/c/056ebbddb8faf4ddf83d005454dd78fc25c2d897"
        },
        {
          "url": "https://git.kernel.org/stable/c/1f27a3e93b8d674b24b27fcdbc6f72743cd96c0d"
        },
        {
          "url": "https://git.kernel.org/stable/c/c5d2b66c5ef5037b4b4360e5447605ff00ba1bd4"
        },
        {
          "url": "https://git.kernel.org/stable/c/f5178c41bb43444a6008150fe6094497135d07cb"
        }
      ],
      "title": "tracing: Fix oob write in trace_seq_to_buffer()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37923",
    "datePublished": "2025-05-20T15:21:51.927Z",
    "dateReserved": "2025-04-16T04:51:23.969Z",
    "dateUpdated": "2025-11-03T19:57:21.994Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38286 (GCVE-0-2025-38286)

Vulnerability from cvelistv5

Published

2025-07-10 07:42

Modified

2025-11-03 17:36

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: pinctrl: at91: Fix possible out-of-boundary access at91_gpio_probe() doesn't check that given OF alias is not available or something went wrong when trying to get it. This might have consequences when accessing gpio_chips array with that value as an index. Note, that BUG() can be compiled out and hence won't actually perform the required checks.

References

URL

Tags

	https://git.kernel.org/stable/c/264a5cf0c422e65c94447a1ebebfac7c92690670
	https://git.kernel.org/stable/c/db5665cbfd766db7d8cd0e5fd6e3c0b412916774
	https://git.kernel.org/stable/c/2ecafe59668d2506a68459a9d169ebe41a147a41
	https://git.kernel.org/stable/c/f1c1fdc41fbf7e308ced9c86f3f66345a3f6f478
	https://git.kernel.org/stable/c/eb435bc4c74acbb286cec773deac13d117d3ef39
	https://git.kernel.org/stable/c/e02e12d6a7ab76c83849a4122785650dc7edef65
	https://git.kernel.org/stable/c/288c39286f759314ee8fb3a80a858179b4f306da
	https://git.kernel.org/stable/c/762ef7d1e6eefad9896560bfcb9bcf7f1b6df9c1

Impacted products

Vendor

Product

Version

Linux

Version: 6732ae5cb47c4f9a72727585956f2a5e069d1637
Version: 6732ae5cb47c4f9a72727585956f2a5e069d1637
Version: 6732ae5cb47c4f9a72727585956f2a5e069d1637
Version: 6732ae5cb47c4f9a72727585956f2a5e069d1637
Version: 6732ae5cb47c4f9a72727585956f2a5e069d1637
Version: 6732ae5cb47c4f9a72727585956f2a5e069d1637
Version: 6732ae5cb47c4f9a72727585956f2a5e069d1637
Version: 6732ae5cb47c4f9a72727585956f2a5e069d1637

Linux

Version: 3.8

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:36:15.628Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/pinctrl/pinctrl-at91.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "264a5cf0c422e65c94447a1ebebfac7c92690670",
              "status": "affected",
              "version": "6732ae5cb47c4f9a72727585956f2a5e069d1637",
              "versionType": "git"
            },
            {
              "lessThan": "db5665cbfd766db7d8cd0e5fd6e3c0b412916774",
              "status": "affected",
              "version": "6732ae5cb47c4f9a72727585956f2a5e069d1637",
              "versionType": "git"
            },
            {
              "lessThan": "2ecafe59668d2506a68459a9d169ebe41a147a41",
              "status": "affected",
              "version": "6732ae5cb47c4f9a72727585956f2a5e069d1637",
              "versionType": "git"
            },
            {
              "lessThan": "f1c1fdc41fbf7e308ced9c86f3f66345a3f6f478",
              "status": "affected",
              "version": "6732ae5cb47c4f9a72727585956f2a5e069d1637",
              "versionType": "git"
            },
            {
              "lessThan": "eb435bc4c74acbb286cec773deac13d117d3ef39",
              "status": "affected",
              "version": "6732ae5cb47c4f9a72727585956f2a5e069d1637",
              "versionType": "git"
            },
            {
              "lessThan": "e02e12d6a7ab76c83849a4122785650dc7edef65",
              "status": "affected",
              "version": "6732ae5cb47c4f9a72727585956f2a5e069d1637",
              "versionType": "git"
            },
            {
              "lessThan": "288c39286f759314ee8fb3a80a858179b4f306da",
              "status": "affected",
              "version": "6732ae5cb47c4f9a72727585956f2a5e069d1637",
              "versionType": "git"
            },
            {
              "lessThan": "762ef7d1e6eefad9896560bfcb9bcf7f1b6df9c1",
              "status": "affected",
              "version": "6732ae5cb47c4f9a72727585956f2a5e069d1637",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/pinctrl/pinctrl-at91.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.8"
            },
            {
              "lessThan": "3.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.295",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.295",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.94",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: at91: Fix possible out-of-boundary access\n\nat91_gpio_probe() doesn\u0027t check that given OF alias is not available or\nsomething went wrong when trying to get it. This might have consequences\nwhen accessing gpio_chips array with that value as an index. Note, that\nBUG() can be compiled out and hence won\u0027t actually perform the required\nchecks."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:17:29.124Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/264a5cf0c422e65c94447a1ebebfac7c92690670"
        },
        {
          "url": "https://git.kernel.org/stable/c/db5665cbfd766db7d8cd0e5fd6e3c0b412916774"
        },
        {
          "url": "https://git.kernel.org/stable/c/2ecafe59668d2506a68459a9d169ebe41a147a41"
        },
        {
          "url": "https://git.kernel.org/stable/c/f1c1fdc41fbf7e308ced9c86f3f66345a3f6f478"
        },
        {
          "url": "https://git.kernel.org/stable/c/eb435bc4c74acbb286cec773deac13d117d3ef39"
        },
        {
          "url": "https://git.kernel.org/stable/c/e02e12d6a7ab76c83849a4122785650dc7edef65"
        },
        {
          "url": "https://git.kernel.org/stable/c/288c39286f759314ee8fb3a80a858179b4f306da"
        },
        {
          "url": "https://git.kernel.org/stable/c/762ef7d1e6eefad9896560bfcb9bcf7f1b6df9c1"
        }
      ],
      "title": "pinctrl: at91: Fix possible out-of-boundary access",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38286",
    "datePublished": "2025-07-10T07:42:03.409Z",
    "dateReserved": "2025-04-16T04:51:24.000Z",
    "dateUpdated": "2025-11-03T17:36:15.628Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38293 (GCVE-0-2025-38293)

Vulnerability from cvelistv5

Published

2025-07-10 07:42

Modified

2025-11-03 17:36

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: fix node corruption in ar->arvifs list In current WLAN recovery code flow, ath11k_core_halt() only reinitializes the "arvifs" list head. This will cause the list node immediately following the list head to become an invalid list node. Because the prev of that node still points to the list head "arvifs", but the next of the list head "arvifs" no longer points to that list node. When a WLAN recovery occurs during the execution of a vif removal, and it happens before the spin_lock_bh(&ar->data_lock) in ath11k_mac_op_remove_interface(), list_del() will detect the previously mentioned situation, thereby triggering a kernel panic. The fix is to remove and reinitialize all vif list nodes from the list head "arvifs" during WLAN halt. The reinitialization is to make the list nodes valid, ensuring that the list_del() in ath11k_mac_op_remove_interface() can execute normally. Call trace: __list_del_entry_valid_or_report+0xb8/0xd0 ath11k_mac_op_remove_interface+0xb0/0x27c [ath11k] drv_remove_interface+0x48/0x194 [mac80211] ieee80211_do_stop+0x6e0/0x844 [mac80211] ieee80211_stop+0x44/0x17c [mac80211] __dev_close_many+0xac/0x150 __dev_change_flags+0x194/0x234 dev_change_flags+0x24/0x6c devinet_ioctl+0x3a0/0x670 inet_ioctl+0x200/0x248 sock_do_ioctl+0x60/0x118 sock_ioctl+0x274/0x35c __arm64_sys_ioctl+0xac/0xf0 invoke_syscall+0x48/0x114 ... Tested-on: QCA6698AQ hw2.1 PCI WLAN.HSP.1.1-04591-QCAHSPSWPL_V1_V2_SILICONZ_IOE-1

References

URL

Tags

	https://git.kernel.org/stable/c/6c139015b597e570dd5962934e9f9a2f4cc8ef48
	https://git.kernel.org/stable/c/f9507cf2dd0e1ed5028c0e8240da6fe5fd3110d3
	https://git.kernel.org/stable/c/b0974ed82e6ad5ff246fd90a5b14f3e7be4f2924
	https://git.kernel.org/stable/c/f50ba7e7b607f2d00618799312e7fdb76a1ff48e
	https://git.kernel.org/stable/c/f5d77d0d41ea7a204d47288d0cf0404a52b5890e
	https://git.kernel.org/stable/c/6d6cb27fe146061f2512e904618f5e005bb7bb6a
	https://git.kernel.org/stable/c/31e98e277ae47f56632e4d663b1d4fd12ba33ea8

Impacted products

Vendor

Product

Version

Linux

Version: d5c65159f2895379e11ca13f62feabe93278985d
Version: d5c65159f2895379e11ca13f62feabe93278985d
Version: d5c65159f2895379e11ca13f62feabe93278985d
Version: d5c65159f2895379e11ca13f62feabe93278985d
Version: d5c65159f2895379e11ca13f62feabe93278985d
Version: d5c65159f2895379e11ca13f62feabe93278985d
Version: d5c65159f2895379e11ca13f62feabe93278985d

Linux

Version: 5.6

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:36:17.536Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/ath/ath11k/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6c139015b597e570dd5962934e9f9a2f4cc8ef48",
              "status": "affected",
              "version": "d5c65159f2895379e11ca13f62feabe93278985d",
              "versionType": "git"
            },
            {
              "lessThan": "f9507cf2dd0e1ed5028c0e8240da6fe5fd3110d3",
              "status": "affected",
              "version": "d5c65159f2895379e11ca13f62feabe93278985d",
              "versionType": "git"
            },
            {
              "lessThan": "b0974ed82e6ad5ff246fd90a5b14f3e7be4f2924",
              "status": "affected",
              "version": "d5c65159f2895379e11ca13f62feabe93278985d",
              "versionType": "git"
            },
            {
              "lessThan": "f50ba7e7b607f2d00618799312e7fdb76a1ff48e",
              "status": "affected",
              "version": "d5c65159f2895379e11ca13f62feabe93278985d",
              "versionType": "git"
            },
            {
              "lessThan": "f5d77d0d41ea7a204d47288d0cf0404a52b5890e",
              "status": "affected",
              "version": "d5c65159f2895379e11ca13f62feabe93278985d",
              "versionType": "git"
            },
            {
              "lessThan": "6d6cb27fe146061f2512e904618f5e005bb7bb6a",
              "status": "affected",
              "version": "d5c65159f2895379e11ca13f62feabe93278985d",
              "versionType": "git"
            },
            {
              "lessThan": "31e98e277ae47f56632e4d663b1d4fd12ba33ea8",
              "status": "affected",
              "version": "d5c65159f2895379e11ca13f62feabe93278985d",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/ath/ath11k/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.6"
            },
            {
              "lessThan": "5.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.94",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: fix node corruption in ar-\u003earvifs list\n\nIn current WLAN recovery code flow, ath11k_core_halt() only\nreinitializes the \"arvifs\" list head. This will cause the\nlist node immediately following the list head to become an\ninvalid list node. Because the prev of that node still points\nto the list head \"arvifs\", but the next of the list head \"arvifs\"\nno longer points to that list node.\n\nWhen a WLAN recovery occurs during the execution of a vif\nremoval, and it happens before the spin_lock_bh(\u0026ar-\u003edata_lock)\nin ath11k_mac_op_remove_interface(), list_del() will detect the\npreviously mentioned situation, thereby triggering a kernel panic.\n\nThe fix is to remove and reinitialize all vif list nodes from the\nlist head \"arvifs\" during WLAN halt. The reinitialization is to make\nthe list nodes valid, ensuring that the list_del() in\nath11k_mac_op_remove_interface() can execute normally.\n\nCall trace:\n__list_del_entry_valid_or_report+0xb8/0xd0\nath11k_mac_op_remove_interface+0xb0/0x27c [ath11k]\ndrv_remove_interface+0x48/0x194 [mac80211]\nieee80211_do_stop+0x6e0/0x844 [mac80211]\nieee80211_stop+0x44/0x17c [mac80211]\n__dev_close_many+0xac/0x150\n__dev_change_flags+0x194/0x234\ndev_change_flags+0x24/0x6c\ndevinet_ioctl+0x3a0/0x670\ninet_ioctl+0x200/0x248\nsock_do_ioctl+0x60/0x118\nsock_ioctl+0x274/0x35c\n__arm64_sys_ioctl+0xac/0xf0\ninvoke_syscall+0x48/0x114\n...\n\nTested-on: QCA6698AQ hw2.1 PCI WLAN.HSP.1.1-04591-QCAHSPSWPL_V1_V2_SILICONZ_IOE-1"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:17:44.372Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/6c139015b597e570dd5962934e9f9a2f4cc8ef48"
        },
        {
          "url": "https://git.kernel.org/stable/c/f9507cf2dd0e1ed5028c0e8240da6fe5fd3110d3"
        },
        {
          "url": "https://git.kernel.org/stable/c/b0974ed82e6ad5ff246fd90a5b14f3e7be4f2924"
        },
        {
          "url": "https://git.kernel.org/stable/c/f50ba7e7b607f2d00618799312e7fdb76a1ff48e"
        },
        {
          "url": "https://git.kernel.org/stable/c/f5d77d0d41ea7a204d47288d0cf0404a52b5890e"
        },
        {
          "url": "https://git.kernel.org/stable/c/6d6cb27fe146061f2512e904618f5e005bb7bb6a"
        },
        {
          "url": "https://git.kernel.org/stable/c/31e98e277ae47f56632e4d663b1d4fd12ba33ea8"
        }
      ],
      "title": "wifi: ath11k: fix node corruption in ar-\u003earvifs list",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38293",
    "datePublished": "2025-07-10T07:42:08.230Z",
    "dateReserved": "2025-04-16T04:51:24.001Z",
    "dateUpdated": "2025-11-03T17:36:17.536Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38386 (GCVE-0-2025-38386)

Vulnerability from cvelistv5

Published

2025-07-25 12:53

Modified

2025-11-03 17:37

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: ACPICA: Refuse to evaluate a method if arguments are missing As reported in [1], a platform firmware update that increased the number of method parameters and forgot to update a least one of its callers, caused ACPICA to crash due to use-after-free. Since this a result of a clear AML issue that arguably cannot be fixed up by the interpreter (it cannot produce missing data out of thin air), address it by making ACPICA refuse to evaluate a method if the caller attempts to pass fewer arguments than expected to it.

References

URL

Tags

	https://git.kernel.org/stable/c/b49d224d1830c46e20adce2a239c454cdab426f1
	https://git.kernel.org/stable/c/2219e49857ffd6aea1b1ca5214d3270f84623a16
	https://git.kernel.org/stable/c/ab1e8491c19eb2ea0fda81ef28e841c7cb6399f5
	https://git.kernel.org/stable/c/4305d936abde795c2ef6ba916de8f00a50f64d2d
	https://git.kernel.org/stable/c/d547779e72cea9865b732cd45393c4cd02b3598e
	https://git.kernel.org/stable/c/18ff4ed6a33a7e3f2097710eacc96bea7696e803
	https://git.kernel.org/stable/c/c9e4da550ae196132b990bd77ed3d8f2d9747f87
	https://git.kernel.org/stable/c/6fcab2791543924d438e7fa49276d0998b0a069f

Impacted products

Vendor

Product

Version

Linux

Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Linux

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:37:19.069Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/acpi/acpica/dsmethod.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b49d224d1830c46e20adce2a239c454cdab426f1",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "2219e49857ffd6aea1b1ca5214d3270f84623a16",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "ab1e8491c19eb2ea0fda81ef28e841c7cb6399f5",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "4305d936abde795c2ef6ba916de8f00a50f64d2d",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "d547779e72cea9865b732cd45393c4cd02b3598e",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "18ff4ed6a33a7e3f2097710eacc96bea7696e803",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "c9e4da550ae196132b990bd77ed3d8f2d9747f87",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "6fcab2791543924d438e7fa49276d0998b0a069f",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/acpi/acpica/dsmethod.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.296",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.240",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.187",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.144",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.97",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.37",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.296",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.240",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.187",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.144",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.97",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.37",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPICA: Refuse to evaluate a method if arguments are missing\n\nAs reported in [1], a platform firmware update that increased the number\nof method parameters and forgot to update a least one of its callers,\ncaused ACPICA to crash due to use-after-free.\n\nSince this a result of a clear AML issue that arguably cannot be fixed\nup by the interpreter (it cannot produce missing data out of thin air),\naddress it by making ACPICA refuse to evaluate a method if the caller\nattempts to pass fewer arguments than expected to it."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:20:47.364Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b49d224d1830c46e20adce2a239c454cdab426f1"
        },
        {
          "url": "https://git.kernel.org/stable/c/2219e49857ffd6aea1b1ca5214d3270f84623a16"
        },
        {
          "url": "https://git.kernel.org/stable/c/ab1e8491c19eb2ea0fda81ef28e841c7cb6399f5"
        },
        {
          "url": "https://git.kernel.org/stable/c/4305d936abde795c2ef6ba916de8f00a50f64d2d"
        },
        {
          "url": "https://git.kernel.org/stable/c/d547779e72cea9865b732cd45393c4cd02b3598e"
        },
        {
          "url": "https://git.kernel.org/stable/c/18ff4ed6a33a7e3f2097710eacc96bea7696e803"
        },
        {
          "url": "https://git.kernel.org/stable/c/c9e4da550ae196132b990bd77ed3d8f2d9747f87"
        },
        {
          "url": "https://git.kernel.org/stable/c/6fcab2791543924d438e7fa49276d0998b0a069f"
        }
      ],
      "title": "ACPICA: Refuse to evaluate a method if arguments are missing",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38386",
    "datePublished": "2025-07-25T12:53:27.229Z",
    "dateReserved": "2025-04-16T04:51:24.010Z",
    "dateUpdated": "2025-11-03T17:37:19.069Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38393 (GCVE-0-2025-38393)

Vulnerability from cvelistv5

Published

2025-07-25 12:53

Modified

2025-11-03 17:37

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: NFSv4/pNFS: Fix a race to wake on NFS_LAYOUT_DRAIN We found a few different systems hung up in writeback waiting on the same page lock, and one task waiting on the NFS_LAYOUT_DRAIN bit in pnfs_update_layout(), however the pnfs_layout_hdr's plh_outstanding count was zero. It seems most likely that this is another race between the waiter and waker similar to commit ed0172af5d6f ("SUNRPC: Fix a race to wake a sync task"). Fix it up by applying the advised barrier.

References

URL

Tags

	https://git.kernel.org/stable/c/08287df60bac5b008b6bcdb03053988335d3d282
	https://git.kernel.org/stable/c/8846fd02c98da8b79e6343a20e6071be6f372180
	https://git.kernel.org/stable/c/e4b13885e7ef1e64e45268feef1e5f0707c47e72
	https://git.kernel.org/stable/c/8ca65fa71024a1767a59ffbc6a6e2278af84735e
	https://git.kernel.org/stable/c/864a54c1243ed3ca60baa4bc492dede1361f4c83
	https://git.kernel.org/stable/c/1f4da20080718f258e189a2c5f515385fa393da6
	https://git.kernel.org/stable/c/c01776287414ca43412d1319d2877cbad65444ac

Impacted products

Vendor

Product

Version

Linux

Version: 8acc3e228e1c90bd410f73597a4549e0409f22d6
Version: ec23a86e060cbe30b62eb2955adc97c92d80cc4c
Version: 880265c77ac415090090d1fe72a188fee71cb458
Version: 880265c77ac415090090d1fe72a188fee71cb458
Version: 880265c77ac415090090d1fe72a188fee71cb458
Version: 880265c77ac415090090d1fe72a188fee71cb458
Version: 880265c77ac415090090d1fe72a188fee71cb458
Version: f133819e24e78f3aaaa00e9fa2b816d5f73fd172

Linux

Version: 5.19

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:37:26.857Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/nfs/pnfs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "08287df60bac5b008b6bcdb03053988335d3d282",
              "status": "affected",
              "version": "8acc3e228e1c90bd410f73597a4549e0409f22d6",
              "versionType": "git"
            },
            {
              "lessThan": "8846fd02c98da8b79e6343a20e6071be6f372180",
              "status": "affected",
              "version": "ec23a86e060cbe30b62eb2955adc97c92d80cc4c",
              "versionType": "git"
            },
            {
              "lessThan": "e4b13885e7ef1e64e45268feef1e5f0707c47e72",
              "status": "affected",
              "version": "880265c77ac415090090d1fe72a188fee71cb458",
              "versionType": "git"
            },
            {
              "lessThan": "8ca65fa71024a1767a59ffbc6a6e2278af84735e",
              "status": "affected",
              "version": "880265c77ac415090090d1fe72a188fee71cb458",
              "versionType": "git"
            },
            {
              "lessThan": "864a54c1243ed3ca60baa4bc492dede1361f4c83",
              "status": "affected",
              "version": "880265c77ac415090090d1fe72a188fee71cb458",
              "versionType": "git"
            },
            {
              "lessThan": "1f4da20080718f258e189a2c5f515385fa393da6",
              "status": "affected",
              "version": "880265c77ac415090090d1fe72a188fee71cb458",
              "versionType": "git"
            },
            {
              "lessThan": "c01776287414ca43412d1319d2877cbad65444ac",
              "status": "affected",
              "version": "880265c77ac415090090d1fe72a188fee71cb458",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "f133819e24e78f3aaaa00e9fa2b816d5f73fd172",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/nfs/pnfs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.19"
            },
            {
              "lessThan": "5.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.240",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.187",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.144",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.97",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.37",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.240",
                  "versionStartIncluding": "5.10.124",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.187",
                  "versionStartIncluding": "5.15.49",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.144",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.97",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.37",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.6",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.18.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSv4/pNFS: Fix a race to wake on NFS_LAYOUT_DRAIN\n\nWe found a few different systems hung up in writeback waiting on the same\npage lock, and one task waiting on the NFS_LAYOUT_DRAIN bit in\npnfs_update_layout(), however the pnfs_layout_hdr\u0027s plh_outstanding count\nwas zero.\n\nIt seems most likely that this is another race between the waiter and waker\nsimilar to commit ed0172af5d6f (\"SUNRPC: Fix a race to wake a sync task\").\nFix it up by applying the advised barrier."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:20:57.805Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/08287df60bac5b008b6bcdb03053988335d3d282"
        },
        {
          "url": "https://git.kernel.org/stable/c/8846fd02c98da8b79e6343a20e6071be6f372180"
        },
        {
          "url": "https://git.kernel.org/stable/c/e4b13885e7ef1e64e45268feef1e5f0707c47e72"
        },
        {
          "url": "https://git.kernel.org/stable/c/8ca65fa71024a1767a59ffbc6a6e2278af84735e"
        },
        {
          "url": "https://git.kernel.org/stable/c/864a54c1243ed3ca60baa4bc492dede1361f4c83"
        },
        {
          "url": "https://git.kernel.org/stable/c/1f4da20080718f258e189a2c5f515385fa393da6"
        },
        {
          "url": "https://git.kernel.org/stable/c/c01776287414ca43412d1319d2877cbad65444ac"
        }
      ],
      "title": "NFSv4/pNFS: Fix a race to wake on NFS_LAYOUT_DRAIN",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38393",
    "datePublished": "2025-07-25T12:53:38.104Z",
    "dateReserved": "2025-04-16T04:51:24.011Z",
    "dateUpdated": "2025-11-03T17:37:26.857Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-37788 (GCVE-0-2025-37788)

Vulnerability from cvelistv5

Published

2025-05-01 13:07

Modified

2025-11-03 19:55

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: cxgb4: fix memory leak in cxgb4_init_ethtool_filters() error path In the for loop used to allocate the loc_array and bmap for each port, a memory leak is possible when the allocation for loc_array succeeds, but the allocation for bmap fails. This is because when the control flow goes to the label free_eth_finfo, only the allocations starting from (i-1)th iteration are freed. Fix that by freeing the loc_array in the bmap allocation error path.

References

URL

Tags

	https://git.kernel.org/stable/c/e9de08e15aee35b96064960f95997bb6c1209c4b
	https://git.kernel.org/stable/c/118d05b530343cd9322607b9719405ba254a4183
	https://git.kernel.org/stable/c/fa2d7708955e4f8212fd69bab1da604e60cb0b15
	https://git.kernel.org/stable/c/08aa59c0be768596467552c129e9f82166779a67
	https://git.kernel.org/stable/c/dafb6e433ab2333b67be05433dc9c6ccbc7b1284
	https://git.kernel.org/stable/c/76deedea08899885f076aba0bb80bd1276446822
	https://git.kernel.org/stable/c/00ffb3724ce743578163f5ade2884374554ca021

Impacted products

Vendor

Product

Version

Linux

Version: d915c299f1da68a7dbb43895b8741c7b916c9d08
Version: d915c299f1da68a7dbb43895b8741c7b916c9d08
Version: d915c299f1da68a7dbb43895b8741c7b916c9d08
Version: d915c299f1da68a7dbb43895b8741c7b916c9d08
Version: d915c299f1da68a7dbb43895b8741c7b916c9d08
Version: d915c299f1da68a7dbb43895b8741c7b916c9d08
Version: d915c299f1da68a7dbb43895b8741c7b916c9d08

Linux

Version: 5.9

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:55:12.029Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/chelsio/cxgb4/cxgb4_ethtool.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e9de08e15aee35b96064960f95997bb6c1209c4b",
              "status": "affected",
              "version": "d915c299f1da68a7dbb43895b8741c7b916c9d08",
              "versionType": "git"
            },
            {
              "lessThan": "118d05b530343cd9322607b9719405ba254a4183",
              "status": "affected",
              "version": "d915c299f1da68a7dbb43895b8741c7b916c9d08",
              "versionType": "git"
            },
            {
              "lessThan": "fa2d7708955e4f8212fd69bab1da604e60cb0b15",
              "status": "affected",
              "version": "d915c299f1da68a7dbb43895b8741c7b916c9d08",
              "versionType": "git"
            },
            {
              "lessThan": "08aa59c0be768596467552c129e9f82166779a67",
              "status": "affected",
              "version": "d915c299f1da68a7dbb43895b8741c7b916c9d08",
              "versionType": "git"
            },
            {
              "lessThan": "dafb6e433ab2333b67be05433dc9c6ccbc7b1284",
              "status": "affected",
              "version": "d915c299f1da68a7dbb43895b8741c7b916c9d08",
              "versionType": "git"
            },
            {
              "lessThan": "76deedea08899885f076aba0bb80bd1276446822",
              "status": "affected",
              "version": "d915c299f1da68a7dbb43895b8741c7b916c9d08",
              "versionType": "git"
            },
            {
              "lessThan": "00ffb3724ce743578163f5ade2884374554ca021",
              "status": "affected",
              "version": "d915c299f1da68a7dbb43895b8741c7b916c9d08",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/chelsio/cxgb4/cxgb4_ethtool.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.9"
            },
            {
              "lessThan": "5.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.237",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.181",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.135",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.25",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.237",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.181",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.135",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.88",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.25",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.4",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncxgb4: fix memory leak in cxgb4_init_ethtool_filters() error path\n\nIn the for loop used to allocate the loc_array and bmap for each port, a\nmemory leak is possible when the allocation for loc_array succeeds,\nbut the allocation for bmap fails. This is because when the control flow\ngoes to the label free_eth_finfo, only the allocations starting from\n(i-1)th iteration are freed.\n\nFix that by freeing the loc_array in the bmap allocation error path."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:20:54.392Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e9de08e15aee35b96064960f95997bb6c1209c4b"
        },
        {
          "url": "https://git.kernel.org/stable/c/118d05b530343cd9322607b9719405ba254a4183"
        },
        {
          "url": "https://git.kernel.org/stable/c/fa2d7708955e4f8212fd69bab1da604e60cb0b15"
        },
        {
          "url": "https://git.kernel.org/stable/c/08aa59c0be768596467552c129e9f82166779a67"
        },
        {
          "url": "https://git.kernel.org/stable/c/dafb6e433ab2333b67be05433dc9c6ccbc7b1284"
        },
        {
          "url": "https://git.kernel.org/stable/c/76deedea08899885f076aba0bb80bd1276446822"
        },
        {
          "url": "https://git.kernel.org/stable/c/00ffb3724ce743578163f5ade2884374554ca021"
        }
      ],
      "title": "cxgb4: fix memory leak in cxgb4_init_ethtool_filters() error path",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37788",
    "datePublished": "2025-05-01T13:07:22.208Z",
    "dateReserved": "2025-04-16T04:51:23.940Z",
    "dateUpdated": "2025-11-03T19:55:12.029Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-37969 (GCVE-0-2025-37969)

Vulnerability from cvelistv5

Published

2025-05-20 16:47

Modified

2025-11-03 19:57

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_tagged_fifo Prevent st_lsm6dsx_read_tagged_fifo from falling in an infinite loop in case pattern_len is equal to zero and the device FIFO is not empty.

References

URL

Tags

	https://git.kernel.org/stable/c/4db7d923a8c298788181b796f71adf6ca499f966
	https://git.kernel.org/stable/c/76727a1d81afde77d21ea8feaeb12d34605be6f4
	https://git.kernel.org/stable/c/35b8c0a284983b71d92d082c54b7eb655ed4194f
	https://git.kernel.org/stable/c/16857370b3a30663515956b3bd27f3def6a2cf06
	https://git.kernel.org/stable/c/9ce662851380fe2018e36e15c0bdcb1ad177ed95
	https://git.kernel.org/stable/c/dadf9116108315f2eb14c7415c7805f392c476b4
	https://git.kernel.org/stable/c/9ddb4cf2192c213e4dba1733bbcdc94cf6d85bf7
	https://git.kernel.org/stable/c/8114ef86e2058e2554111b793596f17bee23fa15

Impacted products

Vendor

Product

Version

Linux

Version: 801a6e0af0c6cedca2e99155e343ad385a50f08e
Version: 801a6e0af0c6cedca2e99155e343ad385a50f08e
Version: 801a6e0af0c6cedca2e99155e343ad385a50f08e
Version: 801a6e0af0c6cedca2e99155e343ad385a50f08e
Version: 801a6e0af0c6cedca2e99155e343ad385a50f08e
Version: 801a6e0af0c6cedca2e99155e343ad385a50f08e
Version: 801a6e0af0c6cedca2e99155e343ad385a50f08e
Version: 801a6e0af0c6cedca2e99155e343ad385a50f08e

Linux

Version: 4.20

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:57:52.556Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "4db7d923a8c298788181b796f71adf6ca499f966",
              "status": "affected",
              "version": "801a6e0af0c6cedca2e99155e343ad385a50f08e",
              "versionType": "git"
            },
            {
              "lessThan": "76727a1d81afde77d21ea8feaeb12d34605be6f4",
              "status": "affected",
              "version": "801a6e0af0c6cedca2e99155e343ad385a50f08e",
              "versionType": "git"
            },
            {
              "lessThan": "35b8c0a284983b71d92d082c54b7eb655ed4194f",
              "status": "affected",
              "version": "801a6e0af0c6cedca2e99155e343ad385a50f08e",
              "versionType": "git"
            },
            {
              "lessThan": "16857370b3a30663515956b3bd27f3def6a2cf06",
              "status": "affected",
              "version": "801a6e0af0c6cedca2e99155e343ad385a50f08e",
              "versionType": "git"
            },
            {
              "lessThan": "9ce662851380fe2018e36e15c0bdcb1ad177ed95",
              "status": "affected",
              "version": "801a6e0af0c6cedca2e99155e343ad385a50f08e",
              "versionType": "git"
            },
            {
              "lessThan": "dadf9116108315f2eb14c7415c7805f392c476b4",
              "status": "affected",
              "version": "801a6e0af0c6cedca2e99155e343ad385a50f08e",
              "versionType": "git"
            },
            {
              "lessThan": "9ddb4cf2192c213e4dba1733bbcdc94cf6d85bf7",
              "status": "affected",
              "version": "801a6e0af0c6cedca2e99155e343ad385a50f08e",
              "versionType": "git"
            },
            {
              "lessThan": "8114ef86e2058e2554111b793596f17bee23fa15",
              "status": "affected",
              "version": "801a6e0af0c6cedca2e99155e343ad385a50f08e",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.20"
            },
            {
              "lessThan": "4.20",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.294",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.238",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.183",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.139",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.91",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.29",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.294",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.238",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.183",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.139",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.91",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.29",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.7",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_tagged_fifo\n\nPrevent st_lsm6dsx_read_tagged_fifo from falling in an infinite loop in\ncase pattern_len is equal to zero and the device FIFO is not empty."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-04T12:57:36.458Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/4db7d923a8c298788181b796f71adf6ca499f966"
        },
        {
          "url": "https://git.kernel.org/stable/c/76727a1d81afde77d21ea8feaeb12d34605be6f4"
        },
        {
          "url": "https://git.kernel.org/stable/c/35b8c0a284983b71d92d082c54b7eb655ed4194f"
        },
        {
          "url": "https://git.kernel.org/stable/c/16857370b3a30663515956b3bd27f3def6a2cf06"
        },
        {
          "url": "https://git.kernel.org/stable/c/9ce662851380fe2018e36e15c0bdcb1ad177ed95"
        },
        {
          "url": "https://git.kernel.org/stable/c/dadf9116108315f2eb14c7415c7805f392c476b4"
        },
        {
          "url": "https://git.kernel.org/stable/c/9ddb4cf2192c213e4dba1733bbcdc94cf6d85bf7"
        },
        {
          "url": "https://git.kernel.org/stable/c/8114ef86e2058e2554111b793596f17bee23fa15"
        }
      ],
      "title": "iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_tagged_fifo",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37969",
    "datePublished": "2025-05-20T16:47:16.641Z",
    "dateReserved": "2025-04-16T04:51:23.975Z",
    "dateUpdated": "2025-11-03T19:57:52.556Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38283 (GCVE-0-2025-38283)

Vulnerability from cvelistv5

Published

2025-07-10 07:42

Modified

2025-07-28 04:17

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: hisi_acc_vfio_pci: bugfix live migration function without VF device driver If the VF device driver is not loaded in the Guest OS and we attempt to perform device data migration, the address of the migrated data will be NULL. The live migration recovery operation on the destination side will access a null address value, which will cause access errors. Therefore, live migration of VMs without added VF device drivers does not require device data migration. In addition, when the queue address data obtained by the destination is empty, device queue recovery processing will not be performed.

References

URL

Tags

	https://git.kernel.org/stable/c/b5ef128926cd34dffa2a66607b9c82b902581ef8
	https://git.kernel.org/stable/c/59a834592dd200969fdf3c61be1cb0615c647e45
	https://git.kernel.org/stable/c/53e8e8e909f7c3a77857d09d2b733a42547f57ee
	https://git.kernel.org/stable/c/2777a40998deb36f96b6afc48bd397cf58a4edf0

Impacted products

Vendor

Product

Version

Linux

Version: b0eed085903e7758532696d64397901a75bba8ba
Version: b0eed085903e7758532696d64397901a75bba8ba
Version: b0eed085903e7758532696d64397901a75bba8ba
Version: b0eed085903e7758532696d64397901a75bba8ba

Linux

Version: 5.18

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b5ef128926cd34dffa2a66607b9c82b902581ef8",
              "status": "affected",
              "version": "b0eed085903e7758532696d64397901a75bba8ba",
              "versionType": "git"
            },
            {
              "lessThan": "59a834592dd200969fdf3c61be1cb0615c647e45",
              "status": "affected",
              "version": "b0eed085903e7758532696d64397901a75bba8ba",
              "versionType": "git"
            },
            {
              "lessThan": "53e8e8e909f7c3a77857d09d2b733a42547f57ee",
              "status": "affected",
              "version": "b0eed085903e7758532696d64397901a75bba8ba",
              "versionType": "git"
            },
            {
              "lessThan": "2777a40998deb36f96b6afc48bd397cf58a4edf0",
              "status": "affected",
              "version": "b0eed085903e7758532696d64397901a75bba8ba",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.18"
            },
            {
              "lessThan": "5.18",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.94",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhisi_acc_vfio_pci: bugfix live migration function without VF device driver\n\nIf the VF device driver is not loaded in the Guest OS and we attempt to\nperform device data migration, the address of the migrated data will\nbe NULL.\nThe live migration recovery operation on the destination side will\naccess a null address value, which will cause access errors.\n\nTherefore, live migration of VMs without added VF device drivers\ndoes not require device data migration.\nIn addition, when the queue address data obtained by the destination\nis empty, device queue recovery processing will not be performed."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:17:15.094Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b5ef128926cd34dffa2a66607b9c82b902581ef8"
        },
        {
          "url": "https://git.kernel.org/stable/c/59a834592dd200969fdf3c61be1cb0615c647e45"
        },
        {
          "url": "https://git.kernel.org/stable/c/53e8e8e909f7c3a77857d09d2b733a42547f57ee"
        },
        {
          "url": "https://git.kernel.org/stable/c/2777a40998deb36f96b6afc48bd397cf58a4edf0"
        }
      ],
      "title": "hisi_acc_vfio_pci: bugfix live migration function without VF device driver",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38283",
    "datePublished": "2025-07-10T07:42:01.018Z",
    "dateReserved": "2025-04-16T04:51:24.000Z",
    "dateUpdated": "2025-07-28T04:17:15.094Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38430 (GCVE-0-2025-38430)

Vulnerability from cvelistv5

Published

2025-07-25 14:16

Modified

2025-11-03 17:37

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: nfsd: nfsd4_spo_must_allow() must check this is a v4 compound request If the request being processed is not a v4 compound request, then examining the cstate can have undefined results. This patch adds a check that the rpc procedure being executed (rq_procinfo) is the NFSPROC4_COMPOUND procedure.

References

URL

Tags

	https://git.kernel.org/stable/c/bf78a2706ce975981eb5167f2d3b609eb5d24c19
	https://git.kernel.org/stable/c/b1d0323a09a29f81572c7391e0d80d78724729c9
	https://git.kernel.org/stable/c/425efc6b3292a3c79bfee4a1661cf043dcd9cf2f
	https://git.kernel.org/stable/c/64a723b0281ecaa59d31aad73ef8e408a84cb603
	https://git.kernel.org/stable/c/e7e943ddd1c6731812357a28e7954ade3a7d8517
	https://git.kernel.org/stable/c/7a75a956692aa64211a9e95781af1ec461642de4
	https://git.kernel.org/stable/c/2c54bd5a380ebf646fb9efbc4ae782ff3a83a5af
	https://git.kernel.org/stable/c/1244f0b2c3cecd3f349a877006e67c9492b41807

Impacted products

Vendor

Product

Version

Linux

Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Linux

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:37:59.266Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/nfsd/nfs4proc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "bf78a2706ce975981eb5167f2d3b609eb5d24c19",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "b1d0323a09a29f81572c7391e0d80d78724729c9",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "425efc6b3292a3c79bfee4a1661cf043dcd9cf2f",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "64a723b0281ecaa59d31aad73ef8e408a84cb603",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "e7e943ddd1c6731812357a28e7954ade3a7d8517",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "7a75a956692aa64211a9e95781af1ec461642de4",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "2c54bd5a380ebf646fb9efbc4ae782ff3a83a5af",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "1244f0b2c3cecd3f349a877006e67c9492b41807",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/nfsd/nfs4proc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.295",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.95",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.35",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.295",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.95",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.35",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: nfsd4_spo_must_allow() must check this is a v4 compound request\n\nIf the request being processed is not a v4 compound request, then\nexamining the cstate can have undefined results.\n\nThis patch adds a check that the rpc procedure being executed\n(rq_procinfo) is the NFSPROC4_COMPOUND procedure."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:22:01.846Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/bf78a2706ce975981eb5167f2d3b609eb5d24c19"
        },
        {
          "url": "https://git.kernel.org/stable/c/b1d0323a09a29f81572c7391e0d80d78724729c9"
        },
        {
          "url": "https://git.kernel.org/stable/c/425efc6b3292a3c79bfee4a1661cf043dcd9cf2f"
        },
        {
          "url": "https://git.kernel.org/stable/c/64a723b0281ecaa59d31aad73ef8e408a84cb603"
        },
        {
          "url": "https://git.kernel.org/stable/c/e7e943ddd1c6731812357a28e7954ade3a7d8517"
        },
        {
          "url": "https://git.kernel.org/stable/c/7a75a956692aa64211a9e95781af1ec461642de4"
        },
        {
          "url": "https://git.kernel.org/stable/c/2c54bd5a380ebf646fb9efbc4ae782ff3a83a5af"
        },
        {
          "url": "https://git.kernel.org/stable/c/1244f0b2c3cecd3f349a877006e67c9492b41807"
        }
      ],
      "title": "nfsd: nfsd4_spo_must_allow() must check this is a v4 compound request",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38430",
    "datePublished": "2025-07-25T14:16:49.443Z",
    "dateReserved": "2025-04-16T04:51:24.015Z",
    "dateUpdated": "2025-11-03T17:37:59.266Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-23149 (GCVE-0-2025-23149)

Vulnerability from cvelistv5

Published

2025-05-01 12:55

Modified

2025-05-26 05:19

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: tpm: do not start chip while suspended Checking TPM_CHIP_FLAG_SUSPENDED after the call to tpm_find_get_ops() can lead to a spurious tpm_chip_start() call: [35985.503771] i2c i2c-1: Transfer while suspended [35985.503796] WARNING: CPU: 0 PID: 74 at drivers/i2c/i2c-core.h:56 __i2c_transfer+0xbe/0x810 [35985.503802] Modules linked in: [35985.503808] CPU: 0 UID: 0 PID: 74 Comm: hwrng Tainted: G W 6.13.0-next-20250203-00005-gfa0cb5642941 #19 9c3d7f78192f2d38e32010ac9c90fdc71109ef6f [35985.503814] Tainted: [W]=WARN [35985.503817] Hardware name: Google Morphius/Morphius, BIOS Google_Morphius.13434.858.0 10/26/2023 [35985.503819] RIP: 0010:__i2c_transfer+0xbe/0x810 [35985.503825] Code: 30 01 00 00 4c 89 f7 e8 40 fe d8 ff 48 8b 93 80 01 00 00 48 85 d2 75 03 49 8b 16 48 c7 c7 0a fb 7c a7 48 89 c6 e8 32 ad b0 fe <0f> 0b b8 94 ff ff ff e9 33 04 00 00 be 02 00 00 00 83 fd 02 0f 5 [35985.503828] RSP: 0018:ffffa106c0333d30 EFLAGS: 00010246 [35985.503833] RAX: 074ba64aa20f7000 RBX: ffff8aa4c1167120 RCX: 0000000000000000 [35985.503836] RDX: 0000000000000000 RSI: ffffffffa77ab0e4 RDI: 0000000000000001 [35985.503838] RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000000 [35985.503841] R10: 0000000000000004 R11: 00000001000313d5 R12: ffff8aa4c10f1820 [35985.503843] R13: ffff8aa4c0e243c0 R14: ffff8aa4c1167250 R15: ffff8aa4c1167120 [35985.503846] FS: 0000000000000000(0000) GS:ffff8aa4eae00000(0000) knlGS:0000000000000000 [35985.503849] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [35985.503852] CR2: 00007fab0aaf1000 CR3: 0000000105328000 CR4: 00000000003506f0 [35985.503855] Call Trace: [35985.503859] <TASK> [35985.503863] ? __warn+0xd4/0x260 [35985.503868] ? __i2c_transfer+0xbe/0x810 [35985.503874] ? report_bug+0xf3/0x210 [35985.503882] ? handle_bug+0x63/0xb0 [35985.503887] ? exc_invalid_op+0x16/0x50 [35985.503892] ? asm_exc_invalid_op+0x16/0x20 [35985.503904] ? __i2c_transfer+0xbe/0x810 [35985.503913] tpm_cr50_i2c_transfer_message+0x24/0xf0 [35985.503920] tpm_cr50_i2c_read+0x8e/0x120 [35985.503928] tpm_cr50_request_locality+0x75/0x170 [35985.503935] tpm_chip_start+0x116/0x160 [35985.503942] tpm_try_get_ops+0x57/0x90 [35985.503948] tpm_find_get_ops+0x26/0xd0 [35985.503955] tpm_get_random+0x2d/0x80 Don't move forward with tpm_chip_start() inside tpm_try_get_ops(), unless TPM_CHIP_FLAG_SUSPENDED is not set. tpm_find_get_ops() will return NULL in such a failure case.

References

URL

Tags

	https://git.kernel.org/stable/c/1404dff1e11bf927b70ac25e1de97bed9742ede4
	https://git.kernel.org/stable/c/f3cb81cb96d587f9f235a11789d1ec0992643078
	https://git.kernel.org/stable/c/e74e2394eed90aff5c3a08c1f51f476d4de71d02
	https://git.kernel.org/stable/c/f1044e995b64d70ef90ef6f2b89955b127497702
	https://git.kernel.org/stable/c/17d253af4c2c8a2acf84bb55a0c2045f150b7dfd

Impacted products

Vendor

Product

Version

Linux

Version: cfaf83501a0cbb104499c5b0892ee5ebde4e967f
Version: 9265fed6db601ee2ec47577815387458ef4f047a
Version: 9265fed6db601ee2ec47577815387458ef4f047a
Version: 9265fed6db601ee2ec47577815387458ef4f047a
Version: 9265fed6db601ee2ec47577815387458ef4f047a
Version: bc203fe416abdd1c29da594565a7c3c4e979488e

Linux

Version: 6.12

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/char/tpm/tpm-chip.c",
            "drivers/char/tpm/tpm-interface.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1404dff1e11bf927b70ac25e1de97bed9742ede4",
              "status": "affected",
              "version": "cfaf83501a0cbb104499c5b0892ee5ebde4e967f",
              "versionType": "git"
            },
            {
              "lessThan": "f3cb81cb96d587f9f235a11789d1ec0992643078",
              "status": "affected",
              "version": "9265fed6db601ee2ec47577815387458ef4f047a",
              "versionType": "git"
            },
            {
              "lessThan": "e74e2394eed90aff5c3a08c1f51f476d4de71d02",
              "status": "affected",
              "version": "9265fed6db601ee2ec47577815387458ef4f047a",
              "versionType": "git"
            },
            {
              "lessThan": "f1044e995b64d70ef90ef6f2b89955b127497702",
              "status": "affected",
              "version": "9265fed6db601ee2ec47577815387458ef4f047a",
              "versionType": "git"
            },
            {
              "lessThan": "17d253af4c2c8a2acf84bb55a0c2045f150b7dfd",
              "status": "affected",
              "version": "9265fed6db601ee2ec47577815387458ef4f047a",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "bc203fe416abdd1c29da594565a7c3c4e979488e",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/char/tpm/tpm-chip.c",
            "drivers/char/tpm/tpm-interface.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.12"
            },
            {
              "lessThan": "6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.24",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.88",
                  "versionStartIncluding": "6.6.64",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.24",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.12",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.3",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.11.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntpm: do not start chip while suspended\n\nChecking TPM_CHIP_FLAG_SUSPENDED after the call to tpm_find_get_ops() can\nlead to a spurious tpm_chip_start() call:\n\n[35985.503771] i2c i2c-1: Transfer while suspended\n[35985.503796] WARNING: CPU: 0 PID: 74 at drivers/i2c/i2c-core.h:56 __i2c_transfer+0xbe/0x810\n[35985.503802] Modules linked in:\n[35985.503808] CPU: 0 UID: 0 PID: 74 Comm: hwrng Tainted: G        W          6.13.0-next-20250203-00005-gfa0cb5642941 #19 9c3d7f78192f2d38e32010ac9c90fdc71109ef6f\n[35985.503814] Tainted: [W]=WARN\n[35985.503817] Hardware name: Google Morphius/Morphius, BIOS Google_Morphius.13434.858.0 10/26/2023\n[35985.503819] RIP: 0010:__i2c_transfer+0xbe/0x810\n[35985.503825] Code: 30 01 00 00 4c 89 f7 e8 40 fe d8 ff 48 8b 93 80 01 00 00 48 85 d2 75 03 49 8b 16 48 c7 c7 0a fb 7c a7 48 89 c6 e8 32 ad b0 fe \u003c0f\u003e 0b b8 94 ff ff ff e9 33 04 00 00 be 02 00 00 00 83 fd 02 0f 5\n[35985.503828] RSP: 0018:ffffa106c0333d30 EFLAGS: 00010246\n[35985.503833] RAX: 074ba64aa20f7000 RBX: ffff8aa4c1167120 RCX: 0000000000000000\n[35985.503836] RDX: 0000000000000000 RSI: ffffffffa77ab0e4 RDI: 0000000000000001\n[35985.503838] RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000000\n[35985.503841] R10: 0000000000000004 R11: 00000001000313d5 R12: ffff8aa4c10f1820\n[35985.503843] R13: ffff8aa4c0e243c0 R14: ffff8aa4c1167250 R15: ffff8aa4c1167120\n[35985.503846] FS:  0000000000000000(0000) GS:ffff8aa4eae00000(0000) knlGS:0000000000000000\n[35985.503849] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[35985.503852] CR2: 00007fab0aaf1000 CR3: 0000000105328000 CR4: 00000000003506f0\n[35985.503855] Call Trace:\n[35985.503859]  \u003cTASK\u003e\n[35985.503863]  ? __warn+0xd4/0x260\n[35985.503868]  ? __i2c_transfer+0xbe/0x810\n[35985.503874]  ? report_bug+0xf3/0x210\n[35985.503882]  ? handle_bug+0x63/0xb0\n[35985.503887]  ? exc_invalid_op+0x16/0x50\n[35985.503892]  ? asm_exc_invalid_op+0x16/0x20\n[35985.503904]  ? __i2c_transfer+0xbe/0x810\n[35985.503913]  tpm_cr50_i2c_transfer_message+0x24/0xf0\n[35985.503920]  tpm_cr50_i2c_read+0x8e/0x120\n[35985.503928]  tpm_cr50_request_locality+0x75/0x170\n[35985.503935]  tpm_chip_start+0x116/0x160\n[35985.503942]  tpm_try_get_ops+0x57/0x90\n[35985.503948]  tpm_find_get_ops+0x26/0xd0\n[35985.503955]  tpm_get_random+0x2d/0x80\n\nDon\u0027t move forward with tpm_chip_start() inside tpm_try_get_ops(), unless\nTPM_CHIP_FLAG_SUSPENDED is not set. tpm_find_get_ops() will return NULL in\nsuch a failure case."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:19:30.523Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1404dff1e11bf927b70ac25e1de97bed9742ede4"
        },
        {
          "url": "https://git.kernel.org/stable/c/f3cb81cb96d587f9f235a11789d1ec0992643078"
        },
        {
          "url": "https://git.kernel.org/stable/c/e74e2394eed90aff5c3a08c1f51f476d4de71d02"
        },
        {
          "url": "https://git.kernel.org/stable/c/f1044e995b64d70ef90ef6f2b89955b127497702"
        },
        {
          "url": "https://git.kernel.org/stable/c/17d253af4c2c8a2acf84bb55a0c2045f150b7dfd"
        }
      ],
      "title": "tpm: do not start chip while suspended",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-23149",
    "datePublished": "2025-05-01T12:55:37.428Z",
    "dateReserved": "2025-01-11T14:28:41.513Z",
    "dateUpdated": "2025-05-26T05:19:30.523Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-56742 (GCVE-0-2024-56742)

Vulnerability from cvelistv5

Published

2024-12-29 11:30

Modified

2025-05-04 10:03

Severity ?

3.3 (Low) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Summary

In the Linux kernel, the following vulnerability has been resolved: vfio/mlx5: Fix an unwind issue in mlx5vf_add_migration_pages() Fix an unwind issue in mlx5vf_add_migration_pages(). If a set of pages is allocated but fails to be added to the SG table, they need to be freed to prevent a memory leak. Any pages successfully added to the SG table will be freed as part of mlx5vf_free_data_buffer().

References

URL

Tags

	https://git.kernel.org/stable/c/769fe4ce444b646b0bf6ac308de80686c730c7df
	https://git.kernel.org/stable/c/c44f1b2ddfa81c8d7f8e9b6bc76c427bc00e69d5
	https://git.kernel.org/stable/c/22e87bf3f77c18f5982c19ffe2732ef0c7a25f16

Impacted products

Vendor

Product

Version

Linux

Version: 6fadb021266d03c5fd7bca2cfa1607efd246dad1
Version: 6fadb021266d03c5fd7bca2cfa1607efd246dad1
Version: 6fadb021266d03c5fd7bca2cfa1607efd246dad1

Linux

Version: 5.18

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "LOW",
              "baseScore": 3.3,
              "baseSeverity": "LOW",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-56742",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-17T20:10:22.255813Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-401",
                "description": "CWE-401 Missing Release of Memory after Effective Lifetime",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-17T20:15:52.281Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/vfio/pci/mlx5/cmd.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "769fe4ce444b646b0bf6ac308de80686c730c7df",
              "status": "affected",
              "version": "6fadb021266d03c5fd7bca2cfa1607efd246dad1",
              "versionType": "git"
            },
            {
              "lessThan": "c44f1b2ddfa81c8d7f8e9b6bc76c427bc00e69d5",
              "status": "affected",
              "version": "6fadb021266d03c5fd7bca2cfa1607efd246dad1",
              "versionType": "git"
            },
            {
              "lessThan": "22e87bf3f77c18f5982c19ffe2732ef0c7a25f16",
              "status": "affected",
              "version": "6fadb021266d03c5fd7bca2cfa1607efd246dad1",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/vfio/pci/mlx5/cmd.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.18"
            },
            {
              "lessThan": "5.18",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.11.*",
              "status": "unaffected",
              "version": "6.11.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.11.11",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.2",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/mlx5: Fix an unwind issue in mlx5vf_add_migration_pages()\n\nFix an unwind issue in mlx5vf_add_migration_pages().\n\nIf a set of pages is allocated but fails to be added to the SG table,\nthey need to be freed to prevent a memory leak.\n\nAny pages successfully added to the SG table will be freed as part of\nmlx5vf_free_data_buffer()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:03:39.195Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/769fe4ce444b646b0bf6ac308de80686c730c7df"
        },
        {
          "url": "https://git.kernel.org/stable/c/c44f1b2ddfa81c8d7f8e9b6bc76c427bc00e69d5"
        },
        {
          "url": "https://git.kernel.org/stable/c/22e87bf3f77c18f5982c19ffe2732ef0c7a25f16"
        }
      ],
      "title": "vfio/mlx5: Fix an unwind issue in mlx5vf_add_migration_pages()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56742",
    "datePublished": "2024-12-29T11:30:10.538Z",
    "dateReserved": "2024-12-29T11:26:39.758Z",
    "dateUpdated": "2025-05-04T10:03:39.195Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38203 (GCVE-0-2025-38203)

Vulnerability from cvelistv5

Published

2025-07-04 13:37

Modified

2025-11-03 17:35

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: jfs: Fix null-ptr-deref in jfs_ioc_trim [ Syzkaller Report ] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000087: 0000 [#1 KASAN: null-ptr-deref in range [0x0000000000000438-0x000000000000043f] CPU: 2 UID: 0 PID: 10614 Comm: syz-executor.0 Not tainted 6.13.0-rc6-gfbfd64d25c7a-dirty #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Sched_ext: serialise (enabled+all), task: runnable_at=-30ms RIP: 0010:jfs_ioc_trim+0x34b/0x8f0 Code: e7 e8 59 a4 87 fe 4d 8b 24 24 4d 8d bc 24 38 04 00 00 48 8d 93 90 82 fe ff 4c 89 ff 31 f6 RSP: 0018:ffffc900055f7cd0 EFLAGS: 00010206 RAX: 0000000000000087 RBX: 00005866a9e67ff8 RCX: 000000000000000a RDX: 0000000000000001 RSI: 0000000000000004 RDI: 0000000000000001 RBP: dffffc0000000000 R08: ffff88807c180003 R09: 1ffff1100f830000 R10: dffffc0000000000 R11: ffffed100f830001 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000438 FS: 00007fe520225640(0000) GS:ffff8880b7e80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00005593c91b2c88 CR3: 000000014927c000 CR4: 00000000000006f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ? __die_body+0x61/0xb0 ? die_addr+0xb1/0xe0 ? exc_general_protection+0x333/0x510 ? asm_exc_general_protection+0x26/0x30 ? jfs_ioc_trim+0x34b/0x8f0 jfs_ioctl+0x3c8/0x4f0 ? __pfx_jfs_ioctl+0x10/0x10 ? __pfx_jfs_ioctl+0x10/0x10 __se_sys_ioctl+0x269/0x350 ? __pfx___se_sys_ioctl+0x10/0x10 ? do_syscall_64+0xfb/0x210 do_syscall_64+0xee/0x210 ? syscall_exit_to_user_mode+0x1e0/0x330 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fe51f4903ad Code: c3 e8 a7 2b 00 00 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d RSP: 002b:00007fe5202250c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007fe51f5cbf80 RCX: 00007fe51f4903ad RDX: 0000000020000680 RSI: 00000000c0185879 RDI: 0000000000000005 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe520225640 R13: 000000000000000e R14: 00007fe51f44fca0 R15: 00007fe52021d000 </TASK> Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:jfs_ioc_trim+0x34b/0x8f0 Code: e7 e8 59 a4 87 fe 4d 8b 24 24 4d 8d bc 24 38 04 00 00 48 8d 93 90 82 fe ff 4c 89 ff 31 f6 RSP: 0018:ffffc900055f7cd0 EFLAGS: 00010206 RAX: 0000000000000087 RBX: 00005866a9e67ff8 RCX: 000000000000000a RDX: 0000000000000001 RSI: 0000000000000004 RDI: 0000000000000001 RBP: dffffc0000000000 R08: ffff88807c180003 R09: 1ffff1100f830000 R10: dffffc0000000000 R11: ffffed100f830001 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000438 FS: 00007fe520225640(0000) GS:ffff8880b7e80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00005593c91b2c88 CR3: 000000014927c000 CR4: 00000000000006f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Kernel panic - not syncing: Fatal exception [ Analysis ] We believe that we have found a concurrency bug in the `fs/jfs` module that results in a null pointer dereference. There is a closely related issue which has been fixed: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d6c1b3599b2feb5c7291f5ac3a36e5fa7cedb234 ... but, unfortunately, the accepted patch appears to still be susceptible to a null pointer dereference under some interleavings. To trigger the bug, we think that `JFS_SBI(ipbmap->i_sb)->bmap` is set to NULL in `dbFreeBits` and then dereferenced in `jfs_ioc_trim`. This bug manifests quite rarely under normal circumstances, but is triggereable from a syz-program.

References

URL

Tags

	https://git.kernel.org/stable/c/0d50231d473f89024158dc62624930de45d13718
	https://git.kernel.org/stable/c/a9d41c925069c950e18160e12a7e10e0f58c56fb
	https://git.kernel.org/stable/c/4a8cb9908b51500a76f5156423bd295df53bff89
	https://git.kernel.org/stable/c/9806ae34d7d661c372247cd36f83bfa0523d60ed
	https://git.kernel.org/stable/c/a4685408ff6c3e2af366ad9a7274f45ff3f394ee

Impacted products

Vendor

Product

Version

Linux

Version: b40c2e665cd552eae5fbdbb878bc29a34357668e
Version: b40c2e665cd552eae5fbdbb878bc29a34357668e
Version: b40c2e665cd552eae5fbdbb878bc29a34357668e
Version: b40c2e665cd552eae5fbdbb878bc29a34357668e
Version: b40c2e665cd552eae5fbdbb878bc29a34357668e

Linux

Version: 3.7

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:35:25.733Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/jfs/jfs_discard.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0d50231d473f89024158dc62624930de45d13718",
              "status": "affected",
              "version": "b40c2e665cd552eae5fbdbb878bc29a34357668e",
              "versionType": "git"
            },
            {
              "lessThan": "a9d41c925069c950e18160e12a7e10e0f58c56fb",
              "status": "affected",
              "version": "b40c2e665cd552eae5fbdbb878bc29a34357668e",
              "versionType": "git"
            },
            {
              "lessThan": "4a8cb9908b51500a76f5156423bd295df53bff89",
              "status": "affected",
              "version": "b40c2e665cd552eae5fbdbb878bc29a34357668e",
              "versionType": "git"
            },
            {
              "lessThan": "9806ae34d7d661c372247cd36f83bfa0523d60ed",
              "status": "affected",
              "version": "b40c2e665cd552eae5fbdbb878bc29a34357668e",
              "versionType": "git"
            },
            {
              "lessThan": "a4685408ff6c3e2af366ad9a7274f45ff3f394ee",
              "status": "affected",
              "version": "b40c2e665cd552eae5fbdbb878bc29a34357668e",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/jfs/jfs_discard.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.7"
            },
            {
              "lessThan": "3.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.295",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.295",
                  "versionStartIncluding": "3.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "3.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "3.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.4",
                  "versionStartIncluding": "3.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "3.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: Fix null-ptr-deref in jfs_ioc_trim\n\n[ Syzkaller Report ]\n\nOops: general protection fault, probably for non-canonical address\n0xdffffc0000000087: 0000 [#1\nKASAN: null-ptr-deref in range [0x0000000000000438-0x000000000000043f]\nCPU: 2 UID: 0 PID: 10614 Comm: syz-executor.0 Not tainted\n6.13.0-rc6-gfbfd64d25c7a-dirty #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nSched_ext: serialise (enabled+all), task: runnable_at=-30ms\nRIP: 0010:jfs_ioc_trim+0x34b/0x8f0\nCode: e7 e8 59 a4 87 fe 4d 8b 24 24 4d 8d bc 24 38 04 00 00 48 8d 93\n90 82 fe ff 4c 89 ff 31 f6\nRSP: 0018:ffffc900055f7cd0 EFLAGS: 00010206\nRAX: 0000000000000087 RBX: 00005866a9e67ff8 RCX: 000000000000000a\nRDX: 0000000000000001 RSI: 0000000000000004 RDI: 0000000000000001\nRBP: dffffc0000000000 R08: ffff88807c180003 R09: 1ffff1100f830000\nR10: dffffc0000000000 R11: ffffed100f830001 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000438\nFS:  00007fe520225640(0000) GS:ffff8880b7e80000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00005593c91b2c88 CR3: 000000014927c000 CR4: 00000000000006f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n\u003cTASK\u003e\n? __die_body+0x61/0xb0\n? die_addr+0xb1/0xe0\n? exc_general_protection+0x333/0x510\n? asm_exc_general_protection+0x26/0x30\n? jfs_ioc_trim+0x34b/0x8f0\njfs_ioctl+0x3c8/0x4f0\n? __pfx_jfs_ioctl+0x10/0x10\n? __pfx_jfs_ioctl+0x10/0x10\n__se_sys_ioctl+0x269/0x350\n? __pfx___se_sys_ioctl+0x10/0x10\n? do_syscall_64+0xfb/0x210\ndo_syscall_64+0xee/0x210\n? syscall_exit_to_user_mode+0x1e0/0x330\nentry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7fe51f4903ad\nCode: c3 e8 a7 2b 00 00 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 89 f8 48\n89 f7 48 89 d6 48 89 ca 4d\nRSP: 002b:00007fe5202250c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 00007fe51f5cbf80 RCX: 00007fe51f4903ad\nRDX: 0000000020000680 RSI: 00000000c0185879 RDI: 0000000000000005\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 00007fe520225640\nR13: 000000000000000e R14: 00007fe51f44fca0 R15: 00007fe52021d000\n\u003c/TASK\u003e\nModules linked in:\n---[ end trace 0000000000000000 ]---\nRIP: 0010:jfs_ioc_trim+0x34b/0x8f0\nCode: e7 e8 59 a4 87 fe 4d 8b 24 24 4d 8d bc 24 38 04 00 00 48 8d 93\n90 82 fe ff 4c 89 ff 31 f6\nRSP: 0018:ffffc900055f7cd0 EFLAGS: 00010206\nRAX: 0000000000000087 RBX: 00005866a9e67ff8 RCX: 000000000000000a\nRDX: 0000000000000001 RSI: 0000000000000004 RDI: 0000000000000001\nRBP: dffffc0000000000 R08: ffff88807c180003 R09: 1ffff1100f830000\nR10: dffffc0000000000 R11: ffffed100f830001 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000438\nFS:  00007fe520225640(0000) GS:ffff8880b7e80000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00005593c91b2c88 CR3: 000000014927c000 CR4: 00000000000006f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nKernel panic - not syncing: Fatal exception\n\n[ Analysis ]\n\nWe believe that we have found a concurrency bug in the `fs/jfs` module\nthat results in a null pointer dereference. There is a closely related\nissue which has been fixed:\n\nhttps://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d6c1b3599b2feb5c7291f5ac3a36e5fa7cedb234\n\n... but, unfortunately, the accepted patch appears to still be\nsusceptible to a null pointer dereference under some interleavings.\n\nTo trigger the bug, we think that `JFS_SBI(ipbmap-\u003ei_sb)-\u003ebmap` is set\nto NULL in `dbFreeBits` and then dereferenced in `jfs_ioc_trim`. This\nbug manifests quite rarely under normal circumstances, but is\ntriggereable from a syz-program."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:14:59.793Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0d50231d473f89024158dc62624930de45d13718"
        },
        {
          "url": "https://git.kernel.org/stable/c/a9d41c925069c950e18160e12a7e10e0f58c56fb"
        },
        {
          "url": "https://git.kernel.org/stable/c/4a8cb9908b51500a76f5156423bd295df53bff89"
        },
        {
          "url": "https://git.kernel.org/stable/c/9806ae34d7d661c372247cd36f83bfa0523d60ed"
        },
        {
          "url": "https://git.kernel.org/stable/c/a4685408ff6c3e2af366ad9a7274f45ff3f394ee"
        }
      ],
      "title": "jfs: Fix null-ptr-deref in jfs_ioc_trim",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38203",
    "datePublished": "2025-07-04T13:37:23.975Z",
    "dateReserved": "2025-04-16T04:51:23.994Z",
    "dateUpdated": "2025-11-03T17:35:25.733Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-23159 (GCVE-0-2025-23159)

Vulnerability from cvelistv5

Published

2025-05-01 12:55

Modified

2025-11-03 19:42

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: media: venus: hfi: add a check to handle OOB in sfr region sfr->buf_size is in shared memory and can be modified by malicious user. OOB write is possible when the size is made higher than actual sfr data buffer. Cap the size to allocated size for such cases.

References

URL

Tags

	https://git.kernel.org/stable/c/4dd109038d513b92d4d33524ffc89ba32e02ba48
	https://git.kernel.org/stable/c/8879397c0da5e5ec1515262995e82cdfd61b282a
	https://git.kernel.org/stable/c/1b8fb257234e7d2d4b3f48af07c5aa5e11c71634
	https://git.kernel.org/stable/c/4e95233af57715d81830fe82b408c633edff59f4
	https://git.kernel.org/stable/c/5af611c70fb889d46d2f654b8996746e59556750
	https://git.kernel.org/stable/c/530f623f56a6680792499a8404083e17f8ec51f4
	https://git.kernel.org/stable/c/a062d8de0be5525ec8c52f070acf7607ec8cbfe4
	https://git.kernel.org/stable/c/d78a8388a27b265fcb2b8d064f088168ac9356b0
	https://git.kernel.org/stable/c/f4b211714bcc70effa60c34d9fa613d182e3ef1e

Impacted products

Vendor

Product

Version

Linux

Version: d96d3f30c0f2f564f6922bf4ccdf4464992e31fb
Version: d96d3f30c0f2f564f6922bf4ccdf4464992e31fb
Version: d96d3f30c0f2f564f6922bf4ccdf4464992e31fb
Version: d96d3f30c0f2f564f6922bf4ccdf4464992e31fb
Version: d96d3f30c0f2f564f6922bf4ccdf4464992e31fb
Version: d96d3f30c0f2f564f6922bf4ccdf4464992e31fb
Version: d96d3f30c0f2f564f6922bf4ccdf4464992e31fb
Version: d96d3f30c0f2f564f6922bf4ccdf4464992e31fb
Version: d96d3f30c0f2f564f6922bf4ccdf4464992e31fb

Linux

Version: 4.13

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:42:59.661Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/platform/qcom/venus/hfi_venus.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "4dd109038d513b92d4d33524ffc89ba32e02ba48",
              "status": "affected",
              "version": "d96d3f30c0f2f564f6922bf4ccdf4464992e31fb",
              "versionType": "git"
            },
            {
              "lessThan": "8879397c0da5e5ec1515262995e82cdfd61b282a",
              "status": "affected",
              "version": "d96d3f30c0f2f564f6922bf4ccdf4464992e31fb",
              "versionType": "git"
            },
            {
              "lessThan": "1b8fb257234e7d2d4b3f48af07c5aa5e11c71634",
              "status": "affected",
              "version": "d96d3f30c0f2f564f6922bf4ccdf4464992e31fb",
              "versionType": "git"
            },
            {
              "lessThan": "4e95233af57715d81830fe82b408c633edff59f4",
              "status": "affected",
              "version": "d96d3f30c0f2f564f6922bf4ccdf4464992e31fb",
              "versionType": "git"
            },
            {
              "lessThan": "5af611c70fb889d46d2f654b8996746e59556750",
              "status": "affected",
              "version": "d96d3f30c0f2f564f6922bf4ccdf4464992e31fb",
              "versionType": "git"
            },
            {
              "lessThan": "530f623f56a6680792499a8404083e17f8ec51f4",
              "status": "affected",
              "version": "d96d3f30c0f2f564f6922bf4ccdf4464992e31fb",
              "versionType": "git"
            },
            {
              "lessThan": "a062d8de0be5525ec8c52f070acf7607ec8cbfe4",
              "status": "affected",
              "version": "d96d3f30c0f2f564f6922bf4ccdf4464992e31fb",
              "versionType": "git"
            },
            {
              "lessThan": "d78a8388a27b265fcb2b8d064f088168ac9356b0",
              "status": "affected",
              "version": "d96d3f30c0f2f564f6922bf4ccdf4464992e31fb",
              "versionType": "git"
            },
            {
              "lessThan": "f4b211714bcc70effa60c34d9fa613d182e3ef1e",
              "status": "affected",
              "version": "d96d3f30c0f2f564f6922bf4ccdf4464992e31fb",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/platform/qcom/venus/hfi_venus.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.13"
            },
            {
              "lessThan": "4.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.293",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.237",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.181",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.135",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.24",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.293",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.237",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.181",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.135",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.88",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.24",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.12",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.3",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: venus: hfi: add a check to handle OOB in sfr region\n\nsfr-\u003ebuf_size is in shared memory and can be modified by malicious user.\nOOB write is possible when the size is made higher than actual sfr data\nbuffer. Cap the size to allocated size for such cases."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:19:43.236Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/4dd109038d513b92d4d33524ffc89ba32e02ba48"
        },
        {
          "url": "https://git.kernel.org/stable/c/8879397c0da5e5ec1515262995e82cdfd61b282a"
        },
        {
          "url": "https://git.kernel.org/stable/c/1b8fb257234e7d2d4b3f48af07c5aa5e11c71634"
        },
        {
          "url": "https://git.kernel.org/stable/c/4e95233af57715d81830fe82b408c633edff59f4"
        },
        {
          "url": "https://git.kernel.org/stable/c/5af611c70fb889d46d2f654b8996746e59556750"
        },
        {
          "url": "https://git.kernel.org/stable/c/530f623f56a6680792499a8404083e17f8ec51f4"
        },
        {
          "url": "https://git.kernel.org/stable/c/a062d8de0be5525ec8c52f070acf7607ec8cbfe4"
        },
        {
          "url": "https://git.kernel.org/stable/c/d78a8388a27b265fcb2b8d064f088168ac9356b0"
        },
        {
          "url": "https://git.kernel.org/stable/c/f4b211714bcc70effa60c34d9fa613d182e3ef1e"
        }
      ],
      "title": "media: venus: hfi: add a check to handle OOB in sfr region",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-23159",
    "datePublished": "2025-05-01T12:55:44.695Z",
    "dateReserved": "2025-01-11T14:28:41.515Z",
    "dateUpdated": "2025-11-03T19:42:59.661Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-37772 (GCVE-0-2025-37772)

Vulnerability from cvelistv5

Published

2025-05-01 13:07

Modified

2025-11-03 19:54

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: RDMA/cma: Fix workqueue crash in cma_netevent_work_handler struct rdma_cm_id has member "struct work_struct net_work" that is reused for enqueuing cma_netevent_work_handler()s onto cma_wq. Below crash[1] can occur if more than one call to cma_netevent_callback() occurs in quick succession, which further enqueues cma_netevent_work_handler()s for the same rdma_cm_id, overwriting any previously queued work-item(s) that was just scheduled to run i.e. there is no guarantee the queued work item may run between two successive calls to cma_netevent_callback() and the 2nd INIT_WORK would overwrite the 1st work item (for the same rdma_cm_id), despite grabbing id_table_lock during enqueue. Also drgn analysis [2] indicates the work item was likely overwritten. Fix this by moving the INIT_WORK() to __rdma_create_id(), so that it doesn't race with any existing queue_work() or its worker thread. [1] Trimmed crash stack: ============================================= BUG: kernel NULL pointer dereference, address: 0000000000000008 kworker/u256:6 ... 6.12.0-0... Workqueue: cma_netevent_work_handler [rdma_cm] (rdma_cm) RIP: 0010:process_one_work+0xba/0x31a Call Trace: worker_thread+0x266/0x3a0 kthread+0xcf/0x100 ret_from_fork+0x31/0x50 ret_from_fork_asm+0x1a/0x30 ============================================= [2] drgn crash analysis: >>> trace = prog.crashed_thread().stack_trace() >>> trace (0) crash_setup_regs (./arch/x86/include/asm/kexec.h:111:15) (1) __crash_kexec (kernel/crash_core.c:122:4) (2) panic (kernel/panic.c:399:3) (3) oops_end (arch/x86/kernel/dumpstack.c:382:3) ... (8) process_one_work (kernel/workqueue.c:3168:2) (9) process_scheduled_works (kernel/workqueue.c:3310:3) (10) worker_thread (kernel/workqueue.c:3391:4) (11) kthread (kernel/kthread.c:389:9) Line workqueue.c:3168 for this kernel version is in process_one_work(): 3168 strscpy(worker->desc, pwq->wq->name, WORKER_DESC_LEN); >>> trace[8]["work"] *(struct work_struct *)0xffff92577d0a21d8 = { .data = (atomic_long_t){ .counter = (s64)536870912, <=== Note }, .entry = (struct list_head){ .next = (struct list_head *)0xffff924d075924c0, .prev = (struct list_head *)0xffff924d075924c0, }, .func = (work_func_t)cma_netevent_work_handler+0x0 = 0xffffffffc2cec280, } Suspicion is that pwq is NULL: >>> trace[8]["pwq"] (struct pool_workqueue *)<absent> In process_one_work(), pwq is assigned from: struct pool_workqueue *pwq = get_work_pwq(work); and get_work_pwq() is: static struct pool_workqueue *get_work_pwq(struct work_struct *work) { unsigned long data = atomic_long_read(&work->data); if (data & WORK_STRUCT_PWQ) return work_struct_pwq(data); else return NULL; } WORK_STRUCT_PWQ is 0x4: >>> print(repr(prog['WORK_STRUCT_PWQ'])) Object(prog, 'enum work_flags', value=4) But work->data is 536870912 which is 0x20000000. So, get_work_pwq() returns NULL and we crash in process_one_work(): 3168 strscpy(worker->desc, pwq->wq->name, WORKER_DESC_LEN); =============================================

References

URL

Tags

	https://git.kernel.org/stable/c/51003b2c872c63d28bcf5fbcc52cf7b05615f7b7
	https://git.kernel.org/stable/c/c2b169fc7a12665d8a675c1ff14bca1b9c63fb9a
	https://git.kernel.org/stable/c/d23fd7a539ac078df119707110686a5b226ee3bb
	https://git.kernel.org/stable/c/b172a4a0de254f1fcce7591833a9a63547c2f447
	https://git.kernel.org/stable/c/45f5dcdd049719fb999393b30679605f16ebce14

Impacted products

Vendor

Product

Version

Linux

Version: 925d046e7e52c71c3531199ce137e141807ef740
Version: 925d046e7e52c71c3531199ce137e141807ef740
Version: 925d046e7e52c71c3531199ce137e141807ef740
Version: 925d046e7e52c71c3531199ce137e141807ef740
Version: 925d046e7e52c71c3531199ce137e141807ef740

Linux

Version: 6.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:54:49.961Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/core/cma.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "51003b2c872c63d28bcf5fbcc52cf7b05615f7b7",
              "status": "affected",
              "version": "925d046e7e52c71c3531199ce137e141807ef740",
              "versionType": "git"
            },
            {
              "lessThan": "c2b169fc7a12665d8a675c1ff14bca1b9c63fb9a",
              "status": "affected",
              "version": "925d046e7e52c71c3531199ce137e141807ef740",
              "versionType": "git"
            },
            {
              "lessThan": "d23fd7a539ac078df119707110686a5b226ee3bb",
              "status": "affected",
              "version": "925d046e7e52c71c3531199ce137e141807ef740",
              "versionType": "git"
            },
            {
              "lessThan": "b172a4a0de254f1fcce7591833a9a63547c2f447",
              "status": "affected",
              "version": "925d046e7e52c71c3531199ce137e141807ef740",
              "versionType": "git"
            },
            {
              "lessThan": "45f5dcdd049719fb999393b30679605f16ebce14",
              "status": "affected",
              "version": "925d046e7e52c71c3531199ce137e141807ef740",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/core/cma.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.0"
            },
            {
              "lessThan": "6.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.135",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.25",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.135",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.88",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.25",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.4",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/cma: Fix workqueue crash in cma_netevent_work_handler\n\nstruct rdma_cm_id has member \"struct work_struct net_work\"\nthat is reused for enqueuing cma_netevent_work_handler()s\nonto cma_wq.\n\nBelow crash[1] can occur if more than one call to\ncma_netevent_callback() occurs in quick succession,\nwhich further enqueues cma_netevent_work_handler()s for the\nsame rdma_cm_id, overwriting any previously queued work-item(s)\nthat was just scheduled to run i.e. there is no guarantee\nthe queued work item may run between two successive calls\nto cma_netevent_callback() and the 2nd INIT_WORK would overwrite\nthe 1st work item (for the same rdma_cm_id), despite grabbing\nid_table_lock during enqueue.\n\nAlso drgn analysis [2] indicates the work item was likely overwritten.\n\nFix this by moving the INIT_WORK() to __rdma_create_id(),\nso that it doesn\u0027t race with any existing queue_work() or\nits worker thread.\n\n[1] Trimmed crash stack:\n=============================================\nBUG: kernel NULL pointer dereference, address: 0000000000000008\nkworker/u256:6 ... 6.12.0-0...\nWorkqueue:  cma_netevent_work_handler [rdma_cm] (rdma_cm)\nRIP: 0010:process_one_work+0xba/0x31a\nCall Trace:\n worker_thread+0x266/0x3a0\n kthread+0xcf/0x100\n ret_from_fork+0x31/0x50\n ret_from_fork_asm+0x1a/0x30\n=============================================\n\n[2] drgn crash analysis:\n\n\u003e\u003e\u003e trace = prog.crashed_thread().stack_trace()\n\u003e\u003e\u003e trace\n(0)  crash_setup_regs (./arch/x86/include/asm/kexec.h:111:15)\n(1)  __crash_kexec (kernel/crash_core.c:122:4)\n(2)  panic (kernel/panic.c:399:3)\n(3)  oops_end (arch/x86/kernel/dumpstack.c:382:3)\n...\n(8)  process_one_work (kernel/workqueue.c:3168:2)\n(9)  process_scheduled_works (kernel/workqueue.c:3310:3)\n(10) worker_thread (kernel/workqueue.c:3391:4)\n(11) kthread (kernel/kthread.c:389:9)\n\nLine workqueue.c:3168 for this kernel version is in process_one_work():\n3168\tstrscpy(worker-\u003edesc, pwq-\u003ewq-\u003ename, WORKER_DESC_LEN);\n\n\u003e\u003e\u003e trace[8][\"work\"]\n*(struct work_struct *)0xffff92577d0a21d8 = {\n\t.data = (atomic_long_t){\n\t\t.counter = (s64)536870912,    \u003c=== Note\n\t},\n\t.entry = (struct list_head){\n\t\t.next = (struct list_head *)0xffff924d075924c0,\n\t\t.prev = (struct list_head *)0xffff924d075924c0,\n\t},\n\t.func = (work_func_t)cma_netevent_work_handler+0x0 = 0xffffffffc2cec280,\n}\n\nSuspicion is that pwq is NULL:\n\u003e\u003e\u003e trace[8][\"pwq\"]\n(struct pool_workqueue *)\u003cabsent\u003e\n\nIn process_one_work(), pwq is assigned from:\nstruct pool_workqueue *pwq = get_work_pwq(work);\n\nand get_work_pwq() is:\nstatic struct pool_workqueue *get_work_pwq(struct work_struct *work)\n{\n \tunsigned long data = atomic_long_read(\u0026work-\u003edata);\n\n \tif (data \u0026 WORK_STRUCT_PWQ)\n \t\treturn work_struct_pwq(data);\n \telse\n \t\treturn NULL;\n}\n\nWORK_STRUCT_PWQ is 0x4:\n\u003e\u003e\u003e print(repr(prog[\u0027WORK_STRUCT_PWQ\u0027]))\nObject(prog, \u0027enum work_flags\u0027, value=4)\n\nBut work-\u003edata is 536870912 which is 0x20000000.\nSo, get_work_pwq() returns NULL and we crash in process_one_work():\n3168\tstrscpy(worker-\u003edesc, pwq-\u003ewq-\u003ename, WORKER_DESC_LEN);\n============================================="
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:20:33.472Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/51003b2c872c63d28bcf5fbcc52cf7b05615f7b7"
        },
        {
          "url": "https://git.kernel.org/stable/c/c2b169fc7a12665d8a675c1ff14bca1b9c63fb9a"
        },
        {
          "url": "https://git.kernel.org/stable/c/d23fd7a539ac078df119707110686a5b226ee3bb"
        },
        {
          "url": "https://git.kernel.org/stable/c/b172a4a0de254f1fcce7591833a9a63547c2f447"
        },
        {
          "url": "https://git.kernel.org/stable/c/45f5dcdd049719fb999393b30679605f16ebce14"
        }
      ],
      "title": "RDMA/cma: Fix workqueue crash in cma_netevent_work_handler",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37772",
    "datePublished": "2025-05-01T13:07:12.168Z",
    "dateReserved": "2025-04-16T04:51:23.939Z",
    "dateUpdated": "2025-11-03T19:54:49.961Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38027 (GCVE-0-2025-38027)

Vulnerability from cvelistv5

Published

2025-06-18 09:28

Modified

2025-11-03 19:58

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: regulator: max20086: fix invalid memory access max20086_parse_regulators_dt() calls of_regulator_match() using an array of struct of_regulator_match allocated on the stack for the matches argument. of_regulator_match() calls devm_of_regulator_put_matches(), which calls devres_alloc() to allocate a struct devm_of_regulator_matches which will be de-allocated using devm_of_regulator_put_matches(). struct devm_of_regulator_matches is populated with the stack allocated matches array. If the device fails to probe, devm_of_regulator_put_matches() will be called and will try to call of_node_put() on that stack pointer, generating the following dmesg entries: max20086 6-0028: Failed to read DEVICE_ID reg: -121 kobject: '\xc0$\xa5\x03' (000000002cebcb7a): is not initialized, yet kobject_put() is being called. Followed by a stack trace matching the call flow described above. Switch to allocating the matches array using devm_kcalloc() to avoid accessing the stack pointer long after it's out of scope. This also has the advantage of allowing multiple max20086 to probe without overriding the data stored inside the global of_regulator_match.

References

URL

Tags

	https://git.kernel.org/stable/c/6ba30f7aa2c550b2ac04f16b81a19a8c045b8660
	https://git.kernel.org/stable/c/7bddac8603d4e396872c2fbf4403ec08e7b1d7c8
	https://git.kernel.org/stable/c/d2a9a92bb4cc7568cff68241b0051dc7268bdc68
	https://git.kernel.org/stable/c/5578ab04bd7732f470fc614bbc0a924900399fb8
	https://git.kernel.org/stable/c/6b0cd72757c69bc2d45da42b41023e288d02e772

Impacted products

Vendor

Product

Version

Linux

Version: bfff546aae50ae68ed395bf0e0848188d27b0ba3
Version: bfff546aae50ae68ed395bf0e0848188d27b0ba3
Version: bfff546aae50ae68ed395bf0e0848188d27b0ba3
Version: bfff546aae50ae68ed395bf0e0848188d27b0ba3
Version: bfff546aae50ae68ed395bf0e0848188d27b0ba3

Linux

Version: 5.17

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:58:24.832Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/regulator/max20086-regulator.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6ba30f7aa2c550b2ac04f16b81a19a8c045b8660",
              "status": "affected",
              "version": "bfff546aae50ae68ed395bf0e0848188d27b0ba3",
              "versionType": "git"
            },
            {
              "lessThan": "7bddac8603d4e396872c2fbf4403ec08e7b1d7c8",
              "status": "affected",
              "version": "bfff546aae50ae68ed395bf0e0848188d27b0ba3",
              "versionType": "git"
            },
            {
              "lessThan": "d2a9a92bb4cc7568cff68241b0051dc7268bdc68",
              "status": "affected",
              "version": "bfff546aae50ae68ed395bf0e0848188d27b0ba3",
              "versionType": "git"
            },
            {
              "lessThan": "5578ab04bd7732f470fc614bbc0a924900399fb8",
              "status": "affected",
              "version": "bfff546aae50ae68ed395bf0e0848188d27b0ba3",
              "versionType": "git"
            },
            {
              "lessThan": "6b0cd72757c69bc2d45da42b41023e288d02e772",
              "status": "affected",
              "version": "bfff546aae50ae68ed395bf0e0848188d27b0ba3",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/regulator/max20086-regulator.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.17"
            },
            {
              "lessThan": "5.17",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.92",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.140",
                  "versionStartIncluding": "5.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.92",
                  "versionStartIncluding": "5.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.30",
                  "versionStartIncluding": "5.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.8",
                  "versionStartIncluding": "5.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "5.17",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nregulator: max20086: fix invalid memory access\n\nmax20086_parse_regulators_dt() calls of_regulator_match() using an\narray of struct of_regulator_match allocated on the stack for the\nmatches argument.\n\nof_regulator_match() calls devm_of_regulator_put_matches(), which calls\ndevres_alloc() to allocate a struct devm_of_regulator_matches which will\nbe de-allocated using devm_of_regulator_put_matches().\n\nstruct devm_of_regulator_matches is populated with the stack allocated\nmatches array.\n\nIf the device fails to probe, devm_of_regulator_put_matches() will be\ncalled and will try to call of_node_put() on that stack pointer,\ngenerating the following dmesg entries:\n\nmax20086 6-0028: Failed to read DEVICE_ID reg: -121\nkobject: \u0027\\xc0$\\xa5\\x03\u0027 (000000002cebcb7a): is not initialized, yet\nkobject_put() is being called.\n\nFollowed by a stack trace matching the call flow described above.\n\nSwitch to allocating the matches array using devm_kcalloc() to\navoid accessing the stack pointer long after it\u0027s out of scope.\n\nThis also has the advantage of allowing multiple max20086 to probe\nwithout overriding the data stored inside the global of_regulator_match."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-18T09:28:32.546Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/6ba30f7aa2c550b2ac04f16b81a19a8c045b8660"
        },
        {
          "url": "https://git.kernel.org/stable/c/7bddac8603d4e396872c2fbf4403ec08e7b1d7c8"
        },
        {
          "url": "https://git.kernel.org/stable/c/d2a9a92bb4cc7568cff68241b0051dc7268bdc68"
        },
        {
          "url": "https://git.kernel.org/stable/c/5578ab04bd7732f470fc614bbc0a924900399fb8"
        },
        {
          "url": "https://git.kernel.org/stable/c/6b0cd72757c69bc2d45da42b41023e288d02e772"
        }
      ],
      "title": "regulator: max20086: fix invalid memory access",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38027",
    "datePublished": "2025-06-18T09:28:32.546Z",
    "dateReserved": "2025-04-16T04:51:23.978Z",
    "dateUpdated": "2025-11-03T19:58:24.832Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-37851 (GCVE-0-2025-37851)

Vulnerability from cvelistv5

Published

2025-05-09 06:41

Modified

2025-11-03 19:56

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: fbdev: omapfb: Add 'plane' value check Function dispc_ovl_setup is not intended to work with the value OMAP_DSS_WB of the enum parameter plane. The value of this parameter is initialized in dss_init_overlays and in the current state of the code it cannot take this value so it's not a real problem. For the purposes of defensive coding it wouldn't be superfluous to check the parameter value, because some functions down the call stack process this value correctly and some not. For example, in dispc_ovl_setup_global_alpha it may lead to buffer overflow. Add check for this value. Found by Linux Verification Center (linuxtesting.org) with SVACE static analysis tool.

References

URL

Tags

	https://git.kernel.org/stable/c/a570efb4d877adbf3db2dc95487f2ba6bfdd148a
	https://git.kernel.org/stable/c/cdf41d72e8b015d9ea68f5a1c0a79624e7c312aa
	https://git.kernel.org/stable/c/09dbf22fd68c2f1a81ab89670ffa1ec3033436c4
	https://git.kernel.org/stable/c/660a53a0694d1f3789802509fe729dd4656fc5e0
	https://git.kernel.org/stable/c/fda15c5b96b883d62fb2d84a3a1422aa87717897
	https://git.kernel.org/stable/c/52eafaa56f8f6d6a0cdff9282b25b4acbde34edc
	https://git.kernel.org/stable/c/9b0a41589ee70529b20e1e0108d03f10c649bdc4
	https://git.kernel.org/stable/c/4efd8ef5e40f2c7a4a91a5a9f03140bfa827da89
	https://git.kernel.org/stable/c/3e411827f31db7f938a30a3c7a7599839401ec30

Impacted products

Vendor

Product

Version

Linux

Version: 559d67018950ced65c73358cd69c4bdd2b0c5dd6
Version: 559d67018950ced65c73358cd69c4bdd2b0c5dd6
Version: 559d67018950ced65c73358cd69c4bdd2b0c5dd6
Version: 559d67018950ced65c73358cd69c4bdd2b0c5dd6
Version: 559d67018950ced65c73358cd69c4bdd2b0c5dd6
Version: 559d67018950ced65c73358cd69c4bdd2b0c5dd6
Version: 559d67018950ced65c73358cd69c4bdd2b0c5dd6
Version: 559d67018950ced65c73358cd69c4bdd2b0c5dd6
Version: 559d67018950ced65c73358cd69c4bdd2b0c5dd6

Linux

Version: 2.6.33

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:56:27.631Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/video/fbdev/omap2/omapfb/dss/dispc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a570efb4d877adbf3db2dc95487f2ba6bfdd148a",
              "status": "affected",
              "version": "559d67018950ced65c73358cd69c4bdd2b0c5dd6",
              "versionType": "git"
            },
            {
              "lessThan": "cdf41d72e8b015d9ea68f5a1c0a79624e7c312aa",
              "status": "affected",
              "version": "559d67018950ced65c73358cd69c4bdd2b0c5dd6",
              "versionType": "git"
            },
            {
              "lessThan": "09dbf22fd68c2f1a81ab89670ffa1ec3033436c4",
              "status": "affected",
              "version": "559d67018950ced65c73358cd69c4bdd2b0c5dd6",
              "versionType": "git"
            },
            {
              "lessThan": "660a53a0694d1f3789802509fe729dd4656fc5e0",
              "status": "affected",
              "version": "559d67018950ced65c73358cd69c4bdd2b0c5dd6",
              "versionType": "git"
            },
            {
              "lessThan": "fda15c5b96b883d62fb2d84a3a1422aa87717897",
              "status": "affected",
              "version": "559d67018950ced65c73358cd69c4bdd2b0c5dd6",
              "versionType": "git"
            },
            {
              "lessThan": "52eafaa56f8f6d6a0cdff9282b25b4acbde34edc",
              "status": "affected",
              "version": "559d67018950ced65c73358cd69c4bdd2b0c5dd6",
              "versionType": "git"
            },
            {
              "lessThan": "9b0a41589ee70529b20e1e0108d03f10c649bdc4",
              "status": "affected",
              "version": "559d67018950ced65c73358cd69c4bdd2b0c5dd6",
              "versionType": "git"
            },
            {
              "lessThan": "4efd8ef5e40f2c7a4a91a5a9f03140bfa827da89",
              "status": "affected",
              "version": "559d67018950ced65c73358cd69c4bdd2b0c5dd6",
              "versionType": "git"
            },
            {
              "lessThan": "3e411827f31db7f938a30a3c7a7599839401ec30",
              "status": "affected",
              "version": "559d67018950ced65c73358cd69c4bdd2b0c5dd6",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/video/fbdev/omap2/omapfb/dss/dispc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.33"
            },
            {
              "lessThan": "2.6.33",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.293",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.237",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.181",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.135",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.24",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.293",
                  "versionStartIncluding": "2.6.33",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.237",
                  "versionStartIncluding": "2.6.33",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.181",
                  "versionStartIncluding": "2.6.33",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.135",
                  "versionStartIncluding": "2.6.33",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.88",
                  "versionStartIncluding": "2.6.33",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.24",
                  "versionStartIncluding": "2.6.33",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.12",
                  "versionStartIncluding": "2.6.33",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.3",
                  "versionStartIncluding": "2.6.33",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "2.6.33",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: omapfb: Add \u0027plane\u0027 value check\n\nFunction dispc_ovl_setup is not intended to work with the value OMAP_DSS_WB\nof the enum parameter plane.\n\nThe value of this parameter is initialized in dss_init_overlays and in the\ncurrent state of the code it cannot take this value so it\u0027s not a real\nproblem.\n\nFor the purposes of defensive coding it wouldn\u0027t be superfluous to check\nthe parameter value, because some functions down the call stack process\nthis value correctly and some not.\n\nFor example, in dispc_ovl_setup_global_alpha it may lead to buffer\noverflow.\n\nAdd check for this value.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE static\nanalysis tool."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:22:17.231Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a570efb4d877adbf3db2dc95487f2ba6bfdd148a"
        },
        {
          "url": "https://git.kernel.org/stable/c/cdf41d72e8b015d9ea68f5a1c0a79624e7c312aa"
        },
        {
          "url": "https://git.kernel.org/stable/c/09dbf22fd68c2f1a81ab89670ffa1ec3033436c4"
        },
        {
          "url": "https://git.kernel.org/stable/c/660a53a0694d1f3789802509fe729dd4656fc5e0"
        },
        {
          "url": "https://git.kernel.org/stable/c/fda15c5b96b883d62fb2d84a3a1422aa87717897"
        },
        {
          "url": "https://git.kernel.org/stable/c/52eafaa56f8f6d6a0cdff9282b25b4acbde34edc"
        },
        {
          "url": "https://git.kernel.org/stable/c/9b0a41589ee70529b20e1e0108d03f10c649bdc4"
        },
        {
          "url": "https://git.kernel.org/stable/c/4efd8ef5e40f2c7a4a91a5a9f03140bfa827da89"
        },
        {
          "url": "https://git.kernel.org/stable/c/3e411827f31db7f938a30a3c7a7599839401ec30"
        }
      ],
      "title": "fbdev: omapfb: Add \u0027plane\u0027 value check",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37851",
    "datePublished": "2025-05-09T06:41:58.466Z",
    "dateReserved": "2025-04-16T04:51:23.955Z",
    "dateUpdated": "2025-11-03T19:56:27.631Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38387 (GCVE-0-2025-38387)

Vulnerability from cvelistv5

Published

2025-07-25 12:53

Modified

2025-11-03 17:37

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Initialize obj_event->obj_sub_list before xa_insert The obj_event may be loaded immediately after inserted, then if the list_head is not initialized then we may get a poisonous pointer. This fixes the crash below: mlx5_core 0000:03:00.0: MLX5E: StrdRq(1) RqSz(8) StrdSz(2048) RxCqeCmprss(0 enhanced) mlx5_core.sf mlx5_core.sf.4: firmware version: 32.38.3056 mlx5_core 0000:03:00.0 en3f0pf0sf2002: renamed from eth0 mlx5_core.sf mlx5_core.sf.4: Rate limit: 127 rates are supported, range: 0Mbps to 195312Mbps IPv6: ADDRCONF(NETDEV_CHANGE): en3f0pf0sf2002: link becomes ready Unable to handle kernel NULL pointer dereference at virtual address 0000000000000060 Mem abort info: ESR = 0x96000006 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 Data abort info: ISV = 0, ISS = 0x00000006 CM = 0, WnR = 0 user pgtable: 4k pages, 48-bit VAs, pgdp=00000007760fb000 [0000000000000060] pgd=000000076f6d7003, p4d=000000076f6d7003, pud=0000000777841003, pmd=0000000000000000 Internal error: Oops: 96000006 [#1] SMP Modules linked in: ipmb_host(OE) act_mirred(E) cls_flower(E) sch_ingress(E) mptcp_diag(E) udp_diag(E) raw_diag(E) unix_diag(E) tcp_diag(E) inet_diag(E) binfmt_misc(E) bonding(OE) rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) isofs(E) cdrom(E) mst_pciconf(OE) ib_umad(OE) mlx5_ib(OE) ipmb_dev_int(OE) mlx5_core(OE) kpatch_15237886(OEK) mlxdevm(OE) auxiliary(OE) ib_uverbs(OE) ib_core(OE) psample(E) mlxfw(OE) tls(E) sunrpc(E) vfat(E) fat(E) crct10dif_ce(E) ghash_ce(E) sha1_ce(E) sbsa_gwdt(E) virtio_console(E) ext4(E) mbcache(E) jbd2(E) xfs(E) libcrc32c(E) mmc_block(E) virtio_net(E) net_failover(E) failover(E) sha2_ce(E) sha256_arm64(E) nvme(OE) nvme_core(OE) gpio_mlxbf3(OE) mlx_compat(OE) mlxbf_pmc(OE) i2c_mlxbf(OE) sdhci_of_dwcmshc(OE) pinctrl_mlxbf3(OE) mlxbf_pka(OE) gpio_generic(E) i2c_core(E) mmc_core(E) mlxbf_gige(OE) vitesse(E) pwr_mlxbf(OE) mlxbf_tmfifo(OE) micrel(E) mlxbf_bootctl(OE) virtio_ring(E) virtio(E) ipmi_devintf(E) ipmi_msghandler(E) [last unloaded: mst_pci] CPU: 11 PID: 20913 Comm: rte-worker-11 Kdump: loaded Tainted: G OE K 5.10.134-13.1.an8.aarch64 #1 Hardware name: https://www.mellanox.com BlueField-3 SmartNIC Main Card/BlueField-3 SmartNIC Main Card, BIOS 4.2.2.12968 Oct 26 2023 pstate: a0400089 (NzCv daIf +PAN -UAO -TCO BTYPE=--) pc : dispatch_event_fd+0x68/0x300 [mlx5_ib] lr : devx_event_notifier+0xcc/0x228 [mlx5_ib] sp : ffff80001005bcf0 x29: ffff80001005bcf0 x28: 0000000000000001 x27: ffff244e0740a1d8 x26: ffff244e0740a1d0 x25: ffffda56beff5ae0 x24: ffffda56bf911618 x23: ffff244e0596a480 x22: ffff244e0596a480 x21: ffff244d8312ad90 x20: ffff244e0596a480 x19: fffffffffffffff0 x18: 0000000000000000 x17: 0000000000000000 x16: ffffda56be66d620 x15: 0000000000000000 x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000040 x10: ffffda56bfcafb50 x9 : ffffda5655c25f2c x8 : 0000000000000010 x7 : 0000000000000000 x6 : ffff24545a2e24b8 x5 : 0000000000000003 x4 : ffff80001005bd28 x3 : 0000000000000000 x2 : 0000000000000000 x1 : ffff244e0596a480 x0 : ffff244d8312ad90 Call trace: dispatch_event_fd+0x68/0x300 [mlx5_ib] devx_event_notifier+0xcc/0x228 [mlx5_ib] atomic_notifier_call_chain+0x58/0x80 mlx5_eq_async_int+0x148/0x2b0 [mlx5_core] atomic_notifier_call_chain+0x58/0x80 irq_int_handler+0x20/0x30 [mlx5_core] __handle_irq_event_percpu+0x60/0x220 handle_irq_event_percpu+0x3c/0x90 handle_irq_event+0x58/0x158 handle_fasteoi_irq+0xfc/0x188 generic_handle_irq+0x34/0x48 ...

References

URL

Tags

	https://git.kernel.org/stable/c/716b555fc0580c2aa4c2c32ae4401c7e3ad9873e
	https://git.kernel.org/stable/c/972e968aac0dce8fe8faad54f6106de576695d8e
	https://git.kernel.org/stable/c/00ed215f593876385451423924fe0358c556179c
	https://git.kernel.org/stable/c/9a28377a96fb299c180dd9cf0be3b0a038a52d4e
	https://git.kernel.org/stable/c/23a3b32a274a8d6f33480d0eff436eb100981651
	https://git.kernel.org/stable/c/93fccfa71c66a4003b3d2fef3a38de7307e14a4e
	https://git.kernel.org/stable/c/e8069711139249994450c214cec152b917b959e0
	https://git.kernel.org/stable/c/8edab8a72d67742f87e9dc2e2b0cdfddda5dc29a

Impacted products

Vendor

Product

Version

Linux

Version: 7597385371425febdaa8c6a1da3625d4ffff16f5
Version: 7597385371425febdaa8c6a1da3625d4ffff16f5
Version: 7597385371425febdaa8c6a1da3625d4ffff16f5
Version: 7597385371425febdaa8c6a1da3625d4ffff16f5
Version: 7597385371425febdaa8c6a1da3625d4ffff16f5
Version: 7597385371425febdaa8c6a1da3625d4ffff16f5
Version: 7597385371425febdaa8c6a1da3625d4ffff16f5
Version: 7597385371425febdaa8c6a1da3625d4ffff16f5

Linux

Version: 5.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:37:21.001Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/hw/mlx5/devx.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "716b555fc0580c2aa4c2c32ae4401c7e3ad9873e",
              "status": "affected",
              "version": "7597385371425febdaa8c6a1da3625d4ffff16f5",
              "versionType": "git"
            },
            {
              "lessThan": "972e968aac0dce8fe8faad54f6106de576695d8e",
              "status": "affected",
              "version": "7597385371425febdaa8c6a1da3625d4ffff16f5",
              "versionType": "git"
            },
            {
              "lessThan": "00ed215f593876385451423924fe0358c556179c",
              "status": "affected",
              "version": "7597385371425febdaa8c6a1da3625d4ffff16f5",
              "versionType": "git"
            },
            {
              "lessThan": "9a28377a96fb299c180dd9cf0be3b0a038a52d4e",
              "status": "affected",
              "version": "7597385371425febdaa8c6a1da3625d4ffff16f5",
              "versionType": "git"
            },
            {
              "lessThan": "23a3b32a274a8d6f33480d0eff436eb100981651",
              "status": "affected",
              "version": "7597385371425febdaa8c6a1da3625d4ffff16f5",
              "versionType": "git"
            },
            {
              "lessThan": "93fccfa71c66a4003b3d2fef3a38de7307e14a4e",
              "status": "affected",
              "version": "7597385371425febdaa8c6a1da3625d4ffff16f5",
              "versionType": "git"
            },
            {
              "lessThan": "e8069711139249994450c214cec152b917b959e0",
              "status": "affected",
              "version": "7597385371425febdaa8c6a1da3625d4ffff16f5",
              "versionType": "git"
            },
            {
              "lessThan": "8edab8a72d67742f87e9dc2e2b0cdfddda5dc29a",
              "status": "affected",
              "version": "7597385371425febdaa8c6a1da3625d4ffff16f5",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/hw/mlx5/devx.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.3"
            },
            {
              "lessThan": "5.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.296",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.240",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.187",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.144",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.97",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.37",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.296",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.240",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.187",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.144",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.97",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.37",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.6",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx5: Initialize obj_event-\u003eobj_sub_list before xa_insert\n\nThe obj_event may be loaded immediately after inserted, then if the\nlist_head is not initialized then we may get a poisonous pointer.  This\nfixes the crash below:\n\n mlx5_core 0000:03:00.0: MLX5E: StrdRq(1) RqSz(8) StrdSz(2048) RxCqeCmprss(0 enhanced)\n mlx5_core.sf mlx5_core.sf.4: firmware version: 32.38.3056\n mlx5_core 0000:03:00.0 en3f0pf0sf2002: renamed from eth0\n mlx5_core.sf mlx5_core.sf.4: Rate limit: 127 rates are supported, range: 0Mbps to 195312Mbps\n IPv6: ADDRCONF(NETDEV_CHANGE): en3f0pf0sf2002: link becomes ready\n Unable to handle kernel NULL pointer dereference at virtual address 0000000000000060\n Mem abort info:\n   ESR = 0x96000006\n   EC = 0x25: DABT (current EL), IL = 32 bits\n   SET = 0, FnV = 0\n   EA = 0, S1PTW = 0\n Data abort info:\n   ISV = 0, ISS = 0x00000006\n   CM = 0, WnR = 0\n user pgtable: 4k pages, 48-bit VAs, pgdp=00000007760fb000\n [0000000000000060] pgd=000000076f6d7003, p4d=000000076f6d7003, pud=0000000777841003, pmd=0000000000000000\n Internal error: Oops: 96000006 [#1] SMP\n Modules linked in: ipmb_host(OE) act_mirred(E) cls_flower(E) sch_ingress(E) mptcp_diag(E) udp_diag(E) raw_diag(E) unix_diag(E) tcp_diag(E) inet_diag(E) binfmt_misc(E) bonding(OE) rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) isofs(E) cdrom(E) mst_pciconf(OE) ib_umad(OE) mlx5_ib(OE) ipmb_dev_int(OE) mlx5_core(OE) kpatch_15237886(OEK) mlxdevm(OE) auxiliary(OE) ib_uverbs(OE) ib_core(OE) psample(E) mlxfw(OE) tls(E) sunrpc(E) vfat(E) fat(E) crct10dif_ce(E) ghash_ce(E) sha1_ce(E) sbsa_gwdt(E) virtio_console(E) ext4(E) mbcache(E) jbd2(E) xfs(E) libcrc32c(E) mmc_block(E) virtio_net(E) net_failover(E) failover(E) sha2_ce(E) sha256_arm64(E) nvme(OE) nvme_core(OE) gpio_mlxbf3(OE) mlx_compat(OE) mlxbf_pmc(OE) i2c_mlxbf(OE) sdhci_of_dwcmshc(OE) pinctrl_mlxbf3(OE) mlxbf_pka(OE) gpio_generic(E) i2c_core(E) mmc_core(E) mlxbf_gige(OE) vitesse(E) pwr_mlxbf(OE) mlxbf_tmfifo(OE) micrel(E) mlxbf_bootctl(OE) virtio_ring(E) virtio(E) ipmi_devintf(E) ipmi_msghandler(E)\n  [last unloaded: mst_pci]\n CPU: 11 PID: 20913 Comm: rte-worker-11 Kdump: loaded Tainted: G           OE K   5.10.134-13.1.an8.aarch64 #1\n Hardware name: https://www.mellanox.com BlueField-3 SmartNIC Main Card/BlueField-3 SmartNIC Main Card, BIOS 4.2.2.12968 Oct 26 2023\n pstate: a0400089 (NzCv daIf +PAN -UAO -TCO BTYPE=--)\n pc : dispatch_event_fd+0x68/0x300 [mlx5_ib]\n lr : devx_event_notifier+0xcc/0x228 [mlx5_ib]\n sp : ffff80001005bcf0\n x29: ffff80001005bcf0 x28: 0000000000000001\n x27: ffff244e0740a1d8 x26: ffff244e0740a1d0\n x25: ffffda56beff5ae0 x24: ffffda56bf911618\n x23: ffff244e0596a480 x22: ffff244e0596a480\n x21: ffff244d8312ad90 x20: ffff244e0596a480\n x19: fffffffffffffff0 x18: 0000000000000000\n x17: 0000000000000000 x16: ffffda56be66d620\n x15: 0000000000000000 x14: 0000000000000000\n x13: 0000000000000000 x12: 0000000000000000\n x11: 0000000000000040 x10: ffffda56bfcafb50\n x9 : ffffda5655c25f2c x8 : 0000000000000010\n x7 : 0000000000000000 x6 : ffff24545a2e24b8\n x5 : 0000000000000003 x4 : ffff80001005bd28\n x3 : 0000000000000000 x2 : 0000000000000000\n x1 : ffff244e0596a480 x0 : ffff244d8312ad90\n Call trace:\n  dispatch_event_fd+0x68/0x300 [mlx5_ib]\n  devx_event_notifier+0xcc/0x228 [mlx5_ib]\n  atomic_notifier_call_chain+0x58/0x80\n  mlx5_eq_async_int+0x148/0x2b0 [mlx5_core]\n  atomic_notifier_call_chain+0x58/0x80\n  irq_int_handler+0x20/0x30 [mlx5_core]\n  __handle_irq_event_percpu+0x60/0x220\n  handle_irq_event_percpu+0x3c/0x90\n  handle_irq_event+0x58/0x158\n  handle_fasteoi_irq+0xfc/0x188\n  generic_handle_irq+0x34/0x48\n  ..."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:20:48.794Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/716b555fc0580c2aa4c2c32ae4401c7e3ad9873e"
        },
        {
          "url": "https://git.kernel.org/stable/c/972e968aac0dce8fe8faad54f6106de576695d8e"
        },
        {
          "url": "https://git.kernel.org/stable/c/00ed215f593876385451423924fe0358c556179c"
        },
        {
          "url": "https://git.kernel.org/stable/c/9a28377a96fb299c180dd9cf0be3b0a038a52d4e"
        },
        {
          "url": "https://git.kernel.org/stable/c/23a3b32a274a8d6f33480d0eff436eb100981651"
        },
        {
          "url": "https://git.kernel.org/stable/c/93fccfa71c66a4003b3d2fef3a38de7307e14a4e"
        },
        {
          "url": "https://git.kernel.org/stable/c/e8069711139249994450c214cec152b917b959e0"
        },
        {
          "url": "https://git.kernel.org/stable/c/8edab8a72d67742f87e9dc2e2b0cdfddda5dc29a"
        }
      ],
      "title": "RDMA/mlx5: Initialize obj_event-\u003eobj_sub_list before xa_insert",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38387",
    "datePublished": "2025-07-25T12:53:27.945Z",
    "dateReserved": "2025-04-16T04:51:24.011Z",
    "dateUpdated": "2025-11-03T17:37:21.001Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38040 (GCVE-0-2025-38040)

Vulnerability from cvelistv5

Published

2025-06-18 09:33

Modified

2025-11-03 17:33

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: serial: mctrl_gpio: split disable_ms into sync and no_sync APIs The following splat has been observed on a SAMA5D27 platform using atmel_serial: BUG: sleeping function called from invalid context at kernel/irq/manage.c:738 in_atomic(): 1, irqs_disabled(): 128, non_block: 0, pid: 27, name: kworker/u5:0 preempt_count: 1, expected: 0 INFO: lockdep is turned off. irq event stamp: 0 hardirqs last enabled at (0): [<00000000>] 0x0 hardirqs last disabled at (0): [<c01588f0>] copy_process+0x1c4c/0x7bec softirqs last enabled at (0): [<c0158944>] copy_process+0x1ca0/0x7bec softirqs last disabled at (0): [<00000000>] 0x0 CPU: 0 UID: 0 PID: 27 Comm: kworker/u5:0 Not tainted 6.13.0-rc7+ #74 Hardware name: Atmel SAMA5 Workqueue: hci0 hci_power_on [bluetooth] Call trace: unwind_backtrace from show_stack+0x18/0x1c show_stack from dump_stack_lvl+0x44/0x70 dump_stack_lvl from __might_resched+0x38c/0x598 __might_resched from disable_irq+0x1c/0x48 disable_irq from mctrl_gpio_disable_ms+0x74/0xc0 mctrl_gpio_disable_ms from atmel_disable_ms.part.0+0x80/0x1f4 atmel_disable_ms.part.0 from atmel_set_termios+0x764/0x11e8 atmel_set_termios from uart_change_line_settings+0x15c/0x994 uart_change_line_settings from uart_set_termios+0x2b0/0x668 uart_set_termios from tty_set_termios+0x600/0x8ec tty_set_termios from ttyport_set_flow_control+0x188/0x1e0 ttyport_set_flow_control from wilc_setup+0xd0/0x524 [hci_wilc] wilc_setup [hci_wilc] from hci_dev_open_sync+0x330/0x203c [bluetooth] hci_dev_open_sync [bluetooth] from hci_dev_do_open+0x40/0xb0 [bluetooth] hci_dev_do_open [bluetooth] from hci_power_on+0x12c/0x664 [bluetooth] hci_power_on [bluetooth] from process_one_work+0x998/0x1a38 process_one_work from worker_thread+0x6e0/0xfb4 worker_thread from kthread+0x3d4/0x484 kthread from ret_from_fork+0x14/0x28 This warning is emitted when trying to toggle, at the highest level, some flow control (with serdev_device_set_flow_control) in a device driver. At the lowest level, the atmel_serial driver is using serial_mctrl_gpio lib to enable/disable the corresponding IRQs accordingly. The warning emitted by CONFIG_DEBUG_ATOMIC_SLEEP is due to disable_irq (called in mctrl_gpio_disable_ms) being possibly called in some atomic context (some tty drivers perform modem lines configuration in regions protected by port lock). Split mctrl_gpio_disable_ms into two differents APIs, a non-blocking one and a blocking one. Replace mctrl_gpio_disable_ms calls with the relevant version depending on whether the call is protected by some port lock.

References

URL

Tags

	https://git.kernel.org/stable/c/68435c1fa3db696db4f480385db9e50e26691d0d
	https://git.kernel.org/stable/c/c504c11b94d6e4ad818ca5578dffa8ff29ad0f20
	https://git.kernel.org/stable/c/e6a46719a2369eb5186d4f7e6c0478720ca1ec3d
	https://git.kernel.org/stable/c/7187ec6b0b9ff22ebac2c3bb4178b7dbbdc0a55a
	https://git.kernel.org/stable/c/1bd2aad57da95f7f2d2bb52f7ad15c0f4993a685

Impacted products

Vendor

Product

Version

Linux

Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Linux

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:33:17.475Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "Documentation/driver-api/serial/driver.rst",
            "drivers/tty/serial/8250/8250_port.c",
            "drivers/tty/serial/atmel_serial.c",
            "drivers/tty/serial/imx.c",
            "drivers/tty/serial/serial_mctrl_gpio.c",
            "drivers/tty/serial/serial_mctrl_gpio.h",
            "drivers/tty/serial/sh-sci.c",
            "drivers/tty/serial/stm32-usart.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "68435c1fa3db696db4f480385db9e50e26691d0d",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "c504c11b94d6e4ad818ca5578dffa8ff29ad0f20",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "e6a46719a2369eb5186d4f7e6c0478720ca1ec3d",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "7187ec6b0b9ff22ebac2c3bb4178b7dbbdc0a55a",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "1bd2aad57da95f7f2d2bb52f7ad15c0f4993a685",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "Documentation/driver-api/serial/driver.rst",
            "drivers/tty/serial/8250/8250_port.c",
            "drivers/tty/serial/atmel_serial.c",
            "drivers/tty/serial/imx.c",
            "drivers/tty/serial/serial_mctrl_gpio.c",
            "drivers/tty/serial/serial_mctrl_gpio.h",
            "drivers/tty/serial/sh-sci.c",
            "drivers/tty/serial/stm32-usart.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.141",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.93",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.31",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.141",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.93",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.31",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: mctrl_gpio: split disable_ms into sync and no_sync APIs\n\nThe following splat has been observed on a SAMA5D27 platform using\natmel_serial:\n\nBUG: sleeping function called from invalid context at kernel/irq/manage.c:738\nin_atomic(): 1, irqs_disabled(): 128, non_block: 0, pid: 27, name: kworker/u5:0\npreempt_count: 1, expected: 0\nINFO: lockdep is turned off.\nirq event stamp: 0\nhardirqs last  enabled at (0): [\u003c00000000\u003e] 0x0\nhardirqs last disabled at (0): [\u003cc01588f0\u003e] copy_process+0x1c4c/0x7bec\nsoftirqs last  enabled at (0): [\u003cc0158944\u003e] copy_process+0x1ca0/0x7bec\nsoftirqs last disabled at (0): [\u003c00000000\u003e] 0x0\nCPU: 0 UID: 0 PID: 27 Comm: kworker/u5:0 Not tainted 6.13.0-rc7+ #74\nHardware name: Atmel SAMA5\nWorkqueue: hci0 hci_power_on [bluetooth]\nCall trace:\n  unwind_backtrace from show_stack+0x18/0x1c\n  show_stack from dump_stack_lvl+0x44/0x70\n  dump_stack_lvl from __might_resched+0x38c/0x598\n  __might_resched from disable_irq+0x1c/0x48\n  disable_irq from mctrl_gpio_disable_ms+0x74/0xc0\n  mctrl_gpio_disable_ms from atmel_disable_ms.part.0+0x80/0x1f4\n  atmel_disable_ms.part.0 from atmel_set_termios+0x764/0x11e8\n  atmel_set_termios from uart_change_line_settings+0x15c/0x994\n  uart_change_line_settings from uart_set_termios+0x2b0/0x668\n  uart_set_termios from tty_set_termios+0x600/0x8ec\n  tty_set_termios from ttyport_set_flow_control+0x188/0x1e0\n  ttyport_set_flow_control from wilc_setup+0xd0/0x524 [hci_wilc]\n  wilc_setup [hci_wilc] from hci_dev_open_sync+0x330/0x203c [bluetooth]\n  hci_dev_open_sync [bluetooth] from hci_dev_do_open+0x40/0xb0 [bluetooth]\n  hci_dev_do_open [bluetooth] from hci_power_on+0x12c/0x664 [bluetooth]\n  hci_power_on [bluetooth] from process_one_work+0x998/0x1a38\n  process_one_work from worker_thread+0x6e0/0xfb4\n  worker_thread from kthread+0x3d4/0x484\n  kthread from ret_from_fork+0x14/0x28\n\nThis warning is emitted when trying to toggle, at the highest level,\nsome flow control (with serdev_device_set_flow_control) in a device\ndriver. At the lowest level, the atmel_serial driver is using\nserial_mctrl_gpio lib to enable/disable the corresponding IRQs\naccordingly.  The warning emitted by CONFIG_DEBUG_ATOMIC_SLEEP is due to\ndisable_irq (called in mctrl_gpio_disable_ms) being possibly called in\nsome atomic context (some tty drivers perform modem lines configuration\nin regions protected by port lock).\n\nSplit mctrl_gpio_disable_ms into two differents APIs, a non-blocking one\nand a blocking one. Replace mctrl_gpio_disable_ms calls with the\nrelevant version depending on whether the call is protected by some port\nlock."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-18T09:33:25.720Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/68435c1fa3db696db4f480385db9e50e26691d0d"
        },
        {
          "url": "https://git.kernel.org/stable/c/c504c11b94d6e4ad818ca5578dffa8ff29ad0f20"
        },
        {
          "url": "https://git.kernel.org/stable/c/e6a46719a2369eb5186d4f7e6c0478720ca1ec3d"
        },
        {
          "url": "https://git.kernel.org/stable/c/7187ec6b0b9ff22ebac2c3bb4178b7dbbdc0a55a"
        },
        {
          "url": "https://git.kernel.org/stable/c/1bd2aad57da95f7f2d2bb52f7ad15c0f4993a685"
        }
      ],
      "title": "serial: mctrl_gpio: split disable_ms into sync and no_sync APIs",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38040",
    "datePublished": "2025-06-18T09:33:25.720Z",
    "dateReserved": "2025-04-16T04:51:23.978Z",
    "dateUpdated": "2025-11-03T17:33:17.475Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-37968 (GCVE-0-2025-37968)

Vulnerability from cvelistv5

Published

2025-05-20 16:47

Modified

2025-11-03 17:32

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: iio: light: opt3001: fix deadlock due to concurrent flag access The threaded IRQ function in this driver is reading the flag twice: once to lock a mutex and once to unlock it. Even though the code setting the flag is designed to prevent it, there are subtle cases where the flag could be true at the mutex_lock stage and false at the mutex_unlock stage. This results in the mutex not being unlocked, resulting in a deadlock. Fix it by making the opt3001_irq() code generally more robust, reading the flag into a variable and using the variable value at both stages.

References

URL

Tags

	https://git.kernel.org/stable/c/a9c56ccb7cddfca754291fb24b108a5350a5fbe9
	https://git.kernel.org/stable/c/957e8be112636d9bc692917286e81e54bd87decc
	https://git.kernel.org/stable/c/1d7def97e7eb65865ccc01bbdf4eb9e6bbe8a5b5
	https://git.kernel.org/stable/c/748ebd8e61d0bc182c331b8df3887af7285c8a8f
	https://git.kernel.org/stable/c/e791bf216c9e236b34dabf514ec0ede140cca719
	https://git.kernel.org/stable/c/7ca84f6a22d50bf8b31efe9eb05f9859947266d7
	https://git.kernel.org/stable/c/2c95c8f0959d0a72575eabf2ff888f47ed6d8b77
	https://git.kernel.org/stable/c/f063a28002e3350088b4577c5640882bf4ea17ea

Impacted products

Vendor

Product

Version

Linux

Version: 94a9b7b1809f56cfaa080e70ec49b6979563a237
Version: 94a9b7b1809f56cfaa080e70ec49b6979563a237
Version: 94a9b7b1809f56cfaa080e70ec49b6979563a237
Version: 94a9b7b1809f56cfaa080e70ec49b6979563a237
Version: 94a9b7b1809f56cfaa080e70ec49b6979563a237
Version: 94a9b7b1809f56cfaa080e70ec49b6979563a237
Version: 94a9b7b1809f56cfaa080e70ec49b6979563a237
Version: 94a9b7b1809f56cfaa080e70ec49b6979563a237

Linux

Version: 4.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:32:49.287Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/iio/light/opt3001.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a9c56ccb7cddfca754291fb24b108a5350a5fbe9",
              "status": "affected",
              "version": "94a9b7b1809f56cfaa080e70ec49b6979563a237",
              "versionType": "git"
            },
            {
              "lessThan": "957e8be112636d9bc692917286e81e54bd87decc",
              "status": "affected",
              "version": "94a9b7b1809f56cfaa080e70ec49b6979563a237",
              "versionType": "git"
            },
            {
              "lessThan": "1d7def97e7eb65865ccc01bbdf4eb9e6bbe8a5b5",
              "status": "affected",
              "version": "94a9b7b1809f56cfaa080e70ec49b6979563a237",
              "versionType": "git"
            },
            {
              "lessThan": "748ebd8e61d0bc182c331b8df3887af7285c8a8f",
              "status": "affected",
              "version": "94a9b7b1809f56cfaa080e70ec49b6979563a237",
              "versionType": "git"
            },
            {
              "lessThan": "e791bf216c9e236b34dabf514ec0ede140cca719",
              "status": "affected",
              "version": "94a9b7b1809f56cfaa080e70ec49b6979563a237",
              "versionType": "git"
            },
            {
              "lessThan": "7ca84f6a22d50bf8b31efe9eb05f9859947266d7",
              "status": "affected",
              "version": "94a9b7b1809f56cfaa080e70ec49b6979563a237",
              "versionType": "git"
            },
            {
              "lessThan": "2c95c8f0959d0a72575eabf2ff888f47ed6d8b77",
              "status": "affected",
              "version": "94a9b7b1809f56cfaa080e70ec49b6979563a237",
              "versionType": "git"
            },
            {
              "lessThan": "f063a28002e3350088b4577c5640882bf4ea17ea",
              "status": "affected",
              "version": "94a9b7b1809f56cfaa080e70ec49b6979563a237",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/iio/light/opt3001.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.3"
            },
            {
              "lessThan": "4.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.299",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.243",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.192",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.151",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.105",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.299",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.243",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.192",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.151",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.105",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.30",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.7",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: light: opt3001: fix deadlock due to concurrent flag access\n\nThe threaded IRQ function in this driver is reading the flag twice: once to\nlock a mutex and once to unlock it. Even though the code setting the flag\nis designed to prevent it, there are subtle cases where the flag could be\ntrue at the mutex_lock stage and false at the mutex_unlock stage. This\nresults in the mutex not being unlocked, resulting in a deadlock.\n\nFix it by making the opt3001_irq() code generally more robust, reading the\nflag into a variable and using the variable value at both stages."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-09T17:06:05.365Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a9c56ccb7cddfca754291fb24b108a5350a5fbe9"
        },
        {
          "url": "https://git.kernel.org/stable/c/957e8be112636d9bc692917286e81e54bd87decc"
        },
        {
          "url": "https://git.kernel.org/stable/c/1d7def97e7eb65865ccc01bbdf4eb9e6bbe8a5b5"
        },
        {
          "url": "https://git.kernel.org/stable/c/748ebd8e61d0bc182c331b8df3887af7285c8a8f"
        },
        {
          "url": "https://git.kernel.org/stable/c/e791bf216c9e236b34dabf514ec0ede140cca719"
        },
        {
          "url": "https://git.kernel.org/stable/c/7ca84f6a22d50bf8b31efe9eb05f9859947266d7"
        },
        {
          "url": "https://git.kernel.org/stable/c/2c95c8f0959d0a72575eabf2ff888f47ed6d8b77"
        },
        {
          "url": "https://git.kernel.org/stable/c/f063a28002e3350088b4577c5640882bf4ea17ea"
        }
      ],
      "title": "iio: light: opt3001: fix deadlock due to concurrent flag access",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37968",
    "datePublished": "2025-05-20T16:47:16.051Z",
    "dateReserved": "2025-04-16T04:51:23.974Z",
    "dateUpdated": "2025-11-03T17:32:49.287Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-37865 (GCVE-0-2025-37865)

Vulnerability from cvelistv5

Published

2025-05-09 06:43

Modified

2025-11-03 19:56

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: net: dsa: mv88e6xxx: fix -ENOENT when deleting VLANs and MST is unsupported Russell King reports that on the ZII dev rev B, deleting a bridge VLAN from a user port fails with -ENOENT: https://lore.kernel.org/netdev/Z_lQXNP0s5-IiJzd@shell.armlinux.org.uk/ This comes from mv88e6xxx_port_vlan_leave() -> mv88e6xxx_mst_put(), which tries to find an MST entry in &chip->msts associated with the SID, but fails and returns -ENOENT as such. But we know that this chip does not support MST at all, so that is not surprising. The question is why does the guard in mv88e6xxx_mst_put() not exit early: if (!sid) return 0; And the answer seems to be simple: the sid comes from vlan.sid which supposedly was previously populated by mv88e6xxx_vtu_get(). But some chip->info->ops->vtu_getnext() implementations do not populate vlan.sid, for example see mv88e6185_g1_vtu_getnext(). In that case, later in mv88e6xxx_port_vlan_leave() we are using a garbage sid which is just residual stack memory. Testing for sid == 0 covers all cases of a non-bridge VLAN or a bridge VLAN mapped to the default MSTI. For some chips, SID 0 is valid and installed by mv88e6xxx_stu_setup(). A chip which does not support the STU would implicitly only support mapping all VLANs to the default MSTI, so although SID 0 is not valid, it would be sufficient, if we were to zero-initialize the vlan structure, to fix the bug, due to the coincidence that a test for vlan.sid == 0 already exists and leads to the same (correct) behavior. Another option which would be sufficient would be to add a test for mv88e6xxx_has_stu() inside mv88e6xxx_mst_put(), symmetric to the one which already exists in mv88e6xxx_mst_get(). But that placement means the caller will have to dereference vlan.sid, which means it will access uninitialized memory, which is not nice even if it ignores it later. So we end up making both modifications, in order to not rely just on the sid == 0 coincidence, but also to avoid having uninitialized structure fields which might get temporarily accessed.

References

URL

Tags

	https://git.kernel.org/stable/c/35cde75c08a1fa1a5ac0467afe2709caceeef002
	https://git.kernel.org/stable/c/afae9087301471970254a9180e5a26d3d8e8af09
	https://git.kernel.org/stable/c/9ee6d3a368ed34f2457863da3085c676e9e37a3d
	https://git.kernel.org/stable/c/9da4acbd60664271d34a627f7f63cd5bad8eba74
	https://git.kernel.org/stable/c/ea08dfc35f83cfc73493c52f63ae4f2e29edfe8d

Impacted products

Vendor

Product

Version

Linux

Version: acaf4d2e36b3466334af4d3ee6ac254c3316165c
Version: acaf4d2e36b3466334af4d3ee6ac254c3316165c
Version: acaf4d2e36b3466334af4d3ee6ac254c3316165c
Version: acaf4d2e36b3466334af4d3ee6ac254c3316165c
Version: acaf4d2e36b3466334af4d3ee6ac254c3316165c

Linux

Version: 5.18

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:56:42.851Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/dsa/mv88e6xxx/chip.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "35cde75c08a1fa1a5ac0467afe2709caceeef002",
              "status": "affected",
              "version": "acaf4d2e36b3466334af4d3ee6ac254c3316165c",
              "versionType": "git"
            },
            {
              "lessThan": "afae9087301471970254a9180e5a26d3d8e8af09",
              "status": "affected",
              "version": "acaf4d2e36b3466334af4d3ee6ac254c3316165c",
              "versionType": "git"
            },
            {
              "lessThan": "9ee6d3a368ed34f2457863da3085c676e9e37a3d",
              "status": "affected",
              "version": "acaf4d2e36b3466334af4d3ee6ac254c3316165c",
              "versionType": "git"
            },
            {
              "lessThan": "9da4acbd60664271d34a627f7f63cd5bad8eba74",
              "status": "affected",
              "version": "acaf4d2e36b3466334af4d3ee6ac254c3316165c",
              "versionType": "git"
            },
            {
              "lessThan": "ea08dfc35f83cfc73493c52f63ae4f2e29edfe8d",
              "status": "affected",
              "version": "acaf4d2e36b3466334af4d3ee6ac254c3316165c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/dsa/mv88e6xxx/chip.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.18"
            },
            {
              "lessThan": "5.18",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.135",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.25",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.135",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.88",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.25",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.4",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: mv88e6xxx: fix -ENOENT when deleting VLANs and MST is unsupported\n\nRussell King reports that on the ZII dev rev B, deleting a bridge VLAN\nfrom a user port fails with -ENOENT:\nhttps://lore.kernel.org/netdev/Z_lQXNP0s5-IiJzd@shell.armlinux.org.uk/\n\nThis comes from mv88e6xxx_port_vlan_leave() -\u003e mv88e6xxx_mst_put(),\nwhich tries to find an MST entry in \u0026chip-\u003emsts associated with the SID,\nbut fails and returns -ENOENT as such.\n\nBut we know that this chip does not support MST at all, so that is not\nsurprising. The question is why does the guard in mv88e6xxx_mst_put()\nnot exit early:\n\n\tif (!sid)\n\t\treturn 0;\n\nAnd the answer seems to be simple: the sid comes from vlan.sid which\nsupposedly was previously populated by mv88e6xxx_vtu_get().\nBut some chip-\u003einfo-\u003eops-\u003evtu_getnext() implementations do not populate\nvlan.sid, for example see mv88e6185_g1_vtu_getnext(). In that case,\nlater in mv88e6xxx_port_vlan_leave() we are using a garbage sid which is\njust residual stack memory.\n\nTesting for sid == 0 covers all cases of a non-bridge VLAN or a bridge\nVLAN mapped to the default MSTI. For some chips, SID 0 is valid and\ninstalled by mv88e6xxx_stu_setup(). A chip which does not support the\nSTU would implicitly only support mapping all VLANs to the default MSTI,\nso although SID 0 is not valid, it would be sufficient, if we were to\nzero-initialize the vlan structure, to fix the bug, due to the\ncoincidence that a test for vlan.sid == 0 already exists and leads to\nthe same (correct) behavior.\n\nAnother option which would be sufficient would be to add a test for\nmv88e6xxx_has_stu() inside mv88e6xxx_mst_put(), symmetric to the one\nwhich already exists in mv88e6xxx_mst_get(). But that placement means\nthe caller will have to dereference vlan.sid, which means it will access\nuninitialized memory, which is not nice even if it ignores it later.\n\nSo we end up making both modifications, in order to not rely just on the\nsid == 0 coincidence, but also to avoid having uninitialized structure\nfields which might get temporarily accessed."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:22:35.989Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/35cde75c08a1fa1a5ac0467afe2709caceeef002"
        },
        {
          "url": "https://git.kernel.org/stable/c/afae9087301471970254a9180e5a26d3d8e8af09"
        },
        {
          "url": "https://git.kernel.org/stable/c/9ee6d3a368ed34f2457863da3085c676e9e37a3d"
        },
        {
          "url": "https://git.kernel.org/stable/c/9da4acbd60664271d34a627f7f63cd5bad8eba74"
        },
        {
          "url": "https://git.kernel.org/stable/c/ea08dfc35f83cfc73493c52f63ae4f2e29edfe8d"
        }
      ],
      "title": "net: dsa: mv88e6xxx: fix -ENOENT when deleting VLANs and MST is unsupported",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37865",
    "datePublished": "2025-05-09T06:43:55.486Z",
    "dateReserved": "2025-04-16T04:51:23.958Z",
    "dateUpdated": "2025-11-03T19:56:42.851Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38080 (GCVE-0-2025-38080)

Vulnerability from cvelistv5

Published

2025-06-18 09:33

Modified

2025-07-11 17:21

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Increase block_sequence array size [Why] It's possible to generate more than 50 steps in hwss_build_fast_sequence, for example with a 6-pipe asic where all pipes are in one MPC chain. This overflows the block_sequence buffer and corrupts block_sequence_steps, causing a crash. [How] Expand block_sequence to 100 items. A naive upper bound on the possible number of steps for a 6-pipe asic, ignoring the potential for steps to be mutually exclusive, is 91 with current code, therefore 100 is sufficient.

References

URL

Tags

	https://git.kernel.org/stable/c/de67e80ab48f1f23663831007a2fa3c1471a7757
	https://git.kernel.org/stable/c/e55c5704b12eeea27e212bfab8f7e51ad3e8ac1f
	https://git.kernel.org/stable/c/bf1666072e7482317cf2302621766482a21a62c7
	https://git.kernel.org/stable/c/3a7810c212bcf2f722671dadf4b23ff70a7d23ee

Impacted products

Vendor

Product

Version

Linux

Version: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c
Version: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c
Version: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c
Version: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c

Linux

Version: 4.15

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/display/dc/inc/core_types.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "de67e80ab48f1f23663831007a2fa3c1471a7757",
              "status": "affected",
              "version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
              "versionType": "git"
            },
            {
              "lessThan": "e55c5704b12eeea27e212bfab8f7e51ad3e8ac1f",
              "status": "affected",
              "version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
              "versionType": "git"
            },
            {
              "lessThan": "bf1666072e7482317cf2302621766482a21a62c7",
              "status": "affected",
              "version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
              "versionType": "git"
            },
            {
              "lessThan": "3a7810c212bcf2f722671dadf4b23ff70a7d23ee",
              "status": "affected",
              "version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/display/dc/inc/core_types.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.15"
            },
            {
              "lessThan": "4.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.93",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.31",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.93",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.31",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.9",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Increase block_sequence array size\n\n[Why]\nIt\u0027s possible to generate more than 50 steps in hwss_build_fast_sequence,\nfor example with a 6-pipe asic where all pipes are in one MPC chain. This\noverflows the block_sequence buffer and corrupts block_sequence_steps,\ncausing a crash.\n\n[How]\nExpand block_sequence to 100 items. A naive upper bound on the possible\nnumber of steps for a 6-pipe asic, ignoring the potential for steps to be\nmutually exclusive, is 91 with current code, therefore 100 is sufficient."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-11T17:21:43.246Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/de67e80ab48f1f23663831007a2fa3c1471a7757"
        },
        {
          "url": "https://git.kernel.org/stable/c/e55c5704b12eeea27e212bfab8f7e51ad3e8ac1f"
        },
        {
          "url": "https://git.kernel.org/stable/c/bf1666072e7482317cf2302621766482a21a62c7"
        },
        {
          "url": "https://git.kernel.org/stable/c/3a7810c212bcf2f722671dadf4b23ff70a7d23ee"
        }
      ],
      "title": "drm/amd/display: Increase block_sequence array size",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38080",
    "datePublished": "2025-06-18T09:33:53.920Z",
    "dateReserved": "2025-04-16T04:51:23.980Z",
    "dateUpdated": "2025-07-11T17:21:43.246Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-49323 (GCVE-0-2022-49323)

Vulnerability from cvelistv5

Published

2025-02-26 02:10

Modified

2025-10-01 19:46

Severity ?

5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: iommu/arm-smmu: fix possible null-ptr-deref in arm_smmu_device_probe() It will cause null-ptr-deref when using 'res', if platform_get_resource() returns NULL, so move using 'res' after devm_ioremap_resource() that will check it to avoid null-ptr-deref. And use devm_platform_get_and_ioremap_resource() to simplify code.

References

URL

Tags

	https://git.kernel.org/stable/c/3660db29b0305f9a1d95979c7af0f5db6ea99f5d
	https://git.kernel.org/stable/c/98dd53a92825747395649f54d23512a13c3ed471
	https://git.kernel.org/stable/c/80776a71340f57d6a4952635fc89f0342072f3ca
	https://git.kernel.org/stable/c/449fc4561762ad9ad85362d5f01f0d0df397457a
	https://git.kernel.org/stable/c/d9ed8af1dee37f181096631fb03729ece98ba816

Impacted products

Vendor

Product

Version

Linux

Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Linux

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2022-49323",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:43:37.777213Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-476",
                "description": "CWE-476 NULL Pointer Dereference",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T19:46:56.343Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/iommu/arm/arm-smmu/arm-smmu.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3660db29b0305f9a1d95979c7af0f5db6ea99f5d",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "98dd53a92825747395649f54d23512a13c3ed471",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "80776a71340f57d6a4952635fc89f0342072f3ca",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "449fc4561762ad9ad85362d5f01f0d0df397457a",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "d9ed8af1dee37f181096631fb03729ece98ba816",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/iommu/arm/arm-smmu/arm-smmu.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.122",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.47",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.17.*",
              "status": "unaffected",
              "version": "5.17.15",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.18.*",
              "status": "unaffected",
              "version": "5.18.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.19",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.122",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.47",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.17.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.18.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/arm-smmu: fix possible null-ptr-deref in arm_smmu_device_probe()\n\nIt will cause null-ptr-deref when using \u0027res\u0027, if platform_get_resource()\nreturns NULL, so move using \u0027res\u0027 after devm_ioremap_resource() that\nwill check it to avoid null-ptr-deref.\nAnd use devm_platform_get_and_ioremap_resource() to simplify code."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T08:35:11.847Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3660db29b0305f9a1d95979c7af0f5db6ea99f5d"
        },
        {
          "url": "https://git.kernel.org/stable/c/98dd53a92825747395649f54d23512a13c3ed471"
        },
        {
          "url": "https://git.kernel.org/stable/c/80776a71340f57d6a4952635fc89f0342072f3ca"
        },
        {
          "url": "https://git.kernel.org/stable/c/449fc4561762ad9ad85362d5f01f0d0df397457a"
        },
        {
          "url": "https://git.kernel.org/stable/c/d9ed8af1dee37f181096631fb03729ece98ba816"
        }
      ],
      "title": "iommu/arm-smmu: fix possible null-ptr-deref in arm_smmu_device_probe()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-49323",
    "datePublished": "2025-02-26T02:10:47.142Z",
    "dateReserved": "2025-02-26T02:08:31.537Z",
    "dateUpdated": "2025-10-01T19:46:56.343Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-37819 (GCVE-0-2025-37819)

Vulnerability from cvelistv5

Published

2025-05-08 06:26

Modified

2025-11-03 19:55

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: irqchip/gic-v2m: Prevent use after free of gicv2m_get_fwnode() With ACPI in place, gicv2m_get_fwnode() is registered with the pci subsystem as pci_msi_get_fwnode_cb(), which may get invoked at runtime during a PCI host bridge probe. But, the call back is wrongly marked as __init, causing it to be freed, while being registered with the PCI subsystem and could trigger: Unable to handle kernel paging request at virtual address ffff8000816c0400 gicv2m_get_fwnode+0x0/0x58 (P) pci_set_bus_msi_domain+0x74/0x88 pci_register_host_bridge+0x194/0x548 This is easily reproducible on a Juno board with ACPI boot. Retain the function for later use.

References

URL

Tags

	https://git.kernel.org/stable/c/0c241dedc43a036599757cd08f356253fa3e5014
	https://git.kernel.org/stable/c/b63de43af8d215b0499eac28b2caa4439183efc1
	https://git.kernel.org/stable/c/f95659affee301464f0d058d528d96b35b452da8
	https://git.kernel.org/stable/c/dc0d654eb4179b06d3206e4396d072108b9ba082
	https://git.kernel.org/stable/c/2f2803e4b5e4df2b08d378deaab78b1681ef9b30
	https://git.kernel.org/stable/c/3939d6f29d34cdb60e3f68b76e39e00a964a1d51
	https://git.kernel.org/stable/c/47bee0081b483b077c7560bc5358ad101f89c8ef
	https://git.kernel.org/stable/c/3318dc299b072a0511d6dfd8367f3304fb6d9827

Impacted products

Vendor

Product

Version

Linux

Version: 0644b3daca28dcb320373ae20069c269c9386304
Version: 0644b3daca28dcb320373ae20069c269c9386304
Version: 0644b3daca28dcb320373ae20069c269c9386304
Version: 0644b3daca28dcb320373ae20069c269c9386304
Version: 0644b3daca28dcb320373ae20069c269c9386304
Version: 0644b3daca28dcb320373ae20069c269c9386304
Version: 0644b3daca28dcb320373ae20069c269c9386304
Version: 0644b3daca28dcb320373ae20069c269c9386304

Linux

Version: 4.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:55:52.082Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/irqchip/irq-gic-v2m.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0c241dedc43a036599757cd08f356253fa3e5014",
              "status": "affected",
              "version": "0644b3daca28dcb320373ae20069c269c9386304",
              "versionType": "git"
            },
            {
              "lessThan": "b63de43af8d215b0499eac28b2caa4439183efc1",
              "status": "affected",
              "version": "0644b3daca28dcb320373ae20069c269c9386304",
              "versionType": "git"
            },
            {
              "lessThan": "f95659affee301464f0d058d528d96b35b452da8",
              "status": "affected",
              "version": "0644b3daca28dcb320373ae20069c269c9386304",
              "versionType": "git"
            },
            {
              "lessThan": "dc0d654eb4179b06d3206e4396d072108b9ba082",
              "status": "affected",
              "version": "0644b3daca28dcb320373ae20069c269c9386304",
              "versionType": "git"
            },
            {
              "lessThan": "2f2803e4b5e4df2b08d378deaab78b1681ef9b30",
              "status": "affected",
              "version": "0644b3daca28dcb320373ae20069c269c9386304",
              "versionType": "git"
            },
            {
              "lessThan": "3939d6f29d34cdb60e3f68b76e39e00a964a1d51",
              "status": "affected",
              "version": "0644b3daca28dcb320373ae20069c269c9386304",
              "versionType": "git"
            },
            {
              "lessThan": "47bee0081b483b077c7560bc5358ad101f89c8ef",
              "status": "affected",
              "version": "0644b3daca28dcb320373ae20069c269c9386304",
              "versionType": "git"
            },
            {
              "lessThan": "3318dc299b072a0511d6dfd8367f3304fb6d9827",
              "status": "affected",
              "version": "0644b3daca28dcb320373ae20069c269c9386304",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/irqchip/irq-gic-v2m.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.5"
            },
            {
              "lessThan": "4.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.294",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.238",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.182",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.138",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.89",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.26",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.294",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.238",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.182",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.138",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.89",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.26",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.5",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nirqchip/gic-v2m: Prevent use after free of gicv2m_get_fwnode()\n\nWith ACPI in place, gicv2m_get_fwnode() is registered with the pci\nsubsystem as pci_msi_get_fwnode_cb(), which may get invoked at runtime\nduring a PCI host bridge probe. But, the call back is wrongly marked as\n__init, causing it to be freed, while being registered with the PCI\nsubsystem and could trigger:\n\n Unable to handle kernel paging request at virtual address ffff8000816c0400\n  gicv2m_get_fwnode+0x0/0x58 (P)\n  pci_set_bus_msi_domain+0x74/0x88\n  pci_register_host_bridge+0x194/0x548\n\nThis is easily reproducible on a Juno board with ACPI boot.\n\nRetain the function for later use."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-04T12:57:23.467Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0c241dedc43a036599757cd08f356253fa3e5014"
        },
        {
          "url": "https://git.kernel.org/stable/c/b63de43af8d215b0499eac28b2caa4439183efc1"
        },
        {
          "url": "https://git.kernel.org/stable/c/f95659affee301464f0d058d528d96b35b452da8"
        },
        {
          "url": "https://git.kernel.org/stable/c/dc0d654eb4179b06d3206e4396d072108b9ba082"
        },
        {
          "url": "https://git.kernel.org/stable/c/2f2803e4b5e4df2b08d378deaab78b1681ef9b30"
        },
        {
          "url": "https://git.kernel.org/stable/c/3939d6f29d34cdb60e3f68b76e39e00a964a1d51"
        },
        {
          "url": "https://git.kernel.org/stable/c/47bee0081b483b077c7560bc5358ad101f89c8ef"
        },
        {
          "url": "https://git.kernel.org/stable/c/3318dc299b072a0511d6dfd8367f3304fb6d9827"
        }
      ],
      "title": "irqchip/gic-v2m: Prevent use after free of gicv2m_get_fwnode()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37819",
    "datePublished": "2025-05-08T06:26:13.975Z",
    "dateReserved": "2025-04-16T04:51:23.947Z",
    "dateUpdated": "2025-11-03T19:55:52.082Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38129 (GCVE-0-2025-38129)

Vulnerability from cvelistv5

Published

2025-07-03 08:35

Modified

2025-07-28 04:12

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: page_pool: Fix use-after-free in page_pool_recycle_in_ring syzbot reported a uaf in page_pool_recycle_in_ring: BUG: KASAN: slab-use-after-free in lock_release+0x151/0xa30 kernel/locking/lockdep.c:5862 Read of size 8 at addr ffff8880286045a0 by task syz.0.284/6943 CPU: 0 UID: 0 PID: 6943 Comm: syz.0.284 Not tainted 6.13.0-rc3-syzkaller-gdfa94ce54f41 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x169/0x550 mm/kasan/report.c:489 kasan_report+0x143/0x180 mm/kasan/report.c:602 lock_release+0x151/0xa30 kernel/locking/lockdep.c:5862 __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:165 [inline] _raw_spin_unlock_bh+0x1b/0x40 kernel/locking/spinlock.c:210 spin_unlock_bh include/linux/spinlock.h:396 [inline] ptr_ring_produce_bh include/linux/ptr_ring.h:164 [inline] page_pool_recycle_in_ring net/core/page_pool.c:707 [inline] page_pool_put_unrefed_netmem+0x748/0xb00 net/core/page_pool.c:826 page_pool_put_netmem include/net/page_pool/helpers.h:323 [inline] page_pool_put_full_netmem include/net/page_pool/helpers.h:353 [inline] napi_pp_put_page+0x149/0x2b0 net/core/skbuff.c:1036 skb_pp_recycle net/core/skbuff.c:1047 [inline] skb_free_head net/core/skbuff.c:1094 [inline] skb_release_data+0x6c4/0x8a0 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x1c9/0x380 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1263 [inline] __skb_queue_purge_reason include/linux/skbuff.h:3343 [inline] root cause is: page_pool_recycle_in_ring ptr_ring_produce spin_lock(&r->producer_lock); WRITE_ONCE(r->queue[r->producer++], ptr) //recycle last page to pool page_pool_release page_pool_scrub page_pool_empty_ring ptr_ring_consume page_pool_return_page //release all page __page_pool_destroy free_percpu(pool->recycle_stats); free(pool) //free spin_unlock(&r->producer_lock); //pool->ring uaf read recycle_stat_inc(pool, ring); page_pool can be free while page pool recycle the last page in ring. Add producer-lock barrier to page_pool_release to prevent the page pool from being free before all pages have been recycled. recycle_stat_inc() is empty when CONFIG_PAGE_POOL_STATS is not enabled, which will trigger Wempty-body build warning. Add definition for pool stat macro to fix warning.

References

URL

Tags

	https://git.kernel.org/stable/c/e869a85acc2e60dc554579b910826a4919d8cd98
	https://git.kernel.org/stable/c/4ab8c0f8905c9c4d05e7f437e65a9a365573ff02
	https://git.kernel.org/stable/c/271683bb2cf32e5126c592b5d5e6a756fa374fd9

Impacted products

Vendor

Product

Version

Linux

Version: ff7d6b27f894f1469dc51ccb828b7363ccd9799f
Version: ff7d6b27f894f1469dc51ccb828b7363ccd9799f
Version: ff7d6b27f894f1469dc51ccb828b7363ccd9799f

Linux

Version: 4.18

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/core/page_pool.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e869a85acc2e60dc554579b910826a4919d8cd98",
              "status": "affected",
              "version": "ff7d6b27f894f1469dc51ccb828b7363ccd9799f",
              "versionType": "git"
            },
            {
              "lessThan": "4ab8c0f8905c9c4d05e7f437e65a9a365573ff02",
              "status": "affected",
              "version": "ff7d6b27f894f1469dc51ccb828b7363ccd9799f",
              "versionType": "git"
            },
            {
              "lessThan": "271683bb2cf32e5126c592b5d5e6a756fa374fd9",
              "status": "affected",
              "version": "ff7d6b27f894f1469dc51ccb828b7363ccd9799f",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/core/page_pool.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.18"
            },
            {
              "lessThan": "4.18",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npage_pool: Fix use-after-free in page_pool_recycle_in_ring\n\nsyzbot reported a uaf in page_pool_recycle_in_ring:\n\nBUG: KASAN: slab-use-after-free in lock_release+0x151/0xa30 kernel/locking/lockdep.c:5862\nRead of size 8 at addr ffff8880286045a0 by task syz.0.284/6943\n\nCPU: 0 UID: 0 PID: 6943 Comm: syz.0.284 Not tainted 6.13.0-rc3-syzkaller-gdfa94ce54f41 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:489\n kasan_report+0x143/0x180 mm/kasan/report.c:602\n lock_release+0x151/0xa30 kernel/locking/lockdep.c:5862\n __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:165 [inline]\n _raw_spin_unlock_bh+0x1b/0x40 kernel/locking/spinlock.c:210\n spin_unlock_bh include/linux/spinlock.h:396 [inline]\n ptr_ring_produce_bh include/linux/ptr_ring.h:164 [inline]\n page_pool_recycle_in_ring net/core/page_pool.c:707 [inline]\n page_pool_put_unrefed_netmem+0x748/0xb00 net/core/page_pool.c:826\n page_pool_put_netmem include/net/page_pool/helpers.h:323 [inline]\n page_pool_put_full_netmem include/net/page_pool/helpers.h:353 [inline]\n napi_pp_put_page+0x149/0x2b0 net/core/skbuff.c:1036\n skb_pp_recycle net/core/skbuff.c:1047 [inline]\n skb_free_head net/core/skbuff.c:1094 [inline]\n skb_release_data+0x6c4/0x8a0 net/core/skbuff.c:1125\n skb_release_all net/core/skbuff.c:1190 [inline]\n __kfree_skb net/core/skbuff.c:1204 [inline]\n sk_skb_reason_drop+0x1c9/0x380 net/core/skbuff.c:1242\n kfree_skb_reason include/linux/skbuff.h:1263 [inline]\n __skb_queue_purge_reason include/linux/skbuff.h:3343 [inline]\n\nroot cause is:\n\npage_pool_recycle_in_ring\n  ptr_ring_produce\n    spin_lock(\u0026r-\u003eproducer_lock);\n    WRITE_ONCE(r-\u003equeue[r-\u003eproducer++], ptr)\n      //recycle last page to pool\n\t\t\t\tpage_pool_release\n\t\t\t\t  page_pool_scrub\n\t\t\t\t    page_pool_empty_ring\n\t\t\t\t      ptr_ring_consume\n\t\t\t\t      page_pool_return_page  //release all page\n\t\t\t\t  __page_pool_destroy\n\t\t\t\t     free_percpu(pool-\u003erecycle_stats);\n\t\t\t\t     free(pool) //free\n\n     spin_unlock(\u0026r-\u003eproducer_lock); //pool-\u003ering uaf read\n  recycle_stat_inc(pool, ring);\n\npage_pool can be free while page pool recycle the last page in ring.\nAdd producer-lock barrier to page_pool_release to prevent the page\npool from being free before all pages have been recycled.\n\nrecycle_stat_inc() is empty when CONFIG_PAGE_POOL_STATS is not\nenabled, which will trigger Wempty-body build warning. Add definition\nfor pool stat macro to fix warning."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:12:58.108Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e869a85acc2e60dc554579b910826a4919d8cd98"
        },
        {
          "url": "https://git.kernel.org/stable/c/4ab8c0f8905c9c4d05e7f437e65a9a365573ff02"
        },
        {
          "url": "https://git.kernel.org/stable/c/271683bb2cf32e5126c592b5d5e6a756fa374fd9"
        }
      ],
      "title": "page_pool: Fix use-after-free in page_pool_recycle_in_ring",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38129",
    "datePublished": "2025-07-03T08:35:33.728Z",
    "dateReserved": "2025-04-16T04:51:23.987Z",
    "dateUpdated": "2025-07-28T04:12:58.108Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38173 (GCVE-0-2025-38173)

Vulnerability from cvelistv5

Published

2025-07-03 08:36

Modified

2025-11-03 17:34

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: crypto: marvell/cesa - Handle zero-length skcipher requests Do not access random memory for zero-length skcipher requests. Just return 0.

References

URL

Tags

	https://git.kernel.org/stable/c/32d3e8049a8b60f18c5c39f5931bfb1130ac11c9
	https://git.kernel.org/stable/c/c064ae2881d839709bd72d484d5f2af157f46024
	https://git.kernel.org/stable/c/e1cc69da619588b1488689fe3535a0ba75a2b0e7
	https://git.kernel.org/stable/c/78ea1ff6cb413a03ff6f7af4e28e24b4461a0965
	https://git.kernel.org/stable/c/5e9666ac8b94c978690f937d59170c5237bd2c45
	https://git.kernel.org/stable/c/7894694b5d5b2ecfd7fb081d6f60b9e169ab4d13
	https://git.kernel.org/stable/c/c9610dda42bd382a96f97e68825cb5f66cd9e1dc
	https://git.kernel.org/stable/c/8a4e047c6cc07676f637608a9dd675349b5de0a7

Impacted products

Vendor

Product

Version

Linux

Version: f63601fd616ab370774fa00ea10bcaaa9e48e84c
Version: f63601fd616ab370774fa00ea10bcaaa9e48e84c
Version: f63601fd616ab370774fa00ea10bcaaa9e48e84c
Version: f63601fd616ab370774fa00ea10bcaaa9e48e84c
Version: f63601fd616ab370774fa00ea10bcaaa9e48e84c
Version: f63601fd616ab370774fa00ea10bcaaa9e48e84c
Version: f63601fd616ab370774fa00ea10bcaaa9e48e84c
Version: f63601fd616ab370774fa00ea10bcaaa9e48e84c

Linux

Version: 4.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:34:59.620Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/crypto/marvell/cesa/cipher.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "32d3e8049a8b60f18c5c39f5931bfb1130ac11c9",
              "status": "affected",
              "version": "f63601fd616ab370774fa00ea10bcaaa9e48e84c",
              "versionType": "git"
            },
            {
              "lessThan": "c064ae2881d839709bd72d484d5f2af157f46024",
              "status": "affected",
              "version": "f63601fd616ab370774fa00ea10bcaaa9e48e84c",
              "versionType": "git"
            },
            {
              "lessThan": "e1cc69da619588b1488689fe3535a0ba75a2b0e7",
              "status": "affected",
              "version": "f63601fd616ab370774fa00ea10bcaaa9e48e84c",
              "versionType": "git"
            },
            {
              "lessThan": "78ea1ff6cb413a03ff6f7af4e28e24b4461a0965",
              "status": "affected",
              "version": "f63601fd616ab370774fa00ea10bcaaa9e48e84c",
              "versionType": "git"
            },
            {
              "lessThan": "5e9666ac8b94c978690f937d59170c5237bd2c45",
              "status": "affected",
              "version": "f63601fd616ab370774fa00ea10bcaaa9e48e84c",
              "versionType": "git"
            },
            {
              "lessThan": "7894694b5d5b2ecfd7fb081d6f60b9e169ab4d13",
              "status": "affected",
              "version": "f63601fd616ab370774fa00ea10bcaaa9e48e84c",
              "versionType": "git"
            },
            {
              "lessThan": "c9610dda42bd382a96f97e68825cb5f66cd9e1dc",
              "status": "affected",
              "version": "f63601fd616ab370774fa00ea10bcaaa9e48e84c",
              "versionType": "git"
            },
            {
              "lessThan": "8a4e047c6cc07676f637608a9dd675349b5de0a7",
              "status": "affected",
              "version": "f63601fd616ab370774fa00ea10bcaaa9e48e84c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/crypto/marvell/cesa/cipher.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.2"
            },
            {
              "lessThan": "4.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.295",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.295",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.94",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: marvell/cesa - Handle zero-length skcipher requests\n\nDo not access random memory for zero-length skcipher requests.\nJust return 0."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:14:15.078Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/32d3e8049a8b60f18c5c39f5931bfb1130ac11c9"
        },
        {
          "url": "https://git.kernel.org/stable/c/c064ae2881d839709bd72d484d5f2af157f46024"
        },
        {
          "url": "https://git.kernel.org/stable/c/e1cc69da619588b1488689fe3535a0ba75a2b0e7"
        },
        {
          "url": "https://git.kernel.org/stable/c/78ea1ff6cb413a03ff6f7af4e28e24b4461a0965"
        },
        {
          "url": "https://git.kernel.org/stable/c/5e9666ac8b94c978690f937d59170c5237bd2c45"
        },
        {
          "url": "https://git.kernel.org/stable/c/7894694b5d5b2ecfd7fb081d6f60b9e169ab4d13"
        },
        {
          "url": "https://git.kernel.org/stable/c/c9610dda42bd382a96f97e68825cb5f66cd9e1dc"
        },
        {
          "url": "https://git.kernel.org/stable/c/8a4e047c6cc07676f637608a9dd675349b5de0a7"
        }
      ],
      "title": "crypto: marvell/cesa - Handle zero-length skcipher requests",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38173",
    "datePublished": "2025-07-03T08:36:10.969Z",
    "dateReserved": "2025-04-16T04:51:23.991Z",
    "dateUpdated": "2025-11-03T17:34:59.620Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38487 (GCVE-0-2025-38487)

Vulnerability from cvelistv5

Published

2025-07-28 11:21

Modified

2025-11-03 17:38

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: soc: aspeed: lpc-snoop: Don't disable channels that aren't enabled Mitigate e.g. the following: # echo 1e789080.lpc-snoop > /sys/bus/platform/drivers/aspeed-lpc-snoop/unbind ... [ 120.363594] Unable to handle kernel NULL pointer dereference at virtual address 00000004 when write [ 120.373866] [00000004] *pgd=00000000 [ 120.377910] Internal error: Oops: 805 [#1] SMP ARM [ 120.383306] CPU: 1 UID: 0 PID: 315 Comm: sh Not tainted 6.15.0-rc1-00009-g926217bc7d7d-dirty #20 NONE ... [ 120.679543] Call trace: [ 120.679559] misc_deregister from aspeed_lpc_snoop_remove+0x84/0xac [ 120.692462] aspeed_lpc_snoop_remove from platform_remove+0x28/0x38 [ 120.700996] platform_remove from device_release_driver_internal+0x188/0x200 ...

References

URL

Tags

	https://git.kernel.org/stable/c/62e51f51d97477ea4e78c82e7076a171dac86c75
	https://git.kernel.org/stable/c/9e1d2b97f5e2a36a2fd30a8bd30ead9dac5e3a51
	https://git.kernel.org/stable/c/166afe964e8433d52c641f5d1c09102bacee9a92
	https://git.kernel.org/stable/c/dc5598482e2d3b234f6d72d6f5568e24f603e51a
	https://git.kernel.org/stable/c/329a80adc0e5f815d0514a6d403aaaf0995cd9be
	https://git.kernel.org/stable/c/b361598b7352f02456619a6105c7da952ef69f8f
	https://git.kernel.org/stable/c/ac10ed9862104936a412f8b475c869e99f048448
	https://git.kernel.org/stable/c/56448e78a6bb4e1a8528a0e2efe94eff0400c247

Impacted products

Vendor

Product

Version

Linux

Version: 9f4f9ae81d0affc182f54dd00285ddb90e0b3ae1
Version: 9f4f9ae81d0affc182f54dd00285ddb90e0b3ae1
Version: 9f4f9ae81d0affc182f54dd00285ddb90e0b3ae1
Version: 9f4f9ae81d0affc182f54dd00285ddb90e0b3ae1
Version: 9f4f9ae81d0affc182f54dd00285ddb90e0b3ae1
Version: 9f4f9ae81d0affc182f54dd00285ddb90e0b3ae1
Version: 9f4f9ae81d0affc182f54dd00285ddb90e0b3ae1
Version: 9f4f9ae81d0affc182f54dd00285ddb90e0b3ae1

Linux

Version: 4.13

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:38:56.987Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/soc/aspeed/aspeed-lpc-snoop.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "62e51f51d97477ea4e78c82e7076a171dac86c75",
              "status": "affected",
              "version": "9f4f9ae81d0affc182f54dd00285ddb90e0b3ae1",
              "versionType": "git"
            },
            {
              "lessThan": "9e1d2b97f5e2a36a2fd30a8bd30ead9dac5e3a51",
              "status": "affected",
              "version": "9f4f9ae81d0affc182f54dd00285ddb90e0b3ae1",
              "versionType": "git"
            },
            {
              "lessThan": "166afe964e8433d52c641f5d1c09102bacee9a92",
              "status": "affected",
              "version": "9f4f9ae81d0affc182f54dd00285ddb90e0b3ae1",
              "versionType": "git"
            },
            {
              "lessThan": "dc5598482e2d3b234f6d72d6f5568e24f603e51a",
              "status": "affected",
              "version": "9f4f9ae81d0affc182f54dd00285ddb90e0b3ae1",
              "versionType": "git"
            },
            {
              "lessThan": "329a80adc0e5f815d0514a6d403aaaf0995cd9be",
              "status": "affected",
              "version": "9f4f9ae81d0affc182f54dd00285ddb90e0b3ae1",
              "versionType": "git"
            },
            {
              "lessThan": "b361598b7352f02456619a6105c7da952ef69f8f",
              "status": "affected",
              "version": "9f4f9ae81d0affc182f54dd00285ddb90e0b3ae1",
              "versionType": "git"
            },
            {
              "lessThan": "ac10ed9862104936a412f8b475c869e99f048448",
              "status": "affected",
              "version": "9f4f9ae81d0affc182f54dd00285ddb90e0b3ae1",
              "versionType": "git"
            },
            {
              "lessThan": "56448e78a6bb4e1a8528a0e2efe94eff0400c247",
              "status": "affected",
              "version": "9f4f9ae81d0affc182f54dd00285ddb90e0b3ae1",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/soc/aspeed/aspeed-lpc-snoop.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.13"
            },
            {
              "lessThan": "4.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.297",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.241",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.147",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.100",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.40",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.297",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.241",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.147",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.100",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.40",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.8",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: aspeed: lpc-snoop: Don\u0027t disable channels that aren\u0027t enabled\n\nMitigate e.g. the following:\n\n    # echo 1e789080.lpc-snoop \u003e /sys/bus/platform/drivers/aspeed-lpc-snoop/unbind\n    ...\n    [  120.363594] Unable to handle kernel NULL pointer dereference at virtual address 00000004 when write\n    [  120.373866] [00000004] *pgd=00000000\n    [  120.377910] Internal error: Oops: 805 [#1] SMP ARM\n    [  120.383306] CPU: 1 UID: 0 PID: 315 Comm: sh Not tainted 6.15.0-rc1-00009-g926217bc7d7d-dirty #20 NONE\n    ...\n    [  120.679543] Call trace:\n    [  120.679559]  misc_deregister from aspeed_lpc_snoop_remove+0x84/0xac\n    [  120.692462]  aspeed_lpc_snoop_remove from platform_remove+0x28/0x38\n    [  120.700996]  platform_remove from device_release_driver_internal+0x188/0x200\n    ..."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-28T14:43:24.856Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/62e51f51d97477ea4e78c82e7076a171dac86c75"
        },
        {
          "url": "https://git.kernel.org/stable/c/9e1d2b97f5e2a36a2fd30a8bd30ead9dac5e3a51"
        },
        {
          "url": "https://git.kernel.org/stable/c/166afe964e8433d52c641f5d1c09102bacee9a92"
        },
        {
          "url": "https://git.kernel.org/stable/c/dc5598482e2d3b234f6d72d6f5568e24f603e51a"
        },
        {
          "url": "https://git.kernel.org/stable/c/329a80adc0e5f815d0514a6d403aaaf0995cd9be"
        },
        {
          "url": "https://git.kernel.org/stable/c/b361598b7352f02456619a6105c7da952ef69f8f"
        },
        {
          "url": "https://git.kernel.org/stable/c/ac10ed9862104936a412f8b475c869e99f048448"
        },
        {
          "url": "https://git.kernel.org/stable/c/56448e78a6bb4e1a8528a0e2efe94eff0400c247"
        }
      ],
      "title": "soc: aspeed: lpc-snoop: Don\u0027t disable channels that aren\u0027t enabled",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38487",
    "datePublished": "2025-07-28T11:21:51.249Z",
    "dateReserved": "2025-04-16T04:51:24.021Z",
    "dateUpdated": "2025-11-03T17:38:56.987Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38467 (GCVE-0-2025-38467)

Vulnerability from cvelistv5

Published

2025-07-25 15:27

Modified

2025-11-03 17:38

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling If there's support for another console device (such as a TTY serial), the kernel occasionally panics during boot. The panic message and a relevant snippet of the call stack is as follows: Unable to handle kernel NULL pointer dereference at virtual address 000000000000000 Call trace: drm_crtc_handle_vblank+0x10/0x30 (P) decon_irq_handler+0x88/0xb4 [...] Otherwise, the panics don't happen. This indicates that it's some sort of race condition. Add a check to validate if the drm device can handle vblanks before calling drm_crtc_handle_vblank() to avoid this.

References

URL

Tags

	https://git.kernel.org/stable/c/b4e72c0bf878f02faa00a7dc7c9ffc4ff7c116a7
	https://git.kernel.org/stable/c/a2130463fc9451005660b0eda7b61d5f746f7d74
	https://git.kernel.org/stable/c/87825fbd1e176cd5b896940f3959e7c9a916945d
	https://git.kernel.org/stable/c/a40a35166f7e4f6dcd4b087d620c8228922dcb0a
	https://git.kernel.org/stable/c/391e5ea5b877230b844c9bd8bbcd91b681b1ce2d
	https://git.kernel.org/stable/c/e9d9b25f376737b81f06de9c5aa422b488f47184
	https://git.kernel.org/stable/c/996740652e620ef8ee1e5c65832cf2ffa498577d
	https://git.kernel.org/stable/c/b846350aa272de99bf6fecfa6b08e64ebfb13173

Impacted products

Vendor

Product

Version

Linux

Version: 96976c3d9aff4e1387c30f6356ac01fa6f72ef46
Version: 96976c3d9aff4e1387c30f6356ac01fa6f72ef46
Version: 96976c3d9aff4e1387c30f6356ac01fa6f72ef46
Version: 96976c3d9aff4e1387c30f6356ac01fa6f72ef46
Version: 96976c3d9aff4e1387c30f6356ac01fa6f72ef46
Version: 96976c3d9aff4e1387c30f6356ac01fa6f72ef46
Version: 96976c3d9aff4e1387c30f6356ac01fa6f72ef46
Version: 96976c3d9aff4e1387c30f6356ac01fa6f72ef46

Linux

Version: 4.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:38:31.497Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/exynos/exynos7_drm_decon.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b4e72c0bf878f02faa00a7dc7c9ffc4ff7c116a7",
              "status": "affected",
              "version": "96976c3d9aff4e1387c30f6356ac01fa6f72ef46",
              "versionType": "git"
            },
            {
              "lessThan": "a2130463fc9451005660b0eda7b61d5f746f7d74",
              "status": "affected",
              "version": "96976c3d9aff4e1387c30f6356ac01fa6f72ef46",
              "versionType": "git"
            },
            {
              "lessThan": "87825fbd1e176cd5b896940f3959e7c9a916945d",
              "status": "affected",
              "version": "96976c3d9aff4e1387c30f6356ac01fa6f72ef46",
              "versionType": "git"
            },
            {
              "lessThan": "a40a35166f7e4f6dcd4b087d620c8228922dcb0a",
              "status": "affected",
              "version": "96976c3d9aff4e1387c30f6356ac01fa6f72ef46",
              "versionType": "git"
            },
            {
              "lessThan": "391e5ea5b877230b844c9bd8bbcd91b681b1ce2d",
              "status": "affected",
              "version": "96976c3d9aff4e1387c30f6356ac01fa6f72ef46",
              "versionType": "git"
            },
            {
              "lessThan": "e9d9b25f376737b81f06de9c5aa422b488f47184",
              "status": "affected",
              "version": "96976c3d9aff4e1387c30f6356ac01fa6f72ef46",
              "versionType": "git"
            },
            {
              "lessThan": "996740652e620ef8ee1e5c65832cf2ffa498577d",
              "status": "affected",
              "version": "96976c3d9aff4e1387c30f6356ac01fa6f72ef46",
              "versionType": "git"
            },
            {
              "lessThan": "b846350aa272de99bf6fecfa6b08e64ebfb13173",
              "status": "affected",
              "version": "96976c3d9aff4e1387c30f6356ac01fa6f72ef46",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/exynos/exynos7_drm_decon.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.0"
            },
            {
              "lessThan": "4.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.296",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.240",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.189",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.146",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.99",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.39",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.296",
                  "versionStartIncluding": "4.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.240",
                  "versionStartIncluding": "4.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.189",
                  "versionStartIncluding": "4.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.146",
                  "versionStartIncluding": "4.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.99",
                  "versionStartIncluding": "4.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.39",
                  "versionStartIncluding": "4.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.7",
                  "versionStartIncluding": "4.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "4.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/exynos: exynos7_drm_decon: add vblank check in IRQ handling\n\nIf there\u0027s support for another console device (such as a TTY serial),\nthe kernel occasionally panics during boot. The panic message and a\nrelevant snippet of the call stack is as follows:\n\n  Unable to handle kernel NULL pointer dereference at virtual address 000000000000000\n  Call trace:\n    drm_crtc_handle_vblank+0x10/0x30 (P)\n    decon_irq_handler+0x88/0xb4\n    [...]\n\nOtherwise, the panics don\u0027t happen. This indicates that it\u0027s some sort\nof race condition.\n\nAdd a check to validate if the drm device can handle vblanks before\ncalling drm_crtc_handle_vblank() to avoid this."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:23:16.975Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b4e72c0bf878f02faa00a7dc7c9ffc4ff7c116a7"
        },
        {
          "url": "https://git.kernel.org/stable/c/a2130463fc9451005660b0eda7b61d5f746f7d74"
        },
        {
          "url": "https://git.kernel.org/stable/c/87825fbd1e176cd5b896940f3959e7c9a916945d"
        },
        {
          "url": "https://git.kernel.org/stable/c/a40a35166f7e4f6dcd4b087d620c8228922dcb0a"
        },
        {
          "url": "https://git.kernel.org/stable/c/391e5ea5b877230b844c9bd8bbcd91b681b1ce2d"
        },
        {
          "url": "https://git.kernel.org/stable/c/e9d9b25f376737b81f06de9c5aa422b488f47184"
        },
        {
          "url": "https://git.kernel.org/stable/c/996740652e620ef8ee1e5c65832cf2ffa498577d"
        },
        {
          "url": "https://git.kernel.org/stable/c/b846350aa272de99bf6fecfa6b08e64ebfb13173"
        }
      ],
      "title": "drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38467",
    "datePublished": "2025-07-25T15:27:49.045Z",
    "dateReserved": "2025-04-16T04:51:24.020Z",
    "dateUpdated": "2025-11-03T17:38:31.497Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-50025 (GCVE-0-2022-50025)

Vulnerability from cvelistv5

Published

2025-06-18 11:01

Modified

2025-09-03 12:59

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: cxl: Fix a memory leak in an error handling path A bitmap_zalloc() must be balanced by a corresponding bitmap_free() in the error handling path of afu_allocate_irqs().

References

URL

Tags

	https://git.kernel.org/stable/c/c2c7a29f99788e9e5dfe41d16868ea33da7cc235
	https://git.kernel.org/stable/c/6544ff559315498ad6c0a311359ca44987f9ca07
	https://git.kernel.org/stable/c/89d51dc6878c47b6400922fac21b6a33f9d1a588
	https://git.kernel.org/stable/c/695af60af755873399ce01cb97176768828bc1fd
	https://git.kernel.org/stable/c/4be138bcd6d68cec0ce47051b117541061f5141a
	https://git.kernel.org/stable/c/addff638c41753639368c252d0c5ba0d8fe9ed97
	https://git.kernel.org/stable/c/c2557780ee7818b701681c226fa4cb7c0b171665
	https://git.kernel.org/stable/c/3a15b45b5454da862376b5d69a4967f5c6fa1368

Impacted products

Vendor

Product

Version

Linux

Version: 80fa93fce37d3490f4bb0da8a5b239a6745bc744
Version: 80fa93fce37d3490f4bb0da8a5b239a6745bc744
Version: 80fa93fce37d3490f4bb0da8a5b239a6745bc744
Version: 80fa93fce37d3490f4bb0da8a5b239a6745bc744
Version: 80fa93fce37d3490f4bb0da8a5b239a6745bc744
Version: 80fa93fce37d3490f4bb0da8a5b239a6745bc744
Version: 80fa93fce37d3490f4bb0da8a5b239a6745bc744
Version: 80fa93fce37d3490f4bb0da8a5b239a6745bc744

Linux

Version: 3.19

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/misc/cxl/irq.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c2c7a29f99788e9e5dfe41d16868ea33da7cc235",
              "status": "affected",
              "version": "80fa93fce37d3490f4bb0da8a5b239a6745bc744",
              "versionType": "git"
            },
            {
              "lessThan": "6544ff559315498ad6c0a311359ca44987f9ca07",
              "status": "affected",
              "version": "80fa93fce37d3490f4bb0da8a5b239a6745bc744",
              "versionType": "git"
            },
            {
              "lessThan": "89d51dc6878c47b6400922fac21b6a33f9d1a588",
              "status": "affected",
              "version": "80fa93fce37d3490f4bb0da8a5b239a6745bc744",
              "versionType": "git"
            },
            {
              "lessThan": "695af60af755873399ce01cb97176768828bc1fd",
              "status": "affected",
              "version": "80fa93fce37d3490f4bb0da8a5b239a6745bc744",
              "versionType": "git"
            },
            {
              "lessThan": "4be138bcd6d68cec0ce47051b117541061f5141a",
              "status": "affected",
              "version": "80fa93fce37d3490f4bb0da8a5b239a6745bc744",
              "versionType": "git"
            },
            {
              "lessThan": "addff638c41753639368c252d0c5ba0d8fe9ed97",
              "status": "affected",
              "version": "80fa93fce37d3490f4bb0da8a5b239a6745bc744",
              "versionType": "git"
            },
            {
              "lessThan": "c2557780ee7818b701681c226fa4cb7c0b171665",
              "status": "affected",
              "version": "80fa93fce37d3490f4bb0da8a5b239a6745bc744",
              "versionType": "git"
            },
            {
              "lessThan": "3a15b45b5454da862376b5d69a4967f5c6fa1368",
              "status": "affected",
              "version": "80fa93fce37d3490f4bb0da8a5b239a6745bc744",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/misc/cxl/irq.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.19"
            },
            {
              "lessThan": "3.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.9.*",
              "status": "unaffected",
              "version": "4.9.326",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.14.*",
              "status": "unaffected",
              "version": "4.14.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.256",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.211",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.138",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.63",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.19.*",
              "status": "unaffected",
              "version": "5.19.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.9.326",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.14.291",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.256",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.211",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.138",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.63",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.19.4",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncxl: Fix a memory leak in an error handling path\n\nA bitmap_zalloc() must be balanced by a corresponding bitmap_free() in the\nerror handling path of afu_allocate_irqs()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-03T12:59:01.003Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c2c7a29f99788e9e5dfe41d16868ea33da7cc235"
        },
        {
          "url": "https://git.kernel.org/stable/c/6544ff559315498ad6c0a311359ca44987f9ca07"
        },
        {
          "url": "https://git.kernel.org/stable/c/89d51dc6878c47b6400922fac21b6a33f9d1a588"
        },
        {
          "url": "https://git.kernel.org/stable/c/695af60af755873399ce01cb97176768828bc1fd"
        },
        {
          "url": "https://git.kernel.org/stable/c/4be138bcd6d68cec0ce47051b117541061f5141a"
        },
        {
          "url": "https://git.kernel.org/stable/c/addff638c41753639368c252d0c5ba0d8fe9ed97"
        },
        {
          "url": "https://git.kernel.org/stable/c/c2557780ee7818b701681c226fa4cb7c0b171665"
        },
        {
          "url": "https://git.kernel.org/stable/c/3a15b45b5454da862376b5d69a4967f5c6fa1368"
        }
      ],
      "title": "cxl: Fix a memory leak in an error handling path",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50025",
    "datePublished": "2025-06-18T11:01:28.816Z",
    "dateReserved": "2025-06-18T10:57:27.394Z",
    "dateUpdated": "2025-09-03T12:59:01.003Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-49969 (GCVE-0-2022-49969)

Vulnerability from cvelistv5

Published

2025-06-18 11:00

Modified

2025-07-11 17:19

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: clear optc underflow before turn off odm clock [Why] After ODM clock off, optc underflow bit will be kept there always and clear not work. We need to clear that before clock off. [How] Clear that if have when clock off.

References

URL

Tags

	https://git.kernel.org/stable/c/443687798d6f094412b7312b64b3bb4d99aedff7
	https://git.kernel.org/stable/c/814b756d4ec3a8728debb116cf49005feada7750
	https://git.kernel.org/stable/c/3c1dfeaeb3b4e3ea656041da1241e6ee3c3b3202
	https://git.kernel.org/stable/c/5ee30bcfdb32526233d2572f3d9ec371928679f1
	https://git.kernel.org/stable/c/3101839b080137c367f3f88c2a040f791de880aa
	https://git.kernel.org/stable/c/b2a93490201300a749ad261b5c5d05cb50179c44

Impacted products

Vendor

Product

Version

Linux

Version: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c
Version: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c
Version: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c
Version: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c
Version: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c
Version: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c

Linux

Version: 4.15

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/display/dc/dcn10/dcn10_optc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "443687798d6f094412b7312b64b3bb4d99aedff7",
              "status": "affected",
              "version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
              "versionType": "git"
            },
            {
              "lessThan": "814b756d4ec3a8728debb116cf49005feada7750",
              "status": "affected",
              "version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
              "versionType": "git"
            },
            {
              "lessThan": "3c1dfeaeb3b4e3ea656041da1241e6ee3c3b3202",
              "status": "affected",
              "version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
              "versionType": "git"
            },
            {
              "lessThan": "5ee30bcfdb32526233d2572f3d9ec371928679f1",
              "status": "affected",
              "version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
              "versionType": "git"
            },
            {
              "lessThan": "3101839b080137c367f3f88c2a040f791de880aa",
              "status": "affected",
              "version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
              "versionType": "git"
            },
            {
              "lessThan": "b2a93490201300a749ad261b5c5d05cb50179c44",
              "status": "affected",
              "version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/display/dc/dcn10/dcn10_optc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.15"
            },
            {
              "lessThan": "4.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.257",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.212",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.141",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.65",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.19.*",
              "status": "unaffected",
              "version": "5.19.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.257",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.212",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.141",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.65",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.19.7",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: clear optc underflow before turn off odm clock\n\n[Why]\nAfter ODM clock off, optc underflow bit will be kept there always and clear not work.\nWe need to clear that before clock off.\n\n[How]\nClear that if have when clock off."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-11T17:19:23.743Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/443687798d6f094412b7312b64b3bb4d99aedff7"
        },
        {
          "url": "https://git.kernel.org/stable/c/814b756d4ec3a8728debb116cf49005feada7750"
        },
        {
          "url": "https://git.kernel.org/stable/c/3c1dfeaeb3b4e3ea656041da1241e6ee3c3b3202"
        },
        {
          "url": "https://git.kernel.org/stable/c/5ee30bcfdb32526233d2572f3d9ec371928679f1"
        },
        {
          "url": "https://git.kernel.org/stable/c/3101839b080137c367f3f88c2a040f791de880aa"
        },
        {
          "url": "https://git.kernel.org/stable/c/b2a93490201300a749ad261b5c5d05cb50179c44"
        }
      ],
      "title": "drm/amd/display: clear optc underflow before turn off odm clock",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-49969",
    "datePublished": "2025-06-18T11:00:33.226Z",
    "dateReserved": "2025-06-18T10:57:27.384Z",
    "dateUpdated": "2025-07-11T17:19:23.743Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-23157 (GCVE-0-2025-23157)

Vulnerability from cvelistv5

Published

2025-05-01 12:55

Modified

2025-11-03 19:42

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: media: venus: hfi_parser: add check to avoid out of bound access There is a possibility that init_codecs is invoked multiple times during manipulated payload from video firmware. In such case, if codecs_count can get incremented to value more than MAX_CODEC_NUM, there can be OOB access. Reset the count so that it always starts from beginning.

References

URL

Tags

	https://git.kernel.org/stable/c/e5133a0b25463674903fdc0528e0a29b7267130e
	https://git.kernel.org/stable/c/2b8b9ea4e26a501eb220ea189e42b4527e65bdfa
	https://git.kernel.org/stable/c/1ad6aa1464b8a5ce5c194458315021e8d216108e
	https://git.kernel.org/stable/c/26bbedd06d85770581fda5d78e78539bb088fad1
	https://git.kernel.org/stable/c/d4d88ece4ba91df5b02f1d3f599650f9e9fc0f45
	https://git.kernel.org/stable/c/53e376178ceacca3ef1795038b22fc9ef45ff1d3
	https://git.kernel.org/stable/c/b2541e29d82da8a0df728aadec3e0a8db55d517b
	https://git.kernel.org/stable/c/cb5be9039f91979f8a2fac29f529f746d7848f3e
	https://git.kernel.org/stable/c/172bf5a9ef70a399bb227809db78442dc01d9e48

Impacted products

Vendor

Product

Version

Linux

Version: 1a73374a04e555103e5369429a30999114001dda
Version: 1a73374a04e555103e5369429a30999114001dda
Version: 1a73374a04e555103e5369429a30999114001dda
Version: 1a73374a04e555103e5369429a30999114001dda
Version: 1a73374a04e555103e5369429a30999114001dda
Version: 1a73374a04e555103e5369429a30999114001dda
Version: 1a73374a04e555103e5369429a30999114001dda
Version: 1a73374a04e555103e5369429a30999114001dda
Version: 1a73374a04e555103e5369429a30999114001dda

Linux

Version: 4.19

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:42:53.952Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/platform/qcom/venus/hfi_parser.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e5133a0b25463674903fdc0528e0a29b7267130e",
              "status": "affected",
              "version": "1a73374a04e555103e5369429a30999114001dda",
              "versionType": "git"
            },
            {
              "lessThan": "2b8b9ea4e26a501eb220ea189e42b4527e65bdfa",
              "status": "affected",
              "version": "1a73374a04e555103e5369429a30999114001dda",
              "versionType": "git"
            },
            {
              "lessThan": "1ad6aa1464b8a5ce5c194458315021e8d216108e",
              "status": "affected",
              "version": "1a73374a04e555103e5369429a30999114001dda",
              "versionType": "git"
            },
            {
              "lessThan": "26bbedd06d85770581fda5d78e78539bb088fad1",
              "status": "affected",
              "version": "1a73374a04e555103e5369429a30999114001dda",
              "versionType": "git"
            },
            {
              "lessThan": "d4d88ece4ba91df5b02f1d3f599650f9e9fc0f45",
              "status": "affected",
              "version": "1a73374a04e555103e5369429a30999114001dda",
              "versionType": "git"
            },
            {
              "lessThan": "53e376178ceacca3ef1795038b22fc9ef45ff1d3",
              "status": "affected",
              "version": "1a73374a04e555103e5369429a30999114001dda",
              "versionType": "git"
            },
            {
              "lessThan": "b2541e29d82da8a0df728aadec3e0a8db55d517b",
              "status": "affected",
              "version": "1a73374a04e555103e5369429a30999114001dda",
              "versionType": "git"
            },
            {
              "lessThan": "cb5be9039f91979f8a2fac29f529f746d7848f3e",
              "status": "affected",
              "version": "1a73374a04e555103e5369429a30999114001dda",
              "versionType": "git"
            },
            {
              "lessThan": "172bf5a9ef70a399bb227809db78442dc01d9e48",
              "status": "affected",
              "version": "1a73374a04e555103e5369429a30999114001dda",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/platform/qcom/venus/hfi_parser.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.19"
            },
            {
              "lessThan": "4.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.293",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.237",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.181",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.135",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.24",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.293",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.237",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.181",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.135",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.88",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.24",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.12",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.3",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: venus: hfi_parser: add check to avoid out of bound access\n\nThere is a possibility that init_codecs is invoked multiple times during\nmanipulated payload from video firmware. In such case, if codecs_count\ncan get incremented to value more than MAX_CODEC_NUM, there can be OOB\naccess. Reset the count so that it always starts from beginning."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:19:40.725Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e5133a0b25463674903fdc0528e0a29b7267130e"
        },
        {
          "url": "https://git.kernel.org/stable/c/2b8b9ea4e26a501eb220ea189e42b4527e65bdfa"
        },
        {
          "url": "https://git.kernel.org/stable/c/1ad6aa1464b8a5ce5c194458315021e8d216108e"
        },
        {
          "url": "https://git.kernel.org/stable/c/26bbedd06d85770581fda5d78e78539bb088fad1"
        },
        {
          "url": "https://git.kernel.org/stable/c/d4d88ece4ba91df5b02f1d3f599650f9e9fc0f45"
        },
        {
          "url": "https://git.kernel.org/stable/c/53e376178ceacca3ef1795038b22fc9ef45ff1d3"
        },
        {
          "url": "https://git.kernel.org/stable/c/b2541e29d82da8a0df728aadec3e0a8db55d517b"
        },
        {
          "url": "https://git.kernel.org/stable/c/cb5be9039f91979f8a2fac29f529f746d7848f3e"
        },
        {
          "url": "https://git.kernel.org/stable/c/172bf5a9ef70a399bb227809db78442dc01d9e48"
        }
      ],
      "title": "media: venus: hfi_parser: add check to avoid out of bound access",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-23157",
    "datePublished": "2025-05-01T12:55:43.193Z",
    "dateReserved": "2025-01-11T14:28:41.514Z",
    "dateUpdated": "2025-11-03T19:42:53.952Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38155 (GCVE-0-2025-38155)

Vulnerability from cvelistv5

Published

2025-07-03 08:35

Modified

2025-07-28 04:13

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7915: Fix null-ptr-deref in mt7915_mmio_wed_init() devm_ioremap() returns NULL on error. Currently, mt7915_mmio_wed_init() does not check for this case, which results in a NULL pointer dereference. Prevent null pointer dereference in mt7915_mmio_wed_init().

References

URL

Tags

	https://git.kernel.org/stable/c/e9f9cef1877ac32285dbc1f31b86c8955b712fc2
	https://git.kernel.org/stable/c/790d05cde359356feea8915094a51166af1629f5
	https://git.kernel.org/stable/c/d825ed9fd768be10d52beba6f57a4b50c0c154aa
	https://git.kernel.org/stable/c/efb95439c1477bbc955cacd0179c35e7861b437c

Impacted products

Vendor

Product

Version

Linux

Version: 4f831d18d12da80cec0bebe5b8ca8702a528195a
Version: 4f831d18d12da80cec0bebe5b8ca8702a528195a
Version: 4f831d18d12da80cec0bebe5b8ca8702a528195a
Version: 4f831d18d12da80cec0bebe5b8ca8702a528195a

Linux

Version: 6.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/mediatek/mt76/mt7915/mmio.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e9f9cef1877ac32285dbc1f31b86c8955b712fc2",
              "status": "affected",
              "version": "4f831d18d12da80cec0bebe5b8ca8702a528195a",
              "versionType": "git"
            },
            {
              "lessThan": "790d05cde359356feea8915094a51166af1629f5",
              "status": "affected",
              "version": "4f831d18d12da80cec0bebe5b8ca8702a528195a",
              "versionType": "git"
            },
            {
              "lessThan": "d825ed9fd768be10d52beba6f57a4b50c0c154aa",
              "status": "affected",
              "version": "4f831d18d12da80cec0bebe5b8ca8702a528195a",
              "versionType": "git"
            },
            {
              "lessThan": "efb95439c1477bbc955cacd0179c35e7861b437c",
              "status": "affected",
              "version": "4f831d18d12da80cec0bebe5b8ca8702a528195a",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/mediatek/mt76/mt7915/mmio.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.2"
            },
            {
              "lessThan": "6.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.94",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7915: Fix null-ptr-deref in mt7915_mmio_wed_init()\n\ndevm_ioremap() returns NULL on error. Currently, mt7915_mmio_wed_init()\ndoes not check for this case, which results in a NULL pointer\ndereference.\n\nPrevent null pointer dereference in mt7915_mmio_wed_init()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:13:45.339Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e9f9cef1877ac32285dbc1f31b86c8955b712fc2"
        },
        {
          "url": "https://git.kernel.org/stable/c/790d05cde359356feea8915094a51166af1629f5"
        },
        {
          "url": "https://git.kernel.org/stable/c/d825ed9fd768be10d52beba6f57a4b50c0c154aa"
        },
        {
          "url": "https://git.kernel.org/stable/c/efb95439c1477bbc955cacd0179c35e7861b437c"
        }
      ],
      "title": "wifi: mt76: mt7915: Fix null-ptr-deref in mt7915_mmio_wed_init()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38155",
    "datePublished": "2025-07-03T08:35:58.185Z",
    "dateReserved": "2025-04-16T04:51:23.990Z",
    "dateUpdated": "2025-07-28T04:13:45.339Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-53020 (GCVE-0-2023-53020)

Vulnerability from cvelistv5

Published

2025-03-27 16:43

Modified

2025-10-01 17:19

Severity ?

4.7 (Medium) - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: l2tp: close all race conditions in l2tp_tunnel_register() The code in l2tp_tunnel_register() is racy in several ways: 1. It modifies the tunnel socket _after_ publishing it. 2. It calls setup_udp_tunnel_sock() on an existing socket without locking. 3. It changes sock lock class on fly, which triggers many syzbot reports. This patch amends all of them by moving socket initialization code before publishing and under sock lock. As suggested by Jakub, the l2tp lockdep class is not necessary as we can just switch to bh_lock_sock_nested().

References

URL

Tags

	https://git.kernel.org/stable/c/2d77e5c0ad79004b5ef901895437e9cce6dfcc7e
	https://git.kernel.org/stable/c/77e8ed776cdb1a24b2aab8fe7c6f1f154235e1ce
	https://git.kernel.org/stable/c/cef0845b6dcfa2f6c2c832e7f9622551456c741d
	https://git.kernel.org/stable/c/0b2c59720e65885a394a017d0cf9cab118914682

Impacted products

Vendor

Product

Version

Linux

Version: 37159ef2c1ae1e696b24b260b241209a19f92c60
Version: 37159ef2c1ae1e696b24b260b241209a19f92c60
Version: 37159ef2c1ae1e696b24b260b241209a19f92c60
Version: 37159ef2c1ae1e696b24b260b241209a19f92c60

Linux

Version: 3.6

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 4.7,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2023-53020",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T17:19:17.910133Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-362",
                "description": "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T17:19:20.613Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/l2tp/l2tp_core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "2d77e5c0ad79004b5ef901895437e9cce6dfcc7e",
              "status": "affected",
              "version": "37159ef2c1ae1e696b24b260b241209a19f92c60",
              "versionType": "git"
            },
            {
              "lessThan": "77e8ed776cdb1a24b2aab8fe7c6f1f154235e1ce",
              "status": "affected",
              "version": "37159ef2c1ae1e696b24b260b241209a19f92c60",
              "versionType": "git"
            },
            {
              "lessThan": "cef0845b6dcfa2f6c2c832e7f9622551456c741d",
              "status": "affected",
              "version": "37159ef2c1ae1e696b24b260b241209a19f92c60",
              "versionType": "git"
            },
            {
              "lessThan": "0b2c59720e65885a394a017d0cf9cab118914682",
              "status": "affected",
              "version": "37159ef2c1ae1e696b24b260b241209a19f92c60",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/l2tp/l2tp_core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.6"
            },
            {
              "lessThan": "3.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.166",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.91",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.2",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.166",
                  "versionStartIncluding": "3.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.91",
                  "versionStartIncluding": "3.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.9",
                  "versionStartIncluding": "3.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.2",
                  "versionStartIncluding": "3.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nl2tp: close all race conditions in l2tp_tunnel_register()\n\nThe code in l2tp_tunnel_register() is racy in several ways:\n\n1. It modifies the tunnel socket _after_ publishing it.\n\n2. It calls setup_udp_tunnel_sock() on an existing socket without\n   locking.\n\n3. It changes sock lock class on fly, which triggers many syzbot\n   reports.\n\nThis patch amends all of them by moving socket initialization code\nbefore publishing and under sock lock. As suggested by Jakub, the\nl2tp lockdep class is not necessary as we can just switch to\nbh_lock_sock_nested()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:47:49.986Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/2d77e5c0ad79004b5ef901895437e9cce6dfcc7e"
        },
        {
          "url": "https://git.kernel.org/stable/c/77e8ed776cdb1a24b2aab8fe7c6f1f154235e1ce"
        },
        {
          "url": "https://git.kernel.org/stable/c/cef0845b6dcfa2f6c2c832e7f9622551456c741d"
        },
        {
          "url": "https://git.kernel.org/stable/c/0b2c59720e65885a394a017d0cf9cab118914682"
        }
      ],
      "title": "l2tp: close all race conditions in l2tp_tunnel_register()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-53020",
    "datePublished": "2025-03-27T16:43:47.151Z",
    "dateReserved": "2025-03-27T16:40:15.752Z",
    "dateUpdated": "2025-10-01T17:19:20.613Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38315 (GCVE-0-2025-38315)

Vulnerability from cvelistv5

Published

2025-07-10 07:42

Modified

2025-07-28 04:18

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btintel: Check dsbr size from EFI variable Since the size of struct btintel_dsbr is already known, we can just start there instead of querying the EFI variable size. If the final result doesn't match what we expect also fail. This fixes a stack buffer overflow when the EFI variable is larger than struct btintel_dsbr.

References

URL

Tags

	https://git.kernel.org/stable/c/9427f6081f37c795a8bd29d0ee72a4da3bd64af8
	https://git.kernel.org/stable/c/7b8526bb489780ccc0caffc446ecabec83cfe568
	https://git.kernel.org/stable/c/3aa1dc3c9060e335e82e9c182bf3d1db29220b1b

Impacted products

Vendor

Product

Version

Linux

Version: eb9e749c0182affafadfbe5ded4503c4b5a9b57c
Version: eb9e749c0182affafadfbe5ded4503c4b5a9b57c
Version: eb9e749c0182affafadfbe5ded4503c4b5a9b57c

Linux

Version: 6.11

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/bluetooth/btintel.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "9427f6081f37c795a8bd29d0ee72a4da3bd64af8",
              "status": "affected",
              "version": "eb9e749c0182affafadfbe5ded4503c4b5a9b57c",
              "versionType": "git"
            },
            {
              "lessThan": "7b8526bb489780ccc0caffc446ecabec83cfe568",
              "status": "affected",
              "version": "eb9e749c0182affafadfbe5ded4503c4b5a9b57c",
              "versionType": "git"
            },
            {
              "lessThan": "3aa1dc3c9060e335e82e9c182bf3d1db29220b1b",
              "status": "affected",
              "version": "eb9e749c0182affafadfbe5ded4503c4b5a9b57c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/bluetooth/btintel.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.11"
            },
            {
              "lessThan": "6.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btintel: Check dsbr size from EFI variable\n\nSince the size of struct btintel_dsbr is already known, we can just\nstart there instead of querying the EFI variable size. If the final\nresult doesn\u0027t match what we expect also fail. This fixes a stack buffer\noverflow when the EFI variable is larger than struct btintel_dsbr."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:18:26.041Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/9427f6081f37c795a8bd29d0ee72a4da3bd64af8"
        },
        {
          "url": "https://git.kernel.org/stable/c/7b8526bb489780ccc0caffc446ecabec83cfe568"
        },
        {
          "url": "https://git.kernel.org/stable/c/3aa1dc3c9060e335e82e9c182bf3d1db29220b1b"
        }
      ],
      "title": "Bluetooth: btintel: Check dsbr size from EFI variable",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38315",
    "datePublished": "2025-07-10T07:42:22.569Z",
    "dateReserved": "2025-04-16T04:51:24.003Z",
    "dateUpdated": "2025-07-28T04:18:26.041Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-37948 (GCVE-0-2025-37948)

Vulnerability from cvelistv5

Published

2025-05-20 16:01

Modified

2025-11-03 19:57

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: arm64: bpf: Add BHB mitigation to the epilogue for cBPF programs A malicious BPF program may manipulate the branch history to influence what the hardware speculates will happen next. On exit from a BPF program, emit the BHB mititgation sequence. This is only applied for 'classic' cBPF programs that are loaded by seccomp.

References

URL

Tags

	https://git.kernel.org/stable/c/c6a8735d841bcb7649734bb3a787bb174c67c0d8
	https://git.kernel.org/stable/c/993f63239c219696aef8887a4e7d3a16bf5a8ece
	https://git.kernel.org/stable/c/8fe5c37b0e08a97cf0210bb75970e945aaaeebab
	https://git.kernel.org/stable/c/42a20cf51011788f04cf2adbcd7681f02bdb6c27
	https://git.kernel.org/stable/c/38c345fd54afd9d6ed8d3fcddf3f6ea23887bf78
	https://git.kernel.org/stable/c/852b8ae934b5cbdc62496fa56ce9969aa2edda7f
	https://git.kernel.org/stable/c/0dfefc2ea2f29ced2416017d7e5b1253a54c2735

Impacted products

Vendor

Product

Version

Linux

Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Linux

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:57:38.769Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/arm64/include/asm/spectre.h",
            "arch/arm64/kernel/proton-pack.c",
            "arch/arm64/net/bpf_jit_comp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c6a8735d841bcb7649734bb3a787bb174c67c0d8",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "993f63239c219696aef8887a4e7d3a16bf5a8ece",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "8fe5c37b0e08a97cf0210bb75970e945aaaeebab",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "42a20cf51011788f04cf2adbcd7681f02bdb6c27",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "38c345fd54afd9d6ed8d3fcddf3f6ea23887bf78",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "852b8ae934b5cbdc62496fa56ce9969aa2edda7f",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "0dfefc2ea2f29ced2416017d7e5b1253a54c2735",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/arm64/include/asm/spectre.h",
            "arch/arm64/kernel/proton-pack.c",
            "arch/arm64/net/bpf_jit_comp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.139",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.91",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.29",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.139",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.91",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: bpf: Add BHB mitigation to the epilogue for cBPF programs\n\nA malicious BPF program may manipulate the branch history to influence\nwhat the hardware speculates will happen next.\n\nOn exit from a BPF program, emit the BHB mititgation sequence.\n\nThis is only applied for \u0027classic\u0027 cBPF programs that are loaded by\nseccomp."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-27T10:21:20.431Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c6a8735d841bcb7649734bb3a787bb174c67c0d8"
        },
        {
          "url": "https://git.kernel.org/stable/c/993f63239c219696aef8887a4e7d3a16bf5a8ece"
        },
        {
          "url": "https://git.kernel.org/stable/c/8fe5c37b0e08a97cf0210bb75970e945aaaeebab"
        },
        {
          "url": "https://git.kernel.org/stable/c/42a20cf51011788f04cf2adbcd7681f02bdb6c27"
        },
        {
          "url": "https://git.kernel.org/stable/c/38c345fd54afd9d6ed8d3fcddf3f6ea23887bf78"
        },
        {
          "url": "https://git.kernel.org/stable/c/852b8ae934b5cbdc62496fa56ce9969aa2edda7f"
        },
        {
          "url": "https://git.kernel.org/stable/c/0dfefc2ea2f29ced2416017d7e5b1253a54c2735"
        }
      ],
      "title": "arm64: bpf: Add BHB mitigation to the epilogue for cBPF programs",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37948",
    "datePublished": "2025-05-20T16:01:44.452Z",
    "dateReserved": "2025-04-16T04:51:23.972Z",
    "dateUpdated": "2025-11-03T19:57:38.769Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38099 (GCVE-0-2025-38099)

Vulnerability from cvelistv5

Published

2025-07-03 08:13

Modified

2025-07-03 08:13

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Disable SCO support if READ_VOICE_SETTING is unsupported/broken A SCO connection without the proper voice_setting can cause the controller to lock up.

References

URL

Tags

	https://git.kernel.org/stable/c/f48ee562c095e552a30b8d9cc0566a267b410f8a
	https://git.kernel.org/stable/c/ec1f015ec0c6fd250a6564e8452f7bb3160b9cb1
	https://git.kernel.org/stable/c/14d17c78a4b1660c443bae9d38c814edea506f62

Impacted products

Vendor

Product

Version

Linux

Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Linux

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/hci_event.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f48ee562c095e552a30b8d9cc0566a267b410f8a",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "ec1f015ec0c6fd250a6564e8452f7bb3160b9cb1",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "14d17c78a4b1660c443bae9d38c814edea506f62",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/hci_event.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.31",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.31",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Disable SCO support if READ_VOICE_SETTING is unsupported/broken\n\nA SCO connection without the proper voice_setting can cause\nthe controller to lock up."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-03T08:13:59.288Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f48ee562c095e552a30b8d9cc0566a267b410f8a"
        },
        {
          "url": "https://git.kernel.org/stable/c/ec1f015ec0c6fd250a6564e8452f7bb3160b9cb1"
        },
        {
          "url": "https://git.kernel.org/stable/c/14d17c78a4b1660c443bae9d38c814edea506f62"
        }
      ],
      "title": "Bluetooth: Disable SCO support if READ_VOICE_SETTING is unsupported/broken",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38099",
    "datePublished": "2025-07-03T08:13:59.288Z",
    "dateReserved": "2025-04-16T04:51:23.985Z",
    "dateUpdated": "2025-07-03T08:13:59.288Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38350 (GCVE-0-2025-38350)

Vulnerability from cvelistv5

Published

2025-07-19 06:46

Modified

2025-11-03 17:37

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: net/sched: Always pass notifications when child class becomes empty Certain classful qdiscs may invoke their classes' dequeue handler on an enqueue operation. This may unexpectedly empty the child qdisc and thus make an in-flight class passive via qlen_notify(). Most qdiscs do not expect such behaviour at this point in time and may re-activate the class eventually anyways which will lead to a use-after-free. The referenced fix commit attempted to fix this behavior for the HFSC case by moving the backlog accounting around, though this turned out to be incomplete since the parent's parent may run into the issue too. The following reproducer demonstrates this use-after-free: tc qdisc add dev lo root handle 1: drr tc filter add dev lo parent 1: basic classid 1:1 tc class add dev lo parent 1: classid 1:1 drr tc qdisc add dev lo parent 1:1 handle 2: hfsc def 1 tc class add dev lo parent 2: classid 2:1 hfsc rt m1 8 d 1 m2 0 tc qdisc add dev lo parent 2:1 handle 3: netem tc qdisc add dev lo parent 3:1 handle 4: blackhole echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888 tc class delete dev lo classid 1:1 echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888 Since backlog accounting issues leading to a use-after-frees on stale class pointers is a recurring pattern at this point, this patch takes a different approach. Instead of trying to fix the accounting, the patch ensures that qdisc_tree_reduce_backlog always calls qlen_notify when the child qdisc is empty. This solves the problem because deletion of qdiscs always involves a call to qdisc_reset() and / or qdisc_purge_queue() which ultimately resets its qlen to 0 thus causing the following qdisc_tree_reduce_backlog() to report to the parent. Note that this may call qlen_notify on passive classes multiple times. This is not a problem after the recent patch series that made all the classful qdiscs qlen_notify() handlers idempotent.

References

URL

Tags

	https://git.kernel.org/stable/c/3b290923ad2b23596208c1e29520badef4356a43
	https://git.kernel.org/stable/c/e9921b57dca05ac5f4fa1fa8e993d4f0ee52e2b7
	https://git.kernel.org/stable/c/e269f29e9395527bc00c213c6b15da04ebb35070
	https://git.kernel.org/stable/c/7874c9c132e906a52a187d045995b115973c93fb
	https://git.kernel.org/stable/c/f680a4643c6f71e758d8fe0431a958e9a6a4f59d
	https://git.kernel.org/stable/c/a553afd91f55ff39b1e8a1c4989a29394c9e0472
	https://git.kernel.org/stable/c/a44acdd9e84a211989ff4b9b92bf3545d8456ad5
	https://git.kernel.org/stable/c/103406b38c600fec1fe375a77b27d87e314aea09

Impacted products

Vendor

Product

Version

Linux

Version: 1034e3310752e8675e313f7271b348914008719a
Version: f9f593e34d2fb67644372c8f7b033bdc622ad228
Version: 89c301e929a0db14ebd94b4d97764ce1d6981653
Version: f1dde3eb17dc1b8bd07aed00004b1e05fc87a3d4
Version: 93c276942e75de0e5bc91576300d292e968f5a02
Version: 49b21795b8e5654a7df3d910a12e1060da4c04cf
Version: 3f981138109f63232a5fb7165938d4c945cc1b9d
Version: 3f981138109f63232a5fb7165938d4c945cc1b9d
Version: 3f3a22eebbc32b4fa8ce9c1d5f9db214b45b9335

Linux

Version: 6.15

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:37:00.889Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_api.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3b290923ad2b23596208c1e29520badef4356a43",
              "status": "affected",
              "version": "1034e3310752e8675e313f7271b348914008719a",
              "versionType": "git"
            },
            {
              "lessThan": "e9921b57dca05ac5f4fa1fa8e993d4f0ee52e2b7",
              "status": "affected",
              "version": "f9f593e34d2fb67644372c8f7b033bdc622ad228",
              "versionType": "git"
            },
            {
              "lessThan": "e269f29e9395527bc00c213c6b15da04ebb35070",
              "status": "affected",
              "version": "89c301e929a0db14ebd94b4d97764ce1d6981653",
              "versionType": "git"
            },
            {
              "lessThan": "7874c9c132e906a52a187d045995b115973c93fb",
              "status": "affected",
              "version": "f1dde3eb17dc1b8bd07aed00004b1e05fc87a3d4",
              "versionType": "git"
            },
            {
              "lessThan": "f680a4643c6f71e758d8fe0431a958e9a6a4f59d",
              "status": "affected",
              "version": "93c276942e75de0e5bc91576300d292e968f5a02",
              "versionType": "git"
            },
            {
              "lessThan": "a553afd91f55ff39b1e8a1c4989a29394c9e0472",
              "status": "affected",
              "version": "49b21795b8e5654a7df3d910a12e1060da4c04cf",
              "versionType": "git"
            },
            {
              "lessThan": "a44acdd9e84a211989ff4b9b92bf3545d8456ad5",
              "status": "affected",
              "version": "3f981138109f63232a5fb7165938d4c945cc1b9d",
              "versionType": "git"
            },
            {
              "lessThan": "103406b38c600fec1fe375a77b27d87e314aea09",
              "status": "affected",
              "version": "3f981138109f63232a5fb7165938d4c945cc1b9d",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "3f3a22eebbc32b4fa8ce9c1d5f9db214b45b9335",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_api.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.15"
            },
            {
              "lessThan": "6.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.296",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.240",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.187",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.144",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.97",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.37",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.296",
                  "versionStartIncluding": "5.4.294",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.240",
                  "versionStartIncluding": "5.10.238",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.187",
                  "versionStartIncluding": "5.15.185",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.144",
                  "versionStartIncluding": "6.1.141",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.97",
                  "versionStartIncluding": "6.6.93",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.37",
                  "versionStartIncluding": "6.12.31",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.6",
                  "versionStartIncluding": "6.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.14.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: Always pass notifications when child class becomes empty\n\nCertain classful qdiscs may invoke their classes\u0027 dequeue handler on an\nenqueue operation. This may unexpectedly empty the child qdisc and thus\nmake an in-flight class passive via qlen_notify(). Most qdiscs do not\nexpect such behaviour at this point in time and may re-activate the\nclass eventually anyways which will lead to a use-after-free.\n\nThe referenced fix commit attempted to fix this behavior for the HFSC\ncase by moving the backlog accounting around, though this turned out to\nbe incomplete since the parent\u0027s parent may run into the issue too.\nThe following reproducer demonstrates this use-after-free:\n\n    tc qdisc add dev lo root handle 1: drr\n    tc filter add dev lo parent 1: basic classid 1:1\n    tc class add dev lo parent 1: classid 1:1 drr\n    tc qdisc add dev lo parent 1:1 handle 2: hfsc def 1\n    tc class add dev lo parent 2: classid 2:1 hfsc rt m1 8 d 1 m2 0\n    tc qdisc add dev lo parent 2:1 handle 3: netem\n    tc qdisc add dev lo parent 3:1 handle 4: blackhole\n\n    echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888\n    tc class delete dev lo classid 1:1\n    echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888\n\nSince backlog accounting issues leading to a use-after-frees on stale\nclass pointers is a recurring pattern at this point, this patch takes\na different approach. Instead of trying to fix the accounting, the patch\nensures that qdisc_tree_reduce_backlog always calls qlen_notify when\nthe child qdisc is empty. This solves the problem because deletion of\nqdiscs always involves a call to qdisc_reset() and / or\nqdisc_purge_queue() which ultimately resets its qlen to 0 thus causing\nthe following qdisc_tree_reduce_backlog() to report to the parent. Note\nthat this may call qlen_notify on passive classes multiple times. This\nis not a problem after the recent patch series that made all the\nclassful qdiscs qlen_notify() handlers idempotent."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:19:38.148Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3b290923ad2b23596208c1e29520badef4356a43"
        },
        {
          "url": "https://git.kernel.org/stable/c/e9921b57dca05ac5f4fa1fa8e993d4f0ee52e2b7"
        },
        {
          "url": "https://git.kernel.org/stable/c/e269f29e9395527bc00c213c6b15da04ebb35070"
        },
        {
          "url": "https://git.kernel.org/stable/c/7874c9c132e906a52a187d045995b115973c93fb"
        },
        {
          "url": "https://git.kernel.org/stable/c/f680a4643c6f71e758d8fe0431a958e9a6a4f59d"
        },
        {
          "url": "https://git.kernel.org/stable/c/a553afd91f55ff39b1e8a1c4989a29394c9e0472"
        },
        {
          "url": "https://git.kernel.org/stable/c/a44acdd9e84a211989ff4b9b92bf3545d8456ad5"
        },
        {
          "url": "https://git.kernel.org/stable/c/103406b38c600fec1fe375a77b27d87e314aea09"
        }
      ],
      "title": "net/sched: Always pass notifications when child class becomes empty",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38350",
    "datePublished": "2025-07-19T06:46:29.849Z",
    "dateReserved": "2025-04-16T04:51:24.006Z",
    "dateUpdated": "2025-11-03T17:37:00.889Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21938 (GCVE-0-2025-21938)

Vulnerability from cvelistv5

Published

2025-04-01 15:41

Modified

2025-11-03 19:39

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: mptcp: fix 'scheduling while atomic' in mptcp_pm_nl_append_new_local_addr If multiple connection requests attempt to create an implicit mptcp endpoint in parallel, more than one caller may end up in mptcp_pm_nl_append_new_local_addr because none found the address in local_addr_list during their call to mptcp_pm_nl_get_local_id. In this case, the concurrent new_local_addr calls may delete the address entry created by the previous caller. These deletes use synchronize_rcu, but this is not permitted in some of the contexts where this function may be called. During packet recv, the caller may be in a rcu read critical section and have preemption disabled. An example stack: BUG: scheduling while atomic: swapper/2/0/0x00000302 Call Trace: <IRQ> dump_stack_lvl (lib/dump_stack.c:117 (discriminator 1)) dump_stack (lib/dump_stack.c:124) __schedule_bug (kernel/sched/core.c:5943) schedule_debug.constprop.0 (arch/x86/include/asm/preempt.h:33 kernel/sched/core.c:5970) __schedule (arch/x86/include/asm/jump_label.h:27 include/linux/jump_label.h:207 kernel/sched/features.h:29 kernel/sched/core.c:6621) schedule (arch/x86/include/asm/preempt.h:84 kernel/sched/core.c:6804 kernel/sched/core.c:6818) schedule_timeout (kernel/time/timer.c:2160) wait_for_completion (kernel/sched/completion.c:96 kernel/sched/completion.c:116 kernel/sched/completion.c:127 kernel/sched/completion.c:148) __wait_rcu_gp (include/linux/rcupdate.h:311 kernel/rcu/update.c:444) synchronize_rcu (kernel/rcu/tree.c:3609) mptcp_pm_nl_append_new_local_addr (net/mptcp/pm_netlink.c:966 net/mptcp/pm_netlink.c:1061) mptcp_pm_nl_get_local_id (net/mptcp/pm_netlink.c:1164) mptcp_pm_get_local_id (net/mptcp/pm.c:420) subflow_check_req (net/mptcp/subflow.c:98 net/mptcp/subflow.c:213) subflow_v4_route_req (net/mptcp/subflow.c:305) tcp_conn_request (net/ipv4/tcp_input.c:7216) subflow_v4_conn_request (net/mptcp/subflow.c:651) tcp_rcv_state_process (net/ipv4/tcp_input.c:6709) tcp_v4_do_rcv (net/ipv4/tcp_ipv4.c:1934) tcp_v4_rcv (net/ipv4/tcp_ipv4.c:2334) ip_protocol_deliver_rcu (net/ipv4/ip_input.c:205 (discriminator 1)) ip_local_deliver_finish (include/linux/rcupdate.h:813 net/ipv4/ip_input.c:234) ip_local_deliver (include/linux/netfilter.h:314 include/linux/netfilter.h:308 net/ipv4/ip_input.c:254) ip_sublist_rcv_finish (include/net/dst.h:461 net/ipv4/ip_input.c:580) ip_sublist_rcv (net/ipv4/ip_input.c:640) ip_list_rcv (net/ipv4/ip_input.c:675) __netif_receive_skb_list_core (net/core/dev.c:5583 net/core/dev.c:5631) netif_receive_skb_list_internal (net/core/dev.c:5685 net/core/dev.c:5774) napi_complete_done (include/linux/list.h:37 include/net/gro.h:449 include/net/gro.h:444 net/core/dev.c:6114) igb_poll (drivers/net/ethernet/intel/igb/igb_main.c:8244) igb __napi_poll (net/core/dev.c:6582) net_rx_action (net/core/dev.c:6653 net/core/dev.c:6787) handle_softirqs (kernel/softirq.c:553) __irq_exit_rcu (kernel/softirq.c:588 kernel/softirq.c:427 kernel/softirq.c:636) irq_exit_rcu (kernel/softirq.c:651) common_interrupt (arch/x86/kernel/irq.c:247 (discriminator 14)) </IRQ> This problem seems particularly prevalent if the user advertises an endpoint that has a different external vs internal address. In the case where the external address is advertised and multiple connections already exist, multiple subflow SYNs arrive in parallel which tends to trigger the race during creation of the first local_addr_list entries which have the internal address instead. Fix by skipping the replacement of an existing implicit local address if called via mptcp_pm_nl_get_local_id.

References

URL

Tags

	https://git.kernel.org/stable/c/f1404f368c40fc6a068dad72e4ee0824ee6a78ee
	https://git.kernel.org/stable/c/f3fcdb2de9fdbed9d8c6a8eb2c5fbd7d6f54a4d8
	https://git.kernel.org/stable/c/4b228dae3d2cc6d9dce167449cd8fa9f028e9376
	https://git.kernel.org/stable/c/125ccafe6dd062901b5a0c31ee9038740fc8859e
	https://git.kernel.org/stable/c/022bfe24aad8937705704ff2e414b100cf0f2e1a

Impacted products

Vendor

Product

Version

Linux

Version: d045b9eb95a9b611c483897a69e7285aefdc66d7
Version: d045b9eb95a9b611c483897a69e7285aefdc66d7
Version: d045b9eb95a9b611c483897a69e7285aefdc66d7
Version: d045b9eb95a9b611c483897a69e7285aefdc66d7
Version: d045b9eb95a9b611c483897a69e7285aefdc66d7

Linux

Version: 5.18

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:39:37.579Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/mptcp/pm_netlink.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f1404f368c40fc6a068dad72e4ee0824ee6a78ee",
              "status": "affected",
              "version": "d045b9eb95a9b611c483897a69e7285aefdc66d7",
              "versionType": "git"
            },
            {
              "lessThan": "f3fcdb2de9fdbed9d8c6a8eb2c5fbd7d6f54a4d8",
              "status": "affected",
              "version": "d045b9eb95a9b611c483897a69e7285aefdc66d7",
              "versionType": "git"
            },
            {
              "lessThan": "4b228dae3d2cc6d9dce167449cd8fa9f028e9376",
              "status": "affected",
              "version": "d045b9eb95a9b611c483897a69e7285aefdc66d7",
              "versionType": "git"
            },
            {
              "lessThan": "125ccafe6dd062901b5a0c31ee9038740fc8859e",
              "status": "affected",
              "version": "d045b9eb95a9b611c483897a69e7285aefdc66d7",
              "versionType": "git"
            },
            {
              "lessThan": "022bfe24aad8937705704ff2e414b100cf0f2e1a",
              "status": "affected",
              "version": "d045b9eb95a9b611c483897a69e7285aefdc66d7",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/mptcp/pm_netlink.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.18"
            },
            {
              "lessThan": "5.18",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.131",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.83",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.19",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.131",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.83",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.19",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.7",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix \u0027scheduling while atomic\u0027 in mptcp_pm_nl_append_new_local_addr\n\nIf multiple connection requests attempt to create an implicit mptcp\nendpoint in parallel, more than one caller may end up in\nmptcp_pm_nl_append_new_local_addr because none found the address in\nlocal_addr_list during their call to mptcp_pm_nl_get_local_id.  In this\ncase, the concurrent new_local_addr calls may delete the address entry\ncreated by the previous caller.  These deletes use synchronize_rcu, but\nthis is not permitted in some of the contexts where this function may be\ncalled.  During packet recv, the caller may be in a rcu read critical\nsection and have preemption disabled.\n\nAn example stack:\n\n   BUG: scheduling while atomic: swapper/2/0/0x00000302\n\n   Call Trace:\n   \u003cIRQ\u003e\n   dump_stack_lvl (lib/dump_stack.c:117 (discriminator 1))\n   dump_stack (lib/dump_stack.c:124)\n   __schedule_bug (kernel/sched/core.c:5943)\n   schedule_debug.constprop.0 (arch/x86/include/asm/preempt.h:33 kernel/sched/core.c:5970)\n   __schedule (arch/x86/include/asm/jump_label.h:27 include/linux/jump_label.h:207 kernel/sched/features.h:29 kernel/sched/core.c:6621)\n   schedule (arch/x86/include/asm/preempt.h:84 kernel/sched/core.c:6804 kernel/sched/core.c:6818)\n   schedule_timeout (kernel/time/timer.c:2160)\n   wait_for_completion (kernel/sched/completion.c:96 kernel/sched/completion.c:116 kernel/sched/completion.c:127 kernel/sched/completion.c:148)\n   __wait_rcu_gp (include/linux/rcupdate.h:311 kernel/rcu/update.c:444)\n   synchronize_rcu (kernel/rcu/tree.c:3609)\n   mptcp_pm_nl_append_new_local_addr (net/mptcp/pm_netlink.c:966 net/mptcp/pm_netlink.c:1061)\n   mptcp_pm_nl_get_local_id (net/mptcp/pm_netlink.c:1164)\n   mptcp_pm_get_local_id (net/mptcp/pm.c:420)\n   subflow_check_req (net/mptcp/subflow.c:98 net/mptcp/subflow.c:213)\n   subflow_v4_route_req (net/mptcp/subflow.c:305)\n   tcp_conn_request (net/ipv4/tcp_input.c:7216)\n   subflow_v4_conn_request (net/mptcp/subflow.c:651)\n   tcp_rcv_state_process (net/ipv4/tcp_input.c:6709)\n   tcp_v4_do_rcv (net/ipv4/tcp_ipv4.c:1934)\n   tcp_v4_rcv (net/ipv4/tcp_ipv4.c:2334)\n   ip_protocol_deliver_rcu (net/ipv4/ip_input.c:205 (discriminator 1))\n   ip_local_deliver_finish (include/linux/rcupdate.h:813 net/ipv4/ip_input.c:234)\n   ip_local_deliver (include/linux/netfilter.h:314 include/linux/netfilter.h:308 net/ipv4/ip_input.c:254)\n   ip_sublist_rcv_finish (include/net/dst.h:461 net/ipv4/ip_input.c:580)\n   ip_sublist_rcv (net/ipv4/ip_input.c:640)\n   ip_list_rcv (net/ipv4/ip_input.c:675)\n   __netif_receive_skb_list_core (net/core/dev.c:5583 net/core/dev.c:5631)\n   netif_receive_skb_list_internal (net/core/dev.c:5685 net/core/dev.c:5774)\n   napi_complete_done (include/linux/list.h:37 include/net/gro.h:449 include/net/gro.h:444 net/core/dev.c:6114)\n   igb_poll (drivers/net/ethernet/intel/igb/igb_main.c:8244) igb\n   __napi_poll (net/core/dev.c:6582)\n   net_rx_action (net/core/dev.c:6653 net/core/dev.c:6787)\n   handle_softirqs (kernel/softirq.c:553)\n   __irq_exit_rcu (kernel/softirq.c:588 kernel/softirq.c:427 kernel/softirq.c:636)\n   irq_exit_rcu (kernel/softirq.c:651)\n   common_interrupt (arch/x86/kernel/irq.c:247 (discriminator 14))\n   \u003c/IRQ\u003e\n\nThis problem seems particularly prevalent if the user advertises an\nendpoint that has a different external vs internal address.  In the case\nwhere the external address is advertised and multiple connections\nalready exist, multiple subflow SYNs arrive in parallel which tends to\ntrigger the race during creation of the first local_addr_list entries\nwhich have the internal address instead.\n\nFix by skipping the replacement of an existing implicit local address if\ncalled via mptcp_pm_nl_get_local_id."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:25:04.321Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f1404f368c40fc6a068dad72e4ee0824ee6a78ee"
        },
        {
          "url": "https://git.kernel.org/stable/c/f3fcdb2de9fdbed9d8c6a8eb2c5fbd7d6f54a4d8"
        },
        {
          "url": "https://git.kernel.org/stable/c/4b228dae3d2cc6d9dce167449cd8fa9f028e9376"
        },
        {
          "url": "https://git.kernel.org/stable/c/125ccafe6dd062901b5a0c31ee9038740fc8859e"
        },
        {
          "url": "https://git.kernel.org/stable/c/022bfe24aad8937705704ff2e414b100cf0f2e1a"
        }
      ],
      "title": "mptcp: fix \u0027scheduling while atomic\u0027 in mptcp_pm_nl_append_new_local_addr",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21938",
    "datePublished": "2025-04-01T15:41:04.886Z",
    "dateReserved": "2024-12-29T08:45:45.789Z",
    "dateUpdated": "2025-11-03T19:39:37.579Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-37741 (GCVE-0-2025-37741)

Vulnerability from cvelistv5

Published

2025-05-01 12:55

Modified

2025-11-03 19:54

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: jfs: Prevent copying of nlink with value 0 from disk inode syzbot report a deadlock in diFree. [1] When calling "ioctl$LOOP_SET_STATUS64", the offset value passed in is 4, which does not match the mounted loop device, causing the mapping of the mounted loop device to be invalidated. When creating the directory and creating the inode of iag in diReadSpecial(), read the page of fixed disk inode (AIT) in raw mode in read_metapage(), the metapage data it returns is corrupted, which causes the nlink value of 0 to be assigned to the iag inode when executing copy_from_dinode(), which ultimately causes a deadlock when entering diFree(). To avoid this, first check the nlink value of dinode before setting iag inode. [1] WARNING: possible recursive locking detected 6.12.0-rc7-syzkaller-00212-g4a5df3796467 #0 Not tainted -------------------------------------------- syz-executor301/5309 is trying to acquire lock: ffff888044548920 (&(imap->im_aglock[index])){+.+.}-{3:3}, at: diFree+0x37c/0x2fb0 fs/jfs/jfs_imap.c:889 but task is already holding lock: ffff888044548920 (&(imap->im_aglock[index])){+.+.}-{3:3}, at: diAlloc+0x1b6/0x1630 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(&(imap->im_aglock[index])); lock(&(imap->im_aglock[index])); *** DEADLOCK *** May be due to missing lock nesting notation 5 locks held by syz-executor301/5309: #0: ffff8880422a4420 (sb_writers#9){.+.+}-{0:0}, at: mnt_want_write+0x3f/0x90 fs/namespace.c:515 #1: ffff88804755b390 (&type->i_mutex_dir_key#6/1){+.+.}-{3:3}, at: inode_lock_nested include/linux/fs.h:850 [inline] #1: ffff88804755b390 (&type->i_mutex_dir_key#6/1){+.+.}-{3:3}, at: filename_create+0x260/0x540 fs/namei.c:4026 #2: ffff888044548920 (&(imap->im_aglock[index])){+.+.}-{3:3}, at: diAlloc+0x1b6/0x1630 #3: ffff888044548890 (&imap->im_freelock){+.+.}-{3:3}, at: diNewIAG fs/jfs/jfs_imap.c:2460 [inline] #3: ffff888044548890 (&imap->im_freelock){+.+.}-{3:3}, at: diAllocExt fs/jfs/jfs_imap.c:1905 [inline] #3: ffff888044548890 (&imap->im_freelock){+.+.}-{3:3}, at: diAllocAG+0x4b7/0x1e50 fs/jfs/jfs_imap.c:1669 #4: ffff88804755a618 (&jfs_ip->rdwrlock/1){++++}-{3:3}, at: diNewIAG fs/jfs/jfs_imap.c:2477 [inline] #4: ffff88804755a618 (&jfs_ip->rdwrlock/1){++++}-{3:3}, at: diAllocExt fs/jfs/jfs_imap.c:1905 [inline] #4: ffff88804755a618 (&jfs_ip->rdwrlock/1){++++}-{3:3}, at: diAllocAG+0x869/0x1e50 fs/jfs/jfs_imap.c:1669 stack backtrace: CPU: 0 UID: 0 PID: 5309 Comm: syz-executor301 Not tainted 6.12.0-rc7-syzkaller-00212-g4a5df3796467 #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_deadlock_bug+0x483/0x620 kernel/locking/lockdep.c:3037 check_deadlock kernel/locking/lockdep.c:3089 [inline] validate_chain+0x15e2/0x5920 kernel/locking/lockdep.c:3891 __lock_acquire+0x1384/0x2050 kernel/locking/lockdep.c:5202 lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5825 __mutex_lock_common kernel/locking/mutex.c:608 [inline] __mutex_lock+0x136/0xd70 kernel/locking/mutex.c:752 diFree+0x37c/0x2fb0 fs/jfs/jfs_imap.c:889 jfs_evict_inode+0x32d/0x440 fs/jfs/inode.c:156 evict+0x4e8/0x9b0 fs/inode.c:725 diFreeSpecial fs/jfs/jfs_imap.c:552 [inline] duplicateIXtree+0x3c6/0x550 fs/jfs/jfs_imap.c:3022 diNewIAG fs/jfs/jfs_imap.c:2597 [inline] diAllocExt fs/jfs/jfs_imap.c:1905 [inline] diAllocAG+0x17dc/0x1e50 fs/jfs/jfs_imap.c:1669 diAlloc+0x1d2/0x1630 fs/jfs/jfs_imap.c:1590 ialloc+0x8f/0x900 fs/jfs/jfs_inode.c:56 jfs_mkdir+0x1c5/0xba0 fs/jfs/namei.c:225 vfs_mkdir+0x2f9/0x4f0 fs/namei.c:4257 do_mkdirat+0x264/0x3a0 fs/namei.c:4280 __do_sys_mkdirat fs/namei.c:4295 [inline] __se_sys_mkdirat fs/namei.c:4293 [inline] __x64_sys_mkdirat+0x87/0xa0 fs/namei.c:4293 do_syscall_x64 arch/x86/en ---truncated---

References

URL

Tags

	https://git.kernel.org/stable/c/5b2f26d3fba4e9aac314f8bc0963b3fc28c0e456
	https://git.kernel.org/stable/c/8b5ce75f8bd3ddf480cc0a240d7ff5cdea0444f9
	https://git.kernel.org/stable/c/86bfeaa18f9e4615b97f2d613e0fcc4ced196527
	https://git.kernel.org/stable/c/c9541c2bd0edbdbc5c1148a84d3b48dc8d1b8af2
	https://git.kernel.org/stable/c/b3c4884b987e5d8d0ec061a4d52653c4f4b9c37e
	https://git.kernel.org/stable/c/aeb926e605f97857504bdf748f575e40617e2ef9
	https://git.kernel.org/stable/c/994787341358816d91b2fded288ecb7f129f2b27
	https://git.kernel.org/stable/c/a2b560815528ae8e266fca6038bb5585d13aaef4
	https://git.kernel.org/stable/c/b61e69bb1c049cf507e3c654fa3dc1568231bd07

Impacted products

Vendor

Product

Version

Linux

Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Linux

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:54:19.306Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/jfs/jfs_imap.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5b2f26d3fba4e9aac314f8bc0963b3fc28c0e456",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "8b5ce75f8bd3ddf480cc0a240d7ff5cdea0444f9",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "86bfeaa18f9e4615b97f2d613e0fcc4ced196527",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "c9541c2bd0edbdbc5c1148a84d3b48dc8d1b8af2",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "b3c4884b987e5d8d0ec061a4d52653c4f4b9c37e",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "aeb926e605f97857504bdf748f575e40617e2ef9",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "994787341358816d91b2fded288ecb7f129f2b27",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "a2b560815528ae8e266fca6038bb5585d13aaef4",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "b61e69bb1c049cf507e3c654fa3dc1568231bd07",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/jfs/jfs_imap.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.293",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.237",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.181",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.135",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.24",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.293",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.237",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.181",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.135",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.88",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.24",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: Prevent copying of nlink with value 0 from disk inode\n\nsyzbot report a deadlock in diFree. [1]\n\nWhen calling \"ioctl$LOOP_SET_STATUS64\", the offset value passed in is 4,\nwhich does not match the mounted loop device, causing the mapping of the\nmounted loop device to be invalidated.\n\nWhen creating the directory and creating the inode of iag in diReadSpecial(),\nread the page of fixed disk inode (AIT) in raw mode in read_metapage(), the\nmetapage data it returns is corrupted, which causes the nlink value of 0 to be\nassigned to the iag inode when executing copy_from_dinode(), which ultimately\ncauses a deadlock when entering diFree().\n\nTo avoid this, first check the nlink value of dinode before setting iag inode.\n\n[1]\nWARNING: possible recursive locking detected\n6.12.0-rc7-syzkaller-00212-g4a5df3796467 #0 Not tainted\n--------------------------------------------\nsyz-executor301/5309 is trying to acquire lock:\nffff888044548920 (\u0026(imap-\u003eim_aglock[index])){+.+.}-{3:3}, at: diFree+0x37c/0x2fb0 fs/jfs/jfs_imap.c:889\n\nbut task is already holding lock:\nffff888044548920 (\u0026(imap-\u003eim_aglock[index])){+.+.}-{3:3}, at: diAlloc+0x1b6/0x1630\n\nother info that might help us debug this:\n Possible unsafe locking scenario:\n\n       CPU0\n       ----\n  lock(\u0026(imap-\u003eim_aglock[index]));\n  lock(\u0026(imap-\u003eim_aglock[index]));\n\n *** DEADLOCK ***\n\n May be due to missing lock nesting notation\n\n5 locks held by syz-executor301/5309:\n #0: ffff8880422a4420 (sb_writers#9){.+.+}-{0:0}, at: mnt_want_write+0x3f/0x90 fs/namespace.c:515\n #1: ffff88804755b390 (\u0026type-\u003ei_mutex_dir_key#6/1){+.+.}-{3:3}, at: inode_lock_nested include/linux/fs.h:850 [inline]\n #1: ffff88804755b390 (\u0026type-\u003ei_mutex_dir_key#6/1){+.+.}-{3:3}, at: filename_create+0x260/0x540 fs/namei.c:4026\n #2: ffff888044548920 (\u0026(imap-\u003eim_aglock[index])){+.+.}-{3:3}, at: diAlloc+0x1b6/0x1630\n #3: ffff888044548890 (\u0026imap-\u003eim_freelock){+.+.}-{3:3}, at: diNewIAG fs/jfs/jfs_imap.c:2460 [inline]\n #3: ffff888044548890 (\u0026imap-\u003eim_freelock){+.+.}-{3:3}, at: diAllocExt fs/jfs/jfs_imap.c:1905 [inline]\n #3: ffff888044548890 (\u0026imap-\u003eim_freelock){+.+.}-{3:3}, at: diAllocAG+0x4b7/0x1e50 fs/jfs/jfs_imap.c:1669\n #4: ffff88804755a618 (\u0026jfs_ip-\u003erdwrlock/1){++++}-{3:3}, at: diNewIAG fs/jfs/jfs_imap.c:2477 [inline]\n #4: ffff88804755a618 (\u0026jfs_ip-\u003erdwrlock/1){++++}-{3:3}, at: diAllocExt fs/jfs/jfs_imap.c:1905 [inline]\n #4: ffff88804755a618 (\u0026jfs_ip-\u003erdwrlock/1){++++}-{3:3}, at: diAllocAG+0x869/0x1e50 fs/jfs/jfs_imap.c:1669\n\nstack backtrace:\nCPU: 0 UID: 0 PID: 5309 Comm: syz-executor301 Not tainted 6.12.0-rc7-syzkaller-00212-g4a5df3796467 #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n print_deadlock_bug+0x483/0x620 kernel/locking/lockdep.c:3037\n check_deadlock kernel/locking/lockdep.c:3089 [inline]\n validate_chain+0x15e2/0x5920 kernel/locking/lockdep.c:3891\n __lock_acquire+0x1384/0x2050 kernel/locking/lockdep.c:5202\n lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5825\n __mutex_lock_common kernel/locking/mutex.c:608 [inline]\n __mutex_lock+0x136/0xd70 kernel/locking/mutex.c:752\n diFree+0x37c/0x2fb0 fs/jfs/jfs_imap.c:889\n jfs_evict_inode+0x32d/0x440 fs/jfs/inode.c:156\n evict+0x4e8/0x9b0 fs/inode.c:725\n diFreeSpecial fs/jfs/jfs_imap.c:552 [inline]\n duplicateIXtree+0x3c6/0x550 fs/jfs/jfs_imap.c:3022\n diNewIAG fs/jfs/jfs_imap.c:2597 [inline]\n diAllocExt fs/jfs/jfs_imap.c:1905 [inline]\n diAllocAG+0x17dc/0x1e50 fs/jfs/jfs_imap.c:1669\n diAlloc+0x1d2/0x1630 fs/jfs/jfs_imap.c:1590\n ialloc+0x8f/0x900 fs/jfs/jfs_inode.c:56\n jfs_mkdir+0x1c5/0xba0 fs/jfs/namei.c:225\n vfs_mkdir+0x2f9/0x4f0 fs/namei.c:4257\n do_mkdirat+0x264/0x3a0 fs/namei.c:4280\n __do_sys_mkdirat fs/namei.c:4295 [inline]\n __se_sys_mkdirat fs/namei.c:4293 [inline]\n __x64_sys_mkdirat+0x87/0xa0 fs/namei.c:4293\n do_syscall_x64 arch/x86/en\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:19:53.571Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/5b2f26d3fba4e9aac314f8bc0963b3fc28c0e456"
        },
        {
          "url": "https://git.kernel.org/stable/c/8b5ce75f8bd3ddf480cc0a240d7ff5cdea0444f9"
        },
        {
          "url": "https://git.kernel.org/stable/c/86bfeaa18f9e4615b97f2d613e0fcc4ced196527"
        },
        {
          "url": "https://git.kernel.org/stable/c/c9541c2bd0edbdbc5c1148a84d3b48dc8d1b8af2"
        },
        {
          "url": "https://git.kernel.org/stable/c/b3c4884b987e5d8d0ec061a4d52653c4f4b9c37e"
        },
        {
          "url": "https://git.kernel.org/stable/c/aeb926e605f97857504bdf748f575e40617e2ef9"
        },
        {
          "url": "https://git.kernel.org/stable/c/994787341358816d91b2fded288ecb7f129f2b27"
        },
        {
          "url": "https://git.kernel.org/stable/c/a2b560815528ae8e266fca6038bb5585d13aaef4"
        },
        {
          "url": "https://git.kernel.org/stable/c/b61e69bb1c049cf507e3c654fa3dc1568231bd07"
        }
      ],
      "title": "jfs: Prevent copying of nlink with value 0 from disk inode",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37741",
    "datePublished": "2025-05-01T12:55:49.947Z",
    "dateReserved": "2025-04-16T04:51:23.936Z",
    "dateUpdated": "2025-11-03T19:54:19.306Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38485 (GCVE-0-2025-38485)

Vulnerability from cvelistv5

Published

2025-07-28 11:21

Modified

2025-11-03 17:38

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: iio: accel: fxls8962af: Fix use after free in fxls8962af_fifo_flush fxls8962af_fifo_flush() uses indio_dev->active_scan_mask (with iio_for_each_active_channel()) without making sure the indio_dev stays in buffer mode. There is a race if indio_dev exits buffer mode in the middle of the interrupt that flushes the fifo. Fix this by calling synchronize_irq() to ensure that no interrupt is currently running when disabling buffer mode. Unable to handle kernel NULL pointer dereference at virtual address 00000000 when read [...] _find_first_bit_le from fxls8962af_fifo_flush+0x17c/0x290 fxls8962af_fifo_flush from fxls8962af_interrupt+0x80/0x178 fxls8962af_interrupt from irq_thread_fn+0x1c/0x7c irq_thread_fn from irq_thread+0x110/0x1f4 irq_thread from kthread+0xe0/0xfc kthread from ret_from_fork+0x14/0x2c

References

URL

Tags

	https://git.kernel.org/stable/c/6ecd61c201b27ad2760b3975437ad2b97d725b98
	https://git.kernel.org/stable/c/dda42f23a8f5439eaac9521ce0531547d880cc54
	https://git.kernel.org/stable/c/bfcda3e1015791b3a63fb4d3aad408da9cf76e8f
	https://git.kernel.org/stable/c/1803d372460aaa9ae0188a30c9421d3f157f2f04
	https://git.kernel.org/stable/c/1fe16dc1a2f5057772e5391ec042ed7442966c9a

Impacted products

Vendor

Product

Version

Linux

Version: 79e3a5bdd9efbdf4e1069793d7735b432d641e7c
Version: 79e3a5bdd9efbdf4e1069793d7735b432d641e7c
Version: 79e3a5bdd9efbdf4e1069793d7735b432d641e7c
Version: 79e3a5bdd9efbdf4e1069793d7735b432d641e7c
Version: 79e3a5bdd9efbdf4e1069793d7735b432d641e7c

Linux

Version: 5.14

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:38:55.102Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/iio/accel/fxls8962af-core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6ecd61c201b27ad2760b3975437ad2b97d725b98",
              "status": "affected",
              "version": "79e3a5bdd9efbdf4e1069793d7735b432d641e7c",
              "versionType": "git"
            },
            {
              "lessThan": "dda42f23a8f5439eaac9521ce0531547d880cc54",
              "status": "affected",
              "version": "79e3a5bdd9efbdf4e1069793d7735b432d641e7c",
              "versionType": "git"
            },
            {
              "lessThan": "bfcda3e1015791b3a63fb4d3aad408da9cf76e8f",
              "status": "affected",
              "version": "79e3a5bdd9efbdf4e1069793d7735b432d641e7c",
              "versionType": "git"
            },
            {
              "lessThan": "1803d372460aaa9ae0188a30c9421d3f157f2f04",
              "status": "affected",
              "version": "79e3a5bdd9efbdf4e1069793d7735b432d641e7c",
              "versionType": "git"
            },
            {
              "lessThan": "1fe16dc1a2f5057772e5391ec042ed7442966c9a",
              "status": "affected",
              "version": "79e3a5bdd9efbdf4e1069793d7735b432d641e7c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/iio/accel/fxls8962af-core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.14"
            },
            {
              "lessThan": "5.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.147",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.100",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.40",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.147",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.100",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.40",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.8",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: accel: fxls8962af: Fix use after free in fxls8962af_fifo_flush\n\nfxls8962af_fifo_flush() uses indio_dev-\u003eactive_scan_mask (with\niio_for_each_active_channel()) without making sure the indio_dev\nstays in buffer mode.\nThere is a race if indio_dev exits buffer mode in the middle of the\ninterrupt that flushes the fifo. Fix this by calling\nsynchronize_irq() to ensure that no interrupt is currently running when\ndisabling buffer mode.\n\nUnable to handle kernel NULL pointer dereference at virtual address 00000000 when read\n[...]\n_find_first_bit_le from fxls8962af_fifo_flush+0x17c/0x290\nfxls8962af_fifo_flush from fxls8962af_interrupt+0x80/0x178\nfxls8962af_interrupt from irq_thread_fn+0x1c/0x7c\nirq_thread_fn from irq_thread+0x110/0x1f4\nirq_thread from kthread+0xe0/0xfc\nkthread from ret_from_fork+0x14/0x2c"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T11:21:49.624Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/6ecd61c201b27ad2760b3975437ad2b97d725b98"
        },
        {
          "url": "https://git.kernel.org/stable/c/dda42f23a8f5439eaac9521ce0531547d880cc54"
        },
        {
          "url": "https://git.kernel.org/stable/c/bfcda3e1015791b3a63fb4d3aad408da9cf76e8f"
        },
        {
          "url": "https://git.kernel.org/stable/c/1803d372460aaa9ae0188a30c9421d3f157f2f04"
        },
        {
          "url": "https://git.kernel.org/stable/c/1fe16dc1a2f5057772e5391ec042ed7442966c9a"
        }
      ],
      "title": "iio: accel: fxls8962af: Fix use after free in fxls8962af_fifo_flush",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38485",
    "datePublished": "2025-07-28T11:21:49.624Z",
    "dateReserved": "2025-04-16T04:51:24.021Z",
    "dateUpdated": "2025-11-03T17:38:55.102Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38240 (GCVE-0-2025-38240)

Vulnerability from cvelistv5

Published

2025-04-18 07:01

Modified

2025-05-26 05:25

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/mediatek: dp: drm_err => dev_err in HPD path to avoid NULL ptr The function mtk_dp_wait_hpd_asserted() may be called before the `mtk_dp->drm_dev` pointer is assigned in mtk_dp_bridge_attach(). Specifically it can be called via this callpath: - mtk_edp_wait_hpd_asserted - [panel probe] - dp_aux_ep_probe Using "drm" level prints anywhere in this callpath causes a NULL pointer dereference. Change the error message directly in mtk_dp_wait_hpd_asserted() to dev_err() to avoid this. Also change the error messages in mtk_dp_parse_capabilities(), which is called by mtk_dp_wait_hpd_asserted(). While touching these prints, also add the error code to them to make future debugging easier.

References

URL

Tags

	https://git.kernel.org/stable/c/13ec849fd2eab808ee8eba2625df7ebea3b85edf
	https://git.kernel.org/stable/c/57a9fb47551b33cde7b76d17c0072c3b394f4620
	https://git.kernel.org/stable/c/2fda391ef7a701748abd7fa32232981b522c1e07
	https://git.kernel.org/stable/c/149a5c38436c229950cf1020992ce65c9549bc19
	https://git.kernel.org/stable/c/106a6de46cf4887d535018185ec528ce822d6d84

Impacted products

Vendor

Product

Version

Linux

Version: 7eacba9a083be65c0f251c19380ec01147c01ebc
Version: 7eacba9a083be65c0f251c19380ec01147c01ebc
Version: 7eacba9a083be65c0f251c19380ec01147c01ebc
Version: 7eacba9a083be65c0f251c19380ec01147c01ebc
Version: 7eacba9a083be65c0f251c19380ec01147c01ebc

Linux

Version: 6.6

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/mediatek/mtk_dp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "13ec849fd2eab808ee8eba2625df7ebea3b85edf",
              "status": "affected",
              "version": "7eacba9a083be65c0f251c19380ec01147c01ebc",
              "versionType": "git"
            },
            {
              "lessThan": "57a9fb47551b33cde7b76d17c0072c3b394f4620",
              "status": "affected",
              "version": "7eacba9a083be65c0f251c19380ec01147c01ebc",
              "versionType": "git"
            },
            {
              "lessThan": "2fda391ef7a701748abd7fa32232981b522c1e07",
              "status": "affected",
              "version": "7eacba9a083be65c0f251c19380ec01147c01ebc",
              "versionType": "git"
            },
            {
              "lessThan": "149a5c38436c229950cf1020992ce65c9549bc19",
              "status": "affected",
              "version": "7eacba9a083be65c0f251c19380ec01147c01ebc",
              "versionType": "git"
            },
            {
              "lessThan": "106a6de46cf4887d535018185ec528ce822d6d84",
              "status": "affected",
              "version": "7eacba9a083be65c0f251c19380ec01147c01ebc",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/mediatek/mtk_dp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.6"
            },
            {
              "lessThan": "6.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.87",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.23",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.87",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.23",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.11",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.2",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/mediatek: dp: drm_err =\u003e dev_err in HPD path to avoid NULL ptr\n\nThe function mtk_dp_wait_hpd_asserted() may be called before the\n`mtk_dp-\u003edrm_dev` pointer is assigned in mtk_dp_bridge_attach().\nSpecifically it can be called via this callpath:\n - mtk_edp_wait_hpd_asserted\n - [panel probe]\n - dp_aux_ep_probe\n\nUsing \"drm\" level prints anywhere in this callpath causes a NULL\npointer dereference. Change the error message directly in\nmtk_dp_wait_hpd_asserted() to dev_err() to avoid this. Also change the\nerror messages in mtk_dp_parse_capabilities(), which is called by\nmtk_dp_wait_hpd_asserted().\n\nWhile touching these prints, also add the error code to them to make\nfuture debugging easier."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:25:21.005Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/13ec849fd2eab808ee8eba2625df7ebea3b85edf"
        },
        {
          "url": "https://git.kernel.org/stable/c/57a9fb47551b33cde7b76d17c0072c3b394f4620"
        },
        {
          "url": "https://git.kernel.org/stable/c/2fda391ef7a701748abd7fa32232981b522c1e07"
        },
        {
          "url": "https://git.kernel.org/stable/c/149a5c38436c229950cf1020992ce65c9549bc19"
        },
        {
          "url": "https://git.kernel.org/stable/c/106a6de46cf4887d535018185ec528ce822d6d84"
        }
      ],
      "title": "drm/mediatek: dp: drm_err =\u003e dev_err in HPD path to avoid NULL ptr",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38240",
    "datePublished": "2025-04-18T07:01:32.338Z",
    "dateReserved": "2025-04-16T04:51:23.996Z",
    "dateUpdated": "2025-05-26T05:25:21.005Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38109 (GCVE-0-2025-38109)

Vulnerability from cvelistv5

Published

2025-07-03 08:35

Modified

2025-07-28 04:12

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix ECVF vports unload on shutdown flow Fix shutdown flow UAF when a virtual function is created on the embedded chip (ECVF) of a BlueField device. In such case the vport acl ingress table is not properly destroyed. ECVF functionality is independent of ecpf_vport_exists capability and thus functions mlx5_eswitch_(enable|disable)_pf_vf_vports() should not test it when enabling/disabling ECVF vports. kernel log: [] refcount_t: underflow; use-after-free. [] WARNING: CPU: 3 PID: 1 at lib/refcount.c:28 refcount_warn_saturate+0x124/0x220 ---------------- [] Call trace: [] refcount_warn_saturate+0x124/0x220 [] tree_put_node+0x164/0x1e0 [mlx5_core] [] mlx5_destroy_flow_table+0x98/0x2c0 [mlx5_core] [] esw_acl_ingress_table_destroy+0x28/0x40 [mlx5_core] [] esw_acl_ingress_lgcy_cleanup+0x80/0xf4 [mlx5_core] [] esw_legacy_vport_acl_cleanup+0x44/0x60 [mlx5_core] [] esw_vport_cleanup+0x64/0x90 [mlx5_core] [] mlx5_esw_vport_disable+0xc0/0x1d0 [mlx5_core] [] mlx5_eswitch_unload_ec_vf_vports+0xcc/0x150 [mlx5_core] [] mlx5_eswitch_disable_sriov+0x198/0x2a0 [mlx5_core] [] mlx5_device_disable_sriov+0xb8/0x1e0 [mlx5_core] [] mlx5_sriov_detach+0x40/0x50 [mlx5_core] [] mlx5_unload+0x40/0xc4 [mlx5_core] [] mlx5_unload_one_devl_locked+0x6c/0xe4 [mlx5_core] [] mlx5_unload_one+0x3c/0x60 [mlx5_core] [] shutdown+0x7c/0xa4 [mlx5_core] [] pci_device_shutdown+0x3c/0xa0 [] device_shutdown+0x170/0x340 [] __do_sys_reboot+0x1f4/0x2a0 [] __arm64_sys_reboot+0x2c/0x40 [] invoke_syscall+0x78/0x100 [] el0_svc_common.constprop.0+0x54/0x184 [] do_el0_svc+0x30/0xac [] el0_svc+0x48/0x160 [] el0t_64_sync_handler+0xa4/0x12c [] el0t_64_sync+0x1a4/0x1a8 [] --[ end trace 9c4601d68c70030e ]---

References

URL

Tags

	https://git.kernel.org/stable/c/5953ae44dfe5dbad374318875be834c3b7b71ee6
	https://git.kernel.org/stable/c/da15ca0553325acf68039015f2f4db750c8e2b96
	https://git.kernel.org/stable/c/24db585d369f949f698e03d7d8017e5ae19d0497
	https://git.kernel.org/stable/c/687560d8a9a2d654829ad0da1ec24242f1de711d

Impacted products

Vendor

Product

Version

Linux

Version: a7719b29a82199b90ebbf355d3332e0fbfbf6045
Version: a7719b29a82199b90ebbf355d3332e0fbfbf6045
Version: a7719b29a82199b90ebbf355d3332e0fbfbf6045
Version: a7719b29a82199b90ebbf355d3332e0fbfbf6045

Linux

Version: 6.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/mellanox/mlx5/core/eswitch.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5953ae44dfe5dbad374318875be834c3b7b71ee6",
              "status": "affected",
              "version": "a7719b29a82199b90ebbf355d3332e0fbfbf6045",
              "versionType": "git"
            },
            {
              "lessThan": "da15ca0553325acf68039015f2f4db750c8e2b96",
              "status": "affected",
              "version": "a7719b29a82199b90ebbf355d3332e0fbfbf6045",
              "versionType": "git"
            },
            {
              "lessThan": "24db585d369f949f698e03d7d8017e5ae19d0497",
              "status": "affected",
              "version": "a7719b29a82199b90ebbf355d3332e0fbfbf6045",
              "versionType": "git"
            },
            {
              "lessThan": "687560d8a9a2d654829ad0da1ec24242f1de711d",
              "status": "affected",
              "version": "a7719b29a82199b90ebbf355d3332e0fbfbf6045",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/mellanox/mlx5/core/eswitch.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.5"
            },
            {
              "lessThan": "6.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.94",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Fix ECVF vports unload on shutdown flow\n\nFix shutdown flow UAF when a virtual function is created on the embedded\nchip (ECVF) of a BlueField device. In such case the vport acl ingress\ntable is not properly destroyed.\n\nECVF functionality is independent of ecpf_vport_exists capability and\nthus functions mlx5_eswitch_(enable|disable)_pf_vf_vports() should not\ntest it when enabling/disabling ECVF vports.\n\nkernel log:\n[] refcount_t: underflow; use-after-free.\n[] WARNING: CPU: 3 PID: 1 at lib/refcount.c:28\n   refcount_warn_saturate+0x124/0x220\n----------------\n[] Call trace:\n[] refcount_warn_saturate+0x124/0x220\n[] tree_put_node+0x164/0x1e0 [mlx5_core]\n[] mlx5_destroy_flow_table+0x98/0x2c0 [mlx5_core]\n[] esw_acl_ingress_table_destroy+0x28/0x40 [mlx5_core]\n[] esw_acl_ingress_lgcy_cleanup+0x80/0xf4 [mlx5_core]\n[] esw_legacy_vport_acl_cleanup+0x44/0x60 [mlx5_core]\n[] esw_vport_cleanup+0x64/0x90 [mlx5_core]\n[] mlx5_esw_vport_disable+0xc0/0x1d0 [mlx5_core]\n[] mlx5_eswitch_unload_ec_vf_vports+0xcc/0x150 [mlx5_core]\n[] mlx5_eswitch_disable_sriov+0x198/0x2a0 [mlx5_core]\n[] mlx5_device_disable_sriov+0xb8/0x1e0 [mlx5_core]\n[] mlx5_sriov_detach+0x40/0x50 [mlx5_core]\n[] mlx5_unload+0x40/0xc4 [mlx5_core]\n[] mlx5_unload_one_devl_locked+0x6c/0xe4 [mlx5_core]\n[] mlx5_unload_one+0x3c/0x60 [mlx5_core]\n[] shutdown+0x7c/0xa4 [mlx5_core]\n[] pci_device_shutdown+0x3c/0xa0\n[] device_shutdown+0x170/0x340\n[] __do_sys_reboot+0x1f4/0x2a0\n[] __arm64_sys_reboot+0x2c/0x40\n[] invoke_syscall+0x78/0x100\n[] el0_svc_common.constprop.0+0x54/0x184\n[] do_el0_svc+0x30/0xac\n[] el0_svc+0x48/0x160\n[] el0t_64_sync_handler+0xa4/0x12c\n[] el0t_64_sync+0x1a4/0x1a8\n[] --[ end trace 9c4601d68c70030e ]---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:12:25.395Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/5953ae44dfe5dbad374318875be834c3b7b71ee6"
        },
        {
          "url": "https://git.kernel.org/stable/c/da15ca0553325acf68039015f2f4db750c8e2b96"
        },
        {
          "url": "https://git.kernel.org/stable/c/24db585d369f949f698e03d7d8017e5ae19d0497"
        },
        {
          "url": "https://git.kernel.org/stable/c/687560d8a9a2d654829ad0da1ec24242f1de711d"
        }
      ],
      "title": "net/mlx5: Fix ECVF vports unload on shutdown flow",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38109",
    "datePublished": "2025-07-03T08:35:19.240Z",
    "dateReserved": "2025-04-16T04:51:23.985Z",
    "dateUpdated": "2025-07-28T04:12:25.395Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38053 (GCVE-0-2025-38053)

Vulnerability from cvelistv5

Published

2025-06-18 09:33

Modified

2025-06-18 09:33

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: idpf: fix null-ptr-deref in idpf_features_check idpf_features_check is used to validate the TX packet. skb header length is compared with the hardware supported value received from the device control plane. The value is stored in the adapter structure and to access it, vport pointer is used. During reset all the vports are released and the vport pointer that the netdev private structure points to is NULL. To avoid null-ptr-deref, store the max header length value in netdev private structure. This also helps to cache the value and avoid accessing adapter pointer in hot path. BUG: kernel NULL pointer dereference, address: 0000000000000068 ... RIP: 0010:idpf_features_check+0x6d/0xe0 [idpf] Call Trace: <TASK> ? __die+0x23/0x70 ? page_fault_oops+0x154/0x520 ? exc_page_fault+0x76/0x190 ? asm_exc_page_fault+0x26/0x30 ? idpf_features_check+0x6d/0xe0 [idpf] netif_skb_features+0x88/0x310 validate_xmit_skb+0x2a/0x2b0 validate_xmit_skb_list+0x4c/0x70 sch_direct_xmit+0x19d/0x3a0 __dev_queue_xmit+0xb74/0xe70 ...

References

URL

Tags

	https://git.kernel.org/stable/c/f6f5e9c8cb680c3cb9771fd9fa114319cbc4f514
	https://git.kernel.org/stable/c/bf1e751c5a5611aa037ab44cca955c141eb68dcc
	https://git.kernel.org/stable/c/2dabe349f7882ff1407a784d54d8541909329088

Impacted products

Vendor

Product

Version

Linux

Version: a251eee62133774cf35ff829041377e721ef9c8c
Version: a251eee62133774cf35ff829041377e721ef9c8c
Version: a251eee62133774cf35ff829041377e721ef9c8c

Linux

Version: 6.7

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/intel/idpf/idpf.h",
            "drivers/net/ethernet/intel/idpf/idpf_lib.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f6f5e9c8cb680c3cb9771fd9fa114319cbc4f514",
              "status": "affected",
              "version": "a251eee62133774cf35ff829041377e721ef9c8c",
              "versionType": "git"
            },
            {
              "lessThan": "bf1e751c5a5611aa037ab44cca955c141eb68dcc",
              "status": "affected",
              "version": "a251eee62133774cf35ff829041377e721ef9c8c",
              "versionType": "git"
            },
            {
              "lessThan": "2dabe349f7882ff1407a784d54d8541909329088",
              "status": "affected",
              "version": "a251eee62133774cf35ff829041377e721ef9c8c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/intel/idpf/idpf.h",
            "drivers/net/ethernet/intel/idpf/idpf_lib.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.7"
            },
            {
              "lessThan": "6.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.31",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.31",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.9",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nidpf: fix null-ptr-deref in idpf_features_check\n\nidpf_features_check is used to validate the TX packet. skb header\nlength is compared with the hardware supported value received from\nthe device control plane. The value is stored in the adapter structure\nand to access it, vport pointer is used. During reset all the vports\nare released and the vport pointer that the netdev private structure\npoints to is NULL.\n\nTo avoid null-ptr-deref, store the max header length value in netdev\nprivate structure. This also helps to cache the value and avoid\naccessing adapter pointer in hot path.\n\nBUG: kernel NULL pointer dereference, address: 0000000000000068\n...\nRIP: 0010:idpf_features_check+0x6d/0xe0 [idpf]\nCall Trace:\n \u003cTASK\u003e\n ? __die+0x23/0x70\n ? page_fault_oops+0x154/0x520\n ? exc_page_fault+0x76/0x190\n ? asm_exc_page_fault+0x26/0x30\n ? idpf_features_check+0x6d/0xe0 [idpf]\n netif_skb_features+0x88/0x310\n validate_xmit_skb+0x2a/0x2b0\n validate_xmit_skb_list+0x4c/0x70\n sch_direct_xmit+0x19d/0x3a0\n __dev_queue_xmit+0xb74/0xe70\n ..."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-18T09:33:34.060Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f6f5e9c8cb680c3cb9771fd9fa114319cbc4f514"
        },
        {
          "url": "https://git.kernel.org/stable/c/bf1e751c5a5611aa037ab44cca955c141eb68dcc"
        },
        {
          "url": "https://git.kernel.org/stable/c/2dabe349f7882ff1407a784d54d8541909329088"
        }
      ],
      "title": "idpf: fix null-ptr-deref in idpf_features_check",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38053",
    "datePublished": "2025-06-18T09:33:34.060Z",
    "dateReserved": "2025-04-16T04:51:23.979Z",
    "dateUpdated": "2025-06-18T09:33:34.060Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38159 (GCVE-0-2025-38159)

Vulnerability from cvelistv5

Published

2025-07-03 08:36

Modified

2025-11-03 17:34

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: wifi: rtw88: fix the 'para' buffer size to avoid reading out of bounds Set the size to 6 instead of 2, since 'para' array is passed to 'rtw_fw_bt_wifi_control(rtwdev, para[0], &para[1])', which reads 5 bytes: void rtw_fw_bt_wifi_control(struct rtw_dev *rtwdev, u8 op_code, u8 *data) { ... SET_BT_WIFI_CONTROL_DATA1(h2c_pkt, *data); SET_BT_WIFI_CONTROL_DATA2(h2c_pkt, *(data + 1)); ... SET_BT_WIFI_CONTROL_DATA5(h2c_pkt, *(data + 4)); Detected using the static analysis tool - Svace.

References

URL

Tags

	https://git.kernel.org/stable/c/1ee8ea6937d13b20f90ff35d71ccc03ba448182d
	https://git.kernel.org/stable/c/68a1037f0bac4de9a585aa9c879ef886109f3647
	https://git.kernel.org/stable/c/74e18211c2c89ab66c9546baa7408288db61aa0d
	https://git.kernel.org/stable/c/c13255389499275bc5489a0b5b7940ccea3aef04
	https://git.kernel.org/stable/c/9febcc8bded8be0d7efd8237fcef599b6d93b788
	https://git.kernel.org/stable/c/4c2c372de2e108319236203cce6de44d70ae15cd

Impacted products

Vendor

Product

Version

Linux

Version: 4136214f7c46839c15f0f177fe1d5052302c0205
Version: 4136214f7c46839c15f0f177fe1d5052302c0205
Version: 4136214f7c46839c15f0f177fe1d5052302c0205
Version: 4136214f7c46839c15f0f177fe1d5052302c0205
Version: 4136214f7c46839c15f0f177fe1d5052302c0205
Version: 4136214f7c46839c15f0f177fe1d5052302c0205

Linux

Version: 5.4

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:34:48.215Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/realtek/rtw88/coex.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1ee8ea6937d13b20f90ff35d71ccc03ba448182d",
              "status": "affected",
              "version": "4136214f7c46839c15f0f177fe1d5052302c0205",
              "versionType": "git"
            },
            {
              "lessThan": "68a1037f0bac4de9a585aa9c879ef886109f3647",
              "status": "affected",
              "version": "4136214f7c46839c15f0f177fe1d5052302c0205",
              "versionType": "git"
            },
            {
              "lessThan": "74e18211c2c89ab66c9546baa7408288db61aa0d",
              "status": "affected",
              "version": "4136214f7c46839c15f0f177fe1d5052302c0205",
              "versionType": "git"
            },
            {
              "lessThan": "c13255389499275bc5489a0b5b7940ccea3aef04",
              "status": "affected",
              "version": "4136214f7c46839c15f0f177fe1d5052302c0205",
              "versionType": "git"
            },
            {
              "lessThan": "9febcc8bded8be0d7efd8237fcef599b6d93b788",
              "status": "affected",
              "version": "4136214f7c46839c15f0f177fe1d5052302c0205",
              "versionType": "git"
            },
            {
              "lessThan": "4c2c372de2e108319236203cce6de44d70ae15cd",
              "status": "affected",
              "version": "4136214f7c46839c15f0f177fe1d5052302c0205",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/realtek/rtw88/coex.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.4"
            },
            {
              "lessThan": "5.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.94",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw88: fix the \u0027para\u0027 buffer size to avoid reading out of bounds\n\nSet the size to 6 instead of 2, since \u0027para\u0027 array is passed to\n\u0027rtw_fw_bt_wifi_control(rtwdev, para[0], \u0026para[1])\u0027, which reads\n5 bytes:\n\nvoid rtw_fw_bt_wifi_control(struct rtw_dev *rtwdev, u8 op_code, u8 *data)\n{\n    ...\n    SET_BT_WIFI_CONTROL_DATA1(h2c_pkt, *data);\n    SET_BT_WIFI_CONTROL_DATA2(h2c_pkt, *(data + 1));\n    ...\n    SET_BT_WIFI_CONTROL_DATA5(h2c_pkt, *(data + 4));\n\nDetected using the static analysis tool - Svace."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:13:51.003Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1ee8ea6937d13b20f90ff35d71ccc03ba448182d"
        },
        {
          "url": "https://git.kernel.org/stable/c/68a1037f0bac4de9a585aa9c879ef886109f3647"
        },
        {
          "url": "https://git.kernel.org/stable/c/74e18211c2c89ab66c9546baa7408288db61aa0d"
        },
        {
          "url": "https://git.kernel.org/stable/c/c13255389499275bc5489a0b5b7940ccea3aef04"
        },
        {
          "url": "https://git.kernel.org/stable/c/9febcc8bded8be0d7efd8237fcef599b6d93b788"
        },
        {
          "url": "https://git.kernel.org/stable/c/4c2c372de2e108319236203cce6de44d70ae15cd"
        }
      ],
      "title": "wifi: rtw88: fix the \u0027para\u0027 buffer size to avoid reading out of bounds",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38159",
    "datePublished": "2025-07-03T08:36:01.490Z",
    "dateReserved": "2025-04-16T04:51:23.990Z",
    "dateUpdated": "2025-11-03T17:34:48.215Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-49993 (GCVE-0-2022-49993)

Vulnerability from cvelistv5

Published

2025-06-18 11:00

Modified

2025-06-18 11:00

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: loop: Check for overflow while configuring loop The userspace can configure a loop using an ioctl call, wherein a configuration of type loop_config is passed (see lo_ioctl()'s case on line 1550 of drivers/block/loop.c). This proceeds to call loop_configure() which in turn calls loop_set_status_from_info() (see line 1050 of loop.c), passing &config->info which is of type loop_info64*. This function then sets the appropriate values, like the offset. loop_device has lo_offset of type loff_t (see line 52 of loop.c), which is typdef-chained to long long, whereas loop_info64 has lo_offset of type __u64 (see line 56 of include/uapi/linux/loop.h). The function directly copies offset from info to the device as follows (See line 980 of loop.c): lo->lo_offset = info->lo_offset; This results in an overflow, which triggers a warning in iomap_iter() due to a call to iomap_iter_done() which has: WARN_ON_ONCE(iter->iomap.offset > iter->pos); Thus, check for negative value during loop_set_status_from_info(). Bug report: https://syzkaller.appspot.com/bug?id=c620fe14aac810396d3c3edc9ad73848bf69a29e

References

URL

Tags

	https://git.kernel.org/stable/c/18e28817cb516b39de6281f6db9b0618b2cc7b42
	https://git.kernel.org/stable/c/adf0112d9b8acb03485624220b4934f69bf13369
	https://git.kernel.org/stable/c/a217715338fd48f72114725aa7a40e484a781ca7
	https://git.kernel.org/stable/c/b40877b8562c5720d0a7fce20729f56b75a3dede
	https://git.kernel.org/stable/c/6858933131d0dadac071c4d33335a9ea4b8e76cf
	https://git.kernel.org/stable/c/0455bef69028c65065f16bb04635591b2374249b
	https://git.kernel.org/stable/c/9be7fa7ead18a48940df7b59d993bbc8b9055c15
	https://git.kernel.org/stable/c/c490a0b5a4f36da3918181a8acdc6991d967c5f3

Impacted products

Vendor

Product

Version

Linux

Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Linux

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/block/loop.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "18e28817cb516b39de6281f6db9b0618b2cc7b42",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "adf0112d9b8acb03485624220b4934f69bf13369",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "a217715338fd48f72114725aa7a40e484a781ca7",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "b40877b8562c5720d0a7fce20729f56b75a3dede",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "6858933131d0dadac071c4d33335a9ea4b8e76cf",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "0455bef69028c65065f16bb04635591b2374249b",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "9be7fa7ead18a48940df7b59d993bbc8b9055c15",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "c490a0b5a4f36da3918181a8acdc6991d967c5f3",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/block/loop.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "4.9.*",
              "status": "unaffected",
              "version": "4.9.327",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.14.*",
              "status": "unaffected",
              "version": "4.14.292",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.312",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.274",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.64",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.19.*",
              "status": "unaffected",
              "version": "5.19.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.9.327",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.14.292",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.312",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.274",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.140",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.64",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.19.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nloop: Check for overflow while configuring loop\n\nThe userspace can configure a loop using an ioctl call, wherein\na configuration of type loop_config is passed (see lo_ioctl()\u0027s\ncase on line 1550 of drivers/block/loop.c). This proceeds to call\nloop_configure() which in turn calls loop_set_status_from_info()\n(see line 1050 of loop.c), passing \u0026config-\u003einfo which is of type\nloop_info64*. This function then sets the appropriate values, like\nthe offset.\n\nloop_device has lo_offset of type loff_t (see line 52 of loop.c),\nwhich is typdef-chained to long long, whereas loop_info64 has\nlo_offset of type __u64 (see line 56 of include/uapi/linux/loop.h).\n\nThe function directly copies offset from info to the device as\nfollows (See line 980 of loop.c):\n\tlo-\u003elo_offset = info-\u003elo_offset;\n\nThis results in an overflow, which triggers a warning in iomap_iter()\ndue to a call to iomap_iter_done() which has:\n\tWARN_ON_ONCE(iter-\u003eiomap.offset \u003e iter-\u003epos);\n\nThus, check for negative value during loop_set_status_from_info().\n\nBug report: https://syzkaller.appspot.com/bug?id=c620fe14aac810396d3c3edc9ad73848bf69a29e"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-18T11:00:53.487Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/18e28817cb516b39de6281f6db9b0618b2cc7b42"
        },
        {
          "url": "https://git.kernel.org/stable/c/adf0112d9b8acb03485624220b4934f69bf13369"
        },
        {
          "url": "https://git.kernel.org/stable/c/a217715338fd48f72114725aa7a40e484a781ca7"
        },
        {
          "url": "https://git.kernel.org/stable/c/b40877b8562c5720d0a7fce20729f56b75a3dede"
        },
        {
          "url": "https://git.kernel.org/stable/c/6858933131d0dadac071c4d33335a9ea4b8e76cf"
        },
        {
          "url": "https://git.kernel.org/stable/c/0455bef69028c65065f16bb04635591b2374249b"
        },
        {
          "url": "https://git.kernel.org/stable/c/9be7fa7ead18a48940df7b59d993bbc8b9055c15"
        },
        {
          "url": "https://git.kernel.org/stable/c/c490a0b5a4f36da3918181a8acdc6991d967c5f3"
        }
      ],
      "title": "loop: Check for overflow while configuring loop",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-49993",
    "datePublished": "2025-06-18T11:00:53.487Z",
    "dateReserved": "2025-06-18T10:57:27.387Z",
    "dateUpdated": "2025-06-18T11:00:53.487Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38108 (GCVE-0-2025-38108)

Vulnerability from cvelistv5

Published

2025-07-03 08:35

Modified

2025-11-03 17:34

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: net_sched: red: fix a race in __red_change() Gerrard Tai reported a race condition in RED, whenever SFQ perturb timer fires at the wrong time. The race is as follows: CPU 0 CPU 1 [1]: lock root [2]: qdisc_tree_flush_backlog() [3]: unlock root | | [5]: lock root | [6]: rehash | [7]: qdisc_tree_reduce_backlog() | [4]: qdisc_put() This can be abused to underflow a parent's qlen. Calling qdisc_purge_queue() instead of qdisc_tree_flush_backlog() should fix the race, because all packets will be purged from the qdisc before releasing the lock.

References

URL

Tags

	https://git.kernel.org/stable/c/2790c4ec481be45a80948d059cd7c9a06bc37493
	https://git.kernel.org/stable/c/a1bf6a4e9264a685b0e642994031f9c5aad72414
	https://git.kernel.org/stable/c/110a47efcf23438ff8d31dbd9c854fae2a48bf98
	https://git.kernel.org/stable/c/f569984417a4e12c67366e69bdcb752970de921d
	https://git.kernel.org/stable/c/2a71924ca4af59ffc00f0444732b6cd54b153d0e
	https://git.kernel.org/stable/c/4b755305b2b0618e857fdadb499365b5f2e478d1
	https://git.kernel.org/stable/c/444ad445df5496a785705019268a8a84b84484bb
	https://git.kernel.org/stable/c/85a3e0ede38450ea3053b8c45d28cf55208409b8

Impacted products

Vendor

Product

Version

Linux

Version: 0c8d13ac96070000da33f394f45e9c19638483c5
Version: 0c8d13ac96070000da33f394f45e9c19638483c5
Version: 0c8d13ac96070000da33f394f45e9c19638483c5
Version: 0c8d13ac96070000da33f394f45e9c19638483c5
Version: 0c8d13ac96070000da33f394f45e9c19638483c5
Version: 0c8d13ac96070000da33f394f45e9c19638483c5
Version: 0c8d13ac96070000da33f394f45e9c19638483c5
Version: 0c8d13ac96070000da33f394f45e9c19638483c5

Linux

Version: 5.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:34:11.552Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_red.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "2790c4ec481be45a80948d059cd7c9a06bc37493",
              "status": "affected",
              "version": "0c8d13ac96070000da33f394f45e9c19638483c5",
              "versionType": "git"
            },
            {
              "lessThan": "a1bf6a4e9264a685b0e642994031f9c5aad72414",
              "status": "affected",
              "version": "0c8d13ac96070000da33f394f45e9c19638483c5",
              "versionType": "git"
            },
            {
              "lessThan": "110a47efcf23438ff8d31dbd9c854fae2a48bf98",
              "status": "affected",
              "version": "0c8d13ac96070000da33f394f45e9c19638483c5",
              "versionType": "git"
            },
            {
              "lessThan": "f569984417a4e12c67366e69bdcb752970de921d",
              "status": "affected",
              "version": "0c8d13ac96070000da33f394f45e9c19638483c5",
              "versionType": "git"
            },
            {
              "lessThan": "2a71924ca4af59ffc00f0444732b6cd54b153d0e",
              "status": "affected",
              "version": "0c8d13ac96070000da33f394f45e9c19638483c5",
              "versionType": "git"
            },
            {
              "lessThan": "4b755305b2b0618e857fdadb499365b5f2e478d1",
              "status": "affected",
              "version": "0c8d13ac96070000da33f394f45e9c19638483c5",
              "versionType": "git"
            },
            {
              "lessThan": "444ad445df5496a785705019268a8a84b84484bb",
              "status": "affected",
              "version": "0c8d13ac96070000da33f394f45e9c19638483c5",
              "versionType": "git"
            },
            {
              "lessThan": "85a3e0ede38450ea3053b8c45d28cf55208409b8",
              "status": "affected",
              "version": "0c8d13ac96070000da33f394f45e9c19638483c5",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_red.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.0"
            },
            {
              "lessThan": "5.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.295",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.295",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.94",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: red: fix a race in __red_change()\n\nGerrard Tai reported a race condition in RED, whenever SFQ perturb timer\nfires at the wrong time.\n\nThe race is as follows:\n\nCPU 0                                 CPU 1\n[1]: lock root\n[2]: qdisc_tree_flush_backlog()\n[3]: unlock root\n |\n |                                    [5]: lock root\n |                                    [6]: rehash\n |                                    [7]: qdisc_tree_reduce_backlog()\n |\n[4]: qdisc_put()\n\nThis can be abused to underflow a parent\u0027s qlen.\n\nCalling qdisc_purge_queue() instead of qdisc_tree_flush_backlog()\nshould fix the race, because all packets will be purged from the qdisc\nbefore releasing the lock."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:12:23.828Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/2790c4ec481be45a80948d059cd7c9a06bc37493"
        },
        {
          "url": "https://git.kernel.org/stable/c/a1bf6a4e9264a685b0e642994031f9c5aad72414"
        },
        {
          "url": "https://git.kernel.org/stable/c/110a47efcf23438ff8d31dbd9c854fae2a48bf98"
        },
        {
          "url": "https://git.kernel.org/stable/c/f569984417a4e12c67366e69bdcb752970de921d"
        },
        {
          "url": "https://git.kernel.org/stable/c/2a71924ca4af59ffc00f0444732b6cd54b153d0e"
        },
        {
          "url": "https://git.kernel.org/stable/c/4b755305b2b0618e857fdadb499365b5f2e478d1"
        },
        {
          "url": "https://git.kernel.org/stable/c/444ad445df5496a785705019268a8a84b84484bb"
        },
        {
          "url": "https://git.kernel.org/stable/c/85a3e0ede38450ea3053b8c45d28cf55208409b8"
        }
      ],
      "title": "net_sched: red: fix a race in __red_change()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38108",
    "datePublished": "2025-07-03T08:35:18.523Z",
    "dateReserved": "2025-04-16T04:51:23.985Z",
    "dateUpdated": "2025-11-03T17:34:11.552Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38353 (GCVE-0-2025-38353)

Vulnerability from cvelistv5

Published

2025-07-25 12:47

Modified

2025-07-28 11:16

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/xe: Fix taking invalid lock on wedge If device wedges on e.g. GuC upload, the submission is not yet enabled and the state is not even initialized. Protect the wedge call so it does nothing in this case. It fixes the following splat: [] xe 0000:bf:00.0: [drm] device wedged, needs recovery [] ------------[ cut here ]------------ [] DEBUG_LOCKS_WARN_ON(lock->magic != lock) [] WARNING: CPU: 48 PID: 312 at kernel/locking/mutex.c:564 __mutex_lock+0x8a1/0xe60 ... [] RIP: 0010:__mutex_lock+0x8a1/0xe60 [] mutex_lock_nested+0x1b/0x30 [] xe_guc_submit_wedge+0x80/0x2b0 [xe]

References

URL

Tags

	https://git.kernel.org/stable/c/a6d81b2d7037ef36163ad16459ed3fd17cb1b596
	https://git.kernel.org/stable/c/20eec7018e132a023f84ccbdf56b6c5b73d3094f
	https://git.kernel.org/stable/c/1e1981b16bb1bbe2fafa57ed439b45cb5b34e32d

Impacted products

Vendor

Product

Version

Linux

Version: dd08ebf6c3525a7ea2186e636df064ea47281987
Version: dd08ebf6c3525a7ea2186e636df064ea47281987
Version: dd08ebf6c3525a7ea2186e636df064ea47281987

Linux

Version: 6.8

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/xe/xe_guc_submit.c",
            "drivers/gpu/drm/xe/xe_guc_types.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a6d81b2d7037ef36163ad16459ed3fd17cb1b596",
              "status": "affected",
              "version": "dd08ebf6c3525a7ea2186e636df064ea47281987",
              "versionType": "git"
            },
            {
              "lessThan": "20eec7018e132a023f84ccbdf56b6c5b73d3094f",
              "status": "affected",
              "version": "dd08ebf6c3525a7ea2186e636df064ea47281987",
              "versionType": "git"
            },
            {
              "lessThan": "1e1981b16bb1bbe2fafa57ed439b45cb5b34e32d",
              "status": "affected",
              "version": "dd08ebf6c3525a7ea2186e636df064ea47281987",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/xe/xe_guc_submit.c",
            "drivers/gpu/drm/xe/xe_guc_types.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.8"
            },
            {
              "lessThan": "6.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.36",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.36",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.5",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Fix taking invalid lock on wedge\n\nIf device wedges on e.g. GuC upload, the submission is not yet enabled\nand the state is not even initialized. Protect the wedge call so it does\nnothing in this case. It fixes the following splat:\n\n\t[] xe 0000:bf:00.0: [drm] device wedged, needs recovery\n\t[] ------------[ cut here ]------------\n\t[] DEBUG_LOCKS_WARN_ON(lock-\u003emagic != lock)\n\t[] WARNING: CPU: 48 PID: 312 at kernel/locking/mutex.c:564 __mutex_lock+0x8a1/0xe60\n\t...\n\t[] RIP: 0010:__mutex_lock+0x8a1/0xe60\n\t[]  mutex_lock_nested+0x1b/0x30\n\t[]  xe_guc_submit_wedge+0x80/0x2b0 [xe]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T11:16:45.184Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a6d81b2d7037ef36163ad16459ed3fd17cb1b596"
        },
        {
          "url": "https://git.kernel.org/stable/c/20eec7018e132a023f84ccbdf56b6c5b73d3094f"
        },
        {
          "url": "https://git.kernel.org/stable/c/1e1981b16bb1bbe2fafa57ed439b45cb5b34e32d"
        }
      ],
      "title": "drm/xe: Fix taking invalid lock on wedge",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38353",
    "datePublished": "2025-07-25T12:47:25.188Z",
    "dateReserved": "2025-04-16T04:51:24.007Z",
    "dateUpdated": "2025-07-28T11:16:45.184Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38275 (GCVE-0-2025-38275)

Vulnerability from cvelistv5

Published

2025-07-10 07:41

Modified

2025-11-03 17:36

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: phy: qcom-qmp-usb: Fix an NULL vs IS_ERR() bug The qmp_usb_iomap() helper function currently returns the raw result of devm_ioremap() for non-exclusive mappings. Since devm_ioremap() may return a NULL pointer and the caller only checks error pointers with IS_ERR(), NULL could bypass the check and lead to an invalid dereference. Fix the issue by checking if devm_ioremap() returns NULL. When it does, qmp_usb_iomap() now returns an error pointer via IOMEM_ERR_PTR(-ENOMEM), ensuring safe and consistent error handling.

References

URL

Tags

	https://git.kernel.org/stable/c/0b979a409e40457ca1b5cb48755d1f34eee58805
	https://git.kernel.org/stable/c/127dfb4f1c5a2b622039c5d203f321380ea36665
	https://git.kernel.org/stable/c/5072c1749197fc28b27d7efc0d80320d7cac9572
	https://git.kernel.org/stable/c/0c33117f00c8c5363c22676931b22ae5041f7603
	https://git.kernel.org/stable/c/d14402a38c2d868cacb1facaf9be908ca6558e59

Impacted products

Vendor

Product

Version

Linux

Version: a5d6b1ac56cbd6b5850a3a54e35f1cb71e8e8cdd
Version: a5d6b1ac56cbd6b5850a3a54e35f1cb71e8e8cdd
Version: a5d6b1ac56cbd6b5850a3a54e35f1cb71e8e8cdd
Version: a5d6b1ac56cbd6b5850a3a54e35f1cb71e8e8cdd
Version: a5d6b1ac56cbd6b5850a3a54e35f1cb71e8e8cdd
Version: 368ea32e0ad0335bdf3180067875a928e35387c6

Linux

Version: 6.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:36:09.044Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/phy/qualcomm/phy-qcom-qmp-usb.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0b979a409e40457ca1b5cb48755d1f34eee58805",
              "status": "affected",
              "version": "a5d6b1ac56cbd6b5850a3a54e35f1cb71e8e8cdd",
              "versionType": "git"
            },
            {
              "lessThan": "127dfb4f1c5a2b622039c5d203f321380ea36665",
              "status": "affected",
              "version": "a5d6b1ac56cbd6b5850a3a54e35f1cb71e8e8cdd",
              "versionType": "git"
            },
            {
              "lessThan": "5072c1749197fc28b27d7efc0d80320d7cac9572",
              "status": "affected",
              "version": "a5d6b1ac56cbd6b5850a3a54e35f1cb71e8e8cdd",
              "versionType": "git"
            },
            {
              "lessThan": "0c33117f00c8c5363c22676931b22ae5041f7603",
              "status": "affected",
              "version": "a5d6b1ac56cbd6b5850a3a54e35f1cb71e8e8cdd",
              "versionType": "git"
            },
            {
              "lessThan": "d14402a38c2d868cacb1facaf9be908ca6558e59",
              "status": "affected",
              "version": "a5d6b1ac56cbd6b5850a3a54e35f1cb71e8e8cdd",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "368ea32e0ad0335bdf3180067875a928e35387c6",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/phy/qualcomm/phy-qcom-qmp-usb.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.1"
            },
            {
              "lessThan": "6.1",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.94",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.15.93",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nphy: qcom-qmp-usb: Fix an NULL vs IS_ERR() bug\n\nThe qmp_usb_iomap() helper function currently returns the raw result of\ndevm_ioremap() for non-exclusive mappings. Since devm_ioremap() may return\na NULL pointer and the caller only checks error pointers with IS_ERR(),\nNULL could bypass the check and lead to an invalid dereference.\n\nFix the issue by checking if devm_ioremap() returns NULL. When it does,\nqmp_usb_iomap() now returns an error pointer via IOMEM_ERR_PTR(-ENOMEM),\nensuring safe and consistent error handling."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:17:03.723Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0b979a409e40457ca1b5cb48755d1f34eee58805"
        },
        {
          "url": "https://git.kernel.org/stable/c/127dfb4f1c5a2b622039c5d203f321380ea36665"
        },
        {
          "url": "https://git.kernel.org/stable/c/5072c1749197fc28b27d7efc0d80320d7cac9572"
        },
        {
          "url": "https://git.kernel.org/stable/c/0c33117f00c8c5363c22676931b22ae5041f7603"
        },
        {
          "url": "https://git.kernel.org/stable/c/d14402a38c2d868cacb1facaf9be908ca6558e59"
        }
      ],
      "title": "phy: qcom-qmp-usb: Fix an NULL vs IS_ERR() bug",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38275",
    "datePublished": "2025-07-10T07:41:55.658Z",
    "dateReserved": "2025-04-16T04:51:23.998Z",
    "dateUpdated": "2025-11-03T17:36:09.044Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38180 (GCVE-0-2025-38180)

Vulnerability from cvelistv5

Published

2025-07-04 13:37

Modified

2025-11-03 17:35

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: net: atm: fix /proc/net/atm/lec handling /proc/net/atm/lec must ensure safety against dev_lec[] changes. It appears it had dev_put() calls without prior dev_hold(), leading to imbalance and UAF.

References

URL

Tags

	https://git.kernel.org/stable/c/fcfccf56f4eba7d00aa2d33c7bb1b33083237742
	https://git.kernel.org/stable/c/f2d1443b18806640abdb530e88009af7be2588e7
	https://git.kernel.org/stable/c/ca3829c18c8d0ceb656605d3bff6bb3dfb078589
	https://git.kernel.org/stable/c/e612c4b014f5808fbc6beae21f5ccaca5e76a2f8
	https://git.kernel.org/stable/c/a5e3a144268899f1a8c445c8a3bfa15873ba85e8
	https://git.kernel.org/stable/c/5fe1b23a2f87f43aeeac51e08819cbc6fd808cbc
	https://git.kernel.org/stable/c/9b9aeb3ada44d8abea1e31e4446113f460848ae4
	https://git.kernel.org/stable/c/d03b79f459c7935cff830d98373474f440bd03ae

Impacted products

Vendor

Product

Version

Linux

Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Linux

Version: 2.6.12

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:35:04.821Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/atm/lec.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "fcfccf56f4eba7d00aa2d33c7bb1b33083237742",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "f2d1443b18806640abdb530e88009af7be2588e7",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "ca3829c18c8d0ceb656605d3bff6bb3dfb078589",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "e612c4b014f5808fbc6beae21f5ccaca5e76a2f8",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "a5e3a144268899f1a8c445c8a3bfa15873ba85e8",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "5fe1b23a2f87f43aeeac51e08819cbc6fd808cbc",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "9b9aeb3ada44d8abea1e31e4446113f460848ae4",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "d03b79f459c7935cff830d98373474f440bd03ae",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/atm/lec.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.295",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.95",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.35",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.295",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.95",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.35",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.4",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: atm: fix /proc/net/atm/lec handling\n\n/proc/net/atm/lec must ensure safety against dev_lec[] changes.\n\nIt appears it had dev_put() calls without prior dev_hold(),\nleading to imbalance and UAF."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:14:21.779Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/fcfccf56f4eba7d00aa2d33c7bb1b33083237742"
        },
        {
          "url": "https://git.kernel.org/stable/c/f2d1443b18806640abdb530e88009af7be2588e7"
        },
        {
          "url": "https://git.kernel.org/stable/c/ca3829c18c8d0ceb656605d3bff6bb3dfb078589"
        },
        {
          "url": "https://git.kernel.org/stable/c/e612c4b014f5808fbc6beae21f5ccaca5e76a2f8"
        },
        {
          "url": "https://git.kernel.org/stable/c/a5e3a144268899f1a8c445c8a3bfa15873ba85e8"
        },
        {
          "url": "https://git.kernel.org/stable/c/5fe1b23a2f87f43aeeac51e08819cbc6fd808cbc"
        },
        {
          "url": "https://git.kernel.org/stable/c/9b9aeb3ada44d8abea1e31e4446113f460848ae4"
        },
        {
          "url": "https://git.kernel.org/stable/c/d03b79f459c7935cff830d98373474f440bd03ae"
        }
      ],
      "title": "net: atm: fix /proc/net/atm/lec handling",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38180",
    "datePublished": "2025-07-04T13:37:08.258Z",
    "dateReserved": "2025-04-16T04:51:23.992Z",
    "dateUpdated": "2025-11-03T17:35:04.821Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38377 (GCVE-0-2025-38377)

Vulnerability from cvelistv5

Published

2025-07-25 12:53

Modified

2025-11-03 17:37

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: rose: fix dangling neighbour pointers in rose_rt_device_down() There are two bugs in rose_rt_device_down() that can cause use-after-free: 1. The loop bound `t->count` is modified within the loop, which can cause the loop to terminate early and miss some entries. 2. When removing an entry from the neighbour array, the subsequent entries are moved up to fill the gap, but the loop index `i` is still incremented, causing the next entry to be skipped. For example, if a node has three neighbours (A, A, B) with count=3 and A is being removed, the second A is not checked. i=0: (A, A, B) -> (A, B) with count=2 ^ checked i=1: (A, B) -> (A, B) with count=2 ^ checked (B, not A!) i=2: (doesn't occur because i < count is false) This leaves the second A in the array with count=2, but the rose_neigh structure has been freed. Code that accesses these entries assumes that the first `count` entries are valid pointers, causing a use-after-free when it accesses the dangling pointer. Fix both issues by iterating over the array in reverse order with a fixed loop bound. This ensures that all entries are examined and that the removal of an entry doesn't affect subsequent iterations.

References

URL

Tags

	https://git.kernel.org/stable/c/94e0918e39039c47ddceb609500817f7266be756
	https://git.kernel.org/stable/c/fe62a35fb1f77f494ed534fc69a9043dc5a30ce1
	https://git.kernel.org/stable/c/2b952dbb32fef835756f07ff0cd77efbb836dfea
	https://git.kernel.org/stable/c/b6b232e16e08c6dc120672b4753392df0d28c1b4
	https://git.kernel.org/stable/c/7a1841c9609377e989ec41c16551309ce79c39e4
	https://git.kernel.org/stable/c/446ac00b86be1670838e513b643933d78837d8db
	https://git.kernel.org/stable/c/2c6c82ee074bfcfd1bc978ec45bfea37703d840a
	https://git.kernel.org/stable/c/34a500caf48c47d5171f4aa1f237da39b07c6157

Impacted products

Vendor

Product

Version

Linux

Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Linux

Version: 2.6.12

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:37:14.330Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/rose/rose_route.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "94e0918e39039c47ddceb609500817f7266be756",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "fe62a35fb1f77f494ed534fc69a9043dc5a30ce1",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "2b952dbb32fef835756f07ff0cd77efbb836dfea",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "b6b232e16e08c6dc120672b4753392df0d28c1b4",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "7a1841c9609377e989ec41c16551309ce79c39e4",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "446ac00b86be1670838e513b643933d78837d8db",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "2c6c82ee074bfcfd1bc978ec45bfea37703d840a",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "34a500caf48c47d5171f4aa1f237da39b07c6157",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/rose/rose_route.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.296",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.240",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.187",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.144",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.97",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.37",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.296",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.240",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.187",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.144",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.97",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.37",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.6",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrose: fix dangling neighbour pointers in rose_rt_device_down()\n\nThere are two bugs in rose_rt_device_down() that can cause\nuse-after-free:\n\n1. The loop bound `t-\u003ecount` is modified within the loop, which can\n   cause the loop to terminate early and miss some entries.\n\n2. When removing an entry from the neighbour array, the subsequent entries\n   are moved up to fill the gap, but the loop index `i` is still\n   incremented, causing the next entry to be skipped.\n\nFor example, if a node has three neighbours (A, A, B) with count=3 and A\nis being removed, the second A is not checked.\n\n    i=0: (A, A, B) -\u003e (A, B) with count=2\n          ^ checked\n    i=1: (A, B)    -\u003e (A, B) with count=2\n             ^ checked (B, not A!)\n    i=2: (doesn\u0027t occur because i \u003c count is false)\n\nThis leaves the second A in the array with count=2, but the rose_neigh\nstructure has been freed. Code that accesses these entries assumes that\nthe first `count` entries are valid pointers, causing a use-after-free\nwhen it accesses the dangling pointer.\n\nFix both issues by iterating over the array in reverse order with a fixed\nloop bound. This ensures that all entries are examined and that the removal\nof an entry doesn\u0027t affect subsequent iterations."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:20:23.944Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/94e0918e39039c47ddceb609500817f7266be756"
        },
        {
          "url": "https://git.kernel.org/stable/c/fe62a35fb1f77f494ed534fc69a9043dc5a30ce1"
        },
        {
          "url": "https://git.kernel.org/stable/c/2b952dbb32fef835756f07ff0cd77efbb836dfea"
        },
        {
          "url": "https://git.kernel.org/stable/c/b6b232e16e08c6dc120672b4753392df0d28c1b4"
        },
        {
          "url": "https://git.kernel.org/stable/c/7a1841c9609377e989ec41c16551309ce79c39e4"
        },
        {
          "url": "https://git.kernel.org/stable/c/446ac00b86be1670838e513b643933d78837d8db"
        },
        {
          "url": "https://git.kernel.org/stable/c/2c6c82ee074bfcfd1bc978ec45bfea37703d840a"
        },
        {
          "url": "https://git.kernel.org/stable/c/34a500caf48c47d5171f4aa1f237da39b07c6157"
        }
      ],
      "title": "rose: fix dangling neighbour pointers in rose_rt_device_down()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38377",
    "datePublished": "2025-07-25T12:53:19.141Z",
    "dateReserved": "2025-04-16T04:51:24.010Z",
    "dateUpdated": "2025-11-03T17:37:14.330Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21898 (GCVE-0-2025-21898)

Vulnerability from cvelistv5

Published

2025-04-01 15:26

Modified

2025-11-03 19:38

Severity ?

5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: ftrace: Avoid potential division by zero in function_stat_show() Check whether denominator expression x * (x - 1) * 1000 mod {2^32, 2^64} produce zero and skip stddev computation in that case. For now don't care about rec->counter * rec->counter overflow because rec->time * rec->time overflow will likely happen earlier.

References

URL

Tags

	https://git.kernel.org/stable/c/5b3d32f607f0478b414b16516cf27f9170cf66c8
	https://git.kernel.org/stable/c/ca381f60a3bb7cfaa618d73ca411610bd7fc3149
	https://git.kernel.org/stable/c/3d738b53ed6cddb68e68c9874520a4bf846163b5
	https://git.kernel.org/stable/c/992775227843c9376773784b8b362add44592ad7
	https://git.kernel.org/stable/c/f58a3f8e284d0bdf94164a8e61cd4e70d337a1a3
	https://git.kernel.org/stable/c/746cc474a95473591853927b3a9792a2d671155b
	https://git.kernel.org/stable/c/9cdac46fa7e854e587eb5f393fe491b6d7a9bdf6
	https://git.kernel.org/stable/c/a1a7eb89ca0b89dc1c326eeee2596f263291aca3

Impacted products

CERTFR-2025-AVI-0723

Vulnerability from certfr_avis

Solutions

Action not permitted

CERTFR-2025-AVI-0723

Vulnerability from certfr_avis

Solutions

CVE-2024-53164 (GCVE-0-2024-53164)

Vulnerability from cvelistv5

CVE-2025-37987 (GCVE-0-2025-37987)

Vulnerability from cvelistv5

CVE-2025-22120 (GCVE-0-2025-22120)

Vulnerability from cvelistv5

CVE-2025-37767 (GCVE-0-2025-37767)

Vulnerability from cvelistv5

CVE-2025-38477 (GCVE-0-2025-38477)

Vulnerability from cvelistv5

CVE-2024-36978 (GCVE-0-2024-36978)

Vulnerability from cvelistv5

CVE-2025-37771 (GCVE-0-2025-37771)

Vulnerability from cvelistv5

CVE-2025-38007 (GCVE-0-2025-38007)

Vulnerability from cvelistv5

CVE-2025-37943 (GCVE-0-2025-37943)

Vulnerability from cvelistv5

CVE-2025-38463 (GCVE-0-2025-38463)

Vulnerability from cvelistv5

CVE-2022-49825 (GCVE-0-2022-49825)

Vulnerability from cvelistv5

CVE-2025-37946 (GCVE-0-2025-37946)

Vulnerability from cvelistv5

CVE-2025-38246 (GCVE-0-2025-38246)

Vulnerability from cvelistv5

CVE-2025-22089 (GCVE-0-2025-22089)

Vulnerability from cvelistv5

CVE-2025-38220 (GCVE-0-2025-38220)

Vulnerability from cvelistv5

CVE-2025-37812 (GCVE-0-2025-37812)

Vulnerability from cvelistv5

CVE-2025-38448 (GCVE-0-2025-38448)

Vulnerability from cvelistv5

CVE-2025-38136 (GCVE-0-2025-38136)

Vulnerability from cvelistv5

CVE-2025-38334 (GCVE-0-2025-38334)

Vulnerability from cvelistv5

CVE-2025-38157 (GCVE-0-2025-38157)

Vulnerability from cvelistv5

CVE-2025-37917 (GCVE-0-2025-37917)

Vulnerability from cvelistv5

CVE-2024-46713 (GCVE-0-2024-46713)

Vulnerability from cvelistv5

CVE-2025-22035 (GCVE-0-2025-22035)

Vulnerability from cvelistv5

CVE-2025-37782 (GCVE-0-2025-37782)

Vulnerability from cvelistv5

CVE-2025-38414 (GCVE-0-2025-38414)

Vulnerability from cvelistv5

CVE-2025-38107 (GCVE-0-2025-38107)

Vulnerability from cvelistv5

CVE-2025-38369 (GCVE-0-2025-38369)

Vulnerability from cvelistv5

CVE-2025-37754 (GCVE-0-2025-37754)

Vulnerability from cvelistv5

CVE-2025-38106 (GCVE-0-2025-38106)

Vulnerability from cvelistv5

CVE-2023-52927 (GCVE-0-2023-52927)

Vulnerability from cvelistv5

CVE-2025-37912 (GCVE-0-2025-37912)

Vulnerability from cvelistv5

CVE-2025-38410 (GCVE-0-2025-38410)

Vulnerability from cvelistv5

CVE-2025-38425 (GCVE-0-2025-38425)

Vulnerability from cvelistv5

CVE-2022-50027 (GCVE-0-2022-50027)

Vulnerability from cvelistv5

CVE-2025-38147 (GCVE-0-2025-38147)

Vulnerability from cvelistv5

CVE-2025-38078 (GCVE-0-2025-38078)

Vulnerability from cvelistv5

CVE-2025-37913 (GCVE-0-2025-37913)

Vulnerability from cvelistv5

CVE-2024-44963 (GCVE-0-2024-44963)

Vulnerability from cvelistv5