Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CERTFR-2025-AVI-0805
Vulnerability from certfr_avis
De multiples vulnérabilités ont été découvertes dans le noyau Linux de SUSE. Certaines d'entre elles permettent à un attaquant de provoquer une atteinte à la confidentialité des données, une atteinte à l'intégrité des données et un contournement de la politique de sécurité.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| SUSE | SUSE Linux Enterprise High Performance Computing | SUSE Linux Enterprise High Performance Computing 15 SP5 | ||
| SUSE | SUSE Linux Enterprise Live Patching | SUSE Linux Enterprise Live Patching 15-SP5 | ||
| SUSE | SUSE Linux Enterprise Server | SUSE Linux Enterprise Server 12 SP5 LTSS | ||
| SUSE | SUSE Linux Enterprise Real Time | SUSE Linux Enterprise Real Time 15 SP7 | ||
| SUSE | SUSE Linux Enterprise Server | SUSE Linux Enterprise Server for SAP Applications 15 SP6 | ||
| SUSE | SUSE Linux Enterprise High Performance Computing | SUSE Linux Enterprise High Performance Computing 12 SP5 | ||
| SUSE | SUSE Linux Enterprise Live Patching | SUSE Linux Enterprise Live Patching 12-SP5 | ||
| SUSE | SUSE Linux Enterprise Server | SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security | ||
| SUSE | SUSE Linux Enterprise Live Patching | SUSE Linux Enterprise Live Patching 15-SP6 | ||
| SUSE | SUSE Linux Enterprise Server | SUSE Linux Enterprise Server for SAP Applications 12 SP5 | ||
| SUSE | SUSE Linux Enterprise Live Patching | SUSE Linux Enterprise Live Patching 15-SP7 | ||
| SUSE | SUSE Linux Enterprise Server | SUSE Linux Enterprise Server 12 SP5 | ||
| SUSE | SUSE Linux Enterprise Server | SUSE Linux Enterprise Server 15 SP5 | ||
| SUSE | SUSE Linux Enterprise Server | SUSE Linux Enterprise Server for SAP Applications 15 SP5 | ||
| SUSE | openSUSE Leap | openSUSE Leap 15.6 | ||
| SUSE | SUSE Linux Enterprise Real Time | SUSE Linux Enterprise Real Time 15 SP5 | ||
| SUSE | openSUSE Leap | SUSE Linux Enterprise Server 12 SP5 LTSS | ||
| SUSE | SUSE Linux Enterprise Server | SUSE Linux Enterprise Server 15 SP6 | ||
| SUSE | SUSE Real Time Module | SUSE Real Time Module 15-SP6 | ||
| SUSE | SUSE Linux Enterprise Server | SUSE Linux Enterprise Server for SAP Applications 15 SP7 | ||
| SUSE | SUSE Linux Enterprise Server | SUSE Linux Enterprise Server 11 SP4 | ||
| SUSE | SUSE Linux Enterprise Micro | SUSE Linux Enterprise Micro 5.5 | ||
| SUSE | SUSE Linux Enterprise Real Time | SUSE Linux Enterprise Real Time 15 SP6 | ||
| SUSE | SUSE Linux Enterprise Server | SUSE Linux Enterprise Server 15 SP7 | ||
| SUSE | SUSE Linux Enterprise Server | SUSE Linux Enterprise Server 11 SP4 LTSS EXTREME CORE |
References
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "SUSE Linux Enterprise High Performance Computing 15 SP5",
"product": {
"name": "SUSE Linux Enterprise High Performance Computing",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Live Patching 15-SP5",
"product": {
"name": "SUSE Linux Enterprise Live Patching",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server 12 SP5 LTSS",
"product": {
"name": "SUSE Linux Enterprise Server",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Real Time 15 SP7",
"product": {
"name": "SUSE Linux Enterprise Real Time",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server for SAP Applications 15 SP6",
"product": {
"name": "SUSE Linux Enterprise Server",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise High Performance Computing 12 SP5",
"product": {
"name": "SUSE Linux Enterprise High Performance Computing",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Live Patching 12-SP5",
"product": {
"name": "SUSE Linux Enterprise Live Patching",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security",
"product": {
"name": "SUSE Linux Enterprise Server",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Live Patching 15-SP6",
"product": {
"name": "SUSE Linux Enterprise Live Patching",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server for SAP Applications 12 SP5",
"product": {
"name": "SUSE Linux Enterprise Server",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Live Patching 15-SP7",
"product": {
"name": "SUSE Linux Enterprise Live Patching",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server 12 SP5",
"product": {
"name": "SUSE Linux Enterprise Server",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server 15 SP5",
"product": {
"name": "SUSE Linux Enterprise Server",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server for SAP Applications 15 SP5",
"product": {
"name": "SUSE Linux Enterprise Server",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "openSUSE Leap 15.6",
"product": {
"name": "openSUSE Leap",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Real Time 15 SP5",
"product": {
"name": "SUSE Linux Enterprise Real Time",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server 12 SP5 LTSS",
"product": {
"name": "openSUSE Leap",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server 15 SP6",
"product": {
"name": "SUSE Linux Enterprise Server",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Real Time Module 15-SP6",
"product": {
"name": "SUSE Real Time Module",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server for SAP Applications 15 SP7",
"product": {
"name": "SUSE Linux Enterprise Server",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server 11 SP4",
"product": {
"name": "SUSE Linux Enterprise Server",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Micro 5.5",
"product": {
"name": "SUSE Linux Enterprise Micro",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Real Time 15 SP6",
"product": {
"name": "SUSE Linux Enterprise Real Time",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server 15 SP7",
"product": {
"name": "SUSE Linux Enterprise Server",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server 11 SP4 LTSS EXTREME CORE",
"product": {
"name": "SUSE Linux Enterprise Server",
"vendor": {
"name": "SUSE",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2022-50141",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50141"
},
{
"name": "CVE-2025-38490",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38490"
},
{
"name": "CVE-2022-50229",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50229"
},
{
"name": "CVE-2025-38201",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38201"
},
{
"name": "CVE-2025-38520",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38520"
},
{
"name": "CVE-2025-38588",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38588"
},
{
"name": "CVE-2025-38474",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38474"
},
{
"name": "CVE-2025-38601",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38601"
},
{
"name": "CVE-2022-49053",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49053"
},
{
"name": "CVE-2025-38515",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38515"
},
{
"name": "CVE-2025-38444",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38444"
},
{
"name": "CVE-2025-38624",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38624"
},
{
"name": "CVE-2025-38208",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38208"
},
{
"name": "CVE-2023-53117",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53117"
},
{
"name": "CVE-2025-38524",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38524"
},
{
"name": "CVE-2025-38087",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38087"
},
{
"name": "CVE-2022-50162",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50162"
},
{
"name": "CVE-2025-38646",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38646"
},
{
"name": "CVE-2025-38491",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38491"
},
{
"name": "CVE-2025-38313",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38313"
},
{
"name": "CVE-2025-38644",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38644"
},
{
"name": "CVE-2025-38563",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38563"
},
{
"name": "CVE-2025-38591",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38591"
},
{
"name": "CVE-2025-38609",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38609"
},
{
"name": "CVE-2023-53020",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53020"
},
{
"name": "CVE-2025-38500",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38500"
},
{
"name": "CVE-2025-38571",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38571"
},
{
"name": "CVE-2024-26661",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26661"
},
{
"name": "CVE-2023-4130",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-4130"
},
{
"name": "CVE-2025-38445",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38445"
},
{
"name": "CVE-2025-38538",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38538"
},
{
"name": "CVE-2024-58238",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-58238"
},
{
"name": "CVE-2025-38565",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38565"
},
{
"name": "CVE-2024-53057",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-53057"
},
{
"name": "CVE-2025-38587",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38587"
},
{
"name": "CVE-2022-49975",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49975"
},
{
"name": "CVE-2025-38555",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38555"
},
{
"name": "CVE-2025-38102",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38102"
},
{
"name": "CVE-2025-38449",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38449"
},
{
"name": "CVE-2022-50138",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50138"
},
{
"name": "CVE-2025-38459",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38459"
},
{
"name": "CVE-2025-38184",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38184"
},
{
"name": "CVE-2025-38634",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38634"
},
{
"name": "CVE-2025-38458",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38458"
},
{
"name": "CVE-2025-38464",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38464"
},
{
"name": "CVE-2025-38457",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38457"
},
{
"name": "CVE-2025-38582",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38582"
},
{
"name": "CVE-2025-38543",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38543"
},
{
"name": "CVE-2025-38212",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38212"
},
{
"name": "CVE-2025-38537",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38537"
},
{
"name": "CVE-2025-38546",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38546"
},
{
"name": "CVE-2022-50066",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50066"
},
{
"name": "CVE-2025-38251",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38251"
},
{
"name": "CVE-2025-38632",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38632"
},
{
"name": "CVE-2025-38153",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38153"
},
{
"name": "CVE-2025-38548",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38548"
},
{
"name": "CVE-2025-21999",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21999"
},
{
"name": "CVE-2025-38465",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38465"
},
{
"name": "CVE-2025-38513",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38513"
},
{
"name": "CVE-2025-38670",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38670"
},
{
"name": "CVE-2022-50211",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50211"
},
{
"name": "CVE-2025-38602",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38602"
},
{
"name": "CVE-2025-38441",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38441"
},
{
"name": "CVE-2025-38568",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38568"
},
{
"name": "CVE-2025-38583",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38583"
},
{
"name": "CVE-2025-38499",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38499"
},
{
"name": "CVE-2025-38079",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38079"
},
{
"name": "CVE-2024-53164",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-53164"
},
{
"name": "CVE-2025-38245",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38245"
},
{
"name": "CVE-2025-38656",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38656"
},
{
"name": "CVE-2025-23141",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-23141"
},
{
"name": "CVE-2025-38541",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38541"
},
{
"name": "CVE-2025-38386",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38386"
},
{
"name": "CVE-2025-38530",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38530"
},
{
"name": "CVE-2025-38174",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38174"
},
{
"name": "CVE-2022-50080",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50080"
},
{
"name": "CVE-2022-49980",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49980"
},
{
"name": "CVE-2025-38529",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38529"
},
{
"name": "CVE-2025-38424",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38424"
},
{
"name": "CVE-2025-38430",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38430"
},
{
"name": "CVE-2025-38608",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38608"
},
{
"name": "CVE-2025-38650",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38650"
},
{
"name": "CVE-2024-28956",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-28956"
},
{
"name": "CVE-2025-38621",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38621"
},
{
"name": "CVE-2025-38160",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38160"
},
{
"name": "CVE-2022-50116",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50116"
},
{
"name": "CVE-2025-38528",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38528"
},
{
"name": "CVE-2025-21971",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21971"
},
{
"name": "CVE-2025-38117",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38117"
},
{
"name": "CVE-2025-38556",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38556"
},
{
"name": "CVE-2025-38075",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38075"
},
{
"name": "CVE-2025-37885",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37885"
},
{
"name": "CVE-2025-38000",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38000"
},
{
"name": "CVE-2025-38617",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38617"
},
{
"name": "CVE-2025-38122",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38122"
},
{
"name": "CVE-2025-38612",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38612"
},
{
"name": "CVE-2025-38173",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38173"
},
{
"name": "CVE-2022-49967",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49967"
},
{
"name": "CVE-2025-38566",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38566"
},
{
"name": "CVE-2025-38663",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38663"
},
{
"name": "CVE-2024-49867",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-49867"
},
{
"name": "CVE-2025-38665",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38665"
},
{
"name": "CVE-2025-38671",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38671"
},
{
"name": "CVE-2025-37890",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37890"
},
{
"name": "CVE-2025-38635",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38635"
},
{
"name": "CVE-2023-3867",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-3867"
},
{
"name": "CVE-2025-38540",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38540"
},
{
"name": "CVE-2022-50007",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50007"
},
{
"name": "CVE-2025-38146",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38146"
},
{
"name": "CVE-2025-38510",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38510"
},
{
"name": "CVE-2022-49981",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49981"
},
{
"name": "CVE-2022-50185",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50185"
},
{
"name": "CVE-2025-38472",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38472"
},
{
"name": "CVE-2025-38506",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38506"
},
{
"name": "CVE-2025-38604",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38604"
},
{
"name": "CVE-2025-22022",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22022"
},
{
"name": "CVE-2024-49996",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-49996"
},
{
"name": "CVE-2025-38006",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38006"
},
{
"name": "CVE-2025-38125",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38125"
},
{
"name": "CVE-2024-46733",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-46733"
},
{
"name": "CVE-2024-58239",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-58239"
},
{
"name": "CVE-2025-38185",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38185"
},
{
"name": "CVE-2025-38001",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38001"
},
{
"name": "CVE-2025-38352",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38352"
},
{
"name": "CVE-2025-38263",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38263"
},
{
"name": "CVE-2025-38610",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38610"
},
{
"name": "CVE-2025-38214",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38214"
},
{
"name": "CVE-2025-38560",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38560"
},
{
"name": "CVE-2025-38618",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38618"
},
{
"name": "CVE-2023-52813",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52813"
},
{
"name": "CVE-2025-38581",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38581"
},
{
"name": "CVE-2025-21701",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21701"
},
{
"name": "CVE-2023-4515",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-4515"
},
{
"name": "CVE-2025-38516",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38516"
},
{
"name": "CVE-2025-38576",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38576"
},
{
"name": "CVE-2025-38439",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38439"
},
{
"name": "CVE-2025-38553",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38553"
},
{
"name": "CVE-2025-38190",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38190"
},
{
"name": "CVE-2025-38205",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38205"
},
{
"name": "CVE-2024-47674",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-47674"
},
{
"name": "CVE-2025-21659",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21659"
},
{
"name": "CVE-2025-38498",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38498"
},
{
"name": "CVE-2025-38200",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38200"
},
{
"name": "CVE-2025-38531",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38531"
},
{
"name": "CVE-2025-38503",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38503"
},
{
"name": "CVE-2025-38630",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38630"
},
{
"name": "CVE-2025-38585",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38585"
},
{
"name": "CVE-2022-50127",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50127"
},
{
"name": "CVE-2025-38213",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38213"
},
{
"name": "CVE-2025-38103",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38103"
},
{
"name": "CVE-2024-47706",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-47706"
},
{
"name": "CVE-2025-38360",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38360"
},
{
"name": "CVE-2025-38512",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38512"
},
{
"name": "CVE-2022-50228",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50228"
},
{
"name": "CVE-2022-50191",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50191"
},
{
"name": "CVE-2025-38572",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38572"
},
{
"name": "CVE-2025-38460",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38460"
},
{
"name": "CVE-2025-38550",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38550"
},
{
"name": "CVE-2025-38535",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38535"
},
{
"name": "CVE-2025-38473",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38473"
},
{
"name": "CVE-2025-38470",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38470"
}
],
"initial_release_date": "2025-09-19T00:00:00",
"last_revision_date": "2025-09-19T00:00:00",
"links": [],
"reference": "CERTFR-2025-AVI-0805",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-09-19T00:00:00.000000"
}
],
"risks": [
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Ex\u00e9cution de code arbitraire"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "D\u00e9ni de service"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans le noyau Linux de SUSE. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es, une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es et un contournement de la politique de s\u00e9curit\u00e9.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans le noyau Linux de SUSE",
"vendor_advisories": [
{
"published_at": "2025-09-18",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:02844-2",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202502844-2"
},
{
"published_at": "2025-09-13",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:03210-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503210-1"
},
{
"published_at": "2025-09-12",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:03190-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503190-1"
},
{
"published_at": "2025-09-15",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:03226-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503226-1"
},
{
"published_at": "2025-09-15",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:03223-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503223-1"
},
{
"published_at": "2025-09-12",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:03207-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503207-1"
},
{
"published_at": "2025-09-15",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:03221-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503221-1"
},
{
"published_at": "2025-09-13",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:03208-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503208-1"
},
{
"published_at": "2025-09-13",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:03214-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503214-1"
},
{
"published_at": "2025-09-13",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:03212-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503212-1"
},
{
"published_at": "2025-09-12",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:03204-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503204-1"
},
{
"published_at": "2025-09-15",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:03235-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503235-1"
},
{
"published_at": "2025-09-13",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:03209-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503209-1"
},
{
"published_at": "2025-09-12",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:03195-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503195-1"
},
{
"published_at": "2025-09-12",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:03194-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503194-1"
},
{
"published_at": "2025-09-15",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:03217-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503217-1"
},
{
"published_at": "2025-09-13",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:03213-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503213-1"
},
{
"published_at": "2025-09-14",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:03215-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503215-1"
},
{
"published_at": "2025-09-15",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:03222-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503222-1"
},
{
"published_at": "2025-09-12",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:03191-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503191-1"
},
{
"published_at": "2025-09-18",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:03272-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503272-1"
}
]
}
CVE-2025-38563 (GCVE-0-2025-38563)
Vulnerability from cvelistv5
Published
2025-08-19 17:02
Modified
2025-10-10 15:32
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
perf/core: Prevent VMA split of buffer mappings
The perf mmap code is careful about mmap()'ing the user page with the
ringbuffer and additionally the auxiliary buffer, when the event supports
it. Once the first mapping is established, subsequent mapping have to use
the same offset and the same size in both cases. The reference counting for
the ringbuffer and the auxiliary buffer depends on this being correct.
Though perf does not prevent that a related mapping is split via mmap(2),
munmap(2) or mremap(2). A split of a VMA results in perf_mmap_open() calls,
which take reference counts, but then the subsequent perf_mmap_close()
calls are not longer fulfilling the offset and size checks. This leads to
reference count leaks.
As perf already has the requirement for subsequent mappings to match the
initial mapping, the obvious consequence is that VMA splits, caused by
resizing of a mapping or partial unmapping, have to be prevented.
Implement the vm_operations_struct::may_split() callback and return
unconditionally -EINVAL.
That ensures that the mapping offsets and sizes cannot be changed after the
fact. Remapping to a different fixed address with the same size is still
possible as it takes the references for the new mapping and drops those of
the old mapping.
References
| URL | Tags | |||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 45bfb2e50471abbbfd83d40d28c986078b0d24ff Version: 45bfb2e50471abbbfd83d40d28c986078b0d24ff Version: 45bfb2e50471abbbfd83d40d28c986078b0d24ff Version: 45bfb2e50471abbbfd83d40d28c986078b0d24ff Version: 45bfb2e50471abbbfd83d40d28c986078b0d24ff Version: 45bfb2e50471abbbfd83d40d28c986078b0d24ff Version: 45bfb2e50471abbbfd83d40d28c986078b0d24ff Version: 45bfb2e50471abbbfd83d40d28c986078b0d24ff Version: 45bfb2e50471abbbfd83d40d28c986078b0d24ff |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/events/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e4346ffec2c44d6b0be834d59b20632b5bb5729e",
"status": "affected",
"version": "45bfb2e50471abbbfd83d40d28c986078b0d24ff",
"versionType": "git"
},
{
"lessThan": "d52451a9210f2e5a079ba052918c93563518a9ff",
"status": "affected",
"version": "45bfb2e50471abbbfd83d40d28c986078b0d24ff",
"versionType": "git"
},
{
"lessThan": "3bd518cc7ea61076bcd725e36ff0e690754977c0",
"status": "affected",
"version": "45bfb2e50471abbbfd83d40d28c986078b0d24ff",
"versionType": "git"
},
{
"lessThan": "7b84cb58d1f0aa07656802eae24689566e5f5b1b",
"status": "affected",
"version": "45bfb2e50471abbbfd83d40d28c986078b0d24ff",
"versionType": "git"
},
{
"lessThan": "6757a31a8e295ae4f01717a954afda173f25a121",
"status": "affected",
"version": "45bfb2e50471abbbfd83d40d28c986078b0d24ff",
"versionType": "git"
},
{
"lessThan": "e529888b7e8092912dd8789bdfc76685ccd2ff5f",
"status": "affected",
"version": "45bfb2e50471abbbfd83d40d28c986078b0d24ff",
"versionType": "git"
},
{
"lessThan": "ff668930871e0198c7f4e325058b8b7c286787bd",
"status": "affected",
"version": "45bfb2e50471abbbfd83d40d28c986078b0d24ff",
"versionType": "git"
},
{
"lessThan": "65311aad4c808bedad0c05d9bb8b06c47dae73eb",
"status": "affected",
"version": "45bfb2e50471abbbfd83d40d28c986078b0d24ff",
"versionType": "git"
},
{
"lessThan": "b024d7b56c77191cde544f838debb7f8451cd0d6",
"status": "affected",
"version": "45bfb2e50471abbbfd83d40d28c986078b0d24ff",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/events/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.1"
},
{
"lessThan": "4.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.148",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.102",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.148",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.102",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.42",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.10",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/core: Prevent VMA split of buffer mappings\n\nThe perf mmap code is careful about mmap()\u0027ing the user page with the\nringbuffer and additionally the auxiliary buffer, when the event supports\nit. Once the first mapping is established, subsequent mapping have to use\nthe same offset and the same size in both cases. The reference counting for\nthe ringbuffer and the auxiliary buffer depends on this being correct.\n\nThough perf does not prevent that a related mapping is split via mmap(2),\nmunmap(2) or mremap(2). A split of a VMA results in perf_mmap_open() calls,\nwhich take reference counts, but then the subsequent perf_mmap_close()\ncalls are not longer fulfilling the offset and size checks. This leads to\nreference count leaks.\n\nAs perf already has the requirement for subsequent mappings to match the\ninitial mapping, the obvious consequence is that VMA splits, caused by\nresizing of a mapping or partial unmapping, have to be prevented.\n\nImplement the vm_operations_struct::may_split() callback and return\nunconditionally -EINVAL.\n\nThat ensures that the mapping offsets and sizes cannot be changed after the\nfact. Remapping to a different fixed address with the same size is still\npossible as it takes the references for the new mapping and drops those of\nthe old mapping."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-10T15:32:41.878Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e4346ffec2c44d6b0be834d59b20632b5bb5729e"
},
{
"url": "https://git.kernel.org/stable/c/d52451a9210f2e5a079ba052918c93563518a9ff"
},
{
"url": "https://git.kernel.org/stable/c/3bd518cc7ea61076bcd725e36ff0e690754977c0"
},
{
"url": "https://git.kernel.org/stable/c/7b84cb58d1f0aa07656802eae24689566e5f5b1b"
},
{
"url": "https://git.kernel.org/stable/c/6757a31a8e295ae4f01717a954afda173f25a121"
},
{
"url": "https://git.kernel.org/stable/c/e529888b7e8092912dd8789bdfc76685ccd2ff5f"
},
{
"url": "https://git.kernel.org/stable/c/ff668930871e0198c7f4e325058b8b7c286787bd"
},
{
"url": "https://git.kernel.org/stable/c/65311aad4c808bedad0c05d9bb8b06c47dae73eb"
},
{
"url": "https://git.kernel.org/stable/c/b024d7b56c77191cde544f838debb7f8451cd0d6"
},
{
"url": "https://www.zerodayinitiative.com/advisories/ZDI-25-873/"
}
],
"title": "perf/core: Prevent VMA split of buffer mappings",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38563",
"datePublished": "2025-08-19T17:02:40.249Z",
"dateReserved": "2025-04-16T04:51:24.025Z",
"dateUpdated": "2025-10-10T15:32:41.878Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38582 (GCVE-0-2025-38582)
Vulnerability from cvelistv5
Published
2025-08-19 17:03
Modified
2025-09-29 05:54
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/hns: Fix double destruction of rsv_qp
rsv_qp may be double destroyed in error flow, first in free_mr_init(),
and then in hns_roce_exit(). Fix it by moving the free_mr_init() call
into hns_roce_v2_init().
list_del corruption, ffff589732eb9b50->next is LIST_POISON1 (dead000000000100)
WARNING: CPU: 8 PID: 1047115 at lib/list_debug.c:53 __list_del_entry_valid+0x148/0x240
...
Call trace:
__list_del_entry_valid+0x148/0x240
hns_roce_qp_remove+0x4c/0x3f0 [hns_roce_hw_v2]
hns_roce_v2_destroy_qp_common+0x1dc/0x5f4 [hns_roce_hw_v2]
hns_roce_v2_destroy_qp+0x22c/0x46c [hns_roce_hw_v2]
free_mr_exit+0x6c/0x120 [hns_roce_hw_v2]
hns_roce_v2_exit+0x170/0x200 [hns_roce_hw_v2]
hns_roce_exit+0x118/0x350 [hns_roce_hw_v2]
__hns_roce_hw_v2_init_instance+0x1c8/0x304 [hns_roce_hw_v2]
hns_roce_hw_v2_reset_notify_init+0x170/0x21c [hns_roce_hw_v2]
hns_roce_hw_v2_reset_notify+0x6c/0x190 [hns_roce_hw_v2]
hclge_notify_roce_client+0x6c/0x160 [hclge]
hclge_reset_rebuild+0x150/0x5c0 [hclge]
hclge_reset+0x10c/0x140 [hclge]
hclge_reset_subtask+0x80/0x104 [hclge]
hclge_reset_service_task+0x168/0x3ac [hclge]
hclge_service_task+0x50/0x100 [hclge]
process_one_work+0x250/0x9a0
worker_thread+0x324/0x990
kthread+0x190/0x210
ret_from_fork+0x10/0x18
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: fd8489294dd2beefb70f12ec4f6132aeec61a4d0 Version: fd8489294dd2beefb70f12ec4f6132aeec61a4d0 Version: fd8489294dd2beefb70f12ec4f6132aeec61a4d0 Version: fd8489294dd2beefb70f12ec4f6132aeec61a4d0 Version: 2ccf1c75d39949d8ea043d04a2e92d7100ea723d Version: d2d9c5127122745da6e887f451dd248cfeffca33 Version: dac2723d8bfa9cf5333f477741e6e5fa1ed34645 Version: 60595923371c2ebe7faf82536c47eb0c967e3425 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/hns/hns_roce_hw_v2.c",
"drivers/infiniband/hw/hns/hns_roce_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "dab173bae3303f074f063750a8dead2550d8c782",
"status": "affected",
"version": "fd8489294dd2beefb70f12ec4f6132aeec61a4d0",
"versionType": "git"
},
{
"lessThan": "fc8b0f5b16bab2e032b4cfcd6218d5df3b80b2ea",
"status": "affected",
"version": "fd8489294dd2beefb70f12ec4f6132aeec61a4d0",
"versionType": "git"
},
{
"lessThan": "10b083dbba22be19baa848432b6f25aa68ab2db5",
"status": "affected",
"version": "fd8489294dd2beefb70f12ec4f6132aeec61a4d0",
"versionType": "git"
},
{
"lessThan": "c6957b95ecc5b63c5a4bb4ecc28af326cf8f6dc8",
"status": "affected",
"version": "fd8489294dd2beefb70f12ec4f6132aeec61a4d0",
"versionType": "git"
},
{
"status": "affected",
"version": "2ccf1c75d39949d8ea043d04a2e92d7100ea723d",
"versionType": "git"
},
{
"status": "affected",
"version": "d2d9c5127122745da6e887f451dd248cfeffca33",
"versionType": "git"
},
{
"status": "affected",
"version": "dac2723d8bfa9cf5333f477741e6e5fa1ed34645",
"versionType": "git"
},
{
"status": "affected",
"version": "60595923371c2ebe7faf82536c47eb0c967e3425",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/hns/hns_roce_hw_v2.c",
"drivers/infiniband/hw/hns/hns_roce_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.12"
},
{
"lessThan": "6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.42",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.10",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.1.113",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.6.54",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.10.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.11.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/hns: Fix double destruction of rsv_qp\n\nrsv_qp may be double destroyed in error flow, first in free_mr_init(),\nand then in hns_roce_exit(). Fix it by moving the free_mr_init() call\ninto hns_roce_v2_init().\n\nlist_del corruption, ffff589732eb9b50-\u003enext is LIST_POISON1 (dead000000000100)\nWARNING: CPU: 8 PID: 1047115 at lib/list_debug.c:53 __list_del_entry_valid+0x148/0x240\n...\nCall trace:\n __list_del_entry_valid+0x148/0x240\n hns_roce_qp_remove+0x4c/0x3f0 [hns_roce_hw_v2]\n hns_roce_v2_destroy_qp_common+0x1dc/0x5f4 [hns_roce_hw_v2]\n hns_roce_v2_destroy_qp+0x22c/0x46c [hns_roce_hw_v2]\n free_mr_exit+0x6c/0x120 [hns_roce_hw_v2]\n hns_roce_v2_exit+0x170/0x200 [hns_roce_hw_v2]\n hns_roce_exit+0x118/0x350 [hns_roce_hw_v2]\n __hns_roce_hw_v2_init_instance+0x1c8/0x304 [hns_roce_hw_v2]\n hns_roce_hw_v2_reset_notify_init+0x170/0x21c [hns_roce_hw_v2]\n hns_roce_hw_v2_reset_notify+0x6c/0x190 [hns_roce_hw_v2]\n hclge_notify_roce_client+0x6c/0x160 [hclge]\n hclge_reset_rebuild+0x150/0x5c0 [hclge]\n hclge_reset+0x10c/0x140 [hclge]\n hclge_reset_subtask+0x80/0x104 [hclge]\n hclge_reset_service_task+0x168/0x3ac [hclge]\n hclge_service_task+0x50/0x100 [hclge]\n process_one_work+0x250/0x9a0\n worker_thread+0x324/0x990\n kthread+0x190/0x210\n ret_from_fork+0x10/0x18"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:54:13.704Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/dab173bae3303f074f063750a8dead2550d8c782"
},
{
"url": "https://git.kernel.org/stable/c/fc8b0f5b16bab2e032b4cfcd6218d5df3b80b2ea"
},
{
"url": "https://git.kernel.org/stable/c/10b083dbba22be19baa848432b6f25aa68ab2db5"
},
{
"url": "https://git.kernel.org/stable/c/c6957b95ecc5b63c5a4bb4ecc28af326cf8f6dc8"
}
],
"title": "RDMA/hns: Fix double destruction of rsv_qp",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38582",
"datePublished": "2025-08-19T17:03:04.535Z",
"dateReserved": "2025-04-16T04:51:24.026Z",
"dateUpdated": "2025-09-29T05:54:13.704Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-4515 (GCVE-0-2023-4515)
Vulnerability from cvelistv5
Published
2025-08-16 13:25
Modified
2025-08-16 13:25
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: validate command request size
In commit 2b9b8f3b68ed ("ksmbd: validate command payload size"), except
for SMB2_OPLOCK_BREAK_HE command, the request size of other commands
is not checked, it's not expected. Fix it by add check for request
size of other commands.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/server/smb2misc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "595679098bdcdbfbba91ebe07a2f7f208df93870",
"status": "affected",
"version": "35f450f54dca1519bb24faacd0428db09f89a11f",
"versionType": "git"
},
{
"lessThan": "c6bef3bc30fd4a175aef846b7d928a6c40d091cd",
"status": "affected",
"version": "9650cf70ec9d94ff34daa088b643229231723c26",
"versionType": "git"
},
{
"lessThan": "ff7236b66d69582f90cf5616e63cfc3dc18142bb",
"status": "affected",
"version": "2b9b8f3b68edb3d67d79962f02e26dbb5ae3808d",
"versionType": "git"
},
{
"lessThan": "5aa4fda5aa9c2a5a7bac67b4a12b089ab81fee3c",
"status": "affected",
"version": "2b9b8f3b68edb3d67d79962f02e26dbb5ae3808d",
"versionType": "git"
},
{
"status": "affected",
"version": "768caf4019f0391c0b6452afe34cea1704133f7b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/server/smb2misc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.127",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.127",
"versionStartIncluding": "5.15.121",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.46",
"versionStartIncluding": "6.1.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.11",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.3.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: validate command request size\n\nIn commit 2b9b8f3b68ed (\"ksmbd: validate command payload size\"), except\nfor SMB2_OPLOCK_BREAK_HE command, the request size of other commands\nis not checked, it\u0027s not expected. Fix it by add check for request\nsize of other commands."
}
],
"providerMetadata": {
"dateUpdated": "2025-08-16T13:25:50.562Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/595679098bdcdbfbba91ebe07a2f7f208df93870"
},
{
"url": "https://git.kernel.org/stable/c/c6bef3bc30fd4a175aef846b7d928a6c40d091cd"
},
{
"url": "https://git.kernel.org/stable/c/ff7236b66d69582f90cf5616e63cfc3dc18142bb"
},
{
"url": "https://git.kernel.org/stable/c/5aa4fda5aa9c2a5a7bac67b4a12b089ab81fee3c"
}
],
"title": "ksmbd: validate command request size",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-4515",
"datePublished": "2025-08-16T13:25:50.562Z",
"dateReserved": "2023-08-24T10:34:48.702Z",
"dateUpdated": "2025-08-16T13:25:50.562Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38473 (GCVE-0-2025-38473)
Vulnerability from cvelistv5
Published
2025-07-28 11:21
Modified
2025-08-28 14:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: Fix null-ptr-deref in l2cap_sock_resume_cb()
syzbot reported null-ptr-deref in l2cap_sock_resume_cb(). [0]
l2cap_sock_resume_cb() has a similar problem that was fixed by commit
1bff51ea59a9 ("Bluetooth: fix use-after-free error in lock_sock_nested()").
Since both l2cap_sock_kill() and l2cap_sock_resume_cb() are executed
under l2cap_sock_resume_cb(), we can avoid the issue simply by checking
if chan->data is NULL.
Let's not access to the killed socket in l2cap_sock_resume_cb().
[0]:
BUG: KASAN: null-ptr-deref in instrument_atomic_write include/linux/instrumented.h:82 [inline]
BUG: KASAN: null-ptr-deref in clear_bit include/asm-generic/bitops/instrumented-atomic.h:41 [inline]
BUG: KASAN: null-ptr-deref in l2cap_sock_resume_cb+0xb4/0x17c net/bluetooth/l2cap_sock.c:1711
Write of size 8 at addr 0000000000000570 by task kworker/u9:0/52
CPU: 1 UID: 0 PID: 52 Comm: kworker/u9:0 Not tainted 6.16.0-rc4-syzkaller-g7482bb149b9f #0 PREEMPT
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Workqueue: hci0 hci_rx_work
Call trace:
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:501 (C)
__dump_stack+0x30/0x40 lib/dump_stack.c:94
dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120
print_report+0x58/0x84 mm/kasan/report.c:524
kasan_report+0xb0/0x110 mm/kasan/report.c:634
check_region_inline mm/kasan/generic.c:-1 [inline]
kasan_check_range+0x264/0x2a4 mm/kasan/generic.c:189
__kasan_check_write+0x20/0x30 mm/kasan/shadow.c:37
instrument_atomic_write include/linux/instrumented.h:82 [inline]
clear_bit include/asm-generic/bitops/instrumented-atomic.h:41 [inline]
l2cap_sock_resume_cb+0xb4/0x17c net/bluetooth/l2cap_sock.c:1711
l2cap_security_cfm+0x524/0xea0 net/bluetooth/l2cap_core.c:7357
hci_auth_cfm include/net/bluetooth/hci_core.h:2092 [inline]
hci_auth_complete_evt+0x2e8/0xa4c net/bluetooth/hci_event.c:3514
hci_event_func net/bluetooth/hci_event.c:7511 [inline]
hci_event_packet+0x650/0xe9c net/bluetooth/hci_event.c:7565
hci_rx_work+0x320/0xb18 net/bluetooth/hci_core.c:4070
process_one_work+0x7e8/0x155c kernel/workqueue.c:3238
process_scheduled_works kernel/workqueue.c:3321 [inline]
worker_thread+0x958/0xed8 kernel/workqueue.c:3402
kthread+0x5fc/0x75c kernel/kthread.c:464
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:847
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: d97c899bde330cd1c76c3a162558177563a74362 Version: d97c899bde330cd1c76c3a162558177563a74362 Version: d97c899bde330cd1c76c3a162558177563a74362 Version: d97c899bde330cd1c76c3a162558177563a74362 Version: d97c899bde330cd1c76c3a162558177563a74362 Version: d97c899bde330cd1c76c3a162558177563a74362 Version: d97c899bde330cd1c76c3a162558177563a74362 Version: d97c899bde330cd1c76c3a162558177563a74362 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/l2cap_sock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "262cd18f5f7ede6a586580cadc5d0799e52e2e7c",
"status": "affected",
"version": "d97c899bde330cd1c76c3a162558177563a74362",
"versionType": "git"
},
{
"lessThan": "2b27b389006623673e8cfff4ce1e119cce640b05",
"status": "affected",
"version": "d97c899bde330cd1c76c3a162558177563a74362",
"versionType": "git"
},
{
"lessThan": "3a4eca2a1859955c65f07a570156bd2d9048ce33",
"status": "affected",
"version": "d97c899bde330cd1c76c3a162558177563a74362",
"versionType": "git"
},
{
"lessThan": "ac3a8147bb24314fb3e84986590148e79f9872ec",
"status": "affected",
"version": "d97c899bde330cd1c76c3a162558177563a74362",
"versionType": "git"
},
{
"lessThan": "c4f16f6b071a74ac7eefe5c28985285cbbe2cd96",
"status": "affected",
"version": "d97c899bde330cd1c76c3a162558177563a74362",
"versionType": "git"
},
{
"lessThan": "b97be7ee8a1cd96b89817cbd64a9f5cc16c17d08",
"status": "affected",
"version": "d97c899bde330cd1c76c3a162558177563a74362",
"versionType": "git"
},
{
"lessThan": "6d63901dcd592a1e3f71d7c6d78f9be5e8d7eef0",
"status": "affected",
"version": "d97c899bde330cd1c76c3a162558177563a74362",
"versionType": "git"
},
{
"lessThan": "a0075accbf0d76c2dad1ad3993d2e944505d99a0",
"status": "affected",
"version": "d97c899bde330cd1c76c3a162558177563a74362",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/l2cap_sock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.13"
},
{
"lessThan": "3.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.147",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.100",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.147",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.100",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.40",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.8",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "3.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Fix null-ptr-deref in l2cap_sock_resume_cb()\n\nsyzbot reported null-ptr-deref in l2cap_sock_resume_cb(). [0]\n\nl2cap_sock_resume_cb() has a similar problem that was fixed by commit\n1bff51ea59a9 (\"Bluetooth: fix use-after-free error in lock_sock_nested()\").\n\nSince both l2cap_sock_kill() and l2cap_sock_resume_cb() are executed\nunder l2cap_sock_resume_cb(), we can avoid the issue simply by checking\nif chan-\u003edata is NULL.\n\nLet\u0027s not access to the killed socket in l2cap_sock_resume_cb().\n\n[0]:\nBUG: KASAN: null-ptr-deref in instrument_atomic_write include/linux/instrumented.h:82 [inline]\nBUG: KASAN: null-ptr-deref in clear_bit include/asm-generic/bitops/instrumented-atomic.h:41 [inline]\nBUG: KASAN: null-ptr-deref in l2cap_sock_resume_cb+0xb4/0x17c net/bluetooth/l2cap_sock.c:1711\nWrite of size 8 at addr 0000000000000570 by task kworker/u9:0/52\n\nCPU: 1 UID: 0 PID: 52 Comm: kworker/u9:0 Not tainted 6.16.0-rc4-syzkaller-g7482bb149b9f #0 PREEMPT\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025\nWorkqueue: hci0 hci_rx_work\nCall trace:\n show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:501 (C)\n __dump_stack+0x30/0x40 lib/dump_stack.c:94\n dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120\n print_report+0x58/0x84 mm/kasan/report.c:524\n kasan_report+0xb0/0x110 mm/kasan/report.c:634\n check_region_inline mm/kasan/generic.c:-1 [inline]\n kasan_check_range+0x264/0x2a4 mm/kasan/generic.c:189\n __kasan_check_write+0x20/0x30 mm/kasan/shadow.c:37\n instrument_atomic_write include/linux/instrumented.h:82 [inline]\n clear_bit include/asm-generic/bitops/instrumented-atomic.h:41 [inline]\n l2cap_sock_resume_cb+0xb4/0x17c net/bluetooth/l2cap_sock.c:1711\n l2cap_security_cfm+0x524/0xea0 net/bluetooth/l2cap_core.c:7357\n hci_auth_cfm include/net/bluetooth/hci_core.h:2092 [inline]\n hci_auth_complete_evt+0x2e8/0xa4c net/bluetooth/hci_event.c:3514\n hci_event_func net/bluetooth/hci_event.c:7511 [inline]\n hci_event_packet+0x650/0xe9c net/bluetooth/hci_event.c:7565\n hci_rx_work+0x320/0xb18 net/bluetooth/hci_core.c:4070\n process_one_work+0x7e8/0x155c kernel/workqueue.c:3238\n process_scheduled_works kernel/workqueue.c:3321 [inline]\n worker_thread+0x958/0xed8 kernel/workqueue.c:3402\n kthread+0x5fc/0x75c kernel/kthread.c:464\n ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:847"
}
],
"providerMetadata": {
"dateUpdated": "2025-08-28T14:43:10.331Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/262cd18f5f7ede6a586580cadc5d0799e52e2e7c"
},
{
"url": "https://git.kernel.org/stable/c/2b27b389006623673e8cfff4ce1e119cce640b05"
},
{
"url": "https://git.kernel.org/stable/c/3a4eca2a1859955c65f07a570156bd2d9048ce33"
},
{
"url": "https://git.kernel.org/stable/c/ac3a8147bb24314fb3e84986590148e79f9872ec"
},
{
"url": "https://git.kernel.org/stable/c/c4f16f6b071a74ac7eefe5c28985285cbbe2cd96"
},
{
"url": "https://git.kernel.org/stable/c/b97be7ee8a1cd96b89817cbd64a9f5cc16c17d08"
},
{
"url": "https://git.kernel.org/stable/c/6d63901dcd592a1e3f71d7c6d78f9be5e8d7eef0"
},
{
"url": "https://git.kernel.org/stable/c/a0075accbf0d76c2dad1ad3993d2e944505d99a0"
}
],
"title": "Bluetooth: Fix null-ptr-deref in l2cap_sock_resume_cb()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38473",
"datePublished": "2025-07-28T11:21:34.880Z",
"dateReserved": "2025-04-16T04:51:24.021Z",
"dateUpdated": "2025-08-28T14:43:10.331Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38184 (GCVE-0-2025-38184)
Vulnerability from cvelistv5
Published
2025-07-04 13:37
Modified
2025-07-28 04:14
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tipc: fix null-ptr-deref when acquiring remote ip of ethernet bearer
The reproduction steps:
1. create a tun interface
2. enable l2 bearer
3. TIPC_NL_UDP_GET_REMOTEIP with media name set to tun
tipc: Started in network mode
tipc: Node identity 8af312d38a21, cluster identity 4711
tipc: Enabled bearer <eth:syz_tun>, priority 1
Oops: general protection fault
KASAN: null-ptr-deref in range
CPU: 1 UID: 1000 PID: 559 Comm: poc Not tainted 6.16.0-rc1+ #117 PREEMPT
Hardware name: QEMU Ubuntu 24.04 PC
RIP: 0010:tipc_udp_nl_dump_remoteip+0x4a4/0x8f0
the ub was in fact a struct dev.
when bid != 0 && skip_cnt != 0, bearer_list[bid] may be NULL or
other media when other thread changes it.
fix this by checking media_id.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 832629ca5c313e122b22b8e73a6d80f111b1a1ae Version: 832629ca5c313e122b22b8e73a6d80f111b1a1ae Version: 832629ca5c313e122b22b8e73a6d80f111b1a1ae Version: 832629ca5c313e122b22b8e73a6d80f111b1a1ae Version: 832629ca5c313e122b22b8e73a6d80f111b1a1ae Version: 832629ca5c313e122b22b8e73a6d80f111b1a1ae Version: 832629ca5c313e122b22b8e73a6d80f111b1a1ae Version: 832629ca5c313e122b22b8e73a6d80f111b1a1ae |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/tipc/udp_media.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3998283e4c32c0fe69edd59b0876c193f50abce6",
"status": "affected",
"version": "832629ca5c313e122b22b8e73a6d80f111b1a1ae",
"versionType": "git"
},
{
"lessThan": "c2e17984752b9131061d1a2ca1199da2706337fd",
"status": "affected",
"version": "832629ca5c313e122b22b8e73a6d80f111b1a1ae",
"versionType": "git"
},
{
"lessThan": "8595350615f952fcf8bc861464a6bf6b1129af50",
"status": "affected",
"version": "832629ca5c313e122b22b8e73a6d80f111b1a1ae",
"versionType": "git"
},
{
"lessThan": "05d332ba075753d569d66333d62d60fff5f57ad8",
"status": "affected",
"version": "832629ca5c313e122b22b8e73a6d80f111b1a1ae",
"versionType": "git"
},
{
"lessThan": "d3dfe821dfe091c0045044343c8d86596d66e2cf",
"status": "affected",
"version": "832629ca5c313e122b22b8e73a6d80f111b1a1ae",
"versionType": "git"
},
{
"lessThan": "0d3d91c3500f0c480e016faa4e2259c588616e59",
"status": "affected",
"version": "832629ca5c313e122b22b8e73a6d80f111b1a1ae",
"versionType": "git"
},
{
"lessThan": "0f4a72fb266e48dbe928e1d936eab149e4ac3e1b",
"status": "affected",
"version": "832629ca5c313e122b22b8e73a6d80f111b1a1ae",
"versionType": "git"
},
{
"lessThan": "f82727adcf2992822e12198792af450a76ebd5ef",
"status": "affected",
"version": "832629ca5c313e122b22b8e73a6d80f111b1a1ae",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/tipc/udp_media.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.9"
},
{
"lessThan": "4.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.239",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.186",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.95",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.35",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.295",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.239",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.186",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.142",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.95",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.35",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.4",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "4.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: fix null-ptr-deref when acquiring remote ip of ethernet bearer\n\nThe reproduction steps:\n1. create a tun interface\n2. enable l2 bearer\n3. TIPC_NL_UDP_GET_REMOTEIP with media name set to tun\n\ntipc: Started in network mode\ntipc: Node identity 8af312d38a21, cluster identity 4711\ntipc: Enabled bearer \u003ceth:syz_tun\u003e, priority 1\nOops: general protection fault\nKASAN: null-ptr-deref in range\nCPU: 1 UID: 1000 PID: 559 Comm: poc Not tainted 6.16.0-rc1+ #117 PREEMPT\nHardware name: QEMU Ubuntu 24.04 PC\nRIP: 0010:tipc_udp_nl_dump_remoteip+0x4a4/0x8f0\n\nthe ub was in fact a struct dev.\n\nwhen bid != 0 \u0026\u0026 skip_cnt != 0, bearer_list[bid] may be NULL or\nother media when other thread changes it.\n\nfix this by checking media_id."
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T04:14:27.865Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3998283e4c32c0fe69edd59b0876c193f50abce6"
},
{
"url": "https://git.kernel.org/stable/c/c2e17984752b9131061d1a2ca1199da2706337fd"
},
{
"url": "https://git.kernel.org/stable/c/8595350615f952fcf8bc861464a6bf6b1129af50"
},
{
"url": "https://git.kernel.org/stable/c/05d332ba075753d569d66333d62d60fff5f57ad8"
},
{
"url": "https://git.kernel.org/stable/c/d3dfe821dfe091c0045044343c8d86596d66e2cf"
},
{
"url": "https://git.kernel.org/stable/c/0d3d91c3500f0c480e016faa4e2259c588616e59"
},
{
"url": "https://git.kernel.org/stable/c/0f4a72fb266e48dbe928e1d936eab149e4ac3e1b"
},
{
"url": "https://git.kernel.org/stable/c/f82727adcf2992822e12198792af450a76ebd5ef"
}
],
"title": "tipc: fix null-ptr-deref when acquiring remote ip of ethernet bearer",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38184",
"datePublished": "2025-07-04T13:37:11.226Z",
"dateReserved": "2025-04-16T04:51:23.992Z",
"dateUpdated": "2025-07-28T04:14:27.865Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38506 (GCVE-0-2025-38506)
Vulnerability from cvelistv5
Published
2025-08-16 10:54
Modified
2025-08-16 10:54
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: Allow CPU to reschedule while setting per-page memory attributes
When running an SEV-SNP guest with a sufficiently large amount of memory (1TB+),
the host can experience CPU soft lockups when running an operation in
kvm_vm_set_mem_attributes() to set memory attributes on the whole
range of guest memory.
watchdog: BUG: soft lockup - CPU#8 stuck for 26s! [qemu-kvm:6372]
CPU: 8 UID: 0 PID: 6372 Comm: qemu-kvm Kdump: loaded Not tainted 6.15.0-rc7.20250520.el9uek.rc1.x86_64 #1 PREEMPT(voluntary)
Hardware name: Oracle Corporation ORACLE SERVER E4-2c/Asm,MB Tray,2U,E4-2c, BIOS 78016600 11/13/2024
RIP: 0010:xas_create+0x78/0x1f0
Code: 00 00 00 41 80 fc 01 0f 84 82 00 00 00 ba 06 00 00 00 bd 06 00 00 00 49 8b 45 08 4d 8d 65 08 41 39 d6 73 20 83 ed 06 48 85 c0 <74> 67 48 89 c2 83 e2 03 48 83 fa 02 75 0c 48 3d 00 10 00 00 0f 87
RSP: 0018:ffffad890a34b940 EFLAGS: 00000286
RAX: ffff96f30b261daa RBX: ffffad890a34b9c8 RCX: 0000000000000000
RDX: 000000000000001e RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000018 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffffad890a356868
R13: ffffad890a356860 R14: 0000000000000000 R15: ffffad890a356868
FS: 00007f5578a2a400(0000) GS:ffff97ed317e1000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f015c70fb18 CR3: 00000001109fd006 CR4: 0000000000f70ef0
PKRU: 55555554
Call Trace:
<TASK>
xas_store+0x58/0x630
__xa_store+0xa5/0x130
xa_store+0x2c/0x50
kvm_vm_set_mem_attributes+0x343/0x710 [kvm]
kvm_vm_ioctl+0x796/0xab0 [kvm]
__x64_sys_ioctl+0xa3/0xd0
do_syscall_64+0x8c/0x7a0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7f5578d031bb
Code: ff ff ff 85 c0 79 9b 49 c7 c4 ff ff ff ff 5b 5d 4c 89 e0 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 2d 4c 0f 00 f7 d8 64 89 01 48
RSP: 002b:00007ffe0a742b88 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 000000004020aed2 RCX: 00007f5578d031bb
RDX: 00007ffe0a742c80 RSI: 000000004020aed2 RDI: 000000000000000b
RBP: 0000010000000000 R08: 0000010000000000 R09: 0000017680000000
R10: 0000000000000080 R11: 0000000000000246 R12: 00005575e5f95120
R13: 00007ffe0a742c80 R14: 0000000000000008 R15: 00005575e5f961e0
While looping through the range of memory setting the attributes,
call cond_resched() to give the scheduler a chance to run a higher
priority task on the runqueue if necessary and avoid staying in
kernel mode long enough to trigger the lockup.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"virt/kvm/kvm_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d9bd1163c8d8f716f45e54d034ee28757cc85549",
"status": "affected",
"version": "5a475554db1e476a14216e742ea2bdb77362d5d5",
"versionType": "git"
},
{
"lessThan": "1ef45ae7a3938f0844032ba670b4f89180a5bffc",
"status": "affected",
"version": "5a475554db1e476a14216e742ea2bdb77362d5d5",
"versionType": "git"
},
{
"lessThan": "47bb584237cc285e3a860b70c01f7bda9dcfb05b",
"status": "affected",
"version": "5a475554db1e476a14216e742ea2bdb77362d5d5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"virt/kvm/kvm_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.39",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.7",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: Allow CPU to reschedule while setting per-page memory attributes\n\nWhen running an SEV-SNP guest with a sufficiently large amount of memory (1TB+),\nthe host can experience CPU soft lockups when running an operation in\nkvm_vm_set_mem_attributes() to set memory attributes on the whole\nrange of guest memory.\n\nwatchdog: BUG: soft lockup - CPU#8 stuck for 26s! [qemu-kvm:6372]\nCPU: 8 UID: 0 PID: 6372 Comm: qemu-kvm Kdump: loaded Not tainted 6.15.0-rc7.20250520.el9uek.rc1.x86_64 #1 PREEMPT(voluntary)\nHardware name: Oracle Corporation ORACLE SERVER E4-2c/Asm,MB Tray,2U,E4-2c, BIOS 78016600 11/13/2024\nRIP: 0010:xas_create+0x78/0x1f0\nCode: 00 00 00 41 80 fc 01 0f 84 82 00 00 00 ba 06 00 00 00 bd 06 00 00 00 49 8b 45 08 4d 8d 65 08 41 39 d6 73 20 83 ed 06 48 85 c0 \u003c74\u003e 67 48 89 c2 83 e2 03 48 83 fa 02 75 0c 48 3d 00 10 00 00 0f 87\nRSP: 0018:ffffad890a34b940 EFLAGS: 00000286\nRAX: ffff96f30b261daa RBX: ffffad890a34b9c8 RCX: 0000000000000000\nRDX: 000000000000001e RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000000000018 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: ffffad890a356868\nR13: ffffad890a356860 R14: 0000000000000000 R15: ffffad890a356868\nFS: 00007f5578a2a400(0000) GS:ffff97ed317e1000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f015c70fb18 CR3: 00000001109fd006 CR4: 0000000000f70ef0\nPKRU: 55555554\nCall Trace:\n \u003cTASK\u003e\n xas_store+0x58/0x630\n __xa_store+0xa5/0x130\n xa_store+0x2c/0x50\n kvm_vm_set_mem_attributes+0x343/0x710 [kvm]\n kvm_vm_ioctl+0x796/0xab0 [kvm]\n __x64_sys_ioctl+0xa3/0xd0\n do_syscall_64+0x8c/0x7a0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\nRIP: 0033:0x7f5578d031bb\nCode: ff ff ff 85 c0 79 9b 49 c7 c4 ff ff ff ff 5b 5d 4c 89 e0 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 8b 0d 2d 4c 0f 00 f7 d8 64 89 01 48\nRSP: 002b:00007ffe0a742b88 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 000000004020aed2 RCX: 00007f5578d031bb\nRDX: 00007ffe0a742c80 RSI: 000000004020aed2 RDI: 000000000000000b\nRBP: 0000010000000000 R08: 0000010000000000 R09: 0000017680000000\nR10: 0000000000000080 R11: 0000000000000246 R12: 00005575e5f95120\nR13: 00007ffe0a742c80 R14: 0000000000000008 R15: 00005575e5f961e0\n\nWhile looping through the range of memory setting the attributes,\ncall cond_resched() to give the scheduler a chance to run a higher\npriority task on the runqueue if necessary and avoid staying in\nkernel mode long enough to trigger the lockup."
}
],
"providerMetadata": {
"dateUpdated": "2025-08-16T10:54:43.826Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d9bd1163c8d8f716f45e54d034ee28757cc85549"
},
{
"url": "https://git.kernel.org/stable/c/1ef45ae7a3938f0844032ba670b4f89180a5bffc"
},
{
"url": "https://git.kernel.org/stable/c/47bb584237cc285e3a860b70c01f7bda9dcfb05b"
}
],
"title": "KVM: Allow CPU to reschedule while setting per-page memory attributes",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38506",
"datePublished": "2025-08-16T10:54:43.826Z",
"dateReserved": "2025-04-16T04:51:24.022Z",
"dateUpdated": "2025-08-16T10:54:43.826Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38621 (GCVE-0-2025-38621)
Vulnerability from cvelistv5
Published
2025-08-22 16:00
Modified
2025-09-29 05:54
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
md: make rdev_addable usable for rcu mode
Our testcase trigger panic:
BUG: kernel NULL pointer dereference, address: 00000000000000e0
...
Oops: Oops: 0000 [#1] SMP NOPTI
CPU: 2 UID: 0 PID: 85 Comm: kworker/2:1 Not tainted 6.16.0+ #94
PREEMPT(none)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.16.1-2.fc37 04/01/2014
Workqueue: md_misc md_start_sync
RIP: 0010:rdev_addable+0x4d/0xf0
...
Call Trace:
<TASK>
md_start_sync+0x329/0x480
process_one_work+0x226/0x6d0
worker_thread+0x19e/0x340
kthread+0x10f/0x250
ret_from_fork+0x14d/0x180
ret_from_fork_asm+0x1a/0x30
</TASK>
Modules linked in: raid10
CR2: 00000000000000e0
---[ end trace 0000000000000000 ]---
RIP: 0010:rdev_addable+0x4d/0xf0
md_spares_need_change in md_start_sync will call rdev_addable which
protected by rcu_read_lock/rcu_read_unlock. This rcu context will help
protect rdev won't be released, but rdev->mddev will be set to NULL
before we call synchronize_rcu in md_kick_rdev_from_array. Fix this by
using READ_ONCE and check does rdev->mddev still alive.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/md.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b5fbe940862339cdcc34dea7a057ad18d18fa137",
"status": "affected",
"version": "bc08041b32abe6c9824f78735bac22018eabfc06",
"versionType": "git"
},
{
"lessThan": "13017b427118f4311471ee47df74872372ca8482",
"status": "affected",
"version": "bc08041b32abe6c9824f78735bac22018eabfc06",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/md.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.7"
},
{
"lessThan": "6.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: make rdev_addable usable for rcu mode\n\nOur testcase trigger panic:\n\nBUG: kernel NULL pointer dereference, address: 00000000000000e0\n...\nOops: Oops: 0000 [#1] SMP NOPTI\nCPU: 2 UID: 0 PID: 85 Comm: kworker/2:1 Not tainted 6.16.0+ #94\nPREEMPT(none)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n1.16.1-2.fc37 04/01/2014\nWorkqueue: md_misc md_start_sync\nRIP: 0010:rdev_addable+0x4d/0xf0\n...\nCall Trace:\n \u003cTASK\u003e\n md_start_sync+0x329/0x480\n process_one_work+0x226/0x6d0\n worker_thread+0x19e/0x340\n kthread+0x10f/0x250\n ret_from_fork+0x14d/0x180\n ret_from_fork_asm+0x1a/0x30\n \u003c/TASK\u003e\nModules linked in: raid10\nCR2: 00000000000000e0\n---[ end trace 0000000000000000 ]---\nRIP: 0010:rdev_addable+0x4d/0xf0\n\nmd_spares_need_change in md_start_sync will call rdev_addable which\nprotected by rcu_read_lock/rcu_read_unlock. This rcu context will help\nprotect rdev won\u0027t be released, but rdev-\u003emddev will be set to NULL\nbefore we call synchronize_rcu in md_kick_rdev_from_array. Fix this by\nusing READ_ONCE and check does rdev-\u003emddev still alive."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:54:56.808Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b5fbe940862339cdcc34dea7a057ad18d18fa137"
},
{
"url": "https://git.kernel.org/stable/c/13017b427118f4311471ee47df74872372ca8482"
}
],
"title": "md: make rdev_addable usable for rcu mode",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38621",
"datePublished": "2025-08-22T16:00:30.308Z",
"dateReserved": "2025-04-16T04:51:24.029Z",
"dateUpdated": "2025-09-29T05:54:56.808Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38566 (GCVE-0-2025-38566)
Vulnerability from cvelistv5
Published
2025-08-19 17:02
Modified
2025-09-29 05:53
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
sunrpc: fix handling of server side tls alerts
Scott Mayhew discovered a security exploit in NFS over TLS in
tls_alert_recv() due to its assumption it can read data from
the msg iterator's kvec..
kTLS implementation splits TLS non-data record payload between
the control message buffer (which includes the type such as TLS
aler or TLS cipher change) and the rest of the payload (say TLS
alert's level/description) which goes into the msg payload buffer.
This patch proposes to rework how control messages are setup and
used by sock_recvmsg().
If no control message structure is setup, kTLS layer will read and
process TLS data record types. As soon as it encounters a TLS control
message, it would return an error. At that point, NFS can setup a
kvec backed msg buffer and read in the control message such as a
TLS alert. Msg iterator can advance the kvec pointer as a part of
the copy process thus we need to revert the iterator before calling
into the tls_alert_recv.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sunrpc/svcsock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b1df394621710b312f0393e3f240fdac0764f968",
"status": "affected",
"version": "5e052dda121e2870dd87181783da4a95d7d2927b",
"versionType": "git"
},
{
"lessThan": "25bb3647d30a20486b5fe7cff2b0e503c16c9692",
"status": "affected",
"version": "5e052dda121e2870dd87181783da4a95d7d2927b",
"versionType": "git"
},
{
"lessThan": "3b549da875414989f480b66835d514be80a0bd9c",
"status": "affected",
"version": "5e052dda121e2870dd87181783da4a95d7d2927b",
"versionType": "git"
},
{
"lessThan": "6b33c31cc788073bfbed9297e1f4486ed73d87da",
"status": "affected",
"version": "5e052dda121e2870dd87181783da4a95d7d2927b",
"versionType": "git"
},
{
"lessThan": "bee47cb026e762841f3faece47b51f985e215edb",
"status": "affected",
"version": "5e052dda121e2870dd87181783da4a95d7d2927b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sunrpc/svcsock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.102",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.102",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.42",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.10",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsunrpc: fix handling of server side tls alerts\n\nScott Mayhew discovered a security exploit in NFS over TLS in\ntls_alert_recv() due to its assumption it can read data from\nthe msg iterator\u0027s kvec..\n\nkTLS implementation splits TLS non-data record payload between\nthe control message buffer (which includes the type such as TLS\naler or TLS cipher change) and the rest of the payload (say TLS\nalert\u0027s level/description) which goes into the msg payload buffer.\n\nThis patch proposes to rework how control messages are setup and\nused by sock_recvmsg().\n\nIf no control message structure is setup, kTLS layer will read and\nprocess TLS data record types. As soon as it encounters a TLS control\nmessage, it would return an error. At that point, NFS can setup a\nkvec backed msg buffer and read in the control message such as a\nTLS alert. Msg iterator can advance the kvec pointer as a part of\nthe copy process thus we need to revert the iterator before calling\ninto the tls_alert_recv."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:53:54.931Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b1df394621710b312f0393e3f240fdac0764f968"
},
{
"url": "https://git.kernel.org/stable/c/25bb3647d30a20486b5fe7cff2b0e503c16c9692"
},
{
"url": "https://git.kernel.org/stable/c/3b549da875414989f480b66835d514be80a0bd9c"
},
{
"url": "https://git.kernel.org/stable/c/6b33c31cc788073bfbed9297e1f4486ed73d87da"
},
{
"url": "https://git.kernel.org/stable/c/bee47cb026e762841f3faece47b51f985e215edb"
}
],
"title": "sunrpc: fix handling of server side tls alerts",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38566",
"datePublished": "2025-08-19T17:02:42.506Z",
"dateReserved": "2025-04-16T04:51:24.025Z",
"dateUpdated": "2025-09-29T05:53:54.931Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38528 (GCVE-0-2025-38528)
Vulnerability from cvelistv5
Published
2025-08-16 11:12
Modified
2025-08-28 14:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Reject %p% format string in bprintf-like helpers
static const char fmt[] = "%p%";
bpf_trace_printk(fmt, sizeof(fmt));
The above BPF program isn't rejected and causes a kernel warning at
runtime:
Please remove unsupported %\x00 in format string
WARNING: CPU: 1 PID: 7244 at lib/vsprintf.c:2680 format_decode+0x49c/0x5d0
This happens because bpf_bprintf_prepare skips over the second %,
detected as punctuation, while processing %p. This patch fixes it by
not skipping over punctuation. %\x00 is then processed in the next
iteration and rejected.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 48cac3f4a96ddf08df8e53809ed066de0dc93915 Version: 48cac3f4a96ddf08df8e53809ed066de0dc93915 Version: 48cac3f4a96ddf08df8e53809ed066de0dc93915 Version: 48cac3f4a96ddf08df8e53809ed066de0dc93915 Version: 48cac3f4a96ddf08df8e53809ed066de0dc93915 Version: 48cac3f4a96ddf08df8e53809ed066de0dc93915 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/bpf/helpers.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "97303e541e12f1fea97834ec64b98991e8775f39",
"status": "affected",
"version": "48cac3f4a96ddf08df8e53809ed066de0dc93915",
"versionType": "git"
},
{
"lessThan": "61d5fa45ed13e42af14c7e959baba9908b8ee6d4",
"status": "affected",
"version": "48cac3f4a96ddf08df8e53809ed066de0dc93915",
"versionType": "git"
},
{
"lessThan": "e7be679124bae8cf4fa6e40d7e1661baddfb3289",
"status": "affected",
"version": "48cac3f4a96ddf08df8e53809ed066de0dc93915",
"versionType": "git"
},
{
"lessThan": "6952aeace93f8c9ea01849efecac24dd3152c9c9",
"status": "affected",
"version": "48cac3f4a96ddf08df8e53809ed066de0dc93915",
"versionType": "git"
},
{
"lessThan": "1c5f5fd47bbda17cb885fe6f03730702cd53d3f8",
"status": "affected",
"version": "48cac3f4a96ddf08df8e53809ed066de0dc93915",
"versionType": "git"
},
{
"lessThan": "f8242745871f81a3ac37f9f51853d12854fd0b58",
"status": "affected",
"version": "48cac3f4a96ddf08df8e53809ed066de0dc93915",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/bpf/helpers.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.147",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.100",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.147",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.100",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.40",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.8",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Reject %p% format string in bprintf-like helpers\n\nstatic const char fmt[] = \"%p%\";\n bpf_trace_printk(fmt, sizeof(fmt));\n\nThe above BPF program isn\u0027t rejected and causes a kernel warning at\nruntime:\n\n Please remove unsupported %\\x00 in format string\n WARNING: CPU: 1 PID: 7244 at lib/vsprintf.c:2680 format_decode+0x49c/0x5d0\n\nThis happens because bpf_bprintf_prepare skips over the second %,\ndetected as punctuation, while processing %p. This patch fixes it by\nnot skipping over punctuation. %\\x00 is then processed in the next\niteration and rejected."
}
],
"providerMetadata": {
"dateUpdated": "2025-08-28T14:43:34.943Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/97303e541e12f1fea97834ec64b98991e8775f39"
},
{
"url": "https://git.kernel.org/stable/c/61d5fa45ed13e42af14c7e959baba9908b8ee6d4"
},
{
"url": "https://git.kernel.org/stable/c/e7be679124bae8cf4fa6e40d7e1661baddfb3289"
},
{
"url": "https://git.kernel.org/stable/c/6952aeace93f8c9ea01849efecac24dd3152c9c9"
},
{
"url": "https://git.kernel.org/stable/c/1c5f5fd47bbda17cb885fe6f03730702cd53d3f8"
},
{
"url": "https://git.kernel.org/stable/c/f8242745871f81a3ac37f9f51853d12854fd0b58"
}
],
"title": "bpf: Reject %p% format string in bprintf-like helpers",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38528",
"datePublished": "2025-08-16T11:12:21.667Z",
"dateReserved": "2025-04-16T04:51:24.023Z",
"dateUpdated": "2025-08-28T14:43:34.943Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38550 (GCVE-0-2025-38550)
Vulnerability from cvelistv5
Published
2025-08-16 11:34
Modified
2025-08-28 14:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv6: mcast: Delay put pmc->idev in mld_del_delrec()
pmc->idev is still used in ip6_mc_clear_src(), so as mld_clear_delrec()
does, the reference should be put after ip6_mc_clear_src() return.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 63ed8de4be81b699ca727e9f8e3344bd487806d7 Version: 63ed8de4be81b699ca727e9f8e3344bd487806d7 Version: 63ed8de4be81b699ca727e9f8e3344bd487806d7 Version: 63ed8de4be81b699ca727e9f8e3344bd487806d7 Version: 63ed8de4be81b699ca727e9f8e3344bd487806d7 Version: 63ed8de4be81b699ca727e9f8e3344bd487806d7 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/mcast.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6e4eec86fe5f6b3fdbc702d1d36ac2a6e7ec0806",
"status": "affected",
"version": "63ed8de4be81b699ca727e9f8e3344bd487806d7",
"versionType": "git"
},
{
"lessThan": "728db00a14cacb37f36e9382ab5fad55caf890cc",
"status": "affected",
"version": "63ed8de4be81b699ca727e9f8e3344bd487806d7",
"versionType": "git"
},
{
"lessThan": "dcbc346f50a009d8b7f4e330f9f2e22d6442fa26",
"status": "affected",
"version": "63ed8de4be81b699ca727e9f8e3344bd487806d7",
"versionType": "git"
},
{
"lessThan": "7929d27c747eafe8fca3eecd74a334503ee4c839",
"status": "affected",
"version": "63ed8de4be81b699ca727e9f8e3344bd487806d7",
"versionType": "git"
},
{
"lessThan": "5f18e0130194550dff734e155029ae734378b5ea",
"status": "affected",
"version": "63ed8de4be81b699ca727e9f8e3344bd487806d7",
"versionType": "git"
},
{
"lessThan": "ae3264a25a4635531264728859dbe9c659fad554",
"status": "affected",
"version": "63ed8de4be81b699ca727e9f8e3344bd487806d7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/mcast.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.147",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.100",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.147",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.100",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.40",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.8",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: mcast: Delay put pmc-\u003eidev in mld_del_delrec()\n\npmc-\u003eidev is still used in ip6_mc_clear_src(), so as mld_clear_delrec()\ndoes, the reference should be put after ip6_mc_clear_src() return."
}
],
"providerMetadata": {
"dateUpdated": "2025-08-28T14:43:43.626Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6e4eec86fe5f6b3fdbc702d1d36ac2a6e7ec0806"
},
{
"url": "https://git.kernel.org/stable/c/728db00a14cacb37f36e9382ab5fad55caf890cc"
},
{
"url": "https://git.kernel.org/stable/c/dcbc346f50a009d8b7f4e330f9f2e22d6442fa26"
},
{
"url": "https://git.kernel.org/stable/c/7929d27c747eafe8fca3eecd74a334503ee4c839"
},
{
"url": "https://git.kernel.org/stable/c/5f18e0130194550dff734e155029ae734378b5ea"
},
{
"url": "https://git.kernel.org/stable/c/ae3264a25a4635531264728859dbe9c659fad554"
}
],
"title": "ipv6: mcast: Delay put pmc-\u003eidev in mld_del_delrec()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38550",
"datePublished": "2025-08-16T11:34:18.619Z",
"dateReserved": "2025-04-16T04:51:24.024Z",
"dateUpdated": "2025-08-28T14:43:43.626Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38515 (GCVE-0-2025-38515)
Vulnerability from cvelistv5
Published
2025-08-16 10:55
Modified
2025-08-16 10:55
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/sched: Increment job count before swapping tail spsc queue
A small race exists between spsc_queue_push and the run-job worker, in
which spsc_queue_push may return not-first while the run-job worker has
already idled due to the job count being zero. If this race occurs, job
scheduling stops, leading to hangs while waiting on the job’s DMA
fences.
Seal this race by incrementing the job count before appending to the
SPSC queue.
This race was observed on a drm-tip 6.16-rc1 build with the Xe driver in
an SVM test case.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 27105db6c63a571b91d01e749d026105a1e63bcf Version: 27105db6c63a571b91d01e749d026105a1e63bcf Version: 27105db6c63a571b91d01e749d026105a1e63bcf Version: 27105db6c63a571b91d01e749d026105a1e63bcf Version: 27105db6c63a571b91d01e749d026105a1e63bcf Version: 27105db6c63a571b91d01e749d026105a1e63bcf Version: 27105db6c63a571b91d01e749d026105a1e63bcf Version: 27105db6c63a571b91d01e749d026105a1e63bcf |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/drm/spsc_queue.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "549a9c78c3ea6807d0dc4162a4f5ba59f217d5a0",
"status": "affected",
"version": "27105db6c63a571b91d01e749d026105a1e63bcf",
"versionType": "git"
},
{
"lessThan": "e62f51d0ec8a9baf324caf9a564f8e318d36a551",
"status": "affected",
"version": "27105db6c63a571b91d01e749d026105a1e63bcf",
"versionType": "git"
},
{
"lessThan": "ef841f8e4e1ff67817ca899bedc5ebb00847c0a7",
"status": "affected",
"version": "27105db6c63a571b91d01e749d026105a1e63bcf",
"versionType": "git"
},
{
"lessThan": "f9a4f28a4fc4ee453a92a9abbe36e26224d17749",
"status": "affected",
"version": "27105db6c63a571b91d01e749d026105a1e63bcf",
"versionType": "git"
},
{
"lessThan": "c64f5310530baf75328292f9b9f3f2961d185183",
"status": "affected",
"version": "27105db6c63a571b91d01e749d026105a1e63bcf",
"versionType": "git"
},
{
"lessThan": "e2d6547dc8b9b332f9bc00875197287a6a4db65a",
"status": "affected",
"version": "27105db6c63a571b91d01e749d026105a1e63bcf",
"versionType": "git"
},
{
"lessThan": "ef58a95457466849fa7b31fd3953801a5af0f58b",
"status": "affected",
"version": "27105db6c63a571b91d01e749d026105a1e63bcf",
"versionType": "git"
},
{
"lessThan": "8af39ec5cf2be522c8eb43a3d8005ed59e4daaee",
"status": "affected",
"version": "27105db6c63a571b91d01e749d026105a1e63bcf",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/drm/spsc_queue.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.16"
},
{
"lessThan": "4.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.296",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.240",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.146",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.296",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.240",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.189",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.146",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.99",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.39",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.7",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "4.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/sched: Increment job count before swapping tail spsc queue\n\nA small race exists between spsc_queue_push and the run-job worker, in\nwhich spsc_queue_push may return not-first while the run-job worker has\nalready idled due to the job count being zero. If this race occurs, job\nscheduling stops, leading to hangs while waiting on the job\u2019s DMA\nfences.\n\nSeal this race by incrementing the job count before appending to the\nSPSC queue.\n\nThis race was observed on a drm-tip 6.16-rc1 build with the Xe driver in\nan SVM test case."
}
],
"providerMetadata": {
"dateUpdated": "2025-08-16T10:55:02.173Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/549a9c78c3ea6807d0dc4162a4f5ba59f217d5a0"
},
{
"url": "https://git.kernel.org/stable/c/e62f51d0ec8a9baf324caf9a564f8e318d36a551"
},
{
"url": "https://git.kernel.org/stable/c/ef841f8e4e1ff67817ca899bedc5ebb00847c0a7"
},
{
"url": "https://git.kernel.org/stable/c/f9a4f28a4fc4ee453a92a9abbe36e26224d17749"
},
{
"url": "https://git.kernel.org/stable/c/c64f5310530baf75328292f9b9f3f2961d185183"
},
{
"url": "https://git.kernel.org/stable/c/e2d6547dc8b9b332f9bc00875197287a6a4db65a"
},
{
"url": "https://git.kernel.org/stable/c/ef58a95457466849fa7b31fd3953801a5af0f58b"
},
{
"url": "https://git.kernel.org/stable/c/8af39ec5cf2be522c8eb43a3d8005ed59e4daaee"
}
],
"title": "drm/sched: Increment job count before swapping tail spsc queue",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38515",
"datePublished": "2025-08-16T10:55:02.173Z",
"dateReserved": "2025-04-16T04:51:24.023Z",
"dateUpdated": "2025-08-16T10:55:02.173Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38457 (GCVE-0-2025-38457)
Vulnerability from cvelistv5
Published
2025-07-25 15:27
Modified
2025-07-28 04:22
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: Abort __tc_modify_qdisc if parent class does not exist
Lion's patch [1] revealed an ancient bug in the qdisc API.
Whenever a user creates/modifies a qdisc specifying as a parent another
qdisc, the qdisc API will, during grafting, detect that the user is
not trying to attach to a class and reject. However grafting is
performed after qdisc_create (and thus the qdiscs' init callback) is
executed. In qdiscs that eventually call qdisc_tree_reduce_backlog
during init or change (such as fq, hhf, choke, etc), an issue
arises. For example, executing the following commands:
sudo tc qdisc add dev lo root handle a: htb default 2
sudo tc qdisc add dev lo parent a: handle beef fq
Qdiscs such as fq, hhf, choke, etc unconditionally invoke
qdisc_tree_reduce_backlog() in their control path init() or change() which
then causes a failure to find the child class; however, that does not stop
the unconditional invocation of the assumed child qdisc's qlen_notify with
a null class. All these qdiscs make the assumption that class is non-null.
The solution is ensure that qdisc_leaf() which looks up the parent
class, and is invoked prior to qdisc_create(), should return failure on
not finding the class.
In this patch, we leverage qdisc_leaf to return ERR_PTRs whenever the
parentid doesn't correspond to a class, so that we can detect it
earlier on and abort before qdisc_create is called.
[1] https://lore.kernel.org/netdev/d912cbd7-193b-4269-9857-525bee8bbb6a@gmail.com/
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6 Version: 5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6 Version: 5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6 Version: 5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6 Version: 5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6 Version: 5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6 Version: 5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6 Version: 5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/sch_api.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "923a276c74e25073ae391e930792ac86a9f77f1e",
"status": "affected",
"version": "5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6",
"versionType": "git"
},
{
"lessThan": "90436e72c9622c2f70389070088325a3232d339f",
"status": "affected",
"version": "5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6",
"versionType": "git"
},
{
"lessThan": "25452638f133ac19d75af3f928327d8016952c8e",
"status": "affected",
"version": "5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6",
"versionType": "git"
},
{
"lessThan": "23c165dde88eac405eebb59051ea1fe139a45803",
"status": "affected",
"version": "5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6",
"versionType": "git"
},
{
"lessThan": "4c691d1b6b6dbd73f30ed9ee7da05f037b0c49af",
"status": "affected",
"version": "5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6",
"versionType": "git"
},
{
"lessThan": "8ecd651ef24ab50123692a4e3e25db93cb11602a",
"status": "affected",
"version": "5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6",
"versionType": "git"
},
{
"lessThan": "e28a383d6485c3bb51dc5953552f76c4dea33eea",
"status": "affected",
"version": "5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6",
"versionType": "git"
},
{
"lessThan": "ffdde7bf5a439aaa1955ebd581f5c64ab1533963",
"status": "affected",
"version": "5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/sch_api.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.20"
},
{
"lessThan": "2.6.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.296",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.240",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.146",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.296",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.240",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.189",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.146",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.99",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.39",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.7",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "2.6.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: Abort __tc_modify_qdisc if parent class does not exist\n\nLion\u0027s patch [1] revealed an ancient bug in the qdisc API.\nWhenever a user creates/modifies a qdisc specifying as a parent another\nqdisc, the qdisc API will, during grafting, detect that the user is\nnot trying to attach to a class and reject. However grafting is\nperformed after qdisc_create (and thus the qdiscs\u0027 init callback) is\nexecuted. In qdiscs that eventually call qdisc_tree_reduce_backlog\nduring init or change (such as fq, hhf, choke, etc), an issue\narises. For example, executing the following commands:\n\nsudo tc qdisc add dev lo root handle a: htb default 2\nsudo tc qdisc add dev lo parent a: handle beef fq\n\nQdiscs such as fq, hhf, choke, etc unconditionally invoke\nqdisc_tree_reduce_backlog() in their control path init() or change() which\nthen causes a failure to find the child class; however, that does not stop\nthe unconditional invocation of the assumed child qdisc\u0027s qlen_notify with\na null class. All these qdiscs make the assumption that class is non-null.\n\nThe solution is ensure that qdisc_leaf() which looks up the parent\nclass, and is invoked prior to qdisc_create(), should return failure on\nnot finding the class.\nIn this patch, we leverage qdisc_leaf to return ERR_PTRs whenever the\nparentid doesn\u0027t correspond to a class, so that we can detect it\nearlier on and abort before qdisc_create is called.\n\n[1] https://lore.kernel.org/netdev/d912cbd7-193b-4269-9857-525bee8bbb6a@gmail.com/"
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T04:22:51.557Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/923a276c74e25073ae391e930792ac86a9f77f1e"
},
{
"url": "https://git.kernel.org/stable/c/90436e72c9622c2f70389070088325a3232d339f"
},
{
"url": "https://git.kernel.org/stable/c/25452638f133ac19d75af3f928327d8016952c8e"
},
{
"url": "https://git.kernel.org/stable/c/23c165dde88eac405eebb59051ea1fe139a45803"
},
{
"url": "https://git.kernel.org/stable/c/4c691d1b6b6dbd73f30ed9ee7da05f037b0c49af"
},
{
"url": "https://git.kernel.org/stable/c/8ecd651ef24ab50123692a4e3e25db93cb11602a"
},
{
"url": "https://git.kernel.org/stable/c/e28a383d6485c3bb51dc5953552f76c4dea33eea"
},
{
"url": "https://git.kernel.org/stable/c/ffdde7bf5a439aaa1955ebd581f5c64ab1533963"
}
],
"title": "net/sched: Abort __tc_modify_qdisc if parent class does not exist",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38457",
"datePublished": "2025-07-25T15:27:36.226Z",
"dateReserved": "2025-04-16T04:51:24.019Z",
"dateUpdated": "2025-07-28T04:22:51.557Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-22022 (GCVE-0-2025-22022)
Vulnerability from cvelistv5
Published
2025-04-16 10:23
Modified
2025-05-26 05:16
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: xhci: Apply the link chain quirk on NEC isoc endpoints
Two clearly different specimens of NEC uPD720200 (one with start/stop
bug, one without) were seen to cause IOMMU faults after some Missed
Service Errors. Faulting address is immediately after a transfer ring
segment and patched dynamic debug messages revealed that the MSE was
received when waiting for a TD near the end of that segment:
[ 1.041954] xhci_hcd: Miss service interval error for slot 1 ep 2 expected TD DMA ffa08fe0
[ 1.042120] xhci_hcd: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x0005 address=0xffa09000 flags=0x0000]
[ 1.042146] xhci_hcd: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x0005 address=0xffa09040 flags=0x0000]
It gets even funnier if the next page is a ring segment accessible to
the HC. Below, it reports MSE in segment at ff1e8000, plows through a
zero-filled page at ff1e9000 and starts reporting events for TRBs in
page at ff1ea000 every microframe, instead of jumping to seg ff1e6000.
[ 7.041671] xhci_hcd: Miss service interval error for slot 1 ep 2 expected TD DMA ff1e8fe0
[ 7.041999] xhci_hcd: Miss service interval error for slot 1 ep 2 expected TD DMA ff1e8fe0
[ 7.042011] xhci_hcd: WARN: buffer overrun event for slot 1 ep 2 on endpoint
[ 7.042028] xhci_hcd: All TDs skipped for slot 1 ep 2. Clear skip flag.
[ 7.042134] xhci_hcd: WARN: buffer overrun event for slot 1 ep 2 on endpoint
[ 7.042138] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 31
[ 7.042144] xhci_hcd: Looking for event-dma 00000000ff1ea040 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820
[ 7.042259] xhci_hcd: WARN: buffer overrun event for slot 1 ep 2 on endpoint
[ 7.042262] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 31
[ 7.042266] xhci_hcd: Looking for event-dma 00000000ff1ea050 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820
At some point completion events change from Isoch Buffer Overrun to
Short Packet and the HC finally finds cycle bit mismatch in ff1ec000.
[ 7.098130] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 13
[ 7.098132] xhci_hcd: Looking for event-dma 00000000ff1ecc50 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820
[ 7.098254] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 13
[ 7.098256] xhci_hcd: Looking for event-dma 00000000ff1ecc60 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820
[ 7.098379] xhci_hcd: Overrun event on slot 1 ep 2
It's possible that data from the isochronous device were written to
random buffers of pending TDs on other endpoints (either IN or OUT),
other devices or even other HCs in the same IOMMU domain.
Lastly, an error from a different USB device on another HC. Was it
caused by the above? I don't know, but it may have been. The disk
was working without any other issues and generated PCIe traffic to
starve the NEC of upstream BW and trigger those MSEs. The two HCs
shared one x1 slot by means of a commercial "PCIe splitter" board.
[ 7.162604] usb 10-2: reset SuperSpeed USB device number 3 using xhci_hcd
[ 7.178990] sd 9:0:0:0: [sdb] tag#0 UNKNOWN(0x2003) Result: hostbyte=0x07 driverbyte=DRIVER_OK cmd_age=0s
[ 7.179001] sd 9:0:0:0: [sdb] tag#0 CDB: opcode=0x28 28 00 04 02 ae 00 00 02 00 00
[ 7.179004] I/O error, dev sdb, sector 67284480 op 0x0:(READ) flags 0x80700 phys_seg 5 prio class 0
Fortunately, it appears that this ridiculous bug is avoided by setting
the chain bit of Link TRBs on isochronous rings. Other ancient HCs are
known which also expect the bit to be set and they ignore Link TRBs if
it's not. Reportedly, 0.95 spec guaranteed that the bit is set.
The bandwidth-starved NEC HC running a 32KB/uframe UVC endpoint reports
tens of MSEs per second and runs into the bug within seconds. Chaining
Link TRBs allows the same workload to run for many minutes, many times.
No ne
---truncated---
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/host/xhci.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a4931d9fb99eb5462f3eaa231999d279c40afb21",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "43a18225150ce874d23b37761c302a5dffee1595",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "061a1683bae6ef56ab8fa392725ba7495515cd1d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "bb0ba4cb1065e87f9cc75db1fa454e56d0894d01",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/host/xhci.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: xhci: Apply the link chain quirk on NEC isoc endpoints\n\nTwo clearly different specimens of NEC uPD720200 (one with start/stop\nbug, one without) were seen to cause IOMMU faults after some Missed\nService Errors. Faulting address is immediately after a transfer ring\nsegment and patched dynamic debug messages revealed that the MSE was\nreceived when waiting for a TD near the end of that segment:\n\n[ 1.041954] xhci_hcd: Miss service interval error for slot 1 ep 2 expected TD DMA ffa08fe0\n[ 1.042120] xhci_hcd: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x0005 address=0xffa09000 flags=0x0000]\n[ 1.042146] xhci_hcd: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x0005 address=0xffa09040 flags=0x0000]\n\nIt gets even funnier if the next page is a ring segment accessible to\nthe HC. Below, it reports MSE in segment at ff1e8000, plows through a\nzero-filled page at ff1e9000 and starts reporting events for TRBs in\npage at ff1ea000 every microframe, instead of jumping to seg ff1e6000.\n\n[ 7.041671] xhci_hcd: Miss service interval error for slot 1 ep 2 expected TD DMA ff1e8fe0\n[ 7.041999] xhci_hcd: Miss service interval error for slot 1 ep 2 expected TD DMA ff1e8fe0\n[ 7.042011] xhci_hcd: WARN: buffer overrun event for slot 1 ep 2 on endpoint\n[ 7.042028] xhci_hcd: All TDs skipped for slot 1 ep 2. Clear skip flag.\n[ 7.042134] xhci_hcd: WARN: buffer overrun event for slot 1 ep 2 on endpoint\n[ 7.042138] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 31\n[ 7.042144] xhci_hcd: Looking for event-dma 00000000ff1ea040 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820\n[ 7.042259] xhci_hcd: WARN: buffer overrun event for slot 1 ep 2 on endpoint\n[ 7.042262] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 31\n[ 7.042266] xhci_hcd: Looking for event-dma 00000000ff1ea050 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820\n\nAt some point completion events change from Isoch Buffer Overrun to\nShort Packet and the HC finally finds cycle bit mismatch in ff1ec000.\n\n[ 7.098130] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 13\n[ 7.098132] xhci_hcd: Looking for event-dma 00000000ff1ecc50 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820\n[ 7.098254] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 13\n[ 7.098256] xhci_hcd: Looking for event-dma 00000000ff1ecc60 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820\n[ 7.098379] xhci_hcd: Overrun event on slot 1 ep 2\n\nIt\u0027s possible that data from the isochronous device were written to\nrandom buffers of pending TDs on other endpoints (either IN or OUT),\nother devices or even other HCs in the same IOMMU domain.\n\nLastly, an error from a different USB device on another HC. Was it\ncaused by the above? I don\u0027t know, but it may have been. The disk\nwas working without any other issues and generated PCIe traffic to\nstarve the NEC of upstream BW and trigger those MSEs. The two HCs\nshared one x1 slot by means of a commercial \"PCIe splitter\" board.\n\n[ 7.162604] usb 10-2: reset SuperSpeed USB device number 3 using xhci_hcd\n[ 7.178990] sd 9:0:0:0: [sdb] tag#0 UNKNOWN(0x2003) Result: hostbyte=0x07 driverbyte=DRIVER_OK cmd_age=0s\n[ 7.179001] sd 9:0:0:0: [sdb] tag#0 CDB: opcode=0x28 28 00 04 02 ae 00 00 02 00 00\n[ 7.179004] I/O error, dev sdb, sector 67284480 op 0x0:(READ) flags 0x80700 phys_seg 5 prio class 0\n\nFortunately, it appears that this ridiculous bug is avoided by setting\nthe chain bit of Link TRBs on isochronous rings. Other ancient HCs are\nknown which also expect the bit to be set and they ignore Link TRBs if\nit\u0027s not. Reportedly, 0.95 spec guaranteed that the bit is set.\n\nThe bandwidth-starved NEC HC running a 32KB/uframe UVC endpoint reports\ntens of MSEs per second and runs into the bug within seconds. Chaining\nLink TRBs allows the same workload to run for many minutes, many times.\n\nNo ne\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-26T05:16:48.388Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a4931d9fb99eb5462f3eaa231999d279c40afb21"
},
{
"url": "https://git.kernel.org/stable/c/43a18225150ce874d23b37761c302a5dffee1595"
},
{
"url": "https://git.kernel.org/stable/c/061a1683bae6ef56ab8fa392725ba7495515cd1d"
},
{
"url": "https://git.kernel.org/stable/c/bb0ba4cb1065e87f9cc75db1fa454e56d0894d01"
}
],
"title": "usb: xhci: Apply the link chain quirk on NEC isoc endpoints",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-22022",
"datePublished": "2025-04-16T10:23:27.423Z",
"dateReserved": "2024-12-29T08:45:45.807Z",
"dateUpdated": "2025-05-26T05:16:48.388Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38460 (GCVE-0-2025-38460)
Vulnerability from cvelistv5
Published
2025-07-25 15:27
Modified
2025-07-28 04:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
atm: clip: Fix potential null-ptr-deref in to_atmarpd().
atmarpd is protected by RTNL since commit f3a0592b37b8 ("[ATM]: clip
causes unregister hang").
However, it is not enough because to_atmarpd() is called without RTNL,
especially clip_neigh_solicit() / neigh_ops->solicit() is unsleepable.
Also, there is no RTNL dependency around atmarpd.
Let's use a private mutex and RCU to protect access to atmarpd in
to_atmarpd().
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/atm/clip.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a4c5785feb979cd996a99cfaad8bf353b2e79301",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "70eac9ba7ce25d99c1d99bbf4ddb058940f631f9",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3251ce3979f41bd228f77a7615f9dd616d06a110",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ee4d9e4ddf3f9c4ee2ec0a3aad6196ee36d30e57",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "06935c50cfa3ac57cce80bba67b6d38ec1406e92",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "36caab990b69ef4eec1d81c52a19f080b7daa059",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f58e4270c73e7f086322978d585ea67c8076ce49",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "706cc36477139c1616a9b2b96610a8bb520b7119",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/atm/clip.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.296",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.240",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.146",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.296",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.240",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.189",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.146",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.99",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.39",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.7",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\natm: clip: Fix potential null-ptr-deref in to_atmarpd().\n\natmarpd is protected by RTNL since commit f3a0592b37b8 (\"[ATM]: clip\ncauses unregister hang\").\n\nHowever, it is not enough because to_atmarpd() is called without RTNL,\nespecially clip_neigh_solicit() / neigh_ops-\u003esolicit() is unsleepable.\n\nAlso, there is no RTNL dependency around atmarpd.\n\nLet\u0027s use a private mutex and RCU to protect access to atmarpd in\nto_atmarpd()."
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T04:23:06.309Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a4c5785feb979cd996a99cfaad8bf353b2e79301"
},
{
"url": "https://git.kernel.org/stable/c/70eac9ba7ce25d99c1d99bbf4ddb058940f631f9"
},
{
"url": "https://git.kernel.org/stable/c/3251ce3979f41bd228f77a7615f9dd616d06a110"
},
{
"url": "https://git.kernel.org/stable/c/ee4d9e4ddf3f9c4ee2ec0a3aad6196ee36d30e57"
},
{
"url": "https://git.kernel.org/stable/c/06935c50cfa3ac57cce80bba67b6d38ec1406e92"
},
{
"url": "https://git.kernel.org/stable/c/36caab990b69ef4eec1d81c52a19f080b7daa059"
},
{
"url": "https://git.kernel.org/stable/c/f58e4270c73e7f086322978d585ea67c8076ce49"
},
{
"url": "https://git.kernel.org/stable/c/706cc36477139c1616a9b2b96610a8bb520b7119"
}
],
"title": "atm: clip: Fix potential null-ptr-deref in to_atmarpd().",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38460",
"datePublished": "2025-07-25T15:27:38.608Z",
"dateReserved": "2025-04-16T04:51:24.019Z",
"dateUpdated": "2025-07-28T04:23:06.309Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50007 (GCVE-0-2022-50007)
Vulnerability from cvelistv5
Published
2025-06-18 11:01
Modified
2025-06-18 11:01
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
xfrm: fix refcount leak in __xfrm_policy_check()
The issue happens on an error path in __xfrm_policy_check(). When the
fetching process of the object `pols[1]` fails, the function simply
returns 0, forgetting to decrement the reference count of `pols[0]`,
which is incremented earlier by either xfrm_sk_policy_lookup() or
xfrm_policy_lookup(). This may result in memory leaks.
Fix it by decreasing the reference count of `pols[0]` in that path.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 134b0fc544ba062498451611cb6f3e4454221b3d Version: 134b0fc544ba062498451611cb6f3e4454221b3d Version: 134b0fc544ba062498451611cb6f3e4454221b3d Version: 134b0fc544ba062498451611cb6f3e4454221b3d Version: 134b0fc544ba062498451611cb6f3e4454221b3d Version: 134b0fc544ba062498451611cb6f3e4454221b3d Version: 134b0fc544ba062498451611cb6f3e4454221b3d Version: 134b0fc544ba062498451611cb6f3e4454221b3d |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/xfrm/xfrm_policy.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "18e6b6e2555c93f5ca09f2b85ef1fa025c8accea",
"status": "affected",
"version": "134b0fc544ba062498451611cb6f3e4454221b3d",
"versionType": "git"
},
{
"lessThan": "8f94b933103ee1bda119543369cc18a1be5536db",
"status": "affected",
"version": "134b0fc544ba062498451611cb6f3e4454221b3d",
"versionType": "git"
},
{
"lessThan": "0769491a8acd3e85ca4c3f65080eac2c824262df",
"status": "affected",
"version": "134b0fc544ba062498451611cb6f3e4454221b3d",
"versionType": "git"
},
{
"lessThan": "63da7a2bbf3f28094920e0b8a17d2571a9bd842d",
"status": "affected",
"version": "134b0fc544ba062498451611cb6f3e4454221b3d",
"versionType": "git"
},
{
"lessThan": "1305d7d4f35ca6f214a2d23b075aa6a924cff3be",
"status": "affected",
"version": "134b0fc544ba062498451611cb6f3e4454221b3d",
"versionType": "git"
},
{
"lessThan": "26ad2398fe4984f4f6f930bcb3bc9047fa77265b",
"status": "affected",
"version": "134b0fc544ba062498451611cb6f3e4454221b3d",
"versionType": "git"
},
{
"lessThan": "d66c052879791313f90c0584420f196a038fb8b8",
"status": "affected",
"version": "134b0fc544ba062498451611cb6f3e4454221b3d",
"versionType": "git"
},
{
"lessThan": "9c9cb23e00ddf45679b21b4dacc11d1ae7961ebe",
"status": "affected",
"version": "134b0fc544ba062498451611cb6f3e4454221b3d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/xfrm/xfrm_policy.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.19"
},
{
"lessThan": "2.6.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.327",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.292",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.257",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.212",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.327",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.292",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.257",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.212",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.140",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.64",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.6",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0",
"versionStartIncluding": "2.6.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: fix refcount leak in __xfrm_policy_check()\n\nThe issue happens on an error path in __xfrm_policy_check(). When the\nfetching process of the object `pols[1]` fails, the function simply\nreturns 0, forgetting to decrement the reference count of `pols[0]`,\nwhich is incremented earlier by either xfrm_sk_policy_lookup() or\nxfrm_policy_lookup(). This may result in memory leaks.\n\nFix it by decreasing the reference count of `pols[0]` in that path."
}
],
"providerMetadata": {
"dateUpdated": "2025-06-18T11:01:12.447Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/18e6b6e2555c93f5ca09f2b85ef1fa025c8accea"
},
{
"url": "https://git.kernel.org/stable/c/8f94b933103ee1bda119543369cc18a1be5536db"
},
{
"url": "https://git.kernel.org/stable/c/0769491a8acd3e85ca4c3f65080eac2c824262df"
},
{
"url": "https://git.kernel.org/stable/c/63da7a2bbf3f28094920e0b8a17d2571a9bd842d"
},
{
"url": "https://git.kernel.org/stable/c/1305d7d4f35ca6f214a2d23b075aa6a924cff3be"
},
{
"url": "https://git.kernel.org/stable/c/26ad2398fe4984f4f6f930bcb3bc9047fa77265b"
},
{
"url": "https://git.kernel.org/stable/c/d66c052879791313f90c0584420f196a038fb8b8"
},
{
"url": "https://git.kernel.org/stable/c/9c9cb23e00ddf45679b21b4dacc11d1ae7961ebe"
}
],
"title": "xfrm: fix refcount leak in __xfrm_policy_check()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50007",
"datePublished": "2025-06-18T11:01:12.447Z",
"dateReserved": "2025-06-18T10:57:27.388Z",
"dateUpdated": "2025-06-18T11:01:12.447Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38122 (GCVE-0-2025-38122)
Vulnerability from cvelistv5
Published
2025-07-03 08:35
Modified
2025-07-28 04:12
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
gve: add missing NULL check for gve_alloc_pending_packet() in TX DQO
gve_alloc_pending_packet() can return NULL, but gve_tx_add_skb_dqo()
did not check for this case before dereferencing the returned pointer.
Add a missing NULL check to prevent a potential NULL pointer
dereference when allocation fails.
This improves robustness in low-memory scenarios.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: a57e5de476be0b4b7f42beb6a21c19ad9c577aa3 Version: a57e5de476be0b4b7f42beb6a21c19ad9c577aa3 Version: a57e5de476be0b4b7f42beb6a21c19ad9c577aa3 Version: a57e5de476be0b4b7f42beb6a21c19ad9c577aa3 Version: a57e5de476be0b4b7f42beb6a21c19ad9c577aa3 Version: a57e5de476be0b4b7f42beb6a21c19ad9c577aa3 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/google/gve/gve_tx_dqo.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ae98a1787fdcb0096d122bc80d93c3c7d812c04b",
"status": "affected",
"version": "a57e5de476be0b4b7f42beb6a21c19ad9c577aa3",
"versionType": "git"
},
{
"lessThan": "2e5ead9e4e91fbe7799bd38afd8904543be1cb51",
"status": "affected",
"version": "a57e5de476be0b4b7f42beb6a21c19ad9c577aa3",
"versionType": "git"
},
{
"lessThan": "7f6265fce3bd424ded666481b37f106d7915fb6b",
"status": "affected",
"version": "a57e5de476be0b4b7f42beb6a21c19ad9c577aa3",
"versionType": "git"
},
{
"lessThan": "a0319c9b1648a67511e947a596ca86888451c0a7",
"status": "affected",
"version": "a57e5de476be0b4b7f42beb6a21c19ad9c577aa3",
"versionType": "git"
},
{
"lessThan": "c741a7ef68023ac800054e2131c3e22e647fd7e3",
"status": "affected",
"version": "a57e5de476be0b4b7f42beb6a21c19ad9c577aa3",
"versionType": "git"
},
{
"lessThan": "12c331b29c7397ac3b03584e12902990693bc248",
"status": "affected",
"version": "a57e5de476be0b4b7f42beb6a21c19ad9c577aa3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/google/gve/gve_tx_dqo.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.186",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.186",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.142",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.94",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.34",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.3",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngve: add missing NULL check for gve_alloc_pending_packet() in TX DQO\n\ngve_alloc_pending_packet() can return NULL, but gve_tx_add_skb_dqo()\ndid not check for this case before dereferencing the returned pointer.\n\nAdd a missing NULL check to prevent a potential NULL pointer\ndereference when allocation fails.\n\nThis improves robustness in low-memory scenarios."
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T04:12:42.700Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ae98a1787fdcb0096d122bc80d93c3c7d812c04b"
},
{
"url": "https://git.kernel.org/stable/c/2e5ead9e4e91fbe7799bd38afd8904543be1cb51"
},
{
"url": "https://git.kernel.org/stable/c/7f6265fce3bd424ded666481b37f106d7915fb6b"
},
{
"url": "https://git.kernel.org/stable/c/a0319c9b1648a67511e947a596ca86888451c0a7"
},
{
"url": "https://git.kernel.org/stable/c/c741a7ef68023ac800054e2131c3e22e647fd7e3"
},
{
"url": "https://git.kernel.org/stable/c/12c331b29c7397ac3b03584e12902990693bc248"
}
],
"title": "gve: add missing NULL check for gve_alloc_pending_packet() in TX DQO",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38122",
"datePublished": "2025-07-03T08:35:28.582Z",
"dateReserved": "2025-04-16T04:51:23.986Z",
"dateUpdated": "2025-07-28T04:12:42.700Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49053 (GCVE-0-2022-49053)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-05-21 08:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: target: tcmu: Fix possible page UAF
tcmu_try_get_data_page() looks up pages under cmdr_lock, but it does not
take refcount properly and just returns page pointer. When
tcmu_try_get_data_page() returns, the returned page may have been freed by
tcmu_blocks_release().
We need to get_page() under cmdr_lock to avoid concurrent
tcmu_blocks_release().
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 141685a39151aea95eb56562d2953e919c6c73da Version: 141685a39151aea95eb56562d2953e919c6c73da Version: 141685a39151aea95eb56562d2953e919c6c73da Version: 141685a39151aea95eb56562d2953e919c6c73da Version: 141685a39151aea95eb56562d2953e919c6c73da Version: 141685a39151aea95eb56562d2953e919c6c73da Version: 141685a39151aea95eb56562d2953e919c6c73da |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49053",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T17:59:25.641949Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:02:30.241Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/target/target_core_user.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d7c5d79e50be6e06b669141e3db1f977a0dd4e8e",
"status": "affected",
"version": "141685a39151aea95eb56562d2953e919c6c73da",
"versionType": "git"
},
{
"lessThan": "e3e0e067d5b34e4a68e3cc55f8eebc413f56f8ed",
"status": "affected",
"version": "141685a39151aea95eb56562d2953e919c6c73da",
"versionType": "git"
},
{
"lessThan": "fb7a5115422fbd6a4d505e8844f1ef5529f10489",
"status": "affected",
"version": "141685a39151aea95eb56562d2953e919c6c73da",
"versionType": "git"
},
{
"lessThan": "aec36b98a1bbaa84bfd8299a306e4c12314af626",
"status": "affected",
"version": "141685a39151aea95eb56562d2953e919c6c73da",
"versionType": "git"
},
{
"lessThan": "b7f3b5d70c834f49f7d87a2f2ed1c6284d9a0322",
"status": "affected",
"version": "141685a39151aea95eb56562d2953e919c6c73da",
"versionType": "git"
},
{
"lessThan": "a9564d84ed9f6ee71017d062d0d2182154294a4b",
"status": "affected",
"version": "141685a39151aea95eb56562d2953e919c6c73da",
"versionType": "git"
},
{
"lessThan": "a6968f7a367f128d120447360734344d5a3d5336",
"status": "affected",
"version": "141685a39151aea95eb56562d2953e919c6c73da",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/target/target_core_user.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.239",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.35",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.276",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.239",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.190",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.112",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.35",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.4",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: tcmu: Fix possible page UAF\n\ntcmu_try_get_data_page() looks up pages under cmdr_lock, but it does not\ntake refcount properly and just returns page pointer. When\ntcmu_try_get_data_page() returns, the returned page may have been freed by\ntcmu_blocks_release().\n\nWe need to get_page() under cmdr_lock to avoid concurrent\ntcmu_blocks_release()."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-21T08:44:03.988Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d7c5d79e50be6e06b669141e3db1f977a0dd4e8e"
},
{
"url": "https://git.kernel.org/stable/c/e3e0e067d5b34e4a68e3cc55f8eebc413f56f8ed"
},
{
"url": "https://git.kernel.org/stable/c/fb7a5115422fbd6a4d505e8844f1ef5529f10489"
},
{
"url": "https://git.kernel.org/stable/c/aec36b98a1bbaa84bfd8299a306e4c12314af626"
},
{
"url": "https://git.kernel.org/stable/c/b7f3b5d70c834f49f7d87a2f2ed1c6284d9a0322"
},
{
"url": "https://git.kernel.org/stable/c/a9564d84ed9f6ee71017d062d0d2182154294a4b"
},
{
"url": "https://git.kernel.org/stable/c/a6968f7a367f128d120447360734344d5a3d5336"
}
],
"title": "scsi: target: tcmu: Fix possible page UAF",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49053",
"datePublished": "2025-02-26T01:54:26.806Z",
"dateReserved": "2025-02-26T01:49:39.242Z",
"dateUpdated": "2025-05-21T08:44:03.988Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38245 (GCVE-0-2025-38245)
Vulnerability from cvelistv5
Published
2025-07-09 10:42
Modified
2025-07-28 04:16
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
atm: Release atm_dev_mutex after removing procfs in atm_dev_deregister().
syzbot reported a warning below during atm_dev_register(). [0]
Before creating a new device and procfs/sysfs for it, atm_dev_register()
looks up a duplicated device by __atm_dev_lookup(). These operations are
done under atm_dev_mutex.
However, when removing a device in atm_dev_deregister(), it releases the
mutex just after removing the device from the list that __atm_dev_lookup()
iterates over.
So, there will be a small race window where the device does not exist on
the device list but procfs/sysfs are still not removed, triggering the
splat.
Let's hold the mutex until procfs/sysfs are removed in
atm_dev_deregister().
[0]:
proc_dir_entry 'atm/atmtcp:0' already registered
WARNING: CPU: 0 PID: 5919 at fs/proc/generic.c:377 proc_register+0x455/0x5f0 fs/proc/generic.c:377
Modules linked in:
CPU: 0 UID: 0 PID: 5919 Comm: syz-executor284 Not tainted 6.16.0-rc2-syzkaller-00047-g52da431bf03b #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
RIP: 0010:proc_register+0x455/0x5f0 fs/proc/generic.c:377
Code: 48 89 f9 48 c1 e9 03 80 3c 01 00 0f 85 a2 01 00 00 48 8b 44 24 10 48 c7 c7 20 c0 c2 8b 48 8b b0 d8 00 00 00 e8 0c 02 1c ff 90 <0f> 0b 90 90 48 c7 c7 80 f2 82 8e e8 0b de 23 09 48 8b 4c 24 28 48
RSP: 0018:ffffc9000466fa30 EFLAGS: 00010282
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff817ae248
RDX: ffff888026280000 RSI: ffffffff817ae255 RDI: 0000000000000001
RBP: ffff8880232bed48 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: ffff888076ed2140
R13: dffffc0000000000 R14: ffff888078a61340 R15: ffffed100edda444
FS: 00007f38b3b0c6c0(0000) GS:ffff888124753000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f38b3bdf953 CR3: 0000000076d58000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
proc_create_data+0xbe/0x110 fs/proc/generic.c:585
atm_proc_dev_register+0x112/0x1e0 net/atm/proc.c:361
atm_dev_register+0x46d/0x890 net/atm/resources.c:113
atmtcp_create+0x77/0x210 drivers/atm/atmtcp.c:369
atmtcp_attach drivers/atm/atmtcp.c:403 [inline]
atmtcp_ioctl+0x2f9/0xd60 drivers/atm/atmtcp.c:464
do_vcc_ioctl+0x12c/0x930 net/atm/ioctl.c:159
sock_do_ioctl+0x115/0x280 net/socket.c:1190
sock_ioctl+0x227/0x6b0 net/socket.c:1311
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl fs/ioctl.c:893 [inline]
__x64_sys_ioctl+0x18b/0x210 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f38b3b74459
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f38b3b0c198 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f38b3bfe318 RCX: 00007f38b3b74459
RDX: 0000000000000000 RSI: 0000000000006180 RDI: 0000000000000005
RBP: 00007f38b3bfe310 R08: 65732f636f72702f R09: 65732f636f72702f
R10: 65732f636f72702f R11: 0000000000000246 R12: 00007f38b3bcb0ac
R13: 00007f38b3b0c1a0 R14: 0000200000000200 R15: 00007f38b3bcb03b
</TASK>
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 64bf69ddff7637b7ed7acf9b2a823cc0ee519439 Version: 64bf69ddff7637b7ed7acf9b2a823cc0ee519439 Version: 64bf69ddff7637b7ed7acf9b2a823cc0ee519439 Version: 64bf69ddff7637b7ed7acf9b2a823cc0ee519439 Version: 64bf69ddff7637b7ed7acf9b2a823cc0ee519439 Version: 64bf69ddff7637b7ed7acf9b2a823cc0ee519439 Version: 64bf69ddff7637b7ed7acf9b2a823cc0ee519439 Version: 64bf69ddff7637b7ed7acf9b2a823cc0ee519439 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/atm/resources.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2a8dcee649d12f69713f2589171a1caf6d4fa439",
"status": "affected",
"version": "64bf69ddff7637b7ed7acf9b2a823cc0ee519439",
"versionType": "git"
},
{
"lessThan": "4bb1bb438134d9ee6b97cc07289dd7c569092eec",
"status": "affected",
"version": "64bf69ddff7637b7ed7acf9b2a823cc0ee519439",
"versionType": "git"
},
{
"lessThan": "26248d5d68c865b888d632162abbf8130645622c",
"status": "affected",
"version": "64bf69ddff7637b7ed7acf9b2a823cc0ee519439",
"versionType": "git"
},
{
"lessThan": "b2e40fcfe1575faaa548f87614006d3fe44c779e",
"status": "affected",
"version": "64bf69ddff7637b7ed7acf9b2a823cc0ee519439",
"versionType": "git"
},
{
"lessThan": "cabed6ba92a9a8c09da02a3f20e32ecd80989896",
"status": "affected",
"version": "64bf69ddff7637b7ed7acf9b2a823cc0ee519439",
"versionType": "git"
},
{
"lessThan": "ae539d963a17443ec54cba8a767e4ffa318264f4",
"status": "affected",
"version": "64bf69ddff7637b7ed7acf9b2a823cc0ee519439",
"versionType": "git"
},
{
"lessThan": "6922f1a048c090f10704bbef4a3a1e81932d2e0a",
"status": "affected",
"version": "64bf69ddff7637b7ed7acf9b2a823cc0ee519439",
"versionType": "git"
},
{
"lessThan": "a433791aeaea6e84df709e0b9584b9bbe040cd1c",
"status": "affected",
"version": "64bf69ddff7637b7ed7acf9b2a823cc0ee519439",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/atm/resources.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.15"
},
{
"lessThan": "2.6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.296",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.240",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.187",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.96",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.296",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.240",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.187",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.143",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.96",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.36",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.5",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "2.6.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\natm: Release atm_dev_mutex after removing procfs in atm_dev_deregister().\n\nsyzbot reported a warning below during atm_dev_register(). [0]\n\nBefore creating a new device and procfs/sysfs for it, atm_dev_register()\nlooks up a duplicated device by __atm_dev_lookup(). These operations are\ndone under atm_dev_mutex.\n\nHowever, when removing a device in atm_dev_deregister(), it releases the\nmutex just after removing the device from the list that __atm_dev_lookup()\niterates over.\n\nSo, there will be a small race window where the device does not exist on\nthe device list but procfs/sysfs are still not removed, triggering the\nsplat.\n\nLet\u0027s hold the mutex until procfs/sysfs are removed in\natm_dev_deregister().\n\n[0]:\nproc_dir_entry \u0027atm/atmtcp:0\u0027 already registered\nWARNING: CPU: 0 PID: 5919 at fs/proc/generic.c:377 proc_register+0x455/0x5f0 fs/proc/generic.c:377\nModules linked in:\nCPU: 0 UID: 0 PID: 5919 Comm: syz-executor284 Not tainted 6.16.0-rc2-syzkaller-00047-g52da431bf03b #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025\nRIP: 0010:proc_register+0x455/0x5f0 fs/proc/generic.c:377\nCode: 48 89 f9 48 c1 e9 03 80 3c 01 00 0f 85 a2 01 00 00 48 8b 44 24 10 48 c7 c7 20 c0 c2 8b 48 8b b0 d8 00 00 00 e8 0c 02 1c ff 90 \u003c0f\u003e 0b 90 90 48 c7 c7 80 f2 82 8e e8 0b de 23 09 48 8b 4c 24 28 48\nRSP: 0018:ffffc9000466fa30 EFLAGS: 00010282\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff817ae248\nRDX: ffff888026280000 RSI: ffffffff817ae255 RDI: 0000000000000001\nRBP: ffff8880232bed48 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000001 R12: ffff888076ed2140\nR13: dffffc0000000000 R14: ffff888078a61340 R15: ffffed100edda444\nFS: 00007f38b3b0c6c0(0000) GS:ffff888124753000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f38b3bdf953 CR3: 0000000076d58000 CR4: 00000000003526f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n proc_create_data+0xbe/0x110 fs/proc/generic.c:585\n atm_proc_dev_register+0x112/0x1e0 net/atm/proc.c:361\n atm_dev_register+0x46d/0x890 net/atm/resources.c:113\n atmtcp_create+0x77/0x210 drivers/atm/atmtcp.c:369\n atmtcp_attach drivers/atm/atmtcp.c:403 [inline]\n atmtcp_ioctl+0x2f9/0xd60 drivers/atm/atmtcp.c:464\n do_vcc_ioctl+0x12c/0x930 net/atm/ioctl.c:159\n sock_do_ioctl+0x115/0x280 net/socket.c:1190\n sock_ioctl+0x227/0x6b0 net/socket.c:1311\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:907 [inline]\n __se_sys_ioctl fs/ioctl.c:893 [inline]\n __x64_sys_ioctl+0x18b/0x210 fs/ioctl.c:893\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f38b3b74459\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f38b3b0c198 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 00007f38b3bfe318 RCX: 00007f38b3b74459\nRDX: 0000000000000000 RSI: 0000000000006180 RDI: 0000000000000005\nRBP: 00007f38b3bfe310 R08: 65732f636f72702f R09: 65732f636f72702f\nR10: 65732f636f72702f R11: 0000000000000246 R12: 00007f38b3bcb0ac\nR13: 00007f38b3b0c1a0 R14: 0000200000000200 R15: 00007f38b3bcb03b\n \u003c/TASK\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T04:16:04.621Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2a8dcee649d12f69713f2589171a1caf6d4fa439"
},
{
"url": "https://git.kernel.org/stable/c/4bb1bb438134d9ee6b97cc07289dd7c569092eec"
},
{
"url": "https://git.kernel.org/stable/c/26248d5d68c865b888d632162abbf8130645622c"
},
{
"url": "https://git.kernel.org/stable/c/b2e40fcfe1575faaa548f87614006d3fe44c779e"
},
{
"url": "https://git.kernel.org/stable/c/cabed6ba92a9a8c09da02a3f20e32ecd80989896"
},
{
"url": "https://git.kernel.org/stable/c/ae539d963a17443ec54cba8a767e4ffa318264f4"
},
{
"url": "https://git.kernel.org/stable/c/6922f1a048c090f10704bbef4a3a1e81932d2e0a"
},
{
"url": "https://git.kernel.org/stable/c/a433791aeaea6e84df709e0b9584b9bbe040cd1c"
}
],
"title": "atm: Release atm_dev_mutex after removing procfs in atm_dev_deregister().",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38245",
"datePublished": "2025-07-09T10:42:27.263Z",
"dateReserved": "2025-04-16T04:51:23.997Z",
"dateUpdated": "2025-07-28T04:16:04.621Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21999 (GCVE-0-2025-21999)
Vulnerability from cvelistv5
Published
2025-04-03 07:19
Modified
2025-06-19 12:56
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
proc: fix UAF in proc_get_inode()
Fix race between rmmod and /proc/XXX's inode instantiation.
The bug is that pde->proc_ops don't belong to /proc, it belongs to a
module, therefore dereferencing it after /proc entry has been registered
is a bug unless use_pde/unuse_pde() pair has been used.
use_pde/unuse_pde can be avoided (2 atomic ops!) because pde->proc_ops
never changes so information necessary for inode instantiation can be
saved _before_ proc_register() in PDE itself and used later, avoiding
pde->proc_ops->... dereference.
rmmod lookup
sys_delete_module
proc_lookup_de
pde_get(de);
proc_get_inode(dir->i_sb, de);
mod->exit()
proc_remove
remove_proc_subtree
proc_entry_rundown(de);
free_module(mod);
if (S_ISREG(inode->i_mode))
if (de->proc_ops->proc_read_iter)
--> As module is already freed, will trigger UAF
BUG: unable to handle page fault for address: fffffbfff80a702b
PGD 817fc4067 P4D 817fc4067 PUD 817fc0067 PMD 102ef4067 PTE 0
Oops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 26 UID: 0 PID: 2667 Comm: ls Tainted: G
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
RIP: 0010:proc_get_inode+0x302/0x6e0
RSP: 0018:ffff88811c837998 EFLAGS: 00010a06
RAX: dffffc0000000000 RBX: ffffffffc0538140 RCX: 0000000000000007
RDX: 1ffffffff80a702b RSI: 0000000000000001 RDI: ffffffffc0538158
RBP: ffff8881299a6000 R08: 0000000067bbe1e5 R09: 1ffff11023906f20
R10: ffffffffb560ca07 R11: ffffffffb2b43a58 R12: ffff888105bb78f0
R13: ffff888100518048 R14: ffff8881299a6004 R15: 0000000000000001
FS: 00007f95b9686840(0000) GS:ffff8883af100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffbfff80a702b CR3: 0000000117dd2000 CR4: 00000000000006f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
proc_lookup_de+0x11f/0x2e0
__lookup_slow+0x188/0x350
walk_component+0x2ab/0x4f0
path_lookupat+0x120/0x660
filename_lookup+0x1ce/0x560
vfs_statx+0xac/0x150
__do_sys_newstat+0x96/0x110
do_syscall_64+0x5f/0x170
entry_SYSCALL_64_after_hwframe+0x76/0x7e
[adobriyan@gmail.com: don't do 2 atomic ops on the common path]
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 97a32539b9568bb653683349e5a76d02ff3c3e2c Version: 97a32539b9568bb653683349e5a76d02ff3c3e2c Version: 97a32539b9568bb653683349e5a76d02ff3c3e2c Version: 97a32539b9568bb653683349e5a76d02ff3c3e2c Version: 97a32539b9568bb653683349e5a76d02ff3c3e2c Version: 97a32539b9568bb653683349e5a76d02ff3c3e2c Version: 97a32539b9568bb653683349e5a76d02ff3c3e2c |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-21999",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-03T15:26:31.372538Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-03T15:27:39.157Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/proc/generic.c",
"fs/proc/inode.c",
"fs/proc/internal.h",
"include/linux/proc_fs.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "eda279586e571b05dff44d48e05f8977ad05855d",
"status": "affected",
"version": "97a32539b9568bb653683349e5a76d02ff3c3e2c",
"versionType": "git"
},
{
"lessThan": "4b0b8445b6fd41e6f62ac90547a0ea9d348de3fa",
"status": "affected",
"version": "97a32539b9568bb653683349e5a76d02ff3c3e2c",
"versionType": "git"
},
{
"lessThan": "966f331403dc3ed04ff64eaf3930cf1267965e53",
"status": "affected",
"version": "97a32539b9568bb653683349e5a76d02ff3c3e2c",
"versionType": "git"
},
{
"lessThan": "63b53198aff2e4e6c5866a4ff73c7891f958ffa4",
"status": "affected",
"version": "97a32539b9568bb653683349e5a76d02ff3c3e2c",
"versionType": "git"
},
{
"lessThan": "ede3e8ac90ae106f0b29cd759aadebc1568f1308",
"status": "affected",
"version": "97a32539b9568bb653683349e5a76d02ff3c3e2c",
"versionType": "git"
},
{
"lessThan": "64dc7c68e040251d9ec6e989acb69f8f6ae4a10b",
"status": "affected",
"version": "97a32539b9568bb653683349e5a76d02ff3c3e2c",
"versionType": "git"
},
{
"lessThan": "654b33ada4ab5e926cd9c570196fefa7bec7c1df",
"status": "affected",
"version": "97a32539b9568bb653683349e5a76d02ff3c3e2c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/proc/generic.c",
"fs/proc/inode.c",
"fs/proc/internal.h",
"include/linux/proc_fs.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.236",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.180",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.85",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.236",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.180",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.132",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.85",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.21",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.9",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nproc: fix UAF in proc_get_inode()\n\nFix race between rmmod and /proc/XXX\u0027s inode instantiation.\n\nThe bug is that pde-\u003eproc_ops don\u0027t belong to /proc, it belongs to a\nmodule, therefore dereferencing it after /proc entry has been registered\nis a bug unless use_pde/unuse_pde() pair has been used.\n\nuse_pde/unuse_pde can be avoided (2 atomic ops!) because pde-\u003eproc_ops\nnever changes so information necessary for inode instantiation can be\nsaved _before_ proc_register() in PDE itself and used later, avoiding\npde-\u003eproc_ops-\u003e... dereference.\n\n rmmod lookup\nsys_delete_module\n proc_lookup_de\n\t\t\t pde_get(de);\n\t\t\t proc_get_inode(dir-\u003ei_sb, de);\n mod-\u003eexit()\n proc_remove\n remove_proc_subtree\n proc_entry_rundown(de);\n free_module(mod);\n\n if (S_ISREG(inode-\u003ei_mode))\n\t if (de-\u003eproc_ops-\u003eproc_read_iter)\n --\u003e As module is already freed, will trigger UAF\n\nBUG: unable to handle page fault for address: fffffbfff80a702b\nPGD 817fc4067 P4D 817fc4067 PUD 817fc0067 PMD 102ef4067 PTE 0\nOops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI\nCPU: 26 UID: 0 PID: 2667 Comm: ls Tainted: G\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996)\nRIP: 0010:proc_get_inode+0x302/0x6e0\nRSP: 0018:ffff88811c837998 EFLAGS: 00010a06\nRAX: dffffc0000000000 RBX: ffffffffc0538140 RCX: 0000000000000007\nRDX: 1ffffffff80a702b RSI: 0000000000000001 RDI: ffffffffc0538158\nRBP: ffff8881299a6000 R08: 0000000067bbe1e5 R09: 1ffff11023906f20\nR10: ffffffffb560ca07 R11: ffffffffb2b43a58 R12: ffff888105bb78f0\nR13: ffff888100518048 R14: ffff8881299a6004 R15: 0000000000000001\nFS: 00007f95b9686840(0000) GS:ffff8883af100000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: fffffbfff80a702b CR3: 0000000117dd2000 CR4: 00000000000006f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n proc_lookup_de+0x11f/0x2e0\n __lookup_slow+0x188/0x350\n walk_component+0x2ab/0x4f0\n path_lookupat+0x120/0x660\n filename_lookup+0x1ce/0x560\n vfs_statx+0xac/0x150\n __do_sys_newstat+0x96/0x110\n do_syscall_64+0x5f/0x170\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\n[adobriyan@gmail.com: don\u0027t do 2 atomic ops on the common path]"
}
],
"providerMetadata": {
"dateUpdated": "2025-06-19T12:56:46.985Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/eda279586e571b05dff44d48e05f8977ad05855d"
},
{
"url": "https://git.kernel.org/stable/c/4b0b8445b6fd41e6f62ac90547a0ea9d348de3fa"
},
{
"url": "https://git.kernel.org/stable/c/966f331403dc3ed04ff64eaf3930cf1267965e53"
},
{
"url": "https://git.kernel.org/stable/c/63b53198aff2e4e6c5866a4ff73c7891f958ffa4"
},
{
"url": "https://git.kernel.org/stable/c/ede3e8ac90ae106f0b29cd759aadebc1568f1308"
},
{
"url": "https://git.kernel.org/stable/c/64dc7c68e040251d9ec6e989acb69f8f6ae4a10b"
},
{
"url": "https://git.kernel.org/stable/c/654b33ada4ab5e926cd9c570196fefa7bec7c1df"
}
],
"title": "proc: fix UAF in proc_get_inode()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21999",
"datePublished": "2025-04-03T07:19:03.040Z",
"dateReserved": "2024-12-29T08:45:45.801Z",
"dateUpdated": "2025-06-19T12:56:46.985Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38490 (GCVE-0-2025-38490)
Vulnerability from cvelistv5
Published
2025-07-28 11:21
Modified
2025-07-28 11:21
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: libwx: remove duplicate page_pool_put_full_page()
page_pool_put_full_page() should only be invoked when freeing Rx buffers
or building a skb if the size is too short. At other times, the pages
need to be reused. So remove the redundant page put. In the original
code, double free pages cause kernel panic:
[ 876.949834] __irq_exit_rcu+0xc7/0x130
[ 876.949836] common_interrupt+0xb8/0xd0
[ 876.949838] </IRQ>
[ 876.949838] <TASK>
[ 876.949840] asm_common_interrupt+0x22/0x40
[ 876.949841] RIP: 0010:cpuidle_enter_state+0xc2/0x420
[ 876.949843] Code: 00 00 e8 d1 1d 5e ff e8 ac f0 ff ff 49 89 c5 0f 1f 44 00 00 31 ff e8 cd fc 5c ff 45 84 ff 0f 85 40 02 00 00 fb 0f 1f 44 00 00 <45> 85 f6 0f 88 84 01 00 00 49 63 d6 48 8d 04 52 48 8d 04 82 49 8d
[ 876.949844] RSP: 0018:ffffaa7340267e78 EFLAGS: 00000246
[ 876.949845] RAX: ffff9e3f135be000 RBX: 0000000000000002 RCX: 0000000000000000
[ 876.949846] RDX: 000000cc2dc4cb7c RSI: ffffffff89ee49ae RDI: ffffffff89ef9f9e
[ 876.949847] RBP: ffff9e378f940800 R08: 0000000000000002 R09: 00000000000000ed
[ 876.949848] R10: 000000000000afc8 R11: ffff9e3e9e5a9b6c R12: ffffffff8a6d8580
[ 876.949849] R13: 000000cc2dc4cb7c R14: 0000000000000002 R15: 0000000000000000
[ 876.949852] ? cpuidle_enter_state+0xb3/0x420
[ 876.949855] cpuidle_enter+0x29/0x40
[ 876.949857] cpuidle_idle_call+0xfd/0x170
[ 876.949859] do_idle+0x7a/0xc0
[ 876.949861] cpu_startup_entry+0x25/0x30
[ 876.949862] start_secondary+0x117/0x140
[ 876.949864] common_startup_64+0x13e/0x148
[ 876.949867] </TASK>
[ 876.949868] ---[ end trace 0000000000000000 ]---
[ 876.949869] ------------[ cut here ]------------
[ 876.949870] list_del corruption, ffffead40445a348->next is NULL
[ 876.949873] WARNING: CPU: 14 PID: 0 at lib/list_debug.c:52 __list_del_entry_valid_or_report+0x67/0x120
[ 876.949875] Modules linked in: snd_hrtimer(E) bnep(E) binfmt_misc(E) amdgpu(E) squashfs(E) vfat(E) loop(E) fat(E) amd_atl(E) snd_hda_codec_realtek(E) intel_rapl_msr(E) snd_hda_codec_generic(E) intel_rapl_common(E) snd_hda_scodec_component(E) snd_hda_codec_hdmi(E) snd_hda_intel(E) edac_mce_amd(E) snd_intel_dspcfg(E) snd_hda_codec(E) snd_hda_core(E) amdxcp(E) kvm_amd(E) snd_hwdep(E) gpu_sched(E) drm_panel_backlight_quirks(E) cec(E) snd_pcm(E) drm_buddy(E) snd_seq_dummy(E) drm_ttm_helper(E) btusb(E) kvm(E) snd_seq_oss(E) btrtl(E) ttm(E) btintel(E) snd_seq_midi(E) btbcm(E) drm_exec(E) snd_seq_midi_event(E) i2c_algo_bit(E) snd_rawmidi(E) bluetooth(E) drm_suballoc_helper(E) irqbypass(E) snd_seq(E) ghash_clmulni_intel(E) sha512_ssse3(E) drm_display_helper(E) aesni_intel(E) snd_seq_device(E) rfkill(E) snd_timer(E) gf128mul(E) drm_client_lib(E) drm_kms_helper(E) snd(E) i2c_piix4(E) joydev(E) soundcore(E) wmi_bmof(E) ccp(E) k10temp(E) i2c_smbus(E) gpio_amdpt(E) i2c_designware_platform(E) gpio_generic(E) sg(E)
[ 876.949914] i2c_designware_core(E) sch_fq_codel(E) parport_pc(E) drm(E) ppdev(E) lp(E) parport(E) fuse(E) nfnetlink(E) ip_tables(E) ext4 crc16 mbcache jbd2 sd_mod sfp mdio_i2c i2c_core txgbe ahci ngbe pcs_xpcs libahci libwx r8169 phylink libata realtek ptp pps_core video wmi
[ 876.949933] CPU: 14 UID: 0 PID: 0 Comm: swapper/14 Kdump: loaded Tainted: G W E 6.16.0-rc2+ #20 PREEMPT(voluntary)
[ 876.949935] Tainted: [W]=WARN, [E]=UNSIGNED_MODULE
[ 876.949936] Hardware name: Micro-Star International Co., Ltd. MS-7E16/X670E GAMING PLUS WIFI (MS-7E16), BIOS 1.90 12/31/2024
[ 876.949936] RIP: 0010:__list_del_entry_valid_or_report+0x67/0x120
[ 876.949938] Code: 00 00 00 48 39 7d 08 0f 85 a6 00 00 00 5b b8 01 00 00 00 5d 41 5c e9 73 0d 93 ff 48 89 fe 48 c7 c7 a0 31 e8 89 e8 59 7c b3 ff <0f> 0b 31 c0 5b 5d 41 5c e9 57 0d 93 ff 48 89 fe 48 c7 c7 c8 31 e8
[ 876.949940] RSP: 0018:ffffaa73405d0c60 EFLAGS: 00010282
[ 876.949941] RAX: 0000000000000000 RBX: ffffead40445a348 RCX: 0000000000000000
[ 876.949942] RDX: 0000000000000105 RSI: 00000
---truncated---
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/wangxun/libwx/wx_lib.c",
"drivers/net/ethernet/wangxun/libwx/wx_type.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3c91a56762b1f0d1e4af2d86c2cba83b61ed9eaa",
"status": "affected",
"version": "3c47e8ae113a68da47987750d9896e325d0aeedd",
"versionType": "git"
},
{
"lessThan": "08d18bda0d03f5ec376929a8c6c4495f9594593a",
"status": "affected",
"version": "3c47e8ae113a68da47987750d9896e325d0aeedd",
"versionType": "git"
},
{
"lessThan": "003e4765d8661be97e650a833868c53d35574130",
"status": "affected",
"version": "3c47e8ae113a68da47987750d9896e325d0aeedd",
"versionType": "git"
},
{
"lessThan": "1b7e585c04cd5f0731dd25ffd396277e55fae0e6",
"status": "affected",
"version": "3c47e8ae113a68da47987750d9896e325d0aeedd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/wangxun/libwx/wx_lib.c",
"drivers/net/ethernet/wangxun/libwx/wx_type.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.100",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.100",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.40",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.8",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: libwx: remove duplicate page_pool_put_full_page()\n\npage_pool_put_full_page() should only be invoked when freeing Rx buffers\nor building a skb if the size is too short. At other times, the pages\nneed to be reused. So remove the redundant page put. In the original\ncode, double free pages cause kernel panic:\n\n[ 876.949834] __irq_exit_rcu+0xc7/0x130\n[ 876.949836] common_interrupt+0xb8/0xd0\n[ 876.949838] \u003c/IRQ\u003e\n[ 876.949838] \u003cTASK\u003e\n[ 876.949840] asm_common_interrupt+0x22/0x40\n[ 876.949841] RIP: 0010:cpuidle_enter_state+0xc2/0x420\n[ 876.949843] Code: 00 00 e8 d1 1d 5e ff e8 ac f0 ff ff 49 89 c5 0f 1f 44 00 00 31 ff e8 cd fc 5c ff 45 84 ff 0f 85 40 02 00 00 fb 0f 1f 44 00 00 \u003c45\u003e 85 f6 0f 88 84 01 00 00 49 63 d6 48 8d 04 52 48 8d 04 82 49 8d\n[ 876.949844] RSP: 0018:ffffaa7340267e78 EFLAGS: 00000246\n[ 876.949845] RAX: ffff9e3f135be000 RBX: 0000000000000002 RCX: 0000000000000000\n[ 876.949846] RDX: 000000cc2dc4cb7c RSI: ffffffff89ee49ae RDI: ffffffff89ef9f9e\n[ 876.949847] RBP: ffff9e378f940800 R08: 0000000000000002 R09: 00000000000000ed\n[ 876.949848] R10: 000000000000afc8 R11: ffff9e3e9e5a9b6c R12: ffffffff8a6d8580\n[ 876.949849] R13: 000000cc2dc4cb7c R14: 0000000000000002 R15: 0000000000000000\n[ 876.949852] ? cpuidle_enter_state+0xb3/0x420\n[ 876.949855] cpuidle_enter+0x29/0x40\n[ 876.949857] cpuidle_idle_call+0xfd/0x170\n[ 876.949859] do_idle+0x7a/0xc0\n[ 876.949861] cpu_startup_entry+0x25/0x30\n[ 876.949862] start_secondary+0x117/0x140\n[ 876.949864] common_startup_64+0x13e/0x148\n[ 876.949867] \u003c/TASK\u003e\n[ 876.949868] ---[ end trace 0000000000000000 ]---\n[ 876.949869] ------------[ cut here ]------------\n[ 876.949870] list_del corruption, ffffead40445a348-\u003enext is NULL\n[ 876.949873] WARNING: CPU: 14 PID: 0 at lib/list_debug.c:52 __list_del_entry_valid_or_report+0x67/0x120\n[ 876.949875] Modules linked in: snd_hrtimer(E) bnep(E) binfmt_misc(E) amdgpu(E) squashfs(E) vfat(E) loop(E) fat(E) amd_atl(E) snd_hda_codec_realtek(E) intel_rapl_msr(E) snd_hda_codec_generic(E) intel_rapl_common(E) snd_hda_scodec_component(E) snd_hda_codec_hdmi(E) snd_hda_intel(E) edac_mce_amd(E) snd_intel_dspcfg(E) snd_hda_codec(E) snd_hda_core(E) amdxcp(E) kvm_amd(E) snd_hwdep(E) gpu_sched(E) drm_panel_backlight_quirks(E) cec(E) snd_pcm(E) drm_buddy(E) snd_seq_dummy(E) drm_ttm_helper(E) btusb(E) kvm(E) snd_seq_oss(E) btrtl(E) ttm(E) btintel(E) snd_seq_midi(E) btbcm(E) drm_exec(E) snd_seq_midi_event(E) i2c_algo_bit(E) snd_rawmidi(E) bluetooth(E) drm_suballoc_helper(E) irqbypass(E) snd_seq(E) ghash_clmulni_intel(E) sha512_ssse3(E) drm_display_helper(E) aesni_intel(E) snd_seq_device(E) rfkill(E) snd_timer(E) gf128mul(E) drm_client_lib(E) drm_kms_helper(E) snd(E) i2c_piix4(E) joydev(E) soundcore(E) wmi_bmof(E) ccp(E) k10temp(E) i2c_smbus(E) gpio_amdpt(E) i2c_designware_platform(E) gpio_generic(E) sg(E)\n[ 876.949914] i2c_designware_core(E) sch_fq_codel(E) parport_pc(E) drm(E) ppdev(E) lp(E) parport(E) fuse(E) nfnetlink(E) ip_tables(E) ext4 crc16 mbcache jbd2 sd_mod sfp mdio_i2c i2c_core txgbe ahci ngbe pcs_xpcs libahci libwx r8169 phylink libata realtek ptp pps_core video wmi\n[ 876.949933] CPU: 14 UID: 0 PID: 0 Comm: swapper/14 Kdump: loaded Tainted: G W E 6.16.0-rc2+ #20 PREEMPT(voluntary)\n[ 876.949935] Tainted: [W]=WARN, [E]=UNSIGNED_MODULE\n[ 876.949936] Hardware name: Micro-Star International Co., Ltd. MS-7E16/X670E GAMING PLUS WIFI (MS-7E16), BIOS 1.90 12/31/2024\n[ 876.949936] RIP: 0010:__list_del_entry_valid_or_report+0x67/0x120\n[ 876.949938] Code: 00 00 00 48 39 7d 08 0f 85 a6 00 00 00 5b b8 01 00 00 00 5d 41 5c e9 73 0d 93 ff 48 89 fe 48 c7 c7 a0 31 e8 89 e8 59 7c b3 ff \u003c0f\u003e 0b 31 c0 5b 5d 41 5c e9 57 0d 93 ff 48 89 fe 48 c7 c7 c8 31 e8\n[ 876.949940] RSP: 0018:ffffaa73405d0c60 EFLAGS: 00010282\n[ 876.949941] RAX: 0000000000000000 RBX: ffffead40445a348 RCX: 0000000000000000\n[ 876.949942] RDX: 0000000000000105 RSI: 00000\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T11:21:54.009Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3c91a56762b1f0d1e4af2d86c2cba83b61ed9eaa"
},
{
"url": "https://git.kernel.org/stable/c/08d18bda0d03f5ec376929a8c6c4495f9594593a"
},
{
"url": "https://git.kernel.org/stable/c/003e4765d8661be97e650a833868c53d35574130"
},
{
"url": "https://git.kernel.org/stable/c/1b7e585c04cd5f0731dd25ffd396277e55fae0e6"
}
],
"title": "net: libwx: remove duplicate page_pool_put_full_page()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38490",
"datePublished": "2025-07-28T11:21:54.009Z",
"dateReserved": "2025-04-16T04:51:24.021Z",
"dateUpdated": "2025-07-28T11:21:54.009Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38213 (GCVE-0-2025-38213)
Vulnerability from cvelistv5
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Show details on NVD website{
"containers": {
"cna": {
"providerMetadata": {
"dateUpdated": "2025-08-11T15:22:59.453Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"rejectedReasons": [
{
"lang": "en",
"value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38213",
"datePublished": "2025-07-04T13:37:31.709Z",
"dateRejected": "2025-08-11T15:22:59.453Z",
"dateReserved": "2025-04-16T04:51:23.995Z",
"dateUpdated": "2025-08-11T15:22:59.453Z",
"state": "REJECTED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38588 (GCVE-0-2025-38588)
Vulnerability from cvelistv5
Published
2025-08-19 17:03
Modified
2025-09-29 05:54
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv6: prevent infinite loop in rt6_nlmsg_size()
While testing prior patch, I was able to trigger
an infinite loop in rt6_nlmsg_size() in the following place:
list_for_each_entry_rcu(sibling, &f6i->fib6_siblings,
fib6_siblings) {
rt6_nh_nlmsg_size(sibling->fib6_nh, &nexthop_len);
}
This is because fib6_del_route() and fib6_add_rt2node()
uses list_del_rcu(), which can confuse rcu readers,
because they might no longer see the head of the list.
Restart the loop if f6i->fib6_nsiblings is zero.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: d0ec61c9f3583b76aebdbb271f5c0d3fcccd48b2 Version: 52da02521ede55fb86546c3fffd9377b3261b91f Version: 34a949e7a0869dfa31a40416d2a56973fae1807b Version: d9ccb18f83ea2bb654289b6ecf014fd267cc988b Version: d9ccb18f83ea2bb654289b6ecf014fd267cc988b Version: d9ccb18f83ea2bb654289b6ecf014fd267cc988b Version: 11edcd026012ac18acee0f1514db3ed1b160fc6f |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/ip6_fib.c",
"net/ipv6/route.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6d345136c9b875f065d226908a29c25cdf9343f8",
"status": "affected",
"version": "d0ec61c9f3583b76aebdbb271f5c0d3fcccd48b2",
"versionType": "git"
},
{
"lessThan": "e1b7932af47f92432be8303d2439d1bf77b0be23",
"status": "affected",
"version": "52da02521ede55fb86546c3fffd9377b3261b91f",
"versionType": "git"
},
{
"lessThan": "cd8d8bbd9ced4cc5d06d858f67d4aa87745e8f38",
"status": "affected",
"version": "34a949e7a0869dfa31a40416d2a56973fae1807b",
"versionType": "git"
},
{
"lessThan": "3c13db3e47e170bab19e574404e7b6be45ea873d",
"status": "affected",
"version": "d9ccb18f83ea2bb654289b6ecf014fd267cc988b",
"versionType": "git"
},
{
"lessThan": "46aeb66e9e54ed0d56c18615e1c3dbd502b327ab",
"status": "affected",
"version": "d9ccb18f83ea2bb654289b6ecf014fd267cc988b",
"versionType": "git"
},
{
"lessThan": "54e6fe9dd3b0e7c481c2228782c9494d653546da",
"status": "affected",
"version": "d9ccb18f83ea2bb654289b6ecf014fd267cc988b",
"versionType": "git"
},
{
"status": "affected",
"version": "11edcd026012ac18acee0f1514db3ed1b160fc6f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/ip6_fib.c",
"net/ipv6/route.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.13"
},
{
"lessThan": "6.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.148",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.102",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.148",
"versionStartIncluding": "6.1.128",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.102",
"versionStartIncluding": "6.6.75",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.42",
"versionStartIncluding": "6.12.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.10",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.11.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: prevent infinite loop in rt6_nlmsg_size()\n\nWhile testing prior patch, I was able to trigger\nan infinite loop in rt6_nlmsg_size() in the following place:\n\nlist_for_each_entry_rcu(sibling, \u0026f6i-\u003efib6_siblings,\n\t\t\tfib6_siblings) {\n\trt6_nh_nlmsg_size(sibling-\u003efib6_nh, \u0026nexthop_len);\n}\n\nThis is because fib6_del_route() and fib6_add_rt2node()\nuses list_del_rcu(), which can confuse rcu readers,\nbecause they might no longer see the head of the list.\n\nRestart the loop if f6i-\u003efib6_nsiblings is zero."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:54:20.550Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6d345136c9b875f065d226908a29c25cdf9343f8"
},
{
"url": "https://git.kernel.org/stable/c/e1b7932af47f92432be8303d2439d1bf77b0be23"
},
{
"url": "https://git.kernel.org/stable/c/cd8d8bbd9ced4cc5d06d858f67d4aa87745e8f38"
},
{
"url": "https://git.kernel.org/stable/c/3c13db3e47e170bab19e574404e7b6be45ea873d"
},
{
"url": "https://git.kernel.org/stable/c/46aeb66e9e54ed0d56c18615e1c3dbd502b327ab"
},
{
"url": "https://git.kernel.org/stable/c/54e6fe9dd3b0e7c481c2228782c9494d653546da"
}
],
"title": "ipv6: prevent infinite loop in rt6_nlmsg_size()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38588",
"datePublished": "2025-08-19T17:03:09.856Z",
"dateReserved": "2025-04-16T04:51:24.026Z",
"dateUpdated": "2025-09-29T05:54:20.550Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38103 (GCVE-0-2025-38103)
Vulnerability from cvelistv5
Published
2025-07-03 08:35
Modified
2025-07-28 04:12
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
HID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse()
Update struct hid_descriptor to better reflect the mandatory and
optional parts of the HID Descriptor as per USB HID 1.11 specification.
Note: the kernel currently does not parse any optional HID class
descriptors, only the mandatory report descriptor.
Update all references to member element desc[0] to rpt_desc.
Add test to verify bLength and bNumDescriptors values are valid.
Replace the for loop with direct access to the mandatory HID class
descriptor member for the report descriptor. This eliminates the
possibility of getting an out-of-bounds fault.
Add a warning message if the HID descriptor contains any unsupported
optional HID class descriptors.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: f043bfc98c193c284e2cd768fefabe18ac2fed9b Version: f043bfc98c193c284e2cd768fefabe18ac2fed9b Version: f043bfc98c193c284e2cd768fefabe18ac2fed9b Version: f043bfc98c193c284e2cd768fefabe18ac2fed9b Version: f043bfc98c193c284e2cd768fefabe18ac2fed9b Version: f043bfc98c193c284e2cd768fefabe18ac2fed9b Version: f043bfc98c193c284e2cd768fefabe18ac2fed9b Version: f043bfc98c193c284e2cd768fefabe18ac2fed9b Version: 99de0781e0de7c866f762b931351c2a501c3074f Version: 8d675aa967d3927ac100f7af48f2a2af8a041d2d Version: f4cf5d75416ae3d79e03179fe6f4b9f1231ae42c Version: 439f76690d7d5dd212ea7bebc1f2fa077e3d645d Version: 2929cb995378205bceda86d6fd3cbc22e522f97f Version: 57265cddde308292af881ce634a5378dd4e25900 Version: 984154e7eef1f9e543dabd7422cfc99015778732 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-hyperv.c",
"drivers/hid/usbhid/hid-core.c",
"drivers/usb/gadget/function/f_hid.c",
"include/linux/hid.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7a6d6b68db128da2078ccd9a751dfa3f75c9cf5b",
"status": "affected",
"version": "f043bfc98c193c284e2cd768fefabe18ac2fed9b",
"versionType": "git"
},
{
"lessThan": "41827a2dbdd7880df9881506dee13bc88d4230bb",
"status": "affected",
"version": "f043bfc98c193c284e2cd768fefabe18ac2fed9b",
"versionType": "git"
},
{
"lessThan": "1df80d748f984290c895e843401824215dcfbfb0",
"status": "affected",
"version": "f043bfc98c193c284e2cd768fefabe18ac2fed9b",
"versionType": "git"
},
{
"lessThan": "a8f842534807985d3a676006d140541b87044345",
"status": "affected",
"version": "f043bfc98c193c284e2cd768fefabe18ac2fed9b",
"versionType": "git"
},
{
"lessThan": "4fa7831cf0ac71a0a345369d1a6084f2b096e55e",
"status": "affected",
"version": "f043bfc98c193c284e2cd768fefabe18ac2fed9b",
"versionType": "git"
},
{
"lessThan": "74388368927e9c52a69524af5bbd6c55eb4690de",
"status": "affected",
"version": "f043bfc98c193c284e2cd768fefabe18ac2fed9b",
"versionType": "git"
},
{
"lessThan": "485e1b741eb838cbe1d6b0e81e5ab62ae6c095cf",
"status": "affected",
"version": "f043bfc98c193c284e2cd768fefabe18ac2fed9b",
"versionType": "git"
},
{
"lessThan": "fe7f7ac8e0c708446ff017453add769ffc15deed",
"status": "affected",
"version": "f043bfc98c193c284e2cd768fefabe18ac2fed9b",
"versionType": "git"
},
{
"status": "affected",
"version": "99de0781e0de7c866f762b931351c2a501c3074f",
"versionType": "git"
},
{
"status": "affected",
"version": "8d675aa967d3927ac100f7af48f2a2af8a041d2d",
"versionType": "git"
},
{
"status": "affected",
"version": "f4cf5d75416ae3d79e03179fe6f4b9f1231ae42c",
"versionType": "git"
},
{
"status": "affected",
"version": "439f76690d7d5dd212ea7bebc1f2fa077e3d645d",
"versionType": "git"
},
{
"status": "affected",
"version": "2929cb995378205bceda86d6fd3cbc22e522f97f",
"versionType": "git"
},
{
"status": "affected",
"version": "57265cddde308292af881ce634a5378dd4e25900",
"versionType": "git"
},
{
"status": "affected",
"version": "984154e7eef1f9e543dabd7422cfc99015778732",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-hyperv.c",
"drivers/hid/usbhid/hid-core.c",
"drivers/usb/gadget/function/f_hid.c",
"include/linux/hid.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.14"
},
{
"lessThan": "4.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.239",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.186",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.295",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.239",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.186",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.142",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.94",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.34",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.3",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.2.95",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.16.50",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.18.76",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.1.46",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.93",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.57",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.13.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse()\n\nUpdate struct hid_descriptor to better reflect the mandatory and\noptional parts of the HID Descriptor as per USB HID 1.11 specification.\nNote: the kernel currently does not parse any optional HID class\ndescriptors, only the mandatory report descriptor.\n\nUpdate all references to member element desc[0] to rpt_desc.\n\nAdd test to verify bLength and bNumDescriptors values are valid.\n\nReplace the for loop with direct access to the mandatory HID class\ndescriptor member for the report descriptor. This eliminates the\npossibility of getting an out-of-bounds fault.\n\nAdd a warning message if the HID descriptor contains any unsupported\noptional HID class descriptors."
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T04:12:18.213Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7a6d6b68db128da2078ccd9a751dfa3f75c9cf5b"
},
{
"url": "https://git.kernel.org/stable/c/41827a2dbdd7880df9881506dee13bc88d4230bb"
},
{
"url": "https://git.kernel.org/stable/c/1df80d748f984290c895e843401824215dcfbfb0"
},
{
"url": "https://git.kernel.org/stable/c/a8f842534807985d3a676006d140541b87044345"
},
{
"url": "https://git.kernel.org/stable/c/4fa7831cf0ac71a0a345369d1a6084f2b096e55e"
},
{
"url": "https://git.kernel.org/stable/c/74388368927e9c52a69524af5bbd6c55eb4690de"
},
{
"url": "https://git.kernel.org/stable/c/485e1b741eb838cbe1d6b0e81e5ab62ae6c095cf"
},
{
"url": "https://git.kernel.org/stable/c/fe7f7ac8e0c708446ff017453add769ffc15deed"
}
],
"title": "HID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38103",
"datePublished": "2025-07-03T08:35:13.941Z",
"dateReserved": "2025-04-16T04:51:23.985Z",
"dateUpdated": "2025-07-28T04:12:18.213Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38190 (GCVE-0-2025-38190)
Vulnerability from cvelistv5
Published
2025-07-04 13:37
Modified
2025-07-28 04:14
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
atm: Revert atm_account_tx() if copy_from_iter_full() fails.
In vcc_sendmsg(), we account skb->truesize to sk->sk_wmem_alloc by
atm_account_tx().
It is expected to be reverted by atm_pop_raw() later called by
vcc->dev->ops->send(vcc, skb).
However, vcc_sendmsg() misses the same revert when copy_from_iter_full()
fails, and then we will leak a socket.
Let's factorise the revert part as atm_return_tx() and call it in
the failure path.
Note that the corresponding sk_wmem_alloc operation can be found in
alloc_tx() as of the blamed commit.
$ git blame -L:alloc_tx net/atm/common.c c55fa3cccbc2c~
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/linux/atmdev.h",
"net/atm/common.c",
"net/atm/raw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5e0d00992118e234ebf29d5145c1cc920342777e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c12430edd92fd49a4800b0f3fb395b50cb16bcc1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "287b4f085d2ca3375cf1ee672af27410c64777e8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2252c539c43f9a1431a7e8b34e3c18e9dd77a96d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3902205eadf35db59dbc2186c2a98b9e6182efa5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3d828519bd69bfcaabdd942a872679617ef06739",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7d6bc28cfe5c8e3a279b4b4bdeed6698b2702685",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7851263998d4269125fd6cb3fdbfc7c6db853859",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/linux/atmdev.h",
"net/atm/common.c",
"net/atm/raw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.239",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.186",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.95",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.35",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.295",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.239",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.186",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.142",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.95",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.35",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.4",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\natm: Revert atm_account_tx() if copy_from_iter_full() fails.\n\nIn vcc_sendmsg(), we account skb-\u003etruesize to sk-\u003esk_wmem_alloc by\natm_account_tx().\n\nIt is expected to be reverted by atm_pop_raw() later called by\nvcc-\u003edev-\u003eops-\u003esend(vcc, skb).\n\nHowever, vcc_sendmsg() misses the same revert when copy_from_iter_full()\nfails, and then we will leak a socket.\n\nLet\u0027s factorise the revert part as atm_return_tx() and call it in\nthe failure path.\n\nNote that the corresponding sk_wmem_alloc operation can be found in\nalloc_tx() as of the blamed commit.\n\n $ git blame -L:alloc_tx net/atm/common.c c55fa3cccbc2c~"
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T04:14:36.366Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5e0d00992118e234ebf29d5145c1cc920342777e"
},
{
"url": "https://git.kernel.org/stable/c/c12430edd92fd49a4800b0f3fb395b50cb16bcc1"
},
{
"url": "https://git.kernel.org/stable/c/287b4f085d2ca3375cf1ee672af27410c64777e8"
},
{
"url": "https://git.kernel.org/stable/c/2252c539c43f9a1431a7e8b34e3c18e9dd77a96d"
},
{
"url": "https://git.kernel.org/stable/c/3902205eadf35db59dbc2186c2a98b9e6182efa5"
},
{
"url": "https://git.kernel.org/stable/c/3d828519bd69bfcaabdd942a872679617ef06739"
},
{
"url": "https://git.kernel.org/stable/c/7d6bc28cfe5c8e3a279b4b4bdeed6698b2702685"
},
{
"url": "https://git.kernel.org/stable/c/7851263998d4269125fd6cb3fdbfc7c6db853859"
}
],
"title": "atm: Revert atm_account_tx() if copy_from_iter_full() fails.",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38190",
"datePublished": "2025-07-04T13:37:15.054Z",
"dateReserved": "2025-04-16T04:51:23.993Z",
"dateUpdated": "2025-07-28T04:14:36.366Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50229 (GCVE-0-2022-50229)
Vulnerability from cvelistv5
Published
2025-06-18 11:04
Modified
2025-06-18 11:04
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: bcd2000: Fix a UAF bug on the error path of probing
When the driver fails in snd_card_register() at probe time, it will free
the 'bcd2k->midi_out_urb' before killing it, which may cause a UAF bug.
The following log can reveal it:
[ 50.727020] BUG: KASAN: use-after-free in bcd2000_input_complete+0x1f1/0x2e0 [snd_bcd2000]
[ 50.727623] Read of size 8 at addr ffff88810fab0e88 by task swapper/4/0
[ 50.729530] Call Trace:
[ 50.732899] bcd2000_input_complete+0x1f1/0x2e0 [snd_bcd2000]
Fix this by adding usb_kill_urb() before usb_free_urb().
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: b47a22290d581277be70e8a597824a4985d39e83 Version: b47a22290d581277be70e8a597824a4985d39e83 Version: b47a22290d581277be70e8a597824a4985d39e83 Version: b47a22290d581277be70e8a597824a4985d39e83 Version: b47a22290d581277be70e8a597824a4985d39e83 Version: b47a22290d581277be70e8a597824a4985d39e83 Version: b47a22290d581277be70e8a597824a4985d39e83 Version: b47a22290d581277be70e8a597824a4985d39e83 Version: b47a22290d581277be70e8a597824a4985d39e83 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/usb/bcd2000/bcd2000.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a718eba7e458e2f40531be3c6b6a0028ca7fcace",
"status": "affected",
"version": "b47a22290d581277be70e8a597824a4985d39e83",
"versionType": "git"
},
{
"lessThan": "4fc41f7ebb7efca282f1740ea934d16f33c1d109",
"status": "affected",
"version": "b47a22290d581277be70e8a597824a4985d39e83",
"versionType": "git"
},
{
"lessThan": "5e7338f4dd92b2f8915a82abfa1dd3ad3464bea0",
"status": "affected",
"version": "b47a22290d581277be70e8a597824a4985d39e83",
"versionType": "git"
},
{
"lessThan": "05e0bb8c3c4dde3e21b9c1cf9395afb04e8b24db",
"status": "affected",
"version": "b47a22290d581277be70e8a597824a4985d39e83",
"versionType": "git"
},
{
"lessThan": "348620464a5c127399ac09b266f494f393661952",
"status": "affected",
"version": "b47a22290d581277be70e8a597824a4985d39e83",
"versionType": "git"
},
{
"lessThan": "64ca7f50ad96c2c65ae390b954925a36eabe04aa",
"status": "affected",
"version": "b47a22290d581277be70e8a597824a4985d39e83",
"versionType": "git"
},
{
"lessThan": "1d6a246cf97c380f2da76591f03019dd9c9599c3",
"status": "affected",
"version": "b47a22290d581277be70e8a597824a4985d39e83",
"versionType": "git"
},
{
"lessThan": "b0d4af0a4763ddc02344789ef2a281c494bc330d",
"status": "affected",
"version": "b47a22290d581277be70e8a597824a4985d39e83",
"versionType": "git"
},
{
"lessThan": "ffb2759df7efbc00187bfd9d1072434a13a54139",
"status": "affected",
"version": "b47a22290d581277be70e8a597824a4985d39e83",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/usb/bcd2000/bcd2000.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.16"
},
{
"lessThan": "3.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.326",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.256",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.211",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.137",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.326",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.291",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.256",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.211",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.137",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.61",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.18",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.2",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0",
"versionStartIncluding": "3.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: bcd2000: Fix a UAF bug on the error path of probing\n\nWhen the driver fails in snd_card_register() at probe time, it will free\nthe \u0027bcd2k-\u003emidi_out_urb\u0027 before killing it, which may cause a UAF bug.\n\nThe following log can reveal it:\n\n[ 50.727020] BUG: KASAN: use-after-free in bcd2000_input_complete+0x1f1/0x2e0 [snd_bcd2000]\n[ 50.727623] Read of size 8 at addr ffff88810fab0e88 by task swapper/4/0\n[ 50.729530] Call Trace:\n[ 50.732899] bcd2000_input_complete+0x1f1/0x2e0 [snd_bcd2000]\n\nFix this by adding usb_kill_urb() before usb_free_urb()."
}
],
"providerMetadata": {
"dateUpdated": "2025-06-18T11:04:06.069Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a718eba7e458e2f40531be3c6b6a0028ca7fcace"
},
{
"url": "https://git.kernel.org/stable/c/4fc41f7ebb7efca282f1740ea934d16f33c1d109"
},
{
"url": "https://git.kernel.org/stable/c/5e7338f4dd92b2f8915a82abfa1dd3ad3464bea0"
},
{
"url": "https://git.kernel.org/stable/c/05e0bb8c3c4dde3e21b9c1cf9395afb04e8b24db"
},
{
"url": "https://git.kernel.org/stable/c/348620464a5c127399ac09b266f494f393661952"
},
{
"url": "https://git.kernel.org/stable/c/64ca7f50ad96c2c65ae390b954925a36eabe04aa"
},
{
"url": "https://git.kernel.org/stable/c/1d6a246cf97c380f2da76591f03019dd9c9599c3"
},
{
"url": "https://git.kernel.org/stable/c/b0d4af0a4763ddc02344789ef2a281c494bc330d"
},
{
"url": "https://git.kernel.org/stable/c/ffb2759df7efbc00187bfd9d1072434a13a54139"
}
],
"title": "ALSA: bcd2000: Fix a UAF bug on the error path of probing",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50229",
"datePublished": "2025-06-18T11:04:06.069Z",
"dateReserved": "2025-06-18T10:57:27.432Z",
"dateUpdated": "2025-06-18T11:04:06.069Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38656 (GCVE-0-2025-38656)
Vulnerability from cvelistv5
Published
2025-08-22 16:00
Modified
2025-08-28 14:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: iwlwifi: Fix error code in iwl_op_mode_dvm_start()
Preserve the error code if iwl_setup_deferred_work() fails. The current
code returns ERR_PTR(0) (which is NULL) on this path. I believe the
missing error code potentially leads to a use after free involving
debugfs.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: c0e43c3f6c0a79381b468574c241065998412b7c Version: 70a1b527eaea9430b1bd87de59f3b9f6bd225701 Version: 90a0d9f339960448a3acc1437a46730f975efd6a Version: c80832d445653baba5ac80cd2c2637c437ac881b Version: b398120fbe0acfef60b16f6a0f69902d385d7728 Version: 2e9f85ee3b46453a2f250a57d3a9f10c70c71202 Version: 6663c52608d8d8727bf1911e6d9218069ba1c85e Version: ca980f1911a7144d451d1c31298ab8507c6bd88f Version: 7dd6350307af6521b6240b295c93b7eec4daebe6 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/intel/iwlwifi/dvm/main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "991e2066f6009d3cb898413058c62dbcc92bd6d2",
"status": "affected",
"version": "c0e43c3f6c0a79381b468574c241065998412b7c",
"versionType": "git"
},
{
"lessThan": "1d068272c21d886d06526454b68368100ba0a720",
"status": "affected",
"version": "70a1b527eaea9430b1bd87de59f3b9f6bd225701",
"versionType": "git"
},
{
"lessThan": "cf80c02a9fdb6c5bc8508beb6a0f6a1294fc32f6",
"status": "affected",
"version": "90a0d9f339960448a3acc1437a46730f975efd6a",
"versionType": "git"
},
{
"status": "affected",
"version": "c80832d445653baba5ac80cd2c2637c437ac881b",
"versionType": "git"
},
{
"status": "affected",
"version": "b398120fbe0acfef60b16f6a0f69902d385d7728",
"versionType": "git"
},
{
"status": "affected",
"version": "2e9f85ee3b46453a2f250a57d3a9f10c70c71202",
"versionType": "git"
},
{
"status": "affected",
"version": "6663c52608d8d8727bf1911e6d9218069ba1c85e",
"versionType": "git"
},
{
"status": "affected",
"version": "ca980f1911a7144d451d1c31298ab8507c6bd88f",
"versionType": "git"
},
{
"status": "affected",
"version": "7dd6350307af6521b6240b295c93b7eec4daebe6",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/intel/iwlwifi/dvm/main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux"
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.297",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.10.241",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.15.190",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.1.148",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.6.102",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.12.42",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: Fix error code in iwl_op_mode_dvm_start()\n\nPreserve the error code if iwl_setup_deferred_work() fails. The current\ncode returns ERR_PTR(0) (which is NULL) on this path. I believe the\nmissing error code potentially leads to a use after free involving\ndebugfs."
}
],
"providerMetadata": {
"dateUpdated": "2025-08-28T14:44:29.601Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/991e2066f6009d3cb898413058c62dbcc92bd6d2"
},
{
"url": "https://git.kernel.org/stable/c/1d068272c21d886d06526454b68368100ba0a720"
},
{
"url": "https://git.kernel.org/stable/c/cf80c02a9fdb6c5bc8508beb6a0f6a1294fc32f6"
}
],
"title": "wifi: iwlwifi: Fix error code in iwl_op_mode_dvm_start()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38656",
"datePublished": "2025-08-22T16:00:59.678Z",
"dateReserved": "2025-04-16T04:51:24.030Z",
"dateUpdated": "2025-08-28T14:44:29.601Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38538 (GCVE-0-2025-38538)
Vulnerability from cvelistv5
Published
2025-08-16 11:12
Modified
2025-08-28 14:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: nbpfaxi: Fix memory corruption in probe()
The nbpf->chan[] array is allocated earlier in the nbpf_probe() function
and it has "num_channels" elements. These three loops iterate one
element farther than they should and corrupt memory.
The changes to the second loop are more involved. In this case, we're
copying data from the irqbuf[] array into the nbpf->chan[] array. If
the data in irqbuf[i] is the error IRQ then we skip it, so the iterators
are not in sync. I added a check to ensure that we don't go beyond the
end of the irqbuf[] array. I'm pretty sure this can't happen, but it
seemed harmless to add a check.
On the other hand, after the loop has ended there is a check to ensure
that the "chan" iterator is where we expect it to be. In the original
code we went one element beyond the end of the array so the iterator
wasn't in the correct place and it would always return -EINVAL. However,
now it will always be in the correct place. I deleted the check since
we know the result.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: b45b262cefd5b8eb2ba88d20e5bd295881293894 Version: b45b262cefd5b8eb2ba88d20e5bd295881293894 Version: b45b262cefd5b8eb2ba88d20e5bd295881293894 Version: b45b262cefd5b8eb2ba88d20e5bd295881293894 Version: b45b262cefd5b8eb2ba88d20e5bd295881293894 Version: b45b262cefd5b8eb2ba88d20e5bd295881293894 Version: b45b262cefd5b8eb2ba88d20e5bd295881293894 Version: b45b262cefd5b8eb2ba88d20e5bd295881293894 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/dma/nbpfaxi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "84fff8e6f11b9af1407e273995b5257d99ff0cff",
"status": "affected",
"version": "b45b262cefd5b8eb2ba88d20e5bd295881293894",
"versionType": "git"
},
{
"lessThan": "aec396b4f736f3f8d2c28a9cd2924a4ada57ae87",
"status": "affected",
"version": "b45b262cefd5b8eb2ba88d20e5bd295881293894",
"versionType": "git"
},
{
"lessThan": "24861ef8b517a309a4225f2793be0cd8fa0bec9e",
"status": "affected",
"version": "b45b262cefd5b8eb2ba88d20e5bd295881293894",
"versionType": "git"
},
{
"lessThan": "f366b36c5e3ce29c9a3c8eed3d1631908e4fc8bb",
"status": "affected",
"version": "b45b262cefd5b8eb2ba88d20e5bd295881293894",
"versionType": "git"
},
{
"lessThan": "4bb016438335ec02b01f96bf1367378c2bfe03e5",
"status": "affected",
"version": "b45b262cefd5b8eb2ba88d20e5bd295881293894",
"versionType": "git"
},
{
"lessThan": "122160289adf8ebf15060f1cbf6265b55a914948",
"status": "affected",
"version": "b45b262cefd5b8eb2ba88d20e5bd295881293894",
"versionType": "git"
},
{
"lessThan": "d6bbd67ab5de37a74ac85c83c5a26664b62034dd",
"status": "affected",
"version": "b45b262cefd5b8eb2ba88d20e5bd295881293894",
"versionType": "git"
},
{
"lessThan": "188c6ba1dd925849c5d94885c8bbdeb0b3dcf510",
"status": "affected",
"version": "b45b262cefd5b8eb2ba88d20e5bd295881293894",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/dma/nbpfaxi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.17"
},
{
"lessThan": "3.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.147",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.100",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.147",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.100",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.40",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.8",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "3.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: nbpfaxi: Fix memory corruption in probe()\n\nThe nbpf-\u003echan[] array is allocated earlier in the nbpf_probe() function\nand it has \"num_channels\" elements. These three loops iterate one\nelement farther than they should and corrupt memory.\n\nThe changes to the second loop are more involved. In this case, we\u0027re\ncopying data from the irqbuf[] array into the nbpf-\u003echan[] array. If\nthe data in irqbuf[i] is the error IRQ then we skip it, so the iterators\nare not in sync. I added a check to ensure that we don\u0027t go beyond the\nend of the irqbuf[] array. I\u0027m pretty sure this can\u0027t happen, but it\nseemed harmless to add a check.\n\nOn the other hand, after the loop has ended there is a check to ensure\nthat the \"chan\" iterator is where we expect it to be. In the original\ncode we went one element beyond the end of the array so the iterator\nwasn\u0027t in the correct place and it would always return -EINVAL. However,\nnow it will always be in the correct place. I deleted the check since\nwe know the result."
}
],
"providerMetadata": {
"dateUpdated": "2025-08-28T14:43:39.887Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/84fff8e6f11b9af1407e273995b5257d99ff0cff"
},
{
"url": "https://git.kernel.org/stable/c/aec396b4f736f3f8d2c28a9cd2924a4ada57ae87"
},
{
"url": "https://git.kernel.org/stable/c/24861ef8b517a309a4225f2793be0cd8fa0bec9e"
},
{
"url": "https://git.kernel.org/stable/c/f366b36c5e3ce29c9a3c8eed3d1631908e4fc8bb"
},
{
"url": "https://git.kernel.org/stable/c/4bb016438335ec02b01f96bf1367378c2bfe03e5"
},
{
"url": "https://git.kernel.org/stable/c/122160289adf8ebf15060f1cbf6265b55a914948"
},
{
"url": "https://git.kernel.org/stable/c/d6bbd67ab5de37a74ac85c83c5a26664b62034dd"
},
{
"url": "https://git.kernel.org/stable/c/188c6ba1dd925849c5d94885c8bbdeb0b3dcf510"
}
],
"title": "dmaengine: nbpfaxi: Fix memory corruption in probe()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38538",
"datePublished": "2025-08-16T11:12:30.878Z",
"dateReserved": "2025-04-16T04:51:24.024Z",
"dateUpdated": "2025-08-28T14:43:39.887Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38512 (GCVE-0-2025-38512)
Vulnerability from cvelistv5
Published
2025-08-16 10:54
Modified
2025-08-16 10:54
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: prevent A-MSDU attacks in mesh networks
This patch is a mitigation to prevent the A-MSDU spoofing vulnerability
for mesh networks. The initial update to the IEEE 802.11 standard, in
response to the FragAttacks, missed this case (CVE-2025-27558). It can
be considered a variant of CVE-2020-24588 but for mesh networks.
This patch tries to detect if a standard MSDU was turned into an A-MSDU
by an adversary. This is done by parsing a received A-MSDU as a standard
MSDU, calculating the length of the Mesh Control header, and seeing if
the 6 bytes after this header equal the start of an rfc1042 header. If
equal, this is a strong indication of an ongoing attack attempt.
This defense was tested with mac80211_hwsim against a mesh network that
uses an empty Mesh Address Extension field, i.e., when four addresses
are used, and when using a 12-byte Mesh Address Extension field, i.e.,
when six addresses are used. Functionality of normal MSDUs and A-MSDUs
was also tested, and confirmed working, when using both an empty and
12-byte Mesh Address Extension field.
It was also tested with mac80211_hwsim that A-MSDU attacks in non-mesh
networks keep being detected and prevented.
Note that the vulnerability being patched, and the defense being
implemented, was also discussed in the following paper and in the
following IEEE 802.11 presentation:
https://papers.mathyvanhoef.com/wisec2025.pdf
https://mentor.ieee.org/802.11/dcn/25/11-25-0949-00-000m-a-msdu-mesh-spoof-protection.docx
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/wireless/util.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e2c8a3c0388aef6bfc4aabfba07bc7dff16eea80",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ec6392061de6681148b63ee6c8744da833498cdd",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e01851f6e9a665a6011b14714b271d3e6b0b8d32",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6e3b09402cc6c3e3474fa548e8adf6897dda05de",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "737bb912ebbe4571195c56eba557c4d7315b26fb",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/wireless/util.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.146",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.146",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.99",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: prevent A-MSDU attacks in mesh networks\n\nThis patch is a mitigation to prevent the A-MSDU spoofing vulnerability\nfor mesh networks. The initial update to the IEEE 802.11 standard, in\nresponse to the FragAttacks, missed this case (CVE-2025-27558). It can\nbe considered a variant of CVE-2020-24588 but for mesh networks.\n\nThis patch tries to detect if a standard MSDU was turned into an A-MSDU\nby an adversary. This is done by parsing a received A-MSDU as a standard\nMSDU, calculating the length of the Mesh Control header, and seeing if\nthe 6 bytes after this header equal the start of an rfc1042 header. If\nequal, this is a strong indication of an ongoing attack attempt.\n\nThis defense was tested with mac80211_hwsim against a mesh network that\nuses an empty Mesh Address Extension field, i.e., when four addresses\nare used, and when using a 12-byte Mesh Address Extension field, i.e.,\nwhen six addresses are used. Functionality of normal MSDUs and A-MSDUs\nwas also tested, and confirmed working, when using both an empty and\n12-byte Mesh Address Extension field.\n\nIt was also tested with mac80211_hwsim that A-MSDU attacks in non-mesh\nnetworks keep being detected and prevented.\n\nNote that the vulnerability being patched, and the defense being\nimplemented, was also discussed in the following paper and in the\nfollowing IEEE 802.11 presentation:\n\nhttps://papers.mathyvanhoef.com/wisec2025.pdf\nhttps://mentor.ieee.org/802.11/dcn/25/11-25-0949-00-000m-a-msdu-mesh-spoof-protection.docx"
}
],
"providerMetadata": {
"dateUpdated": "2025-08-16T10:54:54.285Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e2c8a3c0388aef6bfc4aabfba07bc7dff16eea80"
},
{
"url": "https://git.kernel.org/stable/c/ec6392061de6681148b63ee6c8744da833498cdd"
},
{
"url": "https://git.kernel.org/stable/c/e01851f6e9a665a6011b14714b271d3e6b0b8d32"
},
{
"url": "https://git.kernel.org/stable/c/6e3b09402cc6c3e3474fa548e8adf6897dda05de"
},
{
"url": "https://git.kernel.org/stable/c/737bb912ebbe4571195c56eba557c4d7315b26fb"
}
],
"title": "wifi: prevent A-MSDU attacks in mesh networks",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38512",
"datePublished": "2025-08-16T10:54:54.285Z",
"dateReserved": "2025-04-16T04:51:24.022Z",
"dateUpdated": "2025-08-16T10:54:54.285Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38537 (GCVE-0-2025-38537)
Vulnerability from cvelistv5
Published
2025-08-16 11:12
Modified
2025-08-16 11:12
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: phy: Don't register LEDs for genphy
If a PHY has no driver, the genphy driver is probed/removed directly in
phy_attach/detach. If the PHY's ofnode has an "leds" subnode, then the
LEDs will be (un)registered when probing/removing the genphy driver.
This could occur if the leds are for a non-generic driver that isn't
loaded for whatever reason. Synchronously removing the PHY device in
phy_detach leads to the following deadlock:
rtnl_lock()
ndo_close()
...
phy_detach()
phy_remove()
phy_leds_unregister()
led_classdev_unregister()
led_trigger_set()
netdev_trigger_deactivate()
unregister_netdevice_notifier()
rtnl_lock()
There is a corresponding deadlock on the open/register side of things
(and that one is reported by lockdep), but it requires a race while this
one is deterministic.
Generic PHYs do not support LEDs anyway, so don't bother registering
them.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/phy/phy_device.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ec158d05eaa91b2809cab65f8068290e3c05ebdd",
"status": "affected",
"version": "01e5b728e9e43ae444e0369695a5f72209906464",
"versionType": "git"
},
{
"lessThan": "fd6493533af9e5d73d0d42ff2a8ded978a701dc6",
"status": "affected",
"version": "01e5b728e9e43ae444e0369695a5f72209906464",
"versionType": "git"
},
{
"lessThan": "75e1b2079ef0653a2f7aa69be515d86b7faf1908",
"status": "affected",
"version": "01e5b728e9e43ae444e0369695a5f72209906464",
"versionType": "git"
},
{
"lessThan": "f0f2b992d8185a0366be951685e08643aae17d6d",
"status": "affected",
"version": "01e5b728e9e43ae444e0369695a5f72209906464",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/phy/phy_device.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.100",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.100",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.40",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.8",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: phy: Don\u0027t register LEDs for genphy\n\nIf a PHY has no driver, the genphy driver is probed/removed directly in\nphy_attach/detach. If the PHY\u0027s ofnode has an \"leds\" subnode, then the\nLEDs will be (un)registered when probing/removing the genphy driver.\nThis could occur if the leds are for a non-generic driver that isn\u0027t\nloaded for whatever reason. Synchronously removing the PHY device in\nphy_detach leads to the following deadlock:\n\nrtnl_lock()\nndo_close()\n ...\n phy_detach()\n phy_remove()\n phy_leds_unregister()\n led_classdev_unregister()\n led_trigger_set()\n netdev_trigger_deactivate()\n unregister_netdevice_notifier()\n rtnl_lock()\n\nThere is a corresponding deadlock on the open/register side of things\n(and that one is reported by lockdep), but it requires a race while this\none is deterministic.\n\nGeneric PHYs do not support LEDs anyway, so don\u0027t bother registering\nthem."
}
],
"providerMetadata": {
"dateUpdated": "2025-08-16T11:12:29.432Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ec158d05eaa91b2809cab65f8068290e3c05ebdd"
},
{
"url": "https://git.kernel.org/stable/c/fd6493533af9e5d73d0d42ff2a8ded978a701dc6"
},
{
"url": "https://git.kernel.org/stable/c/75e1b2079ef0653a2f7aa69be515d86b7faf1908"
},
{
"url": "https://git.kernel.org/stable/c/f0f2b992d8185a0366be951685e08643aae17d6d"
}
],
"title": "net: phy: Don\u0027t register LEDs for genphy",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38537",
"datePublished": "2025-08-16T11:12:29.432Z",
"dateReserved": "2025-04-16T04:51:24.024Z",
"dateUpdated": "2025-08-16T11:12:29.432Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38609 (GCVE-0-2025-38609)
Vulnerability from cvelistv5
Published
2025-08-19 17:03
Modified
2025-09-29 05:54
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
PM / devfreq: Check governor before using governor->name
Commit 96ffcdf239de ("PM / devfreq: Remove redundant governor_name from
struct devfreq") removes governor_name and uses governor->name to replace
it. But devfreq->governor may be NULL and directly using
devfreq->governor->name may cause null pointer exception. Move the check of
governor to before using governor->name.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 96ffcdf239de6f9970178bb7d643e16fd9e68ab9 Version: 96ffcdf239de6f9970178bb7d643e16fd9e68ab9 Version: 96ffcdf239de6f9970178bb7d643e16fd9e68ab9 Version: 96ffcdf239de6f9970178bb7d643e16fd9e68ab9 Version: 96ffcdf239de6f9970178bb7d643e16fd9e68ab9 Version: 96ffcdf239de6f9970178bb7d643e16fd9e68ab9 Version: 96ffcdf239de6f9970178bb7d643e16fd9e68ab9 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/devfreq/devfreq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f0479e878d4beb45e73c03e574c59f0a23ccd176",
"status": "affected",
"version": "96ffcdf239de6f9970178bb7d643e16fd9e68ab9",
"versionType": "git"
},
{
"lessThan": "631e101728df2a86b8fb761b49fad9712c651f8a",
"status": "affected",
"version": "96ffcdf239de6f9970178bb7d643e16fd9e68ab9",
"versionType": "git"
},
{
"lessThan": "81f50619370045120c133bfdda5b320c8c97d41e",
"status": "affected",
"version": "96ffcdf239de6f9970178bb7d643e16fd9e68ab9",
"versionType": "git"
},
{
"lessThan": "d5632359dbc44862fc1ed04093c1f57529830261",
"status": "affected",
"version": "96ffcdf239de6f9970178bb7d643e16fd9e68ab9",
"versionType": "git"
},
{
"lessThan": "2731c68f536fddcb71332db7f8d78c5eb4684c04",
"status": "affected",
"version": "96ffcdf239de6f9970178bb7d643e16fd9e68ab9",
"versionType": "git"
},
{
"lessThan": "75323a49aa603cf5484a6d74d0d329e86d756e11",
"status": "affected",
"version": "96ffcdf239de6f9970178bb7d643e16fd9e68ab9",
"versionType": "git"
},
{
"lessThan": "bab7834c03820eb11269bc48f07c3800192460d2",
"status": "affected",
"version": "96ffcdf239de6f9970178bb7d643e16fd9e68ab9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/devfreq/devfreq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.148",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.102",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.148",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.102",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.42",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.10",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nPM / devfreq: Check governor before using governor-\u003ename\n\nCommit 96ffcdf239de (\"PM / devfreq: Remove redundant governor_name from\nstruct devfreq\") removes governor_name and uses governor-\u003ename to replace\nit. But devfreq-\u003egovernor may be NULL and directly using\ndevfreq-\u003egovernor-\u003ename may cause null pointer exception. Move the check of\ngovernor to before using governor-\u003ename."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:54:43.955Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f0479e878d4beb45e73c03e574c59f0a23ccd176"
},
{
"url": "https://git.kernel.org/stable/c/631e101728df2a86b8fb761b49fad9712c651f8a"
},
{
"url": "https://git.kernel.org/stable/c/81f50619370045120c133bfdda5b320c8c97d41e"
},
{
"url": "https://git.kernel.org/stable/c/d5632359dbc44862fc1ed04093c1f57529830261"
},
{
"url": "https://git.kernel.org/stable/c/2731c68f536fddcb71332db7f8d78c5eb4684c04"
},
{
"url": "https://git.kernel.org/stable/c/75323a49aa603cf5484a6d74d0d329e86d756e11"
},
{
"url": "https://git.kernel.org/stable/c/bab7834c03820eb11269bc48f07c3800192460d2"
}
],
"title": "PM / devfreq: Check governor before using governor-\u003ename",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38609",
"datePublished": "2025-08-19T17:03:52.542Z",
"dateReserved": "2025-04-16T04:51:24.029Z",
"dateUpdated": "2025-09-29T05:54:43.955Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38205 (GCVE-0-2025-38205)
Vulnerability from cvelistv5
Published
2025-07-04 13:37
Modified
2025-07-28 04:15
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Avoid divide by zero by initializing dummy pitch to 1
[Why]
If the dummy values in `populate_dummy_dml_surface_cfg()` aren't updated
then they can lead to a divide by zero in downstream callers like
CalculateVMAndRowBytes()
[How]
Initialize dummy value to a value to avoid divide by zero.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/dc/dml2/dml2_translation_helper.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8044f981b2cf8c32fe1bd5d1fc991552cdf7ffe0",
"status": "affected",
"version": "7966f319c66d9468623c6a6a017ecbc0dd79be75",
"versionType": "git"
},
{
"lessThan": "7e40f64896e8e3dca471e287672db5ace12ea0be",
"status": "affected",
"version": "7966f319c66d9468623c6a6a017ecbc0dd79be75",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/dc/dml2/dml2_translation_helper.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.7"
},
{
"lessThan": "6.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.4",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "6.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Avoid divide by zero by initializing dummy pitch to 1\n\n[Why]\nIf the dummy values in `populate_dummy_dml_surface_cfg()` aren\u0027t updated\nthen they can lead to a divide by zero in downstream callers like\nCalculateVMAndRowBytes()\n\n[How]\nInitialize dummy value to a value to avoid divide by zero."
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T04:15:02.988Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8044f981b2cf8c32fe1bd5d1fc991552cdf7ffe0"
},
{
"url": "https://git.kernel.org/stable/c/7e40f64896e8e3dca471e287672db5ace12ea0be"
}
],
"title": "drm/amd/display: Avoid divide by zero by initializing dummy pitch to 1",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38205",
"datePublished": "2025-07-04T13:37:25.242Z",
"dateReserved": "2025-04-16T04:51:23.994Z",
"dateUpdated": "2025-07-28T04:15:02.988Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38571 (GCVE-0-2025-38571)
Vulnerability from cvelistv5
Published
2025-08-19 17:02
Modified
2025-09-29 05:54
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
sunrpc: fix client side handling of tls alerts
A security exploit was discovered in NFS over TLS in tls_alert_recv
due to its assumption that there is valid data in the msghdr's
iterator's kvec.
Instead, this patch proposes the rework how control messages are
setup and used by sock_recvmsg().
If no control message structure is setup, kTLS layer will read and
process TLS data record types. As soon as it encounters a TLS control
message, it would return an error. At that point, NFS can setup a kvec
backed control buffer and read in the control message such as a TLS
alert. Scott found that a msg iterator can advance the kvec pointer
as a part of the copy process thus we need to revert the iterator
before calling into the tls_alert_recv.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sunrpc/xprtsock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a55b3d15331859d9fdd261cfa6d34ca2aeb0fb95",
"status": "affected",
"version": "dea034b963c8901bdcc3d3880c04f0d75c95112f",
"versionType": "git"
},
{
"lessThan": "c36b2fbd60e8f9c6f975522130998608880c93be",
"status": "affected",
"version": "dea034b963c8901bdcc3d3880c04f0d75c95112f",
"versionType": "git"
},
{
"lessThan": "3ee397eaaca4fa04db21bb98c8f1d0c6cc525368",
"status": "affected",
"version": "dea034b963c8901bdcc3d3880c04f0d75c95112f",
"versionType": "git"
},
{
"lessThan": "3feada5baf4dc96e151ff2ca54630e1d274e5458",
"status": "affected",
"version": "dea034b963c8901bdcc3d3880c04f0d75c95112f",
"versionType": "git"
},
{
"lessThan": "cc5d59081fa26506d02de2127ab822f40d88bc5a",
"status": "affected",
"version": "dea034b963c8901bdcc3d3880c04f0d75c95112f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sunrpc/xprtsock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.5"
},
{
"lessThan": "6.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.102",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.102",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.42",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.10",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsunrpc: fix client side handling of tls alerts\n\nA security exploit was discovered in NFS over TLS in tls_alert_recv\ndue to its assumption that there is valid data in the msghdr\u0027s\niterator\u0027s kvec.\n\nInstead, this patch proposes the rework how control messages are\nsetup and used by sock_recvmsg().\n\nIf no control message structure is setup, kTLS layer will read and\nprocess TLS data record types. As soon as it encounters a TLS control\nmessage, it would return an error. At that point, NFS can setup a kvec\nbacked control buffer and read in the control message such as a TLS\nalert. Scott found that a msg iterator can advance the kvec pointer\nas a part of the copy process thus we need to revert the iterator\nbefore calling into the tls_alert_recv."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:54:02.055Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a55b3d15331859d9fdd261cfa6d34ca2aeb0fb95"
},
{
"url": "https://git.kernel.org/stable/c/c36b2fbd60e8f9c6f975522130998608880c93be"
},
{
"url": "https://git.kernel.org/stable/c/3ee397eaaca4fa04db21bb98c8f1d0c6cc525368"
},
{
"url": "https://git.kernel.org/stable/c/3feada5baf4dc96e151ff2ca54630e1d274e5458"
},
{
"url": "https://git.kernel.org/stable/c/cc5d59081fa26506d02de2127ab822f40d88bc5a"
}
],
"title": "sunrpc: fix client side handling of tls alerts",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38571",
"datePublished": "2025-08-19T17:02:51.620Z",
"dateReserved": "2025-04-16T04:51:24.025Z",
"dateUpdated": "2025-09-29T05:54:02.055Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38572 (GCVE-0-2025-38572)
Vulnerability from cvelistv5
Published
2025-08-19 17:02
Modified
2025-09-29 05:54
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv6: reject malicious packets in ipv6_gso_segment()
syzbot was able to craft a packet with very long IPv6 extension headers
leading to an overflow of skb->transport_header.
This 16bit field has a limited range.
Add skb_reset_transport_header_careful() helper and use it
from ipv6_gso_segment()
WARNING: CPU: 0 PID: 5871 at ./include/linux/skbuff.h:3032 skb_reset_transport_header include/linux/skbuff.h:3032 [inline]
WARNING: CPU: 0 PID: 5871 at ./include/linux/skbuff.h:3032 ipv6_gso_segment+0x15e2/0x21e0 net/ipv6/ip6_offload.c:151
Modules linked in:
CPU: 0 UID: 0 PID: 5871 Comm: syz-executor211 Not tainted 6.16.0-rc6-syzkaller-g7abc678e3084 #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
RIP: 0010:skb_reset_transport_header include/linux/skbuff.h:3032 [inline]
RIP: 0010:ipv6_gso_segment+0x15e2/0x21e0 net/ipv6/ip6_offload.c:151
Call Trace:
<TASK>
skb_mac_gso_segment+0x31c/0x640 net/core/gso.c:53
nsh_gso_segment+0x54a/0xe10 net/nsh/nsh.c:110
skb_mac_gso_segment+0x31c/0x640 net/core/gso.c:53
__skb_gso_segment+0x342/0x510 net/core/gso.c:124
skb_gso_segment include/net/gso.h:83 [inline]
validate_xmit_skb+0x857/0x11b0 net/core/dev.c:3950
validate_xmit_skb_list+0x84/0x120 net/core/dev.c:4000
sch_direct_xmit+0xd3/0x4b0 net/sched/sch_generic.c:329
__dev_xmit_skb net/core/dev.c:4102 [inline]
__dev_queue_xmit+0x17b6/0x3a70 net/core/dev.c:4679
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: d1da932ed4ecad2a14cbcc01ed589d617d0f0f09 Version: d1da932ed4ecad2a14cbcc01ed589d617d0f0f09 Version: d1da932ed4ecad2a14cbcc01ed589d617d0f0f09 Version: d1da932ed4ecad2a14cbcc01ed589d617d0f0f09 Version: d1da932ed4ecad2a14cbcc01ed589d617d0f0f09 Version: d1da932ed4ecad2a14cbcc01ed589d617d0f0f09 Version: d1da932ed4ecad2a14cbcc01ed589d617d0f0f09 Version: d1da932ed4ecad2a14cbcc01ed589d617d0f0f09 Version: d1da932ed4ecad2a14cbcc01ed589d617d0f0f09 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/linux/skbuff.h",
"net/ipv6/ip6_offload.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5dc60b2a00ed7629214ac0c48e43f40af2078703",
"status": "affected",
"version": "d1da932ed4ecad2a14cbcc01ed589d617d0f0f09",
"versionType": "git"
},
{
"lessThan": "3f638e0b28bde7c3354a0df938ab3a96739455d1",
"status": "affected",
"version": "d1da932ed4ecad2a14cbcc01ed589d617d0f0f09",
"versionType": "git"
},
{
"lessThan": "09ff062b89d8e48165247d677d1ca23d6d607e9b",
"status": "affected",
"version": "d1da932ed4ecad2a14cbcc01ed589d617d0f0f09",
"versionType": "git"
},
{
"lessThan": "de322cdf600fc9433845a9e944d1ca6b31cfb67e",
"status": "affected",
"version": "d1da932ed4ecad2a14cbcc01ed589d617d0f0f09",
"versionType": "git"
},
{
"lessThan": "ef05007b403dcc21e701cb1f30d4572ac0a9da20",
"status": "affected",
"version": "d1da932ed4ecad2a14cbcc01ed589d617d0f0f09",
"versionType": "git"
},
{
"lessThan": "5489e7fc6f8be3062f8cb7e49406de4bfd94db67",
"status": "affected",
"version": "d1da932ed4ecad2a14cbcc01ed589d617d0f0f09",
"versionType": "git"
},
{
"lessThan": "573b8250fc2554761db3bc2bbdbab23789d52d4e",
"status": "affected",
"version": "d1da932ed4ecad2a14cbcc01ed589d617d0f0f09",
"versionType": "git"
},
{
"lessThan": "ee851768e4b8371ce151fd446d24bf3ae2d18789",
"status": "affected",
"version": "d1da932ed4ecad2a14cbcc01ed589d617d0f0f09",
"versionType": "git"
},
{
"lessThan": "d45cf1e7d7180256e17c9ce88e32e8061a7887fe",
"status": "affected",
"version": "d1da932ed4ecad2a14cbcc01ed589d617d0f0f09",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/linux/skbuff.h",
"net/ipv6/ip6_offload.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.8"
},
{
"lessThan": "3.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.148",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.102",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.148",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.102",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.42",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.10",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "3.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: reject malicious packets in ipv6_gso_segment()\n\nsyzbot was able to craft a packet with very long IPv6 extension headers\nleading to an overflow of skb-\u003etransport_header.\n\nThis 16bit field has a limited range.\n\nAdd skb_reset_transport_header_careful() helper and use it\nfrom ipv6_gso_segment()\n\nWARNING: CPU: 0 PID: 5871 at ./include/linux/skbuff.h:3032 skb_reset_transport_header include/linux/skbuff.h:3032 [inline]\nWARNING: CPU: 0 PID: 5871 at ./include/linux/skbuff.h:3032 ipv6_gso_segment+0x15e2/0x21e0 net/ipv6/ip6_offload.c:151\nModules linked in:\nCPU: 0 UID: 0 PID: 5871 Comm: syz-executor211 Not tainted 6.16.0-rc6-syzkaller-g7abc678e3084 #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025\n RIP: 0010:skb_reset_transport_header include/linux/skbuff.h:3032 [inline]\n RIP: 0010:ipv6_gso_segment+0x15e2/0x21e0 net/ipv6/ip6_offload.c:151\nCall Trace:\n \u003cTASK\u003e\n skb_mac_gso_segment+0x31c/0x640 net/core/gso.c:53\n nsh_gso_segment+0x54a/0xe10 net/nsh/nsh.c:110\n skb_mac_gso_segment+0x31c/0x640 net/core/gso.c:53\n __skb_gso_segment+0x342/0x510 net/core/gso.c:124\n skb_gso_segment include/net/gso.h:83 [inline]\n validate_xmit_skb+0x857/0x11b0 net/core/dev.c:3950\n validate_xmit_skb_list+0x84/0x120 net/core/dev.c:4000\n sch_direct_xmit+0xd3/0x4b0 net/sched/sch_generic.c:329\n __dev_xmit_skb net/core/dev.c:4102 [inline]\n __dev_queue_xmit+0x17b6/0x3a70 net/core/dev.c:4679"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:54:03.372Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5dc60b2a00ed7629214ac0c48e43f40af2078703"
},
{
"url": "https://git.kernel.org/stable/c/3f638e0b28bde7c3354a0df938ab3a96739455d1"
},
{
"url": "https://git.kernel.org/stable/c/09ff062b89d8e48165247d677d1ca23d6d607e9b"
},
{
"url": "https://git.kernel.org/stable/c/de322cdf600fc9433845a9e944d1ca6b31cfb67e"
},
{
"url": "https://git.kernel.org/stable/c/ef05007b403dcc21e701cb1f30d4572ac0a9da20"
},
{
"url": "https://git.kernel.org/stable/c/5489e7fc6f8be3062f8cb7e49406de4bfd94db67"
},
{
"url": "https://git.kernel.org/stable/c/573b8250fc2554761db3bc2bbdbab23789d52d4e"
},
{
"url": "https://git.kernel.org/stable/c/ee851768e4b8371ce151fd446d24bf3ae2d18789"
},
{
"url": "https://git.kernel.org/stable/c/d45cf1e7d7180256e17c9ce88e32e8061a7887fe"
}
],
"title": "ipv6: reject malicious packets in ipv6_gso_segment()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38572",
"datePublished": "2025-08-19T17:02:52.340Z",
"dateReserved": "2025-04-16T04:51:24.025Z",
"dateUpdated": "2025-09-29T05:54:03.372Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38079 (GCVE-0-2025-38079)
Vulnerability from cvelistv5
Published
2025-06-18 09:33
Modified
2025-06-18 09:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: algif_hash - fix double free in hash_accept
If accept(2) is called on socket type algif_hash with
MSG_MORE flag set and crypto_ahash_import fails,
sk2 is freed. However, it is also freed in af_alg_release,
leading to slab-use-after-free error.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: fe869cdb89c95d060c77eea20204d6c91f233b53 Version: fe869cdb89c95d060c77eea20204d6c91f233b53 Version: fe869cdb89c95d060c77eea20204d6c91f233b53 Version: fe869cdb89c95d060c77eea20204d6c91f233b53 Version: fe869cdb89c95d060c77eea20204d6c91f233b53 Version: fe869cdb89c95d060c77eea20204d6c91f233b53 Version: fe869cdb89c95d060c77eea20204d6c91f233b53 Version: fe869cdb89c95d060c77eea20204d6c91f233b53 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"crypto/algif_hash.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5bff312b59b3f2a54ff504e4f4e47272b64f3633",
"status": "affected",
"version": "fe869cdb89c95d060c77eea20204d6c91f233b53",
"versionType": "git"
},
{
"lessThan": "bf7bba75b91539e93615f560893a599c1e1c98bf",
"status": "affected",
"version": "fe869cdb89c95d060c77eea20204d6c91f233b53",
"versionType": "git"
},
{
"lessThan": "c3059d58f79fdfb2201249c2741514e34562b547",
"status": "affected",
"version": "fe869cdb89c95d060c77eea20204d6c91f233b53",
"versionType": "git"
},
{
"lessThan": "f0f3d09f53534ea385d55ced408f2b67059b16e4",
"status": "affected",
"version": "fe869cdb89c95d060c77eea20204d6c91f233b53",
"versionType": "git"
},
{
"lessThan": "134daaba93193df9e988524b5cd2f52d15eb1993",
"status": "affected",
"version": "fe869cdb89c95d060c77eea20204d6c91f233b53",
"versionType": "git"
},
{
"lessThan": "2f45a8d64fb4ed4830a4b3273834ecd6ca504896",
"status": "affected",
"version": "fe869cdb89c95d060c77eea20204d6c91f233b53",
"versionType": "git"
},
{
"lessThan": "0346f4b742345d1c733c977f3a7aef5a6419a967",
"status": "affected",
"version": "fe869cdb89c95d060c77eea20204d6c91f233b53",
"versionType": "git"
},
{
"lessThan": "b2df03ed4052e97126267e8c13ad4204ea6ba9b6",
"status": "affected",
"version": "fe869cdb89c95d060c77eea20204d6c91f233b53",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"crypto/algif_hash.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.38"
},
{
"lessThan": "2.6.38",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.294",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.238",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.185",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.141",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.31",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.294",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.238",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.185",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.141",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.93",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.31",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.9",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "2.6.38",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: algif_hash - fix double free in hash_accept\n\nIf accept(2) is called on socket type algif_hash with\nMSG_MORE flag set and crypto_ahash_import fails,\nsk2 is freed. However, it is also freed in af_alg_release,\nleading to slab-use-after-free error."
}
],
"providerMetadata": {
"dateUpdated": "2025-06-18T09:33:53.251Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5bff312b59b3f2a54ff504e4f4e47272b64f3633"
},
{
"url": "https://git.kernel.org/stable/c/bf7bba75b91539e93615f560893a599c1e1c98bf"
},
{
"url": "https://git.kernel.org/stable/c/c3059d58f79fdfb2201249c2741514e34562b547"
},
{
"url": "https://git.kernel.org/stable/c/f0f3d09f53534ea385d55ced408f2b67059b16e4"
},
{
"url": "https://git.kernel.org/stable/c/134daaba93193df9e988524b5cd2f52d15eb1993"
},
{
"url": "https://git.kernel.org/stable/c/2f45a8d64fb4ed4830a4b3273834ecd6ca504896"
},
{
"url": "https://git.kernel.org/stable/c/0346f4b742345d1c733c977f3a7aef5a6419a967"
},
{
"url": "https://git.kernel.org/stable/c/b2df03ed4052e97126267e8c13ad4204ea6ba9b6"
}
],
"title": "crypto: algif_hash - fix double free in hash_accept",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38079",
"datePublished": "2025-06-18T09:33:53.251Z",
"dateReserved": "2025-04-16T04:51:23.980Z",
"dateUpdated": "2025-06-18T09:33:53.251Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50127 (GCVE-0-2022-50127)
Vulnerability from cvelistv5
Published
2025-06-18 11:02
Modified
2025-06-18 11:02
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/rxe: Fix error unwind in rxe_create_qp()
In the function rxe_create_qp(), rxe_qp_from_init() is called to
initialize qp, internally things like the spin locks are not setup until
rxe_qp_init_req().
If an error occures before this point then the unwind will call
rxe_cleanup() and eventually to rxe_qp_do_cleanup()/rxe_cleanup_task()
which will oops when trying to access the uninitialized spinlock.
Move the spinlock initializations earlier before any failures.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 8700e3e7c4857d28ebaa824509934556da0b3e76 Version: 8700e3e7c4857d28ebaa824509934556da0b3e76 Version: 8700e3e7c4857d28ebaa824509934556da0b3e76 Version: 8700e3e7c4857d28ebaa824509934556da0b3e76 Version: 8700e3e7c4857d28ebaa824509934556da0b3e76 Version: 8700e3e7c4857d28ebaa824509934556da0b3e76 Version: 8700e3e7c4857d28ebaa824509934556da0b3e76 Version: 8700e3e7c4857d28ebaa824509934556da0b3e76 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/sw/rxe/rxe_qp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3c838ca6fbdb173102780d7bdf18f2f7d9e30979",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
},
{
"lessThan": "1a63f24e724f677db1ab21251f4d0011ae0bb5b5",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
},
{
"lessThan": "b348e204a53103f51070513a7494da7c62ecbdaa",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
},
{
"lessThan": "3ef491b26c720a87fcfbd78b7dc8eb83d9753fe6",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
},
{
"lessThan": "2ceeb04252e621c0b128ecc8fedbca922d11adba",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
},
{
"lessThan": "db924bd8484c76558a4ac4c4b5aeb52e857f0341",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
},
{
"lessThan": "f05b7cf02123aaf99db78abfe638efefdbe15555",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
},
{
"lessThan": "fd5382c5805c4bcb50fd25b7246247d3f7114733",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/sw/rxe/rxe_qp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.256",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.211",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.137",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.291",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.256",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.211",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.137",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.61",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.18",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.2",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Fix error unwind in rxe_create_qp()\n\nIn the function rxe_create_qp(), rxe_qp_from_init() is called to\ninitialize qp, internally things like the spin locks are not setup until\nrxe_qp_init_req().\n\nIf an error occures before this point then the unwind will call\nrxe_cleanup() and eventually to rxe_qp_do_cleanup()/rxe_cleanup_task()\nwhich will oops when trying to access the uninitialized spinlock.\n\nMove the spinlock initializations earlier before any failures."
}
],
"providerMetadata": {
"dateUpdated": "2025-06-18T11:02:54.332Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3c838ca6fbdb173102780d7bdf18f2f7d9e30979"
},
{
"url": "https://git.kernel.org/stable/c/1a63f24e724f677db1ab21251f4d0011ae0bb5b5"
},
{
"url": "https://git.kernel.org/stable/c/b348e204a53103f51070513a7494da7c62ecbdaa"
},
{
"url": "https://git.kernel.org/stable/c/3ef491b26c720a87fcfbd78b7dc8eb83d9753fe6"
},
{
"url": "https://git.kernel.org/stable/c/2ceeb04252e621c0b128ecc8fedbca922d11adba"
},
{
"url": "https://git.kernel.org/stable/c/db924bd8484c76558a4ac4c4b5aeb52e857f0341"
},
{
"url": "https://git.kernel.org/stable/c/f05b7cf02123aaf99db78abfe638efefdbe15555"
},
{
"url": "https://git.kernel.org/stable/c/fd5382c5805c4bcb50fd25b7246247d3f7114733"
}
],
"title": "RDMA/rxe: Fix error unwind in rxe_create_qp()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50127",
"datePublished": "2025-06-18T11:02:54.332Z",
"dateReserved": "2025-06-18T10:57:27.417Z",
"dateUpdated": "2025-06-18T11:02:54.332Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-53057 (GCVE-0-2024-53057)
Vulnerability from cvelistv5
Published
2024-11-19 17:19
Modified
2025-05-04 09:51
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT
In qdisc_tree_reduce_backlog, Qdiscs with major handle ffff: are assumed
to be either root or ingress. This assumption is bogus since it's valid
to create egress qdiscs with major handle ffff:
Budimir Markovic found that for qdiscs like DRR that maintain an active
class list, it will cause a UAF with a dangling class pointer.
In 066a3b5b2346, the concern was to avoid iterating over the ingress
qdisc since its parent is itself. The proper fix is to stop when parent
TC_H_ROOT is reached because the only way to retrieve ingress is when a
hierarchy which does not contain a ffff: major handle call into
qdisc_lookup with TC_H_MAJ(TC_H_ROOT).
In the scenario where major ffff: is an egress qdisc in any of the tree
levels, the updates will also propagate to TC_H_ROOT, which then the
iteration must stop.
net/sched/sch_api.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 066a3b5b2346febf9a655b444567b7138e3bb939 Version: 066a3b5b2346febf9a655b444567b7138e3bb939 Version: 066a3b5b2346febf9a655b444567b7138e3bb939 Version: 066a3b5b2346febf9a655b444567b7138e3bb939 Version: 066a3b5b2346febf9a655b444567b7138e3bb939 Version: 066a3b5b2346febf9a655b444567b7138e3bb939 Version: 066a3b5b2346febf9a655b444567b7138e3bb939 Version: 066a3b5b2346febf9a655b444567b7138e3bb939 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-53057",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-11T14:25:23.594430Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-11T14:58:31.650Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/sch_api.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e7f9a6f97eb067599a74f3bcb6761976b0ed303e",
"status": "affected",
"version": "066a3b5b2346febf9a655b444567b7138e3bb939",
"versionType": "git"
},
{
"lessThan": "dbe778b08b5101df9e89bc06e0a3a7ecd2f4ef20",
"status": "affected",
"version": "066a3b5b2346febf9a655b444567b7138e3bb939",
"versionType": "git"
},
{
"lessThan": "ce691c814bc7a3c30c220ffb5b7422715458fd9b",
"status": "affected",
"version": "066a3b5b2346febf9a655b444567b7138e3bb939",
"versionType": "git"
},
{
"lessThan": "05df1b1dff8f197f1c275b57ccb2ca33021df552",
"status": "affected",
"version": "066a3b5b2346febf9a655b444567b7138e3bb939",
"versionType": "git"
},
{
"lessThan": "580b3189c1972aff0f993837567d36392e9d981b",
"status": "affected",
"version": "066a3b5b2346febf9a655b444567b7138e3bb939",
"versionType": "git"
},
{
"lessThan": "597cf9748c3477bf61bc35f0634129f56764ad24",
"status": "affected",
"version": "066a3b5b2346febf9a655b444567b7138e3bb939",
"versionType": "git"
},
{
"lessThan": "9995909615c3431a5304c1210face5f268d24dba",
"status": "affected",
"version": "066a3b5b2346febf9a655b444567b7138e3bb939",
"versionType": "git"
},
{
"lessThan": "2e95c4384438adeaa772caa560244b1a2efef816",
"status": "affected",
"version": "066a3b5b2346febf9a655b444567b7138e3bb939",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/sch_api.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.25"
},
{
"lessThan": "2.6.25",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.323",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.285",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.171",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.116",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.60",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"version": "6.11.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.12",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.323",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.285",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.229",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.171",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.116",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.60",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11.7",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12",
"versionStartIncluding": "2.6.25",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT\n\nIn qdisc_tree_reduce_backlog, Qdiscs with major handle ffff: are assumed\nto be either root or ingress. This assumption is bogus since it\u0027s valid\nto create egress qdiscs with major handle ffff:\nBudimir Markovic found that for qdiscs like DRR that maintain an active\nclass list, it will cause a UAF with a dangling class pointer.\n\nIn 066a3b5b2346, the concern was to avoid iterating over the ingress\nqdisc since its parent is itself. The proper fix is to stop when parent\nTC_H_ROOT is reached because the only way to retrieve ingress is when a\nhierarchy which does not contain a ffff: major handle call into\nqdisc_lookup with TC_H_MAJ(TC_H_ROOT).\n\nIn the scenario where major ffff: is an egress qdisc in any of the tree\nlevels, the updates will also propagate to TC_H_ROOT, which then the\niteration must stop.\n\n\n net/sched/sch_api.c | 2 +-\n 1 file changed, 1 insertion(+), 1 deletion(-)"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:51:52.422Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e7f9a6f97eb067599a74f3bcb6761976b0ed303e"
},
{
"url": "https://git.kernel.org/stable/c/dbe778b08b5101df9e89bc06e0a3a7ecd2f4ef20"
},
{
"url": "https://git.kernel.org/stable/c/ce691c814bc7a3c30c220ffb5b7422715458fd9b"
},
{
"url": "https://git.kernel.org/stable/c/05df1b1dff8f197f1c275b57ccb2ca33021df552"
},
{
"url": "https://git.kernel.org/stable/c/580b3189c1972aff0f993837567d36392e9d981b"
},
{
"url": "https://git.kernel.org/stable/c/597cf9748c3477bf61bc35f0634129f56764ad24"
},
{
"url": "https://git.kernel.org/stable/c/9995909615c3431a5304c1210face5f268d24dba"
},
{
"url": "https://git.kernel.org/stable/c/2e95c4384438adeaa772caa560244b1a2efef816"
}
],
"title": "net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-53057",
"datePublished": "2024-11-19T17:19:40.284Z",
"dateReserved": "2024-11-19T17:17:24.974Z",
"dateUpdated": "2025-05-04T09:51:52.422Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38173 (GCVE-0-2025-38173)
Vulnerability from cvelistv5
Published
2025-07-03 08:36
Modified
2025-07-28 04:14
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: marvell/cesa - Handle zero-length skcipher requests
Do not access random memory for zero-length skcipher requests.
Just return 0.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: f63601fd616ab370774fa00ea10bcaaa9e48e84c Version: f63601fd616ab370774fa00ea10bcaaa9e48e84c Version: f63601fd616ab370774fa00ea10bcaaa9e48e84c Version: f63601fd616ab370774fa00ea10bcaaa9e48e84c Version: f63601fd616ab370774fa00ea10bcaaa9e48e84c Version: f63601fd616ab370774fa00ea10bcaaa9e48e84c Version: f63601fd616ab370774fa00ea10bcaaa9e48e84c Version: f63601fd616ab370774fa00ea10bcaaa9e48e84c |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/crypto/marvell/cesa/cipher.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "32d3e8049a8b60f18c5c39f5931bfb1130ac11c9",
"status": "affected",
"version": "f63601fd616ab370774fa00ea10bcaaa9e48e84c",
"versionType": "git"
},
{
"lessThan": "c064ae2881d839709bd72d484d5f2af157f46024",
"status": "affected",
"version": "f63601fd616ab370774fa00ea10bcaaa9e48e84c",
"versionType": "git"
},
{
"lessThan": "e1cc69da619588b1488689fe3535a0ba75a2b0e7",
"status": "affected",
"version": "f63601fd616ab370774fa00ea10bcaaa9e48e84c",
"versionType": "git"
},
{
"lessThan": "78ea1ff6cb413a03ff6f7af4e28e24b4461a0965",
"status": "affected",
"version": "f63601fd616ab370774fa00ea10bcaaa9e48e84c",
"versionType": "git"
},
{
"lessThan": "5e9666ac8b94c978690f937d59170c5237bd2c45",
"status": "affected",
"version": "f63601fd616ab370774fa00ea10bcaaa9e48e84c",
"versionType": "git"
},
{
"lessThan": "7894694b5d5b2ecfd7fb081d6f60b9e169ab4d13",
"status": "affected",
"version": "f63601fd616ab370774fa00ea10bcaaa9e48e84c",
"versionType": "git"
},
{
"lessThan": "c9610dda42bd382a96f97e68825cb5f66cd9e1dc",
"status": "affected",
"version": "f63601fd616ab370774fa00ea10bcaaa9e48e84c",
"versionType": "git"
},
{
"lessThan": "8a4e047c6cc07676f637608a9dd675349b5de0a7",
"status": "affected",
"version": "f63601fd616ab370774fa00ea10bcaaa9e48e84c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/crypto/marvell/cesa/cipher.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.239",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.186",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.295",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.239",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.186",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.142",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.94",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.34",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.3",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: marvell/cesa - Handle zero-length skcipher requests\n\nDo not access random memory for zero-length skcipher requests.\nJust return 0."
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T04:14:15.078Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/32d3e8049a8b60f18c5c39f5931bfb1130ac11c9"
},
{
"url": "https://git.kernel.org/stable/c/c064ae2881d839709bd72d484d5f2af157f46024"
},
{
"url": "https://git.kernel.org/stable/c/e1cc69da619588b1488689fe3535a0ba75a2b0e7"
},
{
"url": "https://git.kernel.org/stable/c/78ea1ff6cb413a03ff6f7af4e28e24b4461a0965"
},
{
"url": "https://git.kernel.org/stable/c/5e9666ac8b94c978690f937d59170c5237bd2c45"
},
{
"url": "https://git.kernel.org/stable/c/7894694b5d5b2ecfd7fb081d6f60b9e169ab4d13"
},
{
"url": "https://git.kernel.org/stable/c/c9610dda42bd382a96f97e68825cb5f66cd9e1dc"
},
{
"url": "https://git.kernel.org/stable/c/8a4e047c6cc07676f637608a9dd675349b5de0a7"
}
],
"title": "crypto: marvell/cesa - Handle zero-length skcipher requests",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38173",
"datePublished": "2025-07-03T08:36:10.969Z",
"dateReserved": "2025-04-16T04:51:23.991Z",
"dateUpdated": "2025-07-28T04:14:15.078Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50211 (GCVE-0-2022-50211)
Vulnerability from cvelistv5
Published
2025-06-18 11:03
Modified
2025-06-18 11:03
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
md-raid10: fix KASAN warning
There's a KASAN warning in raid10_remove_disk when running the lvm
test lvconvert-raid-reshape.sh. We fix this warning by verifying that the
value "number" is valid.
BUG: KASAN: slab-out-of-bounds in raid10_remove_disk+0x61/0x2a0 [raid10]
Read of size 8 at addr ffff889108f3d300 by task mdX_raid10/124682
CPU: 3 PID: 124682 Comm: mdX_raid10 Not tainted 5.19.0-rc6 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x34/0x44
print_report.cold+0x45/0x57a
? __lock_text_start+0x18/0x18
? raid10_remove_disk+0x61/0x2a0 [raid10]
kasan_report+0xa8/0xe0
? raid10_remove_disk+0x61/0x2a0 [raid10]
raid10_remove_disk+0x61/0x2a0 [raid10]
Buffer I/O error on dev dm-76, logical block 15344, async page read
? __mutex_unlock_slowpath.constprop.0+0x1e0/0x1e0
remove_and_add_spares+0x367/0x8a0 [md_mod]
? super_written+0x1c0/0x1c0 [md_mod]
? mutex_trylock+0xac/0x120
? _raw_spin_lock+0x72/0xc0
? _raw_spin_lock_bh+0xc0/0xc0
md_check_recovery+0x848/0x960 [md_mod]
raid10d+0xcf/0x3360 [raid10]
? sched_clock_cpu+0x185/0x1a0
? rb_erase+0x4d4/0x620
? var_wake_function+0xe0/0xe0
? psi_group_change+0x411/0x500
? preempt_count_sub+0xf/0xc0
? _raw_spin_lock_irqsave+0x78/0xc0
? __lock_text_start+0x18/0x18
? raid10_sync_request+0x36c0/0x36c0 [raid10]
? preempt_count_sub+0xf/0xc0
? _raw_spin_unlock_irqrestore+0x19/0x40
? del_timer_sync+0xa9/0x100
? try_to_del_timer_sync+0xc0/0xc0
? _raw_spin_lock_irqsave+0x78/0xc0
? __lock_text_start+0x18/0x18
? _raw_spin_unlock_irq+0x11/0x24
? __list_del_entry_valid+0x68/0xa0
? finish_wait+0xa3/0x100
md_thread+0x161/0x260 [md_mod]
? unregister_md_personality+0xa0/0xa0 [md_mod]
? _raw_spin_lock_irqsave+0x78/0xc0
? prepare_to_wait_event+0x2c0/0x2c0
? unregister_md_personality+0xa0/0xa0 [md_mod]
kthread+0x148/0x180
? kthread_complete_and_exit+0x20/0x20
ret_from_fork+0x1f/0x30
</TASK>
Allocated by task 124495:
kasan_save_stack+0x1e/0x40
__kasan_kmalloc+0x80/0xa0
setup_conf+0x140/0x5c0 [raid10]
raid10_run+0x4cd/0x740 [raid10]
md_run+0x6f9/0x1300 [md_mod]
raid_ctr+0x2531/0x4ac0 [dm_raid]
dm_table_add_target+0x2b0/0x620 [dm_mod]
table_load+0x1c8/0x400 [dm_mod]
ctl_ioctl+0x29e/0x560 [dm_mod]
dm_compat_ctl_ioctl+0x7/0x20 [dm_mod]
__do_compat_sys_ioctl+0xfa/0x160
do_syscall_64+0x90/0xc0
entry_SYSCALL_64_after_hwframe+0x46/0xb0
Last potentially related work creation:
kasan_save_stack+0x1e/0x40
__kasan_record_aux_stack+0x9e/0xc0
kvfree_call_rcu+0x84/0x480
timerfd_release+0x82/0x140
L __fput+0xfa/0x400
task_work_run+0x80/0xc0
exit_to_user_mode_prepare+0x155/0x160
syscall_exit_to_user_mode+0x12/0x40
do_syscall_64+0x42/0xc0
entry_SYSCALL_64_after_hwframe+0x46/0xb0
Second to last potentially related work creation:
kasan_save_stack+0x1e/0x40
__kasan_record_aux_stack+0x9e/0xc0
kvfree_call_rcu+0x84/0x480
timerfd_release+0x82/0x140
__fput+0xfa/0x400
task_work_run+0x80/0xc0
exit_to_user_mode_prepare+0x155/0x160
syscall_exit_to_user_mode+0x12/0x40
do_syscall_64+0x42/0xc0
entry_SYSCALL_64_after_hwframe+0x46/0xb0
The buggy address belongs to the object at ffff889108f3d200
which belongs to the cache kmalloc-256 of size 256
The buggy address is located 0 bytes to the right of
256-byte region [ffff889108f3d200, ffff889108f3d300)
The buggy address belongs to the physical page:
page:000000007ef2a34c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1108f3c
head:000000007ef2a34c order:2 compound_mapcount:0 compound_pincount:0
flags: 0x4000000000010200(slab|head|zone=2)
raw: 4000000000010200 0000000000000000 dead000000000001 ffff889100042b40
raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff889108f3d200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff889108f3d280: 00 00
---truncated---
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/raid10.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "75fbd370a2cec9e92f48285bd90735ed0c837f52",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "bcbdc26a44aba488d2f7122f2d66801bccb74733",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7a6ccc8fa192fd357c2d5d4c6ce67c834a179e23",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ce839b9331c11780470f3d727b6fe3c2794a4620",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5fd4ffa2372a41361d2bdd27ea5730e4e673240c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0f4d18cbea4a6e37a05fd8ee2887439f85211110",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "bf30b9ba09b0ac2a10f04dce2b0835ec4d178aa6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5f57843565131bb782388f9d993f9ee8f453dee1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d17f744e883b2f8d13cca252d71cfe8ace346f7d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/raid10.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.326",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.256",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.211",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.137",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.326",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.291",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.256",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.211",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.137",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.61",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd-raid10: fix KASAN warning\n\nThere\u0027s a KASAN warning in raid10_remove_disk when running the lvm\ntest lvconvert-raid-reshape.sh. We fix this warning by verifying that the\nvalue \"number\" is valid.\n\nBUG: KASAN: slab-out-of-bounds in raid10_remove_disk+0x61/0x2a0 [raid10]\nRead of size 8 at addr ffff889108f3d300 by task mdX_raid10/124682\n\nCPU: 3 PID: 124682 Comm: mdX_raid10 Not tainted 5.19.0-rc6 #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x34/0x44\n print_report.cold+0x45/0x57a\n ? __lock_text_start+0x18/0x18\n ? raid10_remove_disk+0x61/0x2a0 [raid10]\n kasan_report+0xa8/0xe0\n ? raid10_remove_disk+0x61/0x2a0 [raid10]\n raid10_remove_disk+0x61/0x2a0 [raid10]\nBuffer I/O error on dev dm-76, logical block 15344, async page read\n ? __mutex_unlock_slowpath.constprop.0+0x1e0/0x1e0\n remove_and_add_spares+0x367/0x8a0 [md_mod]\n ? super_written+0x1c0/0x1c0 [md_mod]\n ? mutex_trylock+0xac/0x120\n ? _raw_spin_lock+0x72/0xc0\n ? _raw_spin_lock_bh+0xc0/0xc0\n md_check_recovery+0x848/0x960 [md_mod]\n raid10d+0xcf/0x3360 [raid10]\n ? sched_clock_cpu+0x185/0x1a0\n ? rb_erase+0x4d4/0x620\n ? var_wake_function+0xe0/0xe0\n ? psi_group_change+0x411/0x500\n ? preempt_count_sub+0xf/0xc0\n ? _raw_spin_lock_irqsave+0x78/0xc0\n ? __lock_text_start+0x18/0x18\n ? raid10_sync_request+0x36c0/0x36c0 [raid10]\n ? preempt_count_sub+0xf/0xc0\n ? _raw_spin_unlock_irqrestore+0x19/0x40\n ? del_timer_sync+0xa9/0x100\n ? try_to_del_timer_sync+0xc0/0xc0\n ? _raw_spin_lock_irqsave+0x78/0xc0\n ? __lock_text_start+0x18/0x18\n ? _raw_spin_unlock_irq+0x11/0x24\n ? __list_del_entry_valid+0x68/0xa0\n ? finish_wait+0xa3/0x100\n md_thread+0x161/0x260 [md_mod]\n ? unregister_md_personality+0xa0/0xa0 [md_mod]\n ? _raw_spin_lock_irqsave+0x78/0xc0\n ? prepare_to_wait_event+0x2c0/0x2c0\n ? unregister_md_personality+0xa0/0xa0 [md_mod]\n kthread+0x148/0x180\n ? kthread_complete_and_exit+0x20/0x20\n ret_from_fork+0x1f/0x30\n \u003c/TASK\u003e\n\nAllocated by task 124495:\n kasan_save_stack+0x1e/0x40\n __kasan_kmalloc+0x80/0xa0\n setup_conf+0x140/0x5c0 [raid10]\n raid10_run+0x4cd/0x740 [raid10]\n md_run+0x6f9/0x1300 [md_mod]\n raid_ctr+0x2531/0x4ac0 [dm_raid]\n dm_table_add_target+0x2b0/0x620 [dm_mod]\n table_load+0x1c8/0x400 [dm_mod]\n ctl_ioctl+0x29e/0x560 [dm_mod]\n dm_compat_ctl_ioctl+0x7/0x20 [dm_mod]\n __do_compat_sys_ioctl+0xfa/0x160\n do_syscall_64+0x90/0xc0\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nLast potentially related work creation:\n kasan_save_stack+0x1e/0x40\n __kasan_record_aux_stack+0x9e/0xc0\n kvfree_call_rcu+0x84/0x480\n timerfd_release+0x82/0x140\nL __fput+0xfa/0x400\n task_work_run+0x80/0xc0\n exit_to_user_mode_prepare+0x155/0x160\n syscall_exit_to_user_mode+0x12/0x40\n do_syscall_64+0x42/0xc0\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nSecond to last potentially related work creation:\n kasan_save_stack+0x1e/0x40\n __kasan_record_aux_stack+0x9e/0xc0\n kvfree_call_rcu+0x84/0x480\n timerfd_release+0x82/0x140\n __fput+0xfa/0x400\n task_work_run+0x80/0xc0\n exit_to_user_mode_prepare+0x155/0x160\n syscall_exit_to_user_mode+0x12/0x40\n do_syscall_64+0x42/0xc0\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nThe buggy address belongs to the object at ffff889108f3d200\n which belongs to the cache kmalloc-256 of size 256\nThe buggy address is located 0 bytes to the right of\n 256-byte region [ffff889108f3d200, ffff889108f3d300)\n\nThe buggy address belongs to the physical page:\npage:000000007ef2a34c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1108f3c\nhead:000000007ef2a34c order:2 compound_mapcount:0 compound_pincount:0\nflags: 0x4000000000010200(slab|head|zone=2)\nraw: 4000000000010200 0000000000000000 dead000000000001 ffff889100042b40\nraw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\n\nMemory state around the buggy address:\n ffff889108f3d200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n ffff889108f3d280: 00 00\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-06-18T11:03:49.739Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/75fbd370a2cec9e92f48285bd90735ed0c837f52"
},
{
"url": "https://git.kernel.org/stable/c/bcbdc26a44aba488d2f7122f2d66801bccb74733"
},
{
"url": "https://git.kernel.org/stable/c/7a6ccc8fa192fd357c2d5d4c6ce67c834a179e23"
},
{
"url": "https://git.kernel.org/stable/c/ce839b9331c11780470f3d727b6fe3c2794a4620"
},
{
"url": "https://git.kernel.org/stable/c/5fd4ffa2372a41361d2bdd27ea5730e4e673240c"
},
{
"url": "https://git.kernel.org/stable/c/0f4d18cbea4a6e37a05fd8ee2887439f85211110"
},
{
"url": "https://git.kernel.org/stable/c/bf30b9ba09b0ac2a10f04dce2b0835ec4d178aa6"
},
{
"url": "https://git.kernel.org/stable/c/5f57843565131bb782388f9d993f9ee8f453dee1"
},
{
"url": "https://git.kernel.org/stable/c/d17f744e883b2f8d13cca252d71cfe8ace346f7d"
}
],
"title": "md-raid10: fix KASAN warning",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50211",
"datePublished": "2025-06-18T11:03:49.739Z",
"dateReserved": "2025-06-18T10:57:27.429Z",
"dateUpdated": "2025-06-18T11:03:49.739Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38543 (GCVE-0-2025-38543)
Vulnerability from cvelistv5
Published
2025-08-16 11:22
Modified
2025-08-16 11:22
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/tegra: nvdec: Fix dma_alloc_coherent error check
Check for NULL return value with dma_alloc_coherent, in line with
Robin's fix for vic.c in 'drm/tegra: vic: Fix DMA API misuse'.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/tegra/nvdec.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "61b8d20962d00b7df117011c52f97cbb9c76a669",
"status": "affected",
"version": "46f226c93d35b936aeec6eb31da932dc2e86f413",
"versionType": "git"
},
{
"lessThan": "d1240029f97ac8c06db4dd4407bbbf83e8d08570",
"status": "affected",
"version": "46f226c93d35b936aeec6eb31da932dc2e86f413",
"versionType": "git"
},
{
"lessThan": "a560de522374af931fa994d161db3667b0bb2545",
"status": "affected",
"version": "46f226c93d35b936aeec6eb31da932dc2e86f413",
"versionType": "git"
},
{
"lessThan": "2e0812eedccd0629d73c9d0b1184a5db055df1da",
"status": "affected",
"version": "46f226c93d35b936aeec6eb31da932dc2e86f413",
"versionType": "git"
},
{
"lessThan": "44306a684cd1699b8562a54945ddc43e2abc9eab",
"status": "affected",
"version": "46f226c93d35b936aeec6eb31da932dc2e86f413",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/tegra/nvdec.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.146",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.146",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.99",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.39",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.7",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "5.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/tegra: nvdec: Fix dma_alloc_coherent error check\n\nCheck for NULL return value with dma_alloc_coherent, in line with\nRobin\u0027s fix for vic.c in \u0027drm/tegra: vic: Fix DMA API misuse\u0027."
}
],
"providerMetadata": {
"dateUpdated": "2025-08-16T11:22:17.619Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/61b8d20962d00b7df117011c52f97cbb9c76a669"
},
{
"url": "https://git.kernel.org/stable/c/d1240029f97ac8c06db4dd4407bbbf83e8d08570"
},
{
"url": "https://git.kernel.org/stable/c/a560de522374af931fa994d161db3667b0bb2545"
},
{
"url": "https://git.kernel.org/stable/c/2e0812eedccd0629d73c9d0b1184a5db055df1da"
},
{
"url": "https://git.kernel.org/stable/c/44306a684cd1699b8562a54945ddc43e2abc9eab"
}
],
"title": "drm/tegra: nvdec: Fix dma_alloc_coherent error check",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38543",
"datePublished": "2025-08-16T11:22:17.619Z",
"dateReserved": "2025-04-16T04:51:24.024Z",
"dateUpdated": "2025-08-16T11:22:17.619Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38000 (GCVE-0-2025-38000)
Vulnerability from cvelistv5
Published
2025-06-06 13:03
Modified
2025-06-06 13:03
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue()
When enqueuing the first packet to an HFSC class, hfsc_enqueue() calls the
child qdisc's peek() operation before incrementing sch->q.qlen and
sch->qstats.backlog. If the child qdisc uses qdisc_peek_dequeued(), this may
trigger an immediate dequeue and potential packet drop. In such cases,
qdisc_tree_reduce_backlog() is called, but the HFSC qdisc's qlen and backlog
have not yet been updated, leading to inconsistent queue accounting. This
can leave an empty HFSC class in the active list, causing further
consequences like use-after-free.
This patch fixes the bug by moving the increment of sch->q.qlen and
sch->qstats.backlog before the call to the child qdisc's peek() operation.
This ensures that queue length and backlog are always accurate when packet
drops or dequeues are triggered during the peek.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 12d0ad3be9c3854e52ec74bb83bb6f43612827c7 Version: 12d0ad3be9c3854e52ec74bb83bb6f43612827c7 Version: 12d0ad3be9c3854e52ec74bb83bb6f43612827c7 Version: 12d0ad3be9c3854e52ec74bb83bb6f43612827c7 Version: 12d0ad3be9c3854e52ec74bb83bb6f43612827c7 Version: 12d0ad3be9c3854e52ec74bb83bb6f43612827c7 Version: 12d0ad3be9c3854e52ec74bb83bb6f43612827c7 Version: 12d0ad3be9c3854e52ec74bb83bb6f43612827c7 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/sch_hfsc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1034e3310752e8675e313f7271b348914008719a",
"status": "affected",
"version": "12d0ad3be9c3854e52ec74bb83bb6f43612827c7",
"versionType": "git"
},
{
"lessThan": "f9f593e34d2fb67644372c8f7b033bdc622ad228",
"status": "affected",
"version": "12d0ad3be9c3854e52ec74bb83bb6f43612827c7",
"versionType": "git"
},
{
"lessThan": "89c301e929a0db14ebd94b4d97764ce1d6981653",
"status": "affected",
"version": "12d0ad3be9c3854e52ec74bb83bb6f43612827c7",
"versionType": "git"
},
{
"lessThan": "f1dde3eb17dc1b8bd07aed00004b1e05fc87a3d4",
"status": "affected",
"version": "12d0ad3be9c3854e52ec74bb83bb6f43612827c7",
"versionType": "git"
},
{
"lessThan": "93c276942e75de0e5bc91576300d292e968f5a02",
"status": "affected",
"version": "12d0ad3be9c3854e52ec74bb83bb6f43612827c7",
"versionType": "git"
},
{
"lessThan": "49b21795b8e5654a7df3d910a12e1060da4c04cf",
"status": "affected",
"version": "12d0ad3be9c3854e52ec74bb83bb6f43612827c7",
"versionType": "git"
},
{
"lessThan": "3f3a22eebbc32b4fa8ce9c1d5f9db214b45b9335",
"status": "affected",
"version": "12d0ad3be9c3854e52ec74bb83bb6f43612827c7",
"versionType": "git"
},
{
"lessThan": "3f981138109f63232a5fb7165938d4c945cc1b9d",
"status": "affected",
"version": "12d0ad3be9c3854e52ec74bb83bb6f43612827c7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/sch_hfsc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.294",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.238",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.185",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.141",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.31",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.294",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.238",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.185",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.141",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.93",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.31",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.9",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue()\n\nWhen enqueuing the first packet to an HFSC class, hfsc_enqueue() calls the\nchild qdisc\u0027s peek() operation before incrementing sch-\u003eq.qlen and\nsch-\u003eqstats.backlog. If the child qdisc uses qdisc_peek_dequeued(), this may\ntrigger an immediate dequeue and potential packet drop. In such cases,\nqdisc_tree_reduce_backlog() is called, but the HFSC qdisc\u0027s qlen and backlog\nhave not yet been updated, leading to inconsistent queue accounting. This\ncan leave an empty HFSC class in the active list, causing further\nconsequences like use-after-free.\n\nThis patch fixes the bug by moving the increment of sch-\u003eq.qlen and\nsch-\u003eqstats.backlog before the call to the child qdisc\u0027s peek() operation.\nThis ensures that queue length and backlog are always accurate when packet\ndrops or dequeues are triggered during the peek."
}
],
"providerMetadata": {
"dateUpdated": "2025-06-06T13:03:35.405Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1034e3310752e8675e313f7271b348914008719a"
},
{
"url": "https://git.kernel.org/stable/c/f9f593e34d2fb67644372c8f7b033bdc622ad228"
},
{
"url": "https://git.kernel.org/stable/c/89c301e929a0db14ebd94b4d97764ce1d6981653"
},
{
"url": "https://git.kernel.org/stable/c/f1dde3eb17dc1b8bd07aed00004b1e05fc87a3d4"
},
{
"url": "https://git.kernel.org/stable/c/93c276942e75de0e5bc91576300d292e968f5a02"
},
{
"url": "https://git.kernel.org/stable/c/49b21795b8e5654a7df3d910a12e1060da4c04cf"
},
{
"url": "https://git.kernel.org/stable/c/3f3a22eebbc32b4fa8ce9c1d5f9db214b45b9335"
},
{
"url": "https://git.kernel.org/stable/c/3f981138109f63232a5fb7165938d4c945cc1b9d"
}
],
"title": "sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38000",
"datePublished": "2025-06-06T13:03:35.405Z",
"dateReserved": "2025-04-16T04:51:23.976Z",
"dateUpdated": "2025-06-06T13:03:35.405Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50066 (GCVE-0-2022-50066)
Vulnerability from cvelistv5
Published
2025-06-18 11:02
Modified
2025-06-18 11:02
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: atlantic: fix aq_vec index out of range error
The final update statement of the for loop exceeds the array range, the
dereference of self->aq_vec[i] is not checked and then leads to the
index out of range error.
Also fixed this kind of coding style in other for loop.
[ 97.937604] UBSAN: array-index-out-of-bounds in drivers/net/ethernet/aquantia/atlantic/aq_nic.c:1404:48
[ 97.937607] index 8 is out of range for type 'aq_vec_s *[8]'
[ 97.937608] CPU: 38 PID: 3767 Comm: kworker/u256:18 Not tainted 5.19.0+ #2
[ 97.937610] Hardware name: Dell Inc. Precision 7865 Tower/, BIOS 1.0.0 06/12/2022
[ 97.937611] Workqueue: events_unbound async_run_entry_fn
[ 97.937616] Call Trace:
[ 97.937617] <TASK>
[ 97.937619] dump_stack_lvl+0x49/0x63
[ 97.937624] dump_stack+0x10/0x16
[ 97.937626] ubsan_epilogue+0x9/0x3f
[ 97.937627] __ubsan_handle_out_of_bounds.cold+0x44/0x49
[ 97.937629] ? __scm_send+0x348/0x440
[ 97.937632] ? aq_vec_stop+0x72/0x80 [atlantic]
[ 97.937639] aq_nic_stop+0x1b6/0x1c0 [atlantic]
[ 97.937644] aq_suspend_common+0x88/0x90 [atlantic]
[ 97.937648] aq_pm_suspend_poweroff+0xe/0x20 [atlantic]
[ 97.937653] pci_pm_suspend+0x7e/0x1a0
[ 97.937655] ? pci_pm_suspend_noirq+0x2b0/0x2b0
[ 97.937657] dpm_run_callback+0x54/0x190
[ 97.937660] __device_suspend+0x14c/0x4d0
[ 97.937661] async_suspend+0x23/0x70
[ 97.937663] async_run_entry_fn+0x33/0x120
[ 97.937664] process_one_work+0x21f/0x3f0
[ 97.937666] worker_thread+0x4a/0x3c0
[ 97.937668] ? process_one_work+0x3f0/0x3f0
[ 97.937669] kthread+0xf0/0x120
[ 97.937671] ? kthread_complete_and_exit+0x20/0x20
[ 97.937672] ret_from_fork+0x22/0x30
[ 97.937676] </TASK>
v2. fixed "warning: variable 'aq_vec' set but not used"
v3. simplified a for loop
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/aquantia/atlantic/aq_nic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "df60c534d4c5a681172952dd4b475a5d818b3a86",
"status": "affected",
"version": "97bde5c4f909a55ab4c36cf0ac9094f6c9e4cdf6",
"versionType": "git"
},
{
"lessThan": "422a02a771599cac96f2b2900d993e0bb7ba5b88",
"status": "affected",
"version": "97bde5c4f909a55ab4c36cf0ac9094f6c9e4cdf6",
"versionType": "git"
},
{
"lessThan": "23bf155476539354ab5c8cc9bb460fd1209b39b5",
"status": "affected",
"version": "97bde5c4f909a55ab4c36cf0ac9094f6c9e4cdf6",
"versionType": "git"
},
{
"lessThan": "2ba5e47fb75fbb8fab45f5c1bc8d5c33d8834bd3",
"status": "affected",
"version": "97bde5c4f909a55ab4c36cf0ac9094f6c9e4cdf6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/aquantia/atlantic/aq_nic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.11"
},
{
"lessThan": "4.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.138",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.138",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.63",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.4",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0",
"versionStartIncluding": "4.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: atlantic: fix aq_vec index out of range error\n\nThe final update statement of the for loop exceeds the array range, the\ndereference of self-\u003eaq_vec[i] is not checked and then leads to the\nindex out of range error.\nAlso fixed this kind of coding style in other for loop.\n\n[ 97.937604] UBSAN: array-index-out-of-bounds in drivers/net/ethernet/aquantia/atlantic/aq_nic.c:1404:48\n[ 97.937607] index 8 is out of range for type \u0027aq_vec_s *[8]\u0027\n[ 97.937608] CPU: 38 PID: 3767 Comm: kworker/u256:18 Not tainted 5.19.0+ #2\n[ 97.937610] Hardware name: Dell Inc. Precision 7865 Tower/, BIOS 1.0.0 06/12/2022\n[ 97.937611] Workqueue: events_unbound async_run_entry_fn\n[ 97.937616] Call Trace:\n[ 97.937617] \u003cTASK\u003e\n[ 97.937619] dump_stack_lvl+0x49/0x63\n[ 97.937624] dump_stack+0x10/0x16\n[ 97.937626] ubsan_epilogue+0x9/0x3f\n[ 97.937627] __ubsan_handle_out_of_bounds.cold+0x44/0x49\n[ 97.937629] ? __scm_send+0x348/0x440\n[ 97.937632] ? aq_vec_stop+0x72/0x80 [atlantic]\n[ 97.937639] aq_nic_stop+0x1b6/0x1c0 [atlantic]\n[ 97.937644] aq_suspend_common+0x88/0x90 [atlantic]\n[ 97.937648] aq_pm_suspend_poweroff+0xe/0x20 [atlantic]\n[ 97.937653] pci_pm_suspend+0x7e/0x1a0\n[ 97.937655] ? pci_pm_suspend_noirq+0x2b0/0x2b0\n[ 97.937657] dpm_run_callback+0x54/0x190\n[ 97.937660] __device_suspend+0x14c/0x4d0\n[ 97.937661] async_suspend+0x23/0x70\n[ 97.937663] async_run_entry_fn+0x33/0x120\n[ 97.937664] process_one_work+0x21f/0x3f0\n[ 97.937666] worker_thread+0x4a/0x3c0\n[ 97.937668] ? process_one_work+0x3f0/0x3f0\n[ 97.937669] kthread+0xf0/0x120\n[ 97.937671] ? kthread_complete_and_exit+0x20/0x20\n[ 97.937672] ret_from_fork+0x22/0x30\n[ 97.937676] \u003c/TASK\u003e\n\nv2. fixed \"warning: variable \u0027aq_vec\u0027 set but not used\"\n\nv3. simplified a for loop"
}
],
"providerMetadata": {
"dateUpdated": "2025-06-18T11:02:12.475Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/df60c534d4c5a681172952dd4b475a5d818b3a86"
},
{
"url": "https://git.kernel.org/stable/c/422a02a771599cac96f2b2900d993e0bb7ba5b88"
},
{
"url": "https://git.kernel.org/stable/c/23bf155476539354ab5c8cc9bb460fd1209b39b5"
},
{
"url": "https://git.kernel.org/stable/c/2ba5e47fb75fbb8fab45f5c1bc8d5c33d8834bd3"
}
],
"title": "net: atlantic: fix aq_vec index out of range error",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50066",
"datePublished": "2025-06-18T11:02:12.475Z",
"dateReserved": "2025-06-18T10:57:27.405Z",
"dateUpdated": "2025-06-18T11:02:12.475Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38624 (GCVE-0-2025-38624)
Vulnerability from cvelistv5
Published
2025-08-22 16:00
Modified
2025-09-29 05:55
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
PCI: pnv_php: Clean up allocated IRQs on unplug
When the root of a nested PCIe bridge configuration is unplugged, the
pnv_php driver leaked the allocated IRQ resources for the child bridges'
hotplug event notifications, resulting in a panic.
Fix this by walking all child buses and deallocating all its IRQ resources
before calling pci_hp_remove_devices().
Also modify the lifetime of the workqueue at struct pnv_php_slot::wq so
that it is only destroyed in pnv_php_free_slot(), instead of
pnv_php_disable_irq(). This is required since pnv_php_disable_irq() will
now be called by workers triggered by hot unplug interrupts, so the
workqueue needs to stay allocated.
The abridged kernel panic that occurs without this patch is as follows:
WARNING: CPU: 0 PID: 687 at kernel/irq/msi.c:292 msi_device_data_release+0x6c/0x9c
CPU: 0 UID: 0 PID: 687 Comm: bash Not tainted 6.14.0-rc5+ #2
Call Trace:
msi_device_data_release+0x34/0x9c (unreliable)
release_nodes+0x64/0x13c
devres_release_all+0xc0/0x140
device_del+0x2d4/0x46c
pci_destroy_dev+0x5c/0x194
pci_hp_remove_devices+0x90/0x128
pci_hp_remove_devices+0x44/0x128
pnv_php_disable_slot+0x54/0xd4
power_write_file+0xf8/0x18c
pci_slot_attr_store+0x40/0x5c
sysfs_kf_write+0x64/0x78
kernfs_fop_write_iter+0x1b0/0x290
vfs_write+0x3bc/0x50c
ksys_write+0x84/0x140
system_call_exception+0x124/0x230
system_call_vectored_common+0x15c/0x2ec
[bhelgaas: tidy comments]
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/pci/hotplug/pnv_php.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8c1ad4af160691e157d688ad9619ced2df556aac",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "912e200240b6f9758f0b126e64a61c9227f4ad37",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "398170b7fd0e0db2f8096df5206c75e5ff41415a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "32173edf3fe2d447e14e5e3b299387c6f9602a88",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "28aa3cfce12487614219e7667ec84424e1f43227",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1773c19fa55e944cdd2634e2d9e552f87f2d38d5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "bbd302c4b79df10197ffa7270ca3aa572eeca33c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4668619092554e1b95c9a5ac2941ca47ba6d548a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/pci/hotplug/pnv_php.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.148",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.102",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.148",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.102",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.42",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: pnv_php: Clean up allocated IRQs on unplug\n\nWhen the root of a nested PCIe bridge configuration is unplugged, the\npnv_php driver leaked the allocated IRQ resources for the child bridges\u0027\nhotplug event notifications, resulting in a panic.\n\nFix this by walking all child buses and deallocating all its IRQ resources\nbefore calling pci_hp_remove_devices().\n\nAlso modify the lifetime of the workqueue at struct pnv_php_slot::wq so\nthat it is only destroyed in pnv_php_free_slot(), instead of\npnv_php_disable_irq(). This is required since pnv_php_disable_irq() will\nnow be called by workers triggered by hot unplug interrupts, so the\nworkqueue needs to stay allocated.\n\nThe abridged kernel panic that occurs without this patch is as follows:\n\n WARNING: CPU: 0 PID: 687 at kernel/irq/msi.c:292 msi_device_data_release+0x6c/0x9c\n CPU: 0 UID: 0 PID: 687 Comm: bash Not tainted 6.14.0-rc5+ #2\n Call Trace:\n msi_device_data_release+0x34/0x9c (unreliable)\n release_nodes+0x64/0x13c\n devres_release_all+0xc0/0x140\n device_del+0x2d4/0x46c\n pci_destroy_dev+0x5c/0x194\n pci_hp_remove_devices+0x90/0x128\n pci_hp_remove_devices+0x44/0x128\n pnv_php_disable_slot+0x54/0xd4\n power_write_file+0xf8/0x18c\n pci_slot_attr_store+0x40/0x5c\n sysfs_kf_write+0x64/0x78\n kernfs_fop_write_iter+0x1b0/0x290\n vfs_write+0x3bc/0x50c\n ksys_write+0x84/0x140\n system_call_exception+0x124/0x230\n system_call_vectored_common+0x15c/0x2ec\n\n[bhelgaas: tidy comments]"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:55:00.297Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8c1ad4af160691e157d688ad9619ced2df556aac"
},
{
"url": "https://git.kernel.org/stable/c/912e200240b6f9758f0b126e64a61c9227f4ad37"
},
{
"url": "https://git.kernel.org/stable/c/398170b7fd0e0db2f8096df5206c75e5ff41415a"
},
{
"url": "https://git.kernel.org/stable/c/32173edf3fe2d447e14e5e3b299387c6f9602a88"
},
{
"url": "https://git.kernel.org/stable/c/28aa3cfce12487614219e7667ec84424e1f43227"
},
{
"url": "https://git.kernel.org/stable/c/1773c19fa55e944cdd2634e2d9e552f87f2d38d5"
},
{
"url": "https://git.kernel.org/stable/c/bbd302c4b79df10197ffa7270ca3aa572eeca33c"
},
{
"url": "https://git.kernel.org/stable/c/4668619092554e1b95c9a5ac2941ca47ba6d548a"
}
],
"title": "PCI: pnv_php: Clean up allocated IRQs on unplug",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38624",
"datePublished": "2025-08-22T16:00:32.924Z",
"dateReserved": "2025-04-16T04:51:24.029Z",
"dateUpdated": "2025-09-29T05:55:00.297Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38153 (GCVE-0-2025-38153)
Vulnerability from cvelistv5
Published
2025-07-03 08:35
Modified
2025-07-28 04:13
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: usb: aqc111: fix error handling of usbnet read calls
Syzkaller, courtesy of syzbot, identified an error (see report [1]) in
aqc111 driver, caused by incomplete sanitation of usb read calls'
results. This problem is quite similar to the one fixed in commit
920a9fa27e78 ("net: asix: add proper error handling of usb read errors").
For instance, usbnet_read_cmd() may read fewer than 'size' bytes,
even if the caller expected the full amount, and aqc111_read_cmd()
will not check its result properly. As [1] shows, this may lead
to MAC address in aqc111_bind() being only partly initialized,
triggering KMSAN warnings.
Fix the issue by verifying that the number of bytes read is
as expected and not less.
[1] Partial syzbot report:
BUG: KMSAN: uninit-value in is_valid_ether_addr include/linux/etherdevice.h:208 [inline]
BUG: KMSAN: uninit-value in usbnet_probe+0x2e57/0x4390 drivers/net/usb/usbnet.c:1830
is_valid_ether_addr include/linux/etherdevice.h:208 [inline]
usbnet_probe+0x2e57/0x4390 drivers/net/usb/usbnet.c:1830
usb_probe_interface+0xd01/0x1310 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x4d1/0xd90 drivers/base/dd.c:658
__driver_probe_device+0x268/0x380 drivers/base/dd.c:800
...
Uninit was stored to memory at:
dev_addr_mod+0xb0/0x550 net/core/dev_addr_lists.c:582
__dev_addr_set include/linux/netdevice.h:4874 [inline]
eth_hw_addr_set include/linux/etherdevice.h:325 [inline]
aqc111_bind+0x35f/0x1150 drivers/net/usb/aqc111.c:717
usbnet_probe+0xbe6/0x4390 drivers/net/usb/usbnet.c:1772
usb_probe_interface+0xd01/0x1310 drivers/usb/core/driver.c:396
...
Uninit was stored to memory at:
ether_addr_copy include/linux/etherdevice.h:305 [inline]
aqc111_read_perm_mac drivers/net/usb/aqc111.c:663 [inline]
aqc111_bind+0x794/0x1150 drivers/net/usb/aqc111.c:713
usbnet_probe+0xbe6/0x4390 drivers/net/usb/usbnet.c:1772
usb_probe_interface+0xd01/0x1310 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:-1 [inline]
...
Local variable buf.i created at:
aqc111_read_perm_mac drivers/net/usb/aqc111.c:656 [inline]
aqc111_bind+0x221/0x1150 drivers/net/usb/aqc111.c:713
usbnet_probe+0xbe6/0x4390 drivers/net/usb/usbnet.c:1772
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: df2d59a2ab6c9ceac2c4104272fce03493b8f62f Version: df2d59a2ab6c9ceac2c4104272fce03493b8f62f Version: df2d59a2ab6c9ceac2c4104272fce03493b8f62f Version: df2d59a2ab6c9ceac2c4104272fce03493b8f62f Version: df2d59a2ab6c9ceac2c4104272fce03493b8f62f Version: df2d59a2ab6c9ceac2c4104272fce03493b8f62f Version: df2d59a2ab6c9ceac2c4104272fce03493b8f62f Version: df2d59a2ab6c9ceac2c4104272fce03493b8f62f |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/aqc111.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8c97655275482ef5384ce0501640630a0fc0f6f4",
"status": "affected",
"version": "df2d59a2ab6c9ceac2c4104272fce03493b8f62f",
"versionType": "git"
},
{
"lessThan": "11273279012c922f37cfb4dd95d142803fc07b98",
"status": "affected",
"version": "df2d59a2ab6c9ceac2c4104272fce03493b8f62f",
"versionType": "git"
},
{
"lessThan": "f398d2dfe450ce2c031d10b585448862d74a0501",
"status": "affected",
"version": "df2d59a2ab6c9ceac2c4104272fce03493b8f62f",
"versionType": "git"
},
{
"lessThan": "acb47a40b5e38be03ef659b7bacdddc592ed73b7",
"status": "affected",
"version": "df2d59a2ab6c9ceac2c4104272fce03493b8f62f",
"versionType": "git"
},
{
"lessThan": "60790d287c1a1ced3554d4a87c2f27bf299a932a",
"status": "affected",
"version": "df2d59a2ab6c9ceac2c4104272fce03493b8f62f",
"versionType": "git"
},
{
"lessThan": "30a9e834c74e260533b8d0885e3c89f6f32f7993",
"status": "affected",
"version": "df2d59a2ab6c9ceac2c4104272fce03493b8f62f",
"versionType": "git"
},
{
"lessThan": "7c01863b1c47f040d9674171e77789a423b9b128",
"status": "affected",
"version": "df2d59a2ab6c9ceac2c4104272fce03493b8f62f",
"versionType": "git"
},
{
"lessThan": "405b0d610745fb5e84fc2961d9b960abb9f3d107",
"status": "affected",
"version": "df2d59a2ab6c9ceac2c4104272fce03493b8f62f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/aqc111.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.0"
},
{
"lessThan": "5.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.239",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.186",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.295",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.239",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.186",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.142",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.94",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.34",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.3",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: aqc111: fix error handling of usbnet read calls\n\nSyzkaller, courtesy of syzbot, identified an error (see report [1]) in\naqc111 driver, caused by incomplete sanitation of usb read calls\u0027\nresults. This problem is quite similar to the one fixed in commit\n920a9fa27e78 (\"net: asix: add proper error handling of usb read errors\").\n\nFor instance, usbnet_read_cmd() may read fewer than \u0027size\u0027 bytes,\neven if the caller expected the full amount, and aqc111_read_cmd()\nwill not check its result properly. As [1] shows, this may lead\nto MAC address in aqc111_bind() being only partly initialized,\ntriggering KMSAN warnings.\n\nFix the issue by verifying that the number of bytes read is\nas expected and not less.\n\n[1] Partial syzbot report:\nBUG: KMSAN: uninit-value in is_valid_ether_addr include/linux/etherdevice.h:208 [inline]\nBUG: KMSAN: uninit-value in usbnet_probe+0x2e57/0x4390 drivers/net/usb/usbnet.c:1830\n is_valid_ether_addr include/linux/etherdevice.h:208 [inline]\n usbnet_probe+0x2e57/0x4390 drivers/net/usb/usbnet.c:1830\n usb_probe_interface+0xd01/0x1310 drivers/usb/core/driver.c:396\n call_driver_probe drivers/base/dd.c:-1 [inline]\n really_probe+0x4d1/0xd90 drivers/base/dd.c:658\n __driver_probe_device+0x268/0x380 drivers/base/dd.c:800\n...\n\nUninit was stored to memory at:\n dev_addr_mod+0xb0/0x550 net/core/dev_addr_lists.c:582\n __dev_addr_set include/linux/netdevice.h:4874 [inline]\n eth_hw_addr_set include/linux/etherdevice.h:325 [inline]\n aqc111_bind+0x35f/0x1150 drivers/net/usb/aqc111.c:717\n usbnet_probe+0xbe6/0x4390 drivers/net/usb/usbnet.c:1772\n usb_probe_interface+0xd01/0x1310 drivers/usb/core/driver.c:396\n...\n\nUninit was stored to memory at:\n ether_addr_copy include/linux/etherdevice.h:305 [inline]\n aqc111_read_perm_mac drivers/net/usb/aqc111.c:663 [inline]\n aqc111_bind+0x794/0x1150 drivers/net/usb/aqc111.c:713\n usbnet_probe+0xbe6/0x4390 drivers/net/usb/usbnet.c:1772\n usb_probe_interface+0xd01/0x1310 drivers/usb/core/driver.c:396\n call_driver_probe drivers/base/dd.c:-1 [inline]\n...\n\nLocal variable buf.i created at:\n aqc111_read_perm_mac drivers/net/usb/aqc111.c:656 [inline]\n aqc111_bind+0x221/0x1150 drivers/net/usb/aqc111.c:713\n usbnet_probe+0xbe6/0x4390 drivers/net/usb/usbnet.c:1772"
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T04:13:42.491Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8c97655275482ef5384ce0501640630a0fc0f6f4"
},
{
"url": "https://git.kernel.org/stable/c/11273279012c922f37cfb4dd95d142803fc07b98"
},
{
"url": "https://git.kernel.org/stable/c/f398d2dfe450ce2c031d10b585448862d74a0501"
},
{
"url": "https://git.kernel.org/stable/c/acb47a40b5e38be03ef659b7bacdddc592ed73b7"
},
{
"url": "https://git.kernel.org/stable/c/60790d287c1a1ced3554d4a87c2f27bf299a932a"
},
{
"url": "https://git.kernel.org/stable/c/30a9e834c74e260533b8d0885e3c89f6f32f7993"
},
{
"url": "https://git.kernel.org/stable/c/7c01863b1c47f040d9674171e77789a423b9b128"
},
{
"url": "https://git.kernel.org/stable/c/405b0d610745fb5e84fc2961d9b960abb9f3d107"
}
],
"title": "net: usb: aqc111: fix error handling of usbnet read calls",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38153",
"datePublished": "2025-07-03T08:35:56.526Z",
"dateReserved": "2025-04-16T04:51:23.990Z",
"dateUpdated": "2025-07-28T04:13:42.491Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38075 (GCVE-0-2025-38075)
Vulnerability from cvelistv5
Published
2025-06-18 09:33
Modified
2025-09-03 12:59
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: target: iscsi: Fix timeout on deleted connection
NOPIN response timer may expire on a deleted connection and crash with
such logs:
Did not receive response to NOPIN on CID: 0, failing connection for I_T Nexus (null),i,0x00023d000125,iqn.2017-01.com.iscsi.target,t,0x3d
BUG: Kernel NULL pointer dereference on read at 0x00000000
NIP strlcpy+0x8/0xb0
LR iscsit_fill_cxn_timeout_err_stats+0x5c/0xc0 [iscsi_target_mod]
Call Trace:
iscsit_handle_nopin_response_timeout+0xfc/0x120 [iscsi_target_mod]
call_timer_fn+0x58/0x1f0
run_timer_softirq+0x740/0x860
__do_softirq+0x16c/0x420
irq_exit+0x188/0x1c0
timer_interrupt+0x184/0x410
That is because nopin response timer may be re-started on nopin timer
expiration.
Stop nopin timer before stopping the nopin response timer to be sure
that no one of them will be re-started.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: e48354ce078c079996f89d715dfa44814b4eba01 Version: e48354ce078c079996f89d715dfa44814b4eba01 Version: e48354ce078c079996f89d715dfa44814b4eba01 Version: e48354ce078c079996f89d715dfa44814b4eba01 Version: e48354ce078c079996f89d715dfa44814b4eba01 Version: e48354ce078c079996f89d715dfa44814b4eba01 Version: e48354ce078c079996f89d715dfa44814b4eba01 Version: e48354ce078c079996f89d715dfa44814b4eba01 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/target/iscsi/iscsi_target.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "571ce6b6f5cbaf7d24af03cad592fc0e2a54de35",
"status": "affected",
"version": "e48354ce078c079996f89d715dfa44814b4eba01",
"versionType": "git"
},
{
"lessThan": "2c5081439c7ab8da08427befe427f0d732ebc9f9",
"status": "affected",
"version": "e48354ce078c079996f89d715dfa44814b4eba01",
"versionType": "git"
},
{
"lessThan": "019ca2804f3fb49a7f8e56ea6aeaa1ff32724c27",
"status": "affected",
"version": "e48354ce078c079996f89d715dfa44814b4eba01",
"versionType": "git"
},
{
"lessThan": "6815846e0c3a62116a7da9740e3a7c10edc5c7e9",
"status": "affected",
"version": "e48354ce078c079996f89d715dfa44814b4eba01",
"versionType": "git"
},
{
"lessThan": "fe8421e853ef289e1324fcda004751c89dd9c18a",
"status": "affected",
"version": "e48354ce078c079996f89d715dfa44814b4eba01",
"versionType": "git"
},
{
"lessThan": "87389bff743c55b6b85282de91109391f43e0814",
"status": "affected",
"version": "e48354ce078c079996f89d715dfa44814b4eba01",
"versionType": "git"
},
{
"lessThan": "3e6429e3707943078240a2c0c0b3ee99ea9b0d9c",
"status": "affected",
"version": "e48354ce078c079996f89d715dfa44814b4eba01",
"versionType": "git"
},
{
"lessThan": "7f533cc5ee4c4436cee51dc58e81dfd9c3384418",
"status": "affected",
"version": "e48354ce078c079996f89d715dfa44814b4eba01",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/target/iscsi/iscsi_target.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.1"
},
{
"lessThan": "3.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.294",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.238",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.185",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.141",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.31",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.294",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.238",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.185",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.141",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.93",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.31",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.9",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "3.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: iscsi: Fix timeout on deleted connection\n\nNOPIN response timer may expire on a deleted connection and crash with\nsuch logs:\n\nDid not receive response to NOPIN on CID: 0, failing connection for I_T Nexus (null),i,0x00023d000125,iqn.2017-01.com.iscsi.target,t,0x3d\n\nBUG: Kernel NULL pointer dereference on read at 0x00000000\nNIP strlcpy+0x8/0xb0\nLR iscsit_fill_cxn_timeout_err_stats+0x5c/0xc0 [iscsi_target_mod]\nCall Trace:\n iscsit_handle_nopin_response_timeout+0xfc/0x120 [iscsi_target_mod]\n call_timer_fn+0x58/0x1f0\n run_timer_softirq+0x740/0x860\n __do_softirq+0x16c/0x420\n irq_exit+0x188/0x1c0\n timer_interrupt+0x184/0x410\n\nThat is because nopin response timer may be re-started on nopin timer\nexpiration.\n\nStop nopin timer before stopping the nopin response timer to be sure\nthat no one of them will be re-started."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-03T12:59:35.232Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/571ce6b6f5cbaf7d24af03cad592fc0e2a54de35"
},
{
"url": "https://git.kernel.org/stable/c/2c5081439c7ab8da08427befe427f0d732ebc9f9"
},
{
"url": "https://git.kernel.org/stable/c/019ca2804f3fb49a7f8e56ea6aeaa1ff32724c27"
},
{
"url": "https://git.kernel.org/stable/c/6815846e0c3a62116a7da9740e3a7c10edc5c7e9"
},
{
"url": "https://git.kernel.org/stable/c/fe8421e853ef289e1324fcda004751c89dd9c18a"
},
{
"url": "https://git.kernel.org/stable/c/87389bff743c55b6b85282de91109391f43e0814"
},
{
"url": "https://git.kernel.org/stable/c/3e6429e3707943078240a2c0c0b3ee99ea9b0d9c"
},
{
"url": "https://git.kernel.org/stable/c/7f533cc5ee4c4436cee51dc58e81dfd9c3384418"
}
],
"title": "scsi: target: iscsi: Fix timeout on deleted connection",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38075",
"datePublished": "2025-06-18T09:33:50.646Z",
"dateReserved": "2025-04-16T04:51:23.980Z",
"dateUpdated": "2025-09-03T12:59:35.232Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38540 (GCVE-0-2025-38540)
Vulnerability from cvelistv5
Published
2025-08-16 11:22
Modified
2025-08-16 11:22
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
HID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras
The Chicony Electronics HP 5MP Cameras (USB ID 04F2:B824 & 04F2:B82C)
report a HID sensor interface that is not actually implemented.
Attempting to access this non-functional sensor via iio_info causes
system hangs as runtime PM tries to wake up an unresponsive sensor.
Add these 2 devices to the HID ignore list since the sensor interface is
non-functional by design and should not be exposed to userspace.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-ids.h",
"drivers/hid/hid-quirks.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "35f1a5360ac68d9629abbb3930a0a07901cba296",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7ac00f019698f614a49cce34c198d0568ab0e1c2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1b297ab6f38ca60a4ca7298b297944ec6043b2f4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2b0931eee48208c25bb77486946dea8e96aa6a36",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3ce1d87d1f5d80322757aa917182deb7370963b9",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c72536350e82b53a1be0f3bfdf1511bba2827102",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a2a91abd19c574b598b1c69ad76ad9c7eedaf062",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "54bae4c17c11688339eb73a04fd24203bb6e7494",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-ids.h",
"drivers/hid/hid-quirks.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.296",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.240",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.146",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.296",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.240",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.189",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.146",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.99",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras\n\nThe Chicony Electronics HP 5MP Cameras (USB ID 04F2:B824 \u0026 04F2:B82C)\nreport a HID sensor interface that is not actually implemented.\nAttempting to access this non-functional sensor via iio_info causes\nsystem hangs as runtime PM tries to wake up an unresponsive sensor.\n\nAdd these 2 devices to the HID ignore list since the sensor interface is\nnon-functional by design and should not be exposed to userspace."
}
],
"providerMetadata": {
"dateUpdated": "2025-08-16T11:22:14.773Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/35f1a5360ac68d9629abbb3930a0a07901cba296"
},
{
"url": "https://git.kernel.org/stable/c/7ac00f019698f614a49cce34c198d0568ab0e1c2"
},
{
"url": "https://git.kernel.org/stable/c/1b297ab6f38ca60a4ca7298b297944ec6043b2f4"
},
{
"url": "https://git.kernel.org/stable/c/2b0931eee48208c25bb77486946dea8e96aa6a36"
},
{
"url": "https://git.kernel.org/stable/c/3ce1d87d1f5d80322757aa917182deb7370963b9"
},
{
"url": "https://git.kernel.org/stable/c/c72536350e82b53a1be0f3bfdf1511bba2827102"
},
{
"url": "https://git.kernel.org/stable/c/a2a91abd19c574b598b1c69ad76ad9c7eedaf062"
},
{
"url": "https://git.kernel.org/stable/c/54bae4c17c11688339eb73a04fd24203bb6e7494"
}
],
"title": "HID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38540",
"datePublished": "2025-08-16T11:22:14.773Z",
"dateReserved": "2025-04-16T04:51:24.024Z",
"dateUpdated": "2025-08-16T11:22:14.773Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38524 (GCVE-0-2025-38524)
Vulnerability from cvelistv5
Published
2025-08-16 11:12
Modified
2025-08-16 11:12
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
rxrpc: Fix recv-recv race of completed call
If a call receives an event (such as incoming data), the call gets placed
on the socket's queue and a thread in recvmsg can be awakened to go and
process it. Once the thread has picked up the call off of the queue,
further events will cause it to be requeued, and once the socket lock is
dropped (recvmsg uses call->user_mutex to allow the socket to be used in
parallel), a second thread can come in and its recvmsg can pop the call off
the socket queue again.
In such a case, the first thread will be receiving stuff from the call and
the second thread will be blocked on call->user_mutex. The first thread
can, at this point, process both the event that it picked call for and the
event that the second thread picked the call for and may see the call
terminate - in which case the call will be "released", decoupling the call
from the user call ID assigned to it (RXRPC_USER_CALL_ID in the control
message).
The first thread will return okay, but then the second thread will wake up
holding the user_mutex and, if it sees that the call has been released by
the first thread, it will BUG thusly:
kernel BUG at net/rxrpc/recvmsg.c:474!
Fix this by just dequeuing the call and ignoring it if it is seen to be
already released. We can't tell userspace about it anyway as the user call
ID has become stale.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/trace/events/rxrpc.h",
"net/rxrpc/call_accept.c",
"net/rxrpc/recvmsg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7692bde890061797f3dece0148d7859e85c55778",
"status": "affected",
"version": "248f219cb8bcbfbd7f132752d44afa2df7c241d1",
"versionType": "git"
},
{
"lessThan": "839fe96c15209dc2255c064bb44b636efe04f032",
"status": "affected",
"version": "248f219cb8bcbfbd7f132752d44afa2df7c241d1",
"versionType": "git"
},
{
"lessThan": "6c75a97a32a5fa2060c3dd30207e63b6914b606d",
"status": "affected",
"version": "248f219cb8bcbfbd7f132752d44afa2df7c241d1",
"versionType": "git"
},
{
"lessThan": "962fb1f651c2cf2083e0c3ef53ba69e3b96d3fbc",
"status": "affected",
"version": "248f219cb8bcbfbd7f132752d44afa2df7c241d1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/trace/events/rxrpc.h",
"net/rxrpc/call_accept.c",
"net/rxrpc/recvmsg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.9"
},
{
"lessThan": "4.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.100",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.100",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.40",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.8",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "4.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix recv-recv race of completed call\n\nIf a call receives an event (such as incoming data), the call gets placed\non the socket\u0027s queue and a thread in recvmsg can be awakened to go and\nprocess it. Once the thread has picked up the call off of the queue,\nfurther events will cause it to be requeued, and once the socket lock is\ndropped (recvmsg uses call-\u003euser_mutex to allow the socket to be used in\nparallel), a second thread can come in and its recvmsg can pop the call off\nthe socket queue again.\n\nIn such a case, the first thread will be receiving stuff from the call and\nthe second thread will be blocked on call-\u003euser_mutex. The first thread\ncan, at this point, process both the event that it picked call for and the\nevent that the second thread picked the call for and may see the call\nterminate - in which case the call will be \"released\", decoupling the call\nfrom the user call ID assigned to it (RXRPC_USER_CALL_ID in the control\nmessage).\n\nThe first thread will return okay, but then the second thread will wake up\nholding the user_mutex and, if it sees that the call has been released by\nthe first thread, it will BUG thusly:\n\n\tkernel BUG at net/rxrpc/recvmsg.c:474!\n\nFix this by just dequeuing the call and ignoring it if it is seen to be\nalready released. We can\u0027t tell userspace about it anyway as the user call\nID has become stale."
}
],
"providerMetadata": {
"dateUpdated": "2025-08-16T11:12:18.314Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7692bde890061797f3dece0148d7859e85c55778"
},
{
"url": "https://git.kernel.org/stable/c/839fe96c15209dc2255c064bb44b636efe04f032"
},
{
"url": "https://git.kernel.org/stable/c/6c75a97a32a5fa2060c3dd30207e63b6914b606d"
},
{
"url": "https://git.kernel.org/stable/c/962fb1f651c2cf2083e0c3ef53ba69e3b96d3fbc"
}
],
"title": "rxrpc: Fix recv-recv race of completed call",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38524",
"datePublished": "2025-08-16T11:12:18.314Z",
"dateReserved": "2025-04-16T04:51:24.023Z",
"dateUpdated": "2025-08-16T11:12:18.314Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21659 (GCVE-0-2025-21659)
Vulnerability from cvelistv5
Published
2025-01-21 12:18
Modified
2025-05-04 07:18
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
netdev: prevent accessing NAPI instances from another namespace
The NAPI IDs were not fully exposed to user space prior to the netlink
API, so they were never namespaced. The netlink API must ensure that
at the very least NAPI instance belongs to the same netns as the owner
of the genl sock.
napi_by_id() can become static now, but it needs to move because of
dev_get_by_napi_id().
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/dev.c",
"net/core/dev.h",
"net/core/netdev-genl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b683ba0df11ff563cc237eb1b74d6adfa77226bf",
"status": "affected",
"version": "27f91aaf49b3a50e5a02ad5fa27b7c453d029a72",
"versionType": "git"
},
{
"lessThan": "d1cacd74776895f6435941f86a1130e58f6dd226",
"status": "affected",
"version": "27f91aaf49b3a50e5a02ad5fa27b7c453d029a72",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/dev.c",
"net/core/dev.h",
"net/core/netdev-genl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.13",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.10",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetdev: prevent accessing NAPI instances from another namespace\n\nThe NAPI IDs were not fully exposed to user space prior to the netlink\nAPI, so they were never namespaced. The netlink API must ensure that\nat the very least NAPI instance belongs to the same netns as the owner\nof the genl sock.\n\nnapi_by_id() can become static now, but it needs to move because of\ndev_get_by_napi_id()."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:18:25.265Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b683ba0df11ff563cc237eb1b74d6adfa77226bf"
},
{
"url": "https://git.kernel.org/stable/c/d1cacd74776895f6435941f86a1130e58f6dd226"
}
],
"title": "netdev: prevent accessing NAPI instances from another namespace",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21659",
"datePublished": "2025-01-21T12:18:15.407Z",
"dateReserved": "2024-12-29T08:45:45.732Z",
"dateUpdated": "2025-05-04T07:18:25.265Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-3867 (GCVE-0-2023-3867)
Vulnerability from cvelistv5
Published
2025-08-16 13:29
Modified
2025-08-19 05:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: fix out of bounds read in smb2_sess_setup
ksmbd does not consider the case of that smb2 session setup is
in compound request. If this is the second payload of the compound,
OOB read issue occurs while processing the first payload in
the smb2_sess_setup().
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/server/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "676392184785ace61e939831e7ca44a03d438c3b",
"status": "affected",
"version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
"versionType": "git"
},
{
"lessThan": "ef572ffa8eb44111eed2925fbb2adca78bdcbf61",
"status": "affected",
"version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
"versionType": "git"
},
{
"lessThan": "2ba03cecb12ac7ac9e0170e251543c56832d9959",
"status": "affected",
"version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
"versionType": "git"
},
{
"lessThan": "98422bdd4cb3ca4d08844046f6507d7ec2c2b8d8",
"status": "affected",
"version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/server/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.145",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.145",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.40",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.5",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix out of bounds read in smb2_sess_setup\n\nksmbd does not consider the case of that smb2 session setup is\nin compound request. If this is the second payload of the compound,\nOOB read issue occurs while processing the first payload in\nthe smb2_sess_setup()."
}
],
"providerMetadata": {
"dateUpdated": "2025-08-19T05:47:14.506Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/676392184785ace61e939831e7ca44a03d438c3b"
},
{
"url": "https://git.kernel.org/stable/c/ef572ffa8eb44111eed2925fbb2adca78bdcbf61"
},
{
"url": "https://git.kernel.org/stable/c/2ba03cecb12ac7ac9e0170e251543c56832d9959"
},
{
"url": "https://git.kernel.org/stable/c/98422bdd4cb3ca4d08844046f6507d7ec2c2b8d8"
}
],
"title": "ksmbd: fix out of bounds read in smb2_sess_setup",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-3867",
"datePublished": "2025-08-16T13:29:51.946Z",
"dateReserved": "2023-07-24T14:52:44.448Z",
"dateUpdated": "2025-08-19T05:47:14.506Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53020 (GCVE-0-2023-53020)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-10-01 17:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
l2tp: close all race conditions in l2tp_tunnel_register()
The code in l2tp_tunnel_register() is racy in several ways:
1. It modifies the tunnel socket _after_ publishing it.
2. It calls setup_udp_tunnel_sock() on an existing socket without
locking.
3. It changes sock lock class on fly, which triggers many syzbot
reports.
This patch amends all of them by moving socket initialization code
before publishing and under sock lock. As suggested by Jakub, the
l2tp lockdep class is not necessary as we can just switch to
bh_lock_sock_nested().
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-53020",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T17:19:17.910133Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-362",
"description": "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T17:19:20.613Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/l2tp/l2tp_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2d77e5c0ad79004b5ef901895437e9cce6dfcc7e",
"status": "affected",
"version": "37159ef2c1ae1e696b24b260b241209a19f92c60",
"versionType": "git"
},
{
"lessThan": "77e8ed776cdb1a24b2aab8fe7c6f1f154235e1ce",
"status": "affected",
"version": "37159ef2c1ae1e696b24b260b241209a19f92c60",
"versionType": "git"
},
{
"lessThan": "cef0845b6dcfa2f6c2c832e7f9622551456c741d",
"status": "affected",
"version": "37159ef2c1ae1e696b24b260b241209a19f92c60",
"versionType": "git"
},
{
"lessThan": "0b2c59720e65885a394a017d0cf9cab118914682",
"status": "affected",
"version": "37159ef2c1ae1e696b24b260b241209a19f92c60",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/l2tp/l2tp_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.6"
},
{
"lessThan": "3.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.166",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.166",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.91",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.9",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "3.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nl2tp: close all race conditions in l2tp_tunnel_register()\n\nThe code in l2tp_tunnel_register() is racy in several ways:\n\n1. It modifies the tunnel socket _after_ publishing it.\n\n2. It calls setup_udp_tunnel_sock() on an existing socket without\n locking.\n\n3. It changes sock lock class on fly, which triggers many syzbot\n reports.\n\nThis patch amends all of them by moving socket initialization code\nbefore publishing and under sock lock. As suggested by Jakub, the\nl2tp lockdep class is not necessary as we can just switch to\nbh_lock_sock_nested()."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:47:49.986Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2d77e5c0ad79004b5ef901895437e9cce6dfcc7e"
},
{
"url": "https://git.kernel.org/stable/c/77e8ed776cdb1a24b2aab8fe7c6f1f154235e1ce"
},
{
"url": "https://git.kernel.org/stable/c/cef0845b6dcfa2f6c2c832e7f9622551456c741d"
},
{
"url": "https://git.kernel.org/stable/c/0b2c59720e65885a394a017d0cf9cab118914682"
}
],
"title": "l2tp: close all race conditions in l2tp_tunnel_register()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53020",
"datePublished": "2025-03-27T16:43:47.151Z",
"dateReserved": "2025-03-27T16:40:15.752Z",
"dateUpdated": "2025-10-01T17:19:20.613Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-37885 (GCVE-0-2025-37885)
Vulnerability from cvelistv5
Published
2025-05-09 06:45
Modified
2025-05-26 05:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: x86: Reset IRTE to host control if *new* route isn't postable
Restore an IRTE back to host control (remapped or posted MSI mode) if the
*new* GSI route prevents posting the IRQ directly to a vCPU, regardless of
the GSI routing type. Updating the IRTE if and only if the new GSI is an
MSI results in KVM leaving an IRTE posting to a vCPU.
The dangling IRTE can result in interrupts being incorrectly delivered to
the guest, and in the worst case scenario can result in use-after-free,
e.g. if the VM is torn down, but the underlying host IRQ isn't freed.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: efc644048ecde54f016011fe10110addd0de348f Version: efc644048ecde54f016011fe10110addd0de348f Version: efc644048ecde54f016011fe10110addd0de348f Version: efc644048ecde54f016011fe10110addd0de348f Version: efc644048ecde54f016011fe10110addd0de348f Version: efc644048ecde54f016011fe10110addd0de348f Version: efc644048ecde54f016011fe10110addd0de348f |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/svm/avic.c",
"arch/x86/kvm/vmx/posted_intr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e5f2dee9f7fcd2ff4b97869f3c66a0d89c167769",
"status": "affected",
"version": "efc644048ecde54f016011fe10110addd0de348f",
"versionType": "git"
},
{
"lessThan": "116c7d35b8f72eac383b9fd371d7c1a8ffc2968b",
"status": "affected",
"version": "efc644048ecde54f016011fe10110addd0de348f",
"versionType": "git"
},
{
"lessThan": "023816bd5fa46fab94d1e7917fe131b79ed1fb41",
"status": "affected",
"version": "efc644048ecde54f016011fe10110addd0de348f",
"versionType": "git"
},
{
"lessThan": "3481fd96d801715942b6f69fe251133128156f30",
"status": "affected",
"version": "efc644048ecde54f016011fe10110addd0de348f",
"versionType": "git"
},
{
"lessThan": "b5de7ac74f69603ad803c524b840bffd36368fc3",
"status": "affected",
"version": "efc644048ecde54f016011fe10110addd0de348f",
"versionType": "git"
},
{
"lessThan": "3066ec21d1a33896125747f68638725f456308db",
"status": "affected",
"version": "efc644048ecde54f016011fe10110addd0de348f",
"versionType": "git"
},
{
"lessThan": "9bcac97dc42d2f4da8229d18feb0fe2b1ce523a2",
"status": "affected",
"version": "efc644048ecde54f016011fe10110addd0de348f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/svm/avic.c",
"arch/x86/kvm/vmx/posted_intr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.4"
},
{
"lessThan": "4.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.237",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.181",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.89",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.26",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.237",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.181",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.136",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.89",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.26",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.5",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "4.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Reset IRTE to host control if *new* route isn\u0027t postable\n\nRestore an IRTE back to host control (remapped or posted MSI mode) if the\n*new* GSI route prevents posting the IRQ directly to a vCPU, regardless of\nthe GSI routing type. Updating the IRTE if and only if the new GSI is an\nMSI results in KVM leaving an IRTE posting to a vCPU.\n\nThe dangling IRTE can result in interrupts being incorrectly delivered to\nthe guest, and in the worst case scenario can result in use-after-free,\ne.g. if the VM is torn down, but the underlying host IRQ isn\u0027t freed."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-26T05:23:01.651Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e5f2dee9f7fcd2ff4b97869f3c66a0d89c167769"
},
{
"url": "https://git.kernel.org/stable/c/116c7d35b8f72eac383b9fd371d7c1a8ffc2968b"
},
{
"url": "https://git.kernel.org/stable/c/023816bd5fa46fab94d1e7917fe131b79ed1fb41"
},
{
"url": "https://git.kernel.org/stable/c/3481fd96d801715942b6f69fe251133128156f30"
},
{
"url": "https://git.kernel.org/stable/c/b5de7ac74f69603ad803c524b840bffd36368fc3"
},
{
"url": "https://git.kernel.org/stable/c/3066ec21d1a33896125747f68638725f456308db"
},
{
"url": "https://git.kernel.org/stable/c/9bcac97dc42d2f4da8229d18feb0fe2b1ce523a2"
}
],
"title": "KVM: x86: Reset IRTE to host control if *new* route isn\u0027t postable",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-37885",
"datePublished": "2025-05-09T06:45:48.150Z",
"dateReserved": "2025-04-16T04:51:23.963Z",
"dateUpdated": "2025-05-26T05:23:01.651Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38160 (GCVE-0-2025-38160)
Vulnerability from cvelistv5
Published
2025-07-03 08:36
Modified
2025-07-28 04:13
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
clk: bcm: rpi: Add NULL check in raspberrypi_clk_register()
devm_kasprintf() returns NULL when memory allocation fails. Currently,
raspberrypi_clk_register() does not check for this case, which results
in a NULL pointer dereference.
Add NULL check after devm_kasprintf() to prevent this issue.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 93d2725affd65686792f4b57e49ef660f3c8c0f9 Version: 93d2725affd65686792f4b57e49ef660f3c8c0f9 Version: 93d2725affd65686792f4b57e49ef660f3c8c0f9 Version: 93d2725affd65686792f4b57e49ef660f3c8c0f9 Version: 93d2725affd65686792f4b57e49ef660f3c8c0f9 Version: 93d2725affd65686792f4b57e49ef660f3c8c0f9 Version: 93d2725affd65686792f4b57e49ef660f3c8c0f9 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/clk/bcm/clk-raspberrypi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "938f625bd3364cfdc93916739add3b637ff90368",
"status": "affected",
"version": "93d2725affd65686792f4b57e49ef660f3c8c0f9",
"versionType": "git"
},
{
"lessThan": "54ce9bcdaee59d4ef0703f390d55708557818f9e",
"status": "affected",
"version": "93d2725affd65686792f4b57e49ef660f3c8c0f9",
"versionType": "git"
},
{
"lessThan": "52562161df3567cdaedada46834a7a8d8c4ab737",
"status": "affected",
"version": "93d2725affd65686792f4b57e49ef660f3c8c0f9",
"versionType": "git"
},
{
"lessThan": "3c1adc2f8c732ea09e8c4bce5941fec019c6205d",
"status": "affected",
"version": "93d2725affd65686792f4b57e49ef660f3c8c0f9",
"versionType": "git"
},
{
"lessThan": "0a2712cd24ecfeb520af60f6f859b442c7ab01ff",
"status": "affected",
"version": "93d2725affd65686792f4b57e49ef660f3c8c0f9",
"versionType": "git"
},
{
"lessThan": "1b69a5299f28ce8e6afa37c3690dbc14c3a1f53f",
"status": "affected",
"version": "93d2725affd65686792f4b57e49ef660f3c8c0f9",
"versionType": "git"
},
{
"lessThan": "73c46d9a93d071ca69858dea3f569111b03e549e",
"status": "affected",
"version": "93d2725affd65686792f4b57e49ef660f3c8c0f9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/clk/bcm/clk-raspberrypi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.239",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.186",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.239",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.186",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.142",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.94",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.34",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.3",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "5.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: bcm: rpi: Add NULL check in raspberrypi_clk_register()\n\ndevm_kasprintf() returns NULL when memory allocation fails. Currently,\nraspberrypi_clk_register() does not check for this case, which results\nin a NULL pointer dereference.\n\nAdd NULL check after devm_kasprintf() to prevent this issue."
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T04:13:52.430Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/938f625bd3364cfdc93916739add3b637ff90368"
},
{
"url": "https://git.kernel.org/stable/c/54ce9bcdaee59d4ef0703f390d55708557818f9e"
},
{
"url": "https://git.kernel.org/stable/c/52562161df3567cdaedada46834a7a8d8c4ab737"
},
{
"url": "https://git.kernel.org/stable/c/3c1adc2f8c732ea09e8c4bce5941fec019c6205d"
},
{
"url": "https://git.kernel.org/stable/c/0a2712cd24ecfeb520af60f6f859b442c7ab01ff"
},
{
"url": "https://git.kernel.org/stable/c/1b69a5299f28ce8e6afa37c3690dbc14c3a1f53f"
},
{
"url": "https://git.kernel.org/stable/c/73c46d9a93d071ca69858dea3f569111b03e549e"
}
],
"title": "clk: bcm: rpi: Add NULL check in raspberrypi_clk_register()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38160",
"datePublished": "2025-07-03T08:36:02.357Z",
"dateReserved": "2025-04-16T04:51:23.990Z",
"dateUpdated": "2025-07-28T04:13:52.430Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38439 (GCVE-0-2025-38439)
Vulnerability from cvelistv5
Published
2025-07-25 15:27
Modified
2025-07-28 04:22
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT
When transmitting an XDP_REDIRECT packet, call dma_unmap_len_set()
with the proper length instead of 0. This bug triggers this warning
on a system with IOMMU enabled:
WARNING: CPU: 36 PID: 0 at drivers/iommu/dma-iommu.c:842 __iommu_dma_unmap+0x159/0x170
RIP: 0010:__iommu_dma_unmap+0x159/0x170
Code: a8 00 00 00 00 48 c7 45 b0 00 00 00 00 48 c7 45 c8 00 00 00 00 48 c7 45 a0 ff ff ff ff 4c 89 45
b8 4c 89 45 c0 e9 77 ff ff ff <0f> 0b e9 60 ff ff ff e8 8b bf 6a 00 66 66 2e 0f 1f 84 00 00 00 00
RSP: 0018:ff22d31181150c88 EFLAGS: 00010206
RAX: 0000000000002000 RBX: 00000000e13a0000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ff22d31181150cf0 R08: ff22d31181150ca8 R09: 0000000000000000
R10: 0000000000000000 R11: ff22d311d36c9d80 R12: 0000000000001000
R13: ff13544d10645010 R14: ff22d31181150c90 R15: ff13544d0b2bac00
FS: 0000000000000000(0000) GS:ff13550908a00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005be909dacff8 CR3: 0008000173408003 CR4: 0000000000f71ef0
PKRU: 55555554
Call Trace:
<IRQ>
? show_regs+0x6d/0x80
? __warn+0x89/0x160
? __iommu_dma_unmap+0x159/0x170
? report_bug+0x17e/0x1b0
? handle_bug+0x46/0x90
? exc_invalid_op+0x18/0x80
? asm_exc_invalid_op+0x1b/0x20
? __iommu_dma_unmap+0x159/0x170
? __iommu_dma_unmap+0xb3/0x170
iommu_dma_unmap_page+0x4f/0x100
dma_unmap_page_attrs+0x52/0x220
? srso_alias_return_thunk+0x5/0xfbef5
? xdp_return_frame+0x2e/0xd0
bnxt_tx_int_xdp+0xdf/0x440 [bnxt_en]
__bnxt_poll_work_done+0x81/0x1e0 [bnxt_en]
bnxt_poll+0xd3/0x1e0 [bnxt_en]
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: f18c2b77b2e4eec2313d519ba125bd6a069513cf Version: f18c2b77b2e4eec2313d519ba125bd6a069513cf Version: f18c2b77b2e4eec2313d519ba125bd6a069513cf Version: f18c2b77b2e4eec2313d519ba125bd6a069513cf Version: f18c2b77b2e4eec2313d519ba125bd6a069513cf Version: f18c2b77b2e4eec2313d519ba125bd6a069513cf Version: f18c2b77b2e4eec2313d519ba125bd6a069513cf Version: f18c2b77b2e4eec2313d519ba125bd6a069513cf |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e260f4d49370c85a4701d43c6d16b8c39f8b605f",
"status": "affected",
"version": "f18c2b77b2e4eec2313d519ba125bd6a069513cf",
"versionType": "git"
},
{
"lessThan": "16ae306602163fcb7ae83f2701b542e43c100cee",
"status": "affected",
"version": "f18c2b77b2e4eec2313d519ba125bd6a069513cf",
"versionType": "git"
},
{
"lessThan": "8d672a1a6bfc81fef9151925c9c0481f4acf4bec",
"status": "affected",
"version": "f18c2b77b2e4eec2313d519ba125bd6a069513cf",
"versionType": "git"
},
{
"lessThan": "f9eaf6d036075dc820520e1194692c0619b7297b",
"status": "affected",
"version": "f18c2b77b2e4eec2313d519ba125bd6a069513cf",
"versionType": "git"
},
{
"lessThan": "5909679a82cd74cf0343d9e3ddf4b6931aa7e613",
"status": "affected",
"version": "f18c2b77b2e4eec2313d519ba125bd6a069513cf",
"versionType": "git"
},
{
"lessThan": "f154e41e1d9d15ab21300ba7bbf0ebb5cb3b9c2a",
"status": "affected",
"version": "f18c2b77b2e4eec2313d519ba125bd6a069513cf",
"versionType": "git"
},
{
"lessThan": "50dad9909715094e7d9ca25e9e0412b875987519",
"status": "affected",
"version": "f18c2b77b2e4eec2313d519ba125bd6a069513cf",
"versionType": "git"
},
{
"lessThan": "3cdf199d4755d477972ee87110b2aebc88b3cfad",
"status": "affected",
"version": "f18c2b77b2e4eec2313d519ba125bd6a069513cf",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.3"
},
{
"lessThan": "5.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.296",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.240",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.146",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.296",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.240",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.189",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.146",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.99",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.39",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.7",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "5.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt_en: Set DMA unmap len correctly for XDP_REDIRECT\n\nWhen transmitting an XDP_REDIRECT packet, call dma_unmap_len_set()\nwith the proper length instead of 0. This bug triggers this warning\non a system with IOMMU enabled:\n\nWARNING: CPU: 36 PID: 0 at drivers/iommu/dma-iommu.c:842 __iommu_dma_unmap+0x159/0x170\nRIP: 0010:__iommu_dma_unmap+0x159/0x170\nCode: a8 00 00 00 00 48 c7 45 b0 00 00 00 00 48 c7 45 c8 00 00 00 00 48 c7 45 a0 ff ff ff ff 4c 89 45\nb8 4c 89 45 c0 e9 77 ff ff ff \u003c0f\u003e 0b e9 60 ff ff ff e8 8b bf 6a 00 66 66 2e 0f 1f 84 00 00 00 00\nRSP: 0018:ff22d31181150c88 EFLAGS: 00010206\nRAX: 0000000000002000 RBX: 00000000e13a0000 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: ff22d31181150cf0 R08: ff22d31181150ca8 R09: 0000000000000000\nR10: 0000000000000000 R11: ff22d311d36c9d80 R12: 0000000000001000\nR13: ff13544d10645010 R14: ff22d31181150c90 R15: ff13544d0b2bac00\nFS: 0000000000000000(0000) GS:ff13550908a00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00005be909dacff8 CR3: 0008000173408003 CR4: 0000000000f71ef0\nPKRU: 55555554\nCall Trace:\n\u003cIRQ\u003e\n? show_regs+0x6d/0x80\n? __warn+0x89/0x160\n? __iommu_dma_unmap+0x159/0x170\n? report_bug+0x17e/0x1b0\n? handle_bug+0x46/0x90\n? exc_invalid_op+0x18/0x80\n? asm_exc_invalid_op+0x1b/0x20\n? __iommu_dma_unmap+0x159/0x170\n? __iommu_dma_unmap+0xb3/0x170\niommu_dma_unmap_page+0x4f/0x100\ndma_unmap_page_attrs+0x52/0x220\n? srso_alias_return_thunk+0x5/0xfbef5\n? xdp_return_frame+0x2e/0xd0\nbnxt_tx_int_xdp+0xdf/0x440 [bnxt_en]\n__bnxt_poll_work_done+0x81/0x1e0 [bnxt_en]\nbnxt_poll+0xd3/0x1e0 [bnxt_en]"
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T04:22:14.626Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e260f4d49370c85a4701d43c6d16b8c39f8b605f"
},
{
"url": "https://git.kernel.org/stable/c/16ae306602163fcb7ae83f2701b542e43c100cee"
},
{
"url": "https://git.kernel.org/stable/c/8d672a1a6bfc81fef9151925c9c0481f4acf4bec"
},
{
"url": "https://git.kernel.org/stable/c/f9eaf6d036075dc820520e1194692c0619b7297b"
},
{
"url": "https://git.kernel.org/stable/c/5909679a82cd74cf0343d9e3ddf4b6931aa7e613"
},
{
"url": "https://git.kernel.org/stable/c/f154e41e1d9d15ab21300ba7bbf0ebb5cb3b9c2a"
},
{
"url": "https://git.kernel.org/stable/c/50dad9909715094e7d9ca25e9e0412b875987519"
},
{
"url": "https://git.kernel.org/stable/c/3cdf199d4755d477972ee87110b2aebc88b3cfad"
}
],
"title": "bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38439",
"datePublished": "2025-07-25T15:27:18.640Z",
"dateReserved": "2025-04-16T04:51:24.016Z",
"dateUpdated": "2025-07-28T04:22:14.626Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38531 (GCVE-0-2025-38531)
Vulnerability from cvelistv5
Published
2025-08-16 11:12
Modified
2025-08-16 11:12
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
iio: common: st_sensors: Fix use of uninitialize device structs
Throughout the various probe functions &indio_dev->dev is used before it
is initialized. This caused a kernel panic in st_sensors_power_enable()
when the call to devm_regulator_bulk_get_enable() fails and then calls
dev_err_probe() with the uninitialized device.
This seems to only cause a panic with dev_err_probe(), dev_err(),
dev_warn() and dev_info() don't seem to cause a panic, but are fixed
as well.
The issue is reported and traced here: [1]
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iio/accel/st_accel_core.c",
"drivers/iio/common/st_sensors/st_sensors_core.c",
"drivers/iio/common/st_sensors/st_sensors_trigger.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "610615c9668037e3eca11132063b93b2d945af13",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3297a9016a45144883ec990bd4bd5b1d79cafb46",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9f92e93e257b33e73622640a9205f8642ec16ddd",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iio/accel/st_accel_core.c",
"drivers/iio/common/st_sensors/st_sensors_core.c",
"drivers/iio/common/st_sensors/st_sensors_trigger.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.40",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: common: st_sensors: Fix use of uninitialize device structs\n\nThroughout the various probe functions \u0026indio_dev-\u003edev is used before it\nis initialized. This caused a kernel panic in st_sensors_power_enable()\nwhen the call to devm_regulator_bulk_get_enable() fails and then calls\ndev_err_probe() with the uninitialized device.\n\nThis seems to only cause a panic with dev_err_probe(), dev_err(),\ndev_warn() and dev_info() don\u0027t seem to cause a panic, but are fixed\nas well.\n\nThe issue is reported and traced here: [1]"
}
],
"providerMetadata": {
"dateUpdated": "2025-08-16T11:12:24.405Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/610615c9668037e3eca11132063b93b2d945af13"
},
{
"url": "https://git.kernel.org/stable/c/3297a9016a45144883ec990bd4bd5b1d79cafb46"
},
{
"url": "https://git.kernel.org/stable/c/9f92e93e257b33e73622640a9205f8642ec16ddd"
}
],
"title": "iio: common: st_sensors: Fix use of uninitialize device structs",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38531",
"datePublished": "2025-08-16T11:12:24.405Z",
"dateReserved": "2025-04-16T04:51:24.023Z",
"dateUpdated": "2025-08-16T11:12:24.405Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38585 (GCVE-0-2025-38585)
Vulnerability from cvelistv5
Published
2025-08-19 17:03
Modified
2025-09-29 05:54
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
staging: media: atomisp: Fix stack buffer overflow in gmin_get_var_int()
When gmin_get_config_var() calls efi.get_variable() and the EFI variable
is larger than the expected buffer size, two behaviors combine to create
a stack buffer overflow:
1. gmin_get_config_var() does not return the proper error code when
efi.get_variable() fails. It returns the stale 'ret' value from
earlier operations instead of indicating the EFI failure.
2. When efi.get_variable() returns EFI_BUFFER_TOO_SMALL, it updates
*out_len to the required buffer size but writes no data to the output
buffer. However, due to bug #1, gmin_get_var_int() believes the call
succeeded.
The caller gmin_get_var_int() then performs:
- Allocates val[CFG_VAR_NAME_MAX + 1] (65 bytes) on stack
- Calls gmin_get_config_var(dev, is_gmin, var, val, &len) with len=64
- If EFI variable is >64 bytes, efi.get_variable() sets len=required_size
- Due to bug #1, thinks call succeeded with len=required_size
- Executes val[len] = 0, writing past end of 65-byte stack buffer
This creates a stack buffer overflow when EFI variables are larger than
64 bytes. Since EFI variables can be controlled by firmware or system
configuration, this could potentially be exploited for code execution.
Fix the bug by returning proper error codes from gmin_get_config_var()
based on EFI status instead of stale 'ret' value.
The gmin_get_var_int() function is called during device initialization
for camera sensor configuration on Intel Bay Trail and Cherry Trail
platforms using the atomisp camera stack.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/staging/media/atomisp/pci/atomisp_gmin_platform.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3d672fe065aa00f4d66f42e3c9720f69a3ed43e7",
"status": "affected",
"version": "38d4f74bc14847491d07bd745dc4a2c274f4987d",
"versionType": "git"
},
{
"lessThan": "e6d3453a002e89537e6136f6c774659b297a549b",
"status": "affected",
"version": "38d4f74bc14847491d07bd745dc4a2c274f4987d",
"versionType": "git"
},
{
"lessThan": "1a7a2f59fb2eb0718a0cff1e5822500cefe50ed9",
"status": "affected",
"version": "38d4f74bc14847491d07bd745dc4a2c274f4987d",
"versionType": "git"
},
{
"lessThan": "ee4cf798202d285dcbe85e4467a094c44f5ed8e6",
"status": "affected",
"version": "38d4f74bc14847491d07bd745dc4a2c274f4987d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/staging/media/atomisp/pci/atomisp_gmin_platform.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.42",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.10",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: media: atomisp: Fix stack buffer overflow in gmin_get_var_int()\n\nWhen gmin_get_config_var() calls efi.get_variable() and the EFI variable\nis larger than the expected buffer size, two behaviors combine to create\na stack buffer overflow:\n\n1. gmin_get_config_var() does not return the proper error code when\n efi.get_variable() fails. It returns the stale \u0027ret\u0027 value from\n earlier operations instead of indicating the EFI failure.\n\n2. When efi.get_variable() returns EFI_BUFFER_TOO_SMALL, it updates\n *out_len to the required buffer size but writes no data to the output\n buffer. However, due to bug #1, gmin_get_var_int() believes the call\n succeeded.\n\nThe caller gmin_get_var_int() then performs:\n- Allocates val[CFG_VAR_NAME_MAX + 1] (65 bytes) on stack\n- Calls gmin_get_config_var(dev, is_gmin, var, val, \u0026len) with len=64\n- If EFI variable is \u003e64 bytes, efi.get_variable() sets len=required_size\n- Due to bug #1, thinks call succeeded with len=required_size\n- Executes val[len] = 0, writing past end of 65-byte stack buffer\n\nThis creates a stack buffer overflow when EFI variables are larger than\n64 bytes. Since EFI variables can be controlled by firmware or system\nconfiguration, this could potentially be exploited for code execution.\n\nFix the bug by returning proper error codes from gmin_get_config_var()\nbased on EFI status instead of stale \u0027ret\u0027 value.\n\nThe gmin_get_var_int() function is called during device initialization\nfor camera sensor configuration on Intel Bay Trail and Cherry Trail\nplatforms using the atomisp camera stack."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:54:17.156Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3d672fe065aa00f4d66f42e3c9720f69a3ed43e7"
},
{
"url": "https://git.kernel.org/stable/c/e6d3453a002e89537e6136f6c774659b297a549b"
},
{
"url": "https://git.kernel.org/stable/c/1a7a2f59fb2eb0718a0cff1e5822500cefe50ed9"
},
{
"url": "https://git.kernel.org/stable/c/ee4cf798202d285dcbe85e4467a094c44f5ed8e6"
}
],
"title": "staging: media: atomisp: Fix stack buffer overflow in gmin_get_var_int()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38585",
"datePublished": "2025-08-19T17:03:07.084Z",
"dateReserved": "2025-04-16T04:51:24.026Z",
"dateUpdated": "2025-09-29T05:54:17.156Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-58238 (GCVE-0-2024-58238)
Vulnerability from cvelistv5
Published
2025-08-09 14:31
Modified
2025-09-19 15:21
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: btnxpuart: Resolve TX timeout error in power save stress test
This fixes the tx timeout issue seen while running a stress test on
btnxpuart for couple of hours, such that the interval between two HCI
commands coincide with the power save timeout value of 2 seconds.
Test procedure using bash script:
<load btnxpuart.ko>
hciconfig hci0 up
//Enable Power Save feature
hcitool -i hci0 cmd 3f 23 02 00 00
while (true)
do
hciconfig hci0 leadv
sleep 2
hciconfig hci0 noleadv
sleep 2
done
Error log, after adding few more debug prints:
Bluetooth: btnxpuart_queue_skb(): 01 0A 20 01 00
Bluetooth: hci0: Set UART break: on, status=0
Bluetooth: hci0: btnxpuart_tx_wakeup() tx_work scheduled
Bluetooth: hci0: btnxpuart_tx_work() dequeue: 01 0A 20 01 00
Can't set advertise mode on hci0: Connection timed out (110)
Bluetooth: hci0: command 0x200a tx timeout
When the power save mechanism turns on UART break, and btnxpuart_tx_work()
is scheduled simultaneously, psdata->ps_state is read as PS_STATE_AWAKE,
which prevents the psdata->work from being scheduled, which is responsible
to turn OFF UART break.
This issue is fixed by adding a ps_lock mutex around UART break on/off as
well as around ps_state read/write.
btnxpuart_tx_wakeup() will now read updated ps_state value. If ps_state is
PS_STATE_SLEEP, it will first schedule psdata->work, and then it will
reschedule itself once UART break has been turned off and ps_state is
PS_STATE_AWAKE.
Tested above script for 50,000 iterations and TX timeout error was not
observed anymore.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/bluetooth/btnxpuart.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9d5df94ce0e213d5b549633f528f96114c736190",
"status": "affected",
"version": "689ca16e523278470c38832a3010645a78c544d8",
"versionType": "git"
},
{
"lessThan": "e4db90e4eb8d5487098712ffb1048f3fa6d25e98",
"status": "affected",
"version": "689ca16e523278470c38832a3010645a78c544d8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/bluetooth/btnxpuart.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.49",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.9",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.49",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btnxpuart: Resolve TX timeout error in power save stress test\n\nThis fixes the tx timeout issue seen while running a stress test on\nbtnxpuart for couple of hours, such that the interval between two HCI\ncommands coincide with the power save timeout value of 2 seconds.\n\nTest procedure using bash script:\n\u003cload btnxpuart.ko\u003e\nhciconfig hci0 up\n//Enable Power Save feature\nhcitool -i hci0 cmd 3f 23 02 00 00\nwhile (true)\ndo\n hciconfig hci0 leadv\n sleep 2\n hciconfig hci0 noleadv\n sleep 2\ndone\n\nError log, after adding few more debug prints:\nBluetooth: btnxpuart_queue_skb(): 01 0A 20 01 00\nBluetooth: hci0: Set UART break: on, status=0\nBluetooth: hci0: btnxpuart_tx_wakeup() tx_work scheduled\nBluetooth: hci0: btnxpuart_tx_work() dequeue: 01 0A 20 01 00\nCan\u0027t set advertise mode on hci0: Connection timed out (110)\nBluetooth: hci0: command 0x200a tx timeout\n\nWhen the power save mechanism turns on UART break, and btnxpuart_tx_work()\nis scheduled simultaneously, psdata-\u003eps_state is read as PS_STATE_AWAKE,\nwhich prevents the psdata-\u003ework from being scheduled, which is responsible\nto turn OFF UART break.\n\nThis issue is fixed by adding a ps_lock mutex around UART break on/off as\nwell as around ps_state read/write.\nbtnxpuart_tx_wakeup() will now read updated ps_state value. If ps_state is\nPS_STATE_SLEEP, it will first schedule psdata-\u003ework, and then it will\nreschedule itself once UART break has been turned off and ps_state is\nPS_STATE_AWAKE.\n\nTested above script for 50,000 iterations and TX timeout error was not\nobserved anymore."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-19T15:21:43.755Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9d5df94ce0e213d5b549633f528f96114c736190"
},
{
"url": "https://git.kernel.org/stable/c/e4db90e4eb8d5487098712ffb1048f3fa6d25e98"
}
],
"title": "Bluetooth: btnxpuart: Resolve TX timeout error in power save stress test",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-58238",
"datePublished": "2025-08-09T14:31:47.079Z",
"dateReserved": "2025-04-16T07:19:43.804Z",
"dateUpdated": "2025-09-19T15:21:43.755Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21971 (GCVE-0-2025-21971)
Vulnerability from cvelistv5
Published
2025-04-01 15:47
Modified
2025-05-04 07:26
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net_sched: Prevent creation of classes with TC_H_ROOT
The function qdisc_tree_reduce_backlog() uses TC_H_ROOT as a termination
condition when traversing up the qdisc tree to update parent backlog
counters. However, if a class is created with classid TC_H_ROOT, the
traversal terminates prematurely at this class instead of reaching the
actual root qdisc, causing parent statistics to be incorrectly maintained.
In case of DRR, this could lead to a crash as reported by Mingi Cho.
Prevent the creation of any Qdisc class with classid TC_H_ROOT
(0xFFFFFFFF) across all qdisc types, as suggested by Jamal.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 066a3b5b2346febf9a655b444567b7138e3bb939 Version: 066a3b5b2346febf9a655b444567b7138e3bb939 Version: 066a3b5b2346febf9a655b444567b7138e3bb939 Version: 066a3b5b2346febf9a655b444567b7138e3bb939 Version: 066a3b5b2346febf9a655b444567b7138e3bb939 Version: 066a3b5b2346febf9a655b444567b7138e3bb939 Version: 066a3b5b2346febf9a655b444567b7138e3bb939 Version: 066a3b5b2346febf9a655b444567b7138e3bb939 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/sch_api.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e05d9938b1b0ac40b6054cc5fa0ccbd9afd5ed4c",
"status": "affected",
"version": "066a3b5b2346febf9a655b444567b7138e3bb939",
"versionType": "git"
},
{
"lessThan": "7a82fe67a9f4d7123d8e5ba8f0f0806c28695006",
"status": "affected",
"version": "066a3b5b2346febf9a655b444567b7138e3bb939",
"versionType": "git"
},
{
"lessThan": "003d92c91cdb5a64b25a9a74cb8543aac9a8bb48",
"status": "affected",
"version": "066a3b5b2346febf9a655b444567b7138e3bb939",
"versionType": "git"
},
{
"lessThan": "e5ee00607bbfc97ef1526ea95b6b2458ac9e7cb7",
"status": "affected",
"version": "066a3b5b2346febf9a655b444567b7138e3bb939",
"versionType": "git"
},
{
"lessThan": "78533c4a29ac3aeddce4b481770beaaa4f3bfb67",
"status": "affected",
"version": "066a3b5b2346febf9a655b444567b7138e3bb939",
"versionType": "git"
},
{
"lessThan": "5c3ca9cb48b51bd72bf76b8b05e24f3cd53db5e7",
"status": "affected",
"version": "066a3b5b2346febf9a655b444567b7138e3bb939",
"versionType": "git"
},
{
"lessThan": "94edfdfb9505ab608e86599d1d1e38c83816fc1c",
"status": "affected",
"version": "066a3b5b2346febf9a655b444567b7138e3bb939",
"versionType": "git"
},
{
"lessThan": "0c3057a5a04d07120b3d0ec9c79568fceb9c921e",
"status": "affected",
"version": "066a3b5b2346febf9a655b444567b7138e3bb939",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/sch_api.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.25"
},
{
"lessThan": "2.6.25",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.292",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.236",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.180",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.84",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.292",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.236",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.180",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.132",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.84",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.20",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.8",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "2.6.25",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: Prevent creation of classes with TC_H_ROOT\n\nThe function qdisc_tree_reduce_backlog() uses TC_H_ROOT as a termination\ncondition when traversing up the qdisc tree to update parent backlog\ncounters. However, if a class is created with classid TC_H_ROOT, the\ntraversal terminates prematurely at this class instead of reaching the\nactual root qdisc, causing parent statistics to be incorrectly maintained.\nIn case of DRR, this could lead to a crash as reported by Mingi Cho.\n\nPrevent the creation of any Qdisc class with classid TC_H_ROOT\n(0xFFFFFFFF) across all qdisc types, as suggested by Jamal."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:26:09.021Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e05d9938b1b0ac40b6054cc5fa0ccbd9afd5ed4c"
},
{
"url": "https://git.kernel.org/stable/c/7a82fe67a9f4d7123d8e5ba8f0f0806c28695006"
},
{
"url": "https://git.kernel.org/stable/c/003d92c91cdb5a64b25a9a74cb8543aac9a8bb48"
},
{
"url": "https://git.kernel.org/stable/c/e5ee00607bbfc97ef1526ea95b6b2458ac9e7cb7"
},
{
"url": "https://git.kernel.org/stable/c/78533c4a29ac3aeddce4b481770beaaa4f3bfb67"
},
{
"url": "https://git.kernel.org/stable/c/5c3ca9cb48b51bd72bf76b8b05e24f3cd53db5e7"
},
{
"url": "https://git.kernel.org/stable/c/94edfdfb9505ab608e86599d1d1e38c83816fc1c"
},
{
"url": "https://git.kernel.org/stable/c/0c3057a5a04d07120b3d0ec9c79568fceb9c921e"
}
],
"title": "net_sched: Prevent creation of classes with TC_H_ROOT",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21971",
"datePublished": "2025-04-01T15:47:04.448Z",
"dateReserved": "2024-12-29T08:45:45.797Z",
"dateUpdated": "2025-05-04T07:26:09.021Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53117 (GCVE-0-2023-53117)
Vulnerability from cvelistv5
Published
2025-05-02 15:55
Modified
2025-05-04 07:50
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
fs: prevent out-of-bounds array speculation when closing a file descriptor
Google-Bug-Id: 114199369
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/file.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f31cd5da636682caea424fa1c22679016cbfc16b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3d5d9501b634fd268eb56428cda92cd317752d69",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6631c8da02cfad96c53b217cf647b511c7f34faf",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a759905de9cd6ec9ca08ceadf0920272772ed830",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f8cd8754a03a3748384ee438c572423643c9c315",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "cec08b7d1ebcd3138d4658b3868ce26aeb1e8e06",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "eea8e4e056a5ffbeb539a13854c017d5d62c756a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "609d54441493c99f21c1823dfd66fa7f4c512ff4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/file.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.310",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.278",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.237",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.310",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.278",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.237",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.175",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.103",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: prevent out-of-bounds array speculation when closing a file descriptor\n\nGoogle-Bug-Id: 114199369"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:50:11.802Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f31cd5da636682caea424fa1c22679016cbfc16b"
},
{
"url": "https://git.kernel.org/stable/c/3d5d9501b634fd268eb56428cda92cd317752d69"
},
{
"url": "https://git.kernel.org/stable/c/6631c8da02cfad96c53b217cf647b511c7f34faf"
},
{
"url": "https://git.kernel.org/stable/c/a759905de9cd6ec9ca08ceadf0920272772ed830"
},
{
"url": "https://git.kernel.org/stable/c/f8cd8754a03a3748384ee438c572423643c9c315"
},
{
"url": "https://git.kernel.org/stable/c/cec08b7d1ebcd3138d4658b3868ce26aeb1e8e06"
},
{
"url": "https://git.kernel.org/stable/c/eea8e4e056a5ffbeb539a13854c017d5d62c756a"
},
{
"url": "https://git.kernel.org/stable/c/609d54441493c99f21c1823dfd66fa7f4c512ff4"
}
],
"title": "fs: prevent out-of-bounds array speculation when closing a file descriptor",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53117",
"datePublished": "2025-05-02T15:55:55.512Z",
"dateReserved": "2025-05-02T15:51:43.554Z",
"dateUpdated": "2025-05-04T07:50:11.802Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38458 (GCVE-0-2025-38458)
Vulnerability from cvelistv5
Published
2025-07-25 15:27
Modified
2025-07-28 04:22
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
atm: clip: Fix NULL pointer dereference in vcc_sendmsg()
atmarpd_dev_ops does not implement the send method, which may cause crash
as bellow.
BUG: kernel NULL pointer dereference, address: 0000000000000000
PGD 0 P4D 0
Oops: Oops: 0010 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 5324 Comm: syz.0.0 Not tainted 6.15.0-rc6-syzkaller-00346-g5723cc3450bc #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:0x0
Code: Unable to access opcode bytes at 0xffffffffffffffd6.
RSP: 0018:ffffc9000d3cf778 EFLAGS: 00010246
RAX: 1ffffffff1910dd1 RBX: 00000000000000c0 RCX: dffffc0000000000
RDX: ffffc9000dc82000 RSI: ffff88803e4c4640 RDI: ffff888052cd0000
RBP: ffffc9000d3cf8d0 R08: ffff888052c9143f R09: 1ffff1100a592287
R10: dffffc0000000000 R11: 0000000000000000 R12: 1ffff92001a79f00
R13: ffff888052cd0000 R14: ffff88803e4c4640 R15: ffffffff8c886e88
FS: 00007fbc762566c0(0000) GS:ffff88808d6c2000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 0000000041f1b000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
vcc_sendmsg+0xa10/0xc50 net/atm/common.c:644
sock_sendmsg_nosec net/socket.c:712 [inline]
__sock_sendmsg+0x219/0x270 net/socket.c:727
____sys_sendmsg+0x52d/0x830 net/socket.c:2566
___sys_sendmsg+0x21f/0x2a0 net/socket.c:2620
__sys_sendmmsg+0x227/0x430 net/socket.c:2709
__do_sys_sendmmsg net/socket.c:2736 [inline]
__se_sys_sendmmsg net/socket.c:2733 [inline]
__x64_sys_sendmmsg+0xa0/0xc0 net/socket.c:2733
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xf6/0x210 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/atm/clip.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9ec7e943aee5c28c173933f9defd40892fb3be3d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a16fbe6087e91c8e7c4aa50e1af7ad56edbd9e3e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7f1cad84ac1a6af42d9d57e879de47ce37995024",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "27b5bb7ea1a8fa7b8c4cfde4d2bf8650cca2e8e8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "07b585ae3699c0a5026f86ac846f144e34875eee",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "34a09d6240a25185ef6fc5a19dbb3cdbb6a78bc0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7f8a9b396037daae453a108faec5b28886361323",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "22fc46cea91df3dce140a7dc6847c6fcf0354505",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/atm/clip.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.296",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.240",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.146",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.296",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.240",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.189",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.146",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.99",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.39",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.7",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\natm: clip: Fix NULL pointer dereference in vcc_sendmsg()\n\natmarpd_dev_ops does not implement the send method, which may cause crash\nas bellow.\n\nBUG: kernel NULL pointer dereference, address: 0000000000000000\nPGD 0 P4D 0\nOops: Oops: 0010 [#1] SMP KASAN NOPTI\nCPU: 0 UID: 0 PID: 5324 Comm: syz.0.0 Not tainted 6.15.0-rc6-syzkaller-00346-g5723cc3450bc #0 PREEMPT(full)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nRIP: 0010:0x0\nCode: Unable to access opcode bytes at 0xffffffffffffffd6.\nRSP: 0018:ffffc9000d3cf778 EFLAGS: 00010246\nRAX: 1ffffffff1910dd1 RBX: 00000000000000c0 RCX: dffffc0000000000\nRDX: ffffc9000dc82000 RSI: ffff88803e4c4640 RDI: ffff888052cd0000\nRBP: ffffc9000d3cf8d0 R08: ffff888052c9143f R09: 1ffff1100a592287\nR10: dffffc0000000000 R11: 0000000000000000 R12: 1ffff92001a79f00\nR13: ffff888052cd0000 R14: ffff88803e4c4640 R15: ffffffff8c886e88\nFS: 00007fbc762566c0(0000) GS:ffff88808d6c2000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffffffffffffffd6 CR3: 0000000041f1b000 CR4: 0000000000352ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n vcc_sendmsg+0xa10/0xc50 net/atm/common.c:644\n sock_sendmsg_nosec net/socket.c:712 [inline]\n __sock_sendmsg+0x219/0x270 net/socket.c:727\n ____sys_sendmsg+0x52d/0x830 net/socket.c:2566\n ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2620\n __sys_sendmmsg+0x227/0x430 net/socket.c:2709\n __do_sys_sendmmsg net/socket.c:2736 [inline]\n __se_sys_sendmmsg net/socket.c:2733 [inline]\n __x64_sys_sendmmsg+0xa0/0xc0 net/socket.c:2733\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xf6/0x210 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f"
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T04:22:53.053Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9ec7e943aee5c28c173933f9defd40892fb3be3d"
},
{
"url": "https://git.kernel.org/stable/c/a16fbe6087e91c8e7c4aa50e1af7ad56edbd9e3e"
},
{
"url": "https://git.kernel.org/stable/c/7f1cad84ac1a6af42d9d57e879de47ce37995024"
},
{
"url": "https://git.kernel.org/stable/c/27b5bb7ea1a8fa7b8c4cfde4d2bf8650cca2e8e8"
},
{
"url": "https://git.kernel.org/stable/c/07b585ae3699c0a5026f86ac846f144e34875eee"
},
{
"url": "https://git.kernel.org/stable/c/34a09d6240a25185ef6fc5a19dbb3cdbb6a78bc0"
},
{
"url": "https://git.kernel.org/stable/c/7f8a9b396037daae453a108faec5b28886361323"
},
{
"url": "https://git.kernel.org/stable/c/22fc46cea91df3dce140a7dc6847c6fcf0354505"
}
],
"title": "atm: clip: Fix NULL pointer dereference in vcc_sendmsg()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38458",
"datePublished": "2025-07-25T15:27:37.164Z",
"dateReserved": "2025-04-16T04:51:24.019Z",
"dateUpdated": "2025-07-28T04:22:53.053Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50228 (GCVE-0-2022-50228)
Vulnerability from cvelistv5
Published
2025-06-18 11:04
Modified
2025-06-18 11:04
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: SVM: Don't BUG if userspace injects an interrupt with GIF=0
Don't BUG/WARN on interrupt injection due to GIF being cleared,
since it's trivial for userspace to force the situation via
KVM_SET_VCPU_EVENTS (even if having at least a WARN there would be correct
for KVM internally generated injections).
kernel BUG at arch/x86/kvm/svm/svm.c:3386!
invalid opcode: 0000 [#1] SMP
CPU: 15 PID: 926 Comm: smm_test Not tainted 5.17.0-rc3+ #264
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
RIP: 0010:svm_inject_irq+0xab/0xb0 [kvm_amd]
Code: <0f> 0b 0f 1f 00 0f 1f 44 00 00 80 3d ac b3 01 00 00 55 48 89 f5 53
RSP: 0018:ffffc90000b37d88 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff88810a234ac0 RCX: 0000000000000006
RDX: 0000000000000000 RSI: ffffc90000b37df7 RDI: ffff88810a234ac0
RBP: ffffc90000b37df7 R08: ffff88810a1fa410 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: ffff888109571000 R14: ffff88810a234ac0 R15: 0000000000000000
FS: 0000000001821380(0000) GS:ffff88846fdc0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f74fc550008 CR3: 000000010a6fe000 CR4: 0000000000350ea0
Call Trace:
<TASK>
inject_pending_event+0x2f7/0x4c0 [kvm]
kvm_arch_vcpu_ioctl_run+0x791/0x17a0 [kvm]
kvm_vcpu_ioctl+0x26d/0x650 [kvm]
__x64_sys_ioctl+0x82/0xb0
do_syscall_64+0x3b/0xc0
entry_SYSCALL_64_after_hwframe+0x44/0xae
</TASK>
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 219b65dcf6c0bad83d51bfa12e25891c02de2414 Version: 219b65dcf6c0bad83d51bfa12e25891c02de2414 Version: 219b65dcf6c0bad83d51bfa12e25891c02de2414 Version: 219b65dcf6c0bad83d51bfa12e25891c02de2414 Version: 219b65dcf6c0bad83d51bfa12e25891c02de2414 Version: 219b65dcf6c0bad83d51bfa12e25891c02de2414 Version: 219b65dcf6c0bad83d51bfa12e25891c02de2414 Version: 219b65dcf6c0bad83d51bfa12e25891c02de2414 Version: 219b65dcf6c0bad83d51bfa12e25891c02de2414 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/svm/svm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2c49adeb020995236e63722ef6d0bee14372f471",
"status": "affected",
"version": "219b65dcf6c0bad83d51bfa12e25891c02de2414",
"versionType": "git"
},
{
"lessThan": "6fcbab82ccbcde915644085f73d3487938bda42d",
"status": "affected",
"version": "219b65dcf6c0bad83d51bfa12e25891c02de2414",
"versionType": "git"
},
{
"lessThan": "c3396c1c8b87510f2ac2a674948156577559d42d",
"status": "affected",
"version": "219b65dcf6c0bad83d51bfa12e25891c02de2414",
"versionType": "git"
},
{
"lessThan": "68e1313bb8809e8addcd9431f2bfea0e8ddbca80",
"status": "affected",
"version": "219b65dcf6c0bad83d51bfa12e25891c02de2414",
"versionType": "git"
},
{
"lessThan": "8bb683490278005b4caf61e22b0828a04d282e86",
"status": "affected",
"version": "219b65dcf6c0bad83d51bfa12e25891c02de2414",
"versionType": "git"
},
{
"lessThan": "6afe88fbb40eac3291a8728688d61fdc745d8008",
"status": "affected",
"version": "219b65dcf6c0bad83d51bfa12e25891c02de2414",
"versionType": "git"
},
{
"lessThan": "3d4e2d884da6312df7c9b85fbf671de49204ead6",
"status": "affected",
"version": "219b65dcf6c0bad83d51bfa12e25891c02de2414",
"versionType": "git"
},
{
"lessThan": "2eee1dba70f57148fc7f8252613bfae6bd4b04e3",
"status": "affected",
"version": "219b65dcf6c0bad83d51bfa12e25891c02de2414",
"versionType": "git"
},
{
"lessThan": "f17c31c48e5cde9895a491d91c424eeeada3e134",
"status": "affected",
"version": "219b65dcf6c0bad83d51bfa12e25891c02de2414",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/svm/svm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.32"
},
{
"lessThan": "2.6.32",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.326",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.256",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.211",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.137",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.326",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.291",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.256",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.211",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.137",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.61",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.18",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.2",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0",
"versionStartIncluding": "2.6.32",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: SVM: Don\u0027t BUG if userspace injects an interrupt with GIF=0\n\nDon\u0027t BUG/WARN on interrupt injection due to GIF being cleared,\nsince it\u0027s trivial for userspace to force the situation via\nKVM_SET_VCPU_EVENTS (even if having at least a WARN there would be correct\nfor KVM internally generated injections).\n\n kernel BUG at arch/x86/kvm/svm/svm.c:3386!\n invalid opcode: 0000 [#1] SMP\n CPU: 15 PID: 926 Comm: smm_test Not tainted 5.17.0-rc3+ #264\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\n RIP: 0010:svm_inject_irq+0xab/0xb0 [kvm_amd]\n Code: \u003c0f\u003e 0b 0f 1f 00 0f 1f 44 00 00 80 3d ac b3 01 00 00 55 48 89 f5 53\n RSP: 0018:ffffc90000b37d88 EFLAGS: 00010246\n RAX: 0000000000000000 RBX: ffff88810a234ac0 RCX: 0000000000000006\n RDX: 0000000000000000 RSI: ffffc90000b37df7 RDI: ffff88810a234ac0\n RBP: ffffc90000b37df7 R08: ffff88810a1fa410 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\n R13: ffff888109571000 R14: ffff88810a234ac0 R15: 0000000000000000\n FS: 0000000001821380(0000) GS:ffff88846fdc0000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007f74fc550008 CR3: 000000010a6fe000 CR4: 0000000000350ea0\n Call Trace:\n \u003cTASK\u003e\n inject_pending_event+0x2f7/0x4c0 [kvm]\n kvm_arch_vcpu_ioctl_run+0x791/0x17a0 [kvm]\n kvm_vcpu_ioctl+0x26d/0x650 [kvm]\n __x64_sys_ioctl+0x82/0xb0\n do_syscall_64+0x3b/0xc0\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n \u003c/TASK\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2025-06-18T11:04:05.491Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2c49adeb020995236e63722ef6d0bee14372f471"
},
{
"url": "https://git.kernel.org/stable/c/6fcbab82ccbcde915644085f73d3487938bda42d"
},
{
"url": "https://git.kernel.org/stable/c/c3396c1c8b87510f2ac2a674948156577559d42d"
},
{
"url": "https://git.kernel.org/stable/c/68e1313bb8809e8addcd9431f2bfea0e8ddbca80"
},
{
"url": "https://git.kernel.org/stable/c/8bb683490278005b4caf61e22b0828a04d282e86"
},
{
"url": "https://git.kernel.org/stable/c/6afe88fbb40eac3291a8728688d61fdc745d8008"
},
{
"url": "https://git.kernel.org/stable/c/3d4e2d884da6312df7c9b85fbf671de49204ead6"
},
{
"url": "https://git.kernel.org/stable/c/2eee1dba70f57148fc7f8252613bfae6bd4b04e3"
},
{
"url": "https://git.kernel.org/stable/c/f17c31c48e5cde9895a491d91c424eeeada3e134"
}
],
"title": "KVM: SVM: Don\u0027t BUG if userspace injects an interrupt with GIF=0",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50228",
"datePublished": "2025-06-18T11:04:05.491Z",
"dateReserved": "2025-06-18T10:57:27.432Z",
"dateUpdated": "2025-06-18T11:04:05.491Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38513 (GCVE-0-2025-38513)
Vulnerability from cvelistv5
Published
2025-08-16 10:55
Modified
2025-08-16 10:55
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev()
There is a potential NULL pointer dereference in zd_mac_tx_to_dev(). For
example, the following is possible:
T0 T1
zd_mac_tx_to_dev()
/* len == skb_queue_len(q) */
while (len > ZD_MAC_MAX_ACK_WAITERS) {
filter_ack()
spin_lock_irqsave(&q->lock, flags);
/* position == skb_queue_len(q) */
for (i=1; i<position; i++)
skb = __skb_dequeue(q)
if (mac->type == NL80211_IFTYPE_AP)
skb = __skb_dequeue(q);
spin_unlock_irqrestore(&q->lock, flags);
skb_dequeue() -> NULL
Since there is a small gap between checking skb queue length and skb being
unconditionally dequeued in zd_mac_tx_to_dev(), skb_dequeue() can return NULL.
Then the pointer is passed to zd_mac_tx_status() where it is dereferenced.
In order to avoid potential NULL pointer dereference due to situations like
above, check if skb is not NULL before passing it to zd_mac_tx_status().
Found by Linux Verification Center (linuxtesting.org) with SVACE.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 459c51ad6e1fc19e91a53798358433d3c08cd09d Version: 459c51ad6e1fc19e91a53798358433d3c08cd09d Version: 459c51ad6e1fc19e91a53798358433d3c08cd09d Version: 459c51ad6e1fc19e91a53798358433d3c08cd09d Version: 459c51ad6e1fc19e91a53798358433d3c08cd09d Version: 459c51ad6e1fc19e91a53798358433d3c08cd09d Version: 459c51ad6e1fc19e91a53798358433d3c08cd09d Version: 459c51ad6e1fc19e91a53798358433d3c08cd09d |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/zydas/zd1211rw/zd_mac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c1958270de947604cc6de05fc96dbba256b49cf0",
"status": "affected",
"version": "459c51ad6e1fc19e91a53798358433d3c08cd09d",
"versionType": "git"
},
{
"lessThan": "014c34dc132015c4f918ada4982e952947ac1047",
"status": "affected",
"version": "459c51ad6e1fc19e91a53798358433d3c08cd09d",
"versionType": "git"
},
{
"lessThan": "b24f65c184540dfb967479320ecf7e8c2e9220dc",
"status": "affected",
"version": "459c51ad6e1fc19e91a53798358433d3c08cd09d",
"versionType": "git"
},
{
"lessThan": "adf08c96b963c7cd7ec1ee1c0c556228d9bedaae",
"status": "affected",
"version": "459c51ad6e1fc19e91a53798358433d3c08cd09d",
"versionType": "git"
},
{
"lessThan": "5420de65efbeb6503bcf1d43451c9df67ad60298",
"status": "affected",
"version": "459c51ad6e1fc19e91a53798358433d3c08cd09d",
"versionType": "git"
},
{
"lessThan": "fcd9c923b58e86501450b9b442ccc7ce4a8d0fda",
"status": "affected",
"version": "459c51ad6e1fc19e91a53798358433d3c08cd09d",
"versionType": "git"
},
{
"lessThan": "602b4eb2f25668de15de69860ec99caf65b3684d",
"status": "affected",
"version": "459c51ad6e1fc19e91a53798358433d3c08cd09d",
"versionType": "git"
},
{
"lessThan": "74b1ec9f5d627d2bdd5e5b6f3f81c23317657023",
"status": "affected",
"version": "459c51ad6e1fc19e91a53798358433d3c08cd09d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/zydas/zd1211rw/zd_mac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.25"
},
{
"lessThan": "2.6.25",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.296",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.240",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.146",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.296",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.240",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.189",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.146",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.99",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.39",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.7",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "2.6.25",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev()\n\nThere is a potential NULL pointer dereference in zd_mac_tx_to_dev(). For\nexample, the following is possible:\n\n \tT0\t\t\t \t\tT1\nzd_mac_tx_to_dev()\n /* len == skb_queue_len(q) */\n while (len \u003e ZD_MAC_MAX_ACK_WAITERS) {\n\n\t\t\t\t\t filter_ack()\n\t\t\t\t\t spin_lock_irqsave(\u0026q-\u003elock, flags);\n\t\t\t\t\t /* position == skb_queue_len(q) */\n\t\t\t\t\t for (i=1; i\u003cposition; i++)\n\t\t\t\t \t skb = __skb_dequeue(q)\n\n\t\t\t\t\t if (mac-\u003etype == NL80211_IFTYPE_AP)\n\t\t\t\t\t skb = __skb_dequeue(q);\n\t\t\t\t\t spin_unlock_irqrestore(\u0026q-\u003elock, flags);\n\n skb_dequeue() -\u003e NULL\n\nSince there is a small gap between checking skb queue length and skb being\nunconditionally dequeued in zd_mac_tx_to_dev(), skb_dequeue() can return NULL.\nThen the pointer is passed to zd_mac_tx_status() where it is dereferenced.\n\nIn order to avoid potential NULL pointer dereference due to situations like\nabove, check if skb is not NULL before passing it to zd_mac_tx_status().\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE."
}
],
"providerMetadata": {
"dateUpdated": "2025-08-16T10:55:00.254Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c1958270de947604cc6de05fc96dbba256b49cf0"
},
{
"url": "https://git.kernel.org/stable/c/014c34dc132015c4f918ada4982e952947ac1047"
},
{
"url": "https://git.kernel.org/stable/c/b24f65c184540dfb967479320ecf7e8c2e9220dc"
},
{
"url": "https://git.kernel.org/stable/c/adf08c96b963c7cd7ec1ee1c0c556228d9bedaae"
},
{
"url": "https://git.kernel.org/stable/c/5420de65efbeb6503bcf1d43451c9df67ad60298"
},
{
"url": "https://git.kernel.org/stable/c/fcd9c923b58e86501450b9b442ccc7ce4a8d0fda"
},
{
"url": "https://git.kernel.org/stable/c/602b4eb2f25668de15de69860ec99caf65b3684d"
},
{
"url": "https://git.kernel.org/stable/c/74b1ec9f5d627d2bdd5e5b6f3f81c23317657023"
}
],
"title": "wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38513",
"datePublished": "2025-08-16T10:55:00.254Z",
"dateReserved": "2025-04-16T04:51:24.023Z",
"dateUpdated": "2025-08-16T10:55:00.254Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38630 (GCVE-0-2025-38630)
Vulnerability from cvelistv5
Published
2025-08-22 16:00
Modified
2025-09-29 05:55
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
fbdev: imxfb: Check fb_add_videomode to prevent null-ptr-deref
fb_add_videomode() can fail with -ENOMEM when its internal kmalloc() cannot
allocate a struct fb_modelist. If that happens, the modelist stays empty but
the driver continues to register. Add a check for its return value to prevent
poteintial null-ptr-deref, which is similar to the commit 17186f1f90d3 ("fbdev:
Fix do_register_framebuffer to prevent null-ptr-deref in fb_videomode_to_var").
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1b6c79361ba5ce30b40f0f7d6fc2421dc5fcbe0c Version: 1b6c79361ba5ce30b40f0f7d6fc2421dc5fcbe0c Version: 1b6c79361ba5ce30b40f0f7d6fc2421dc5fcbe0c Version: 1b6c79361ba5ce30b40f0f7d6fc2421dc5fcbe0c Version: 1b6c79361ba5ce30b40f0f7d6fc2421dc5fcbe0c Version: 1b6c79361ba5ce30b40f0f7d6fc2421dc5fcbe0c Version: 1b6c79361ba5ce30b40f0f7d6fc2421dc5fcbe0c Version: 1b6c79361ba5ce30b40f0f7d6fc2421dc5fcbe0c Version: 1b6c79361ba5ce30b40f0f7d6fc2421dc5fcbe0c |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/imxfb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "69373502c2b5d364842c702c941d1171e4f35a7c",
"status": "affected",
"version": "1b6c79361ba5ce30b40f0f7d6fc2421dc5fcbe0c",
"versionType": "git"
},
{
"lessThan": "f00c29e6755ead56baf2a9c1d3c4c0bb40af3612",
"status": "affected",
"version": "1b6c79361ba5ce30b40f0f7d6fc2421dc5fcbe0c",
"versionType": "git"
},
{
"lessThan": "cca8f5a3991916729b39d797d01499c335137319",
"status": "affected",
"version": "1b6c79361ba5ce30b40f0f7d6fc2421dc5fcbe0c",
"versionType": "git"
},
{
"lessThan": "ac16154cccda8be10ee3ae188f10a06f3890bc5d",
"status": "affected",
"version": "1b6c79361ba5ce30b40f0f7d6fc2421dc5fcbe0c",
"versionType": "git"
},
{
"lessThan": "4b5d36cc3014986e6fac12eaa8433fe56801d4ce",
"status": "affected",
"version": "1b6c79361ba5ce30b40f0f7d6fc2421dc5fcbe0c",
"versionType": "git"
},
{
"lessThan": "40f0a51f6c54d46a94b9f1180339ede7ca7ee190",
"status": "affected",
"version": "1b6c79361ba5ce30b40f0f7d6fc2421dc5fcbe0c",
"versionType": "git"
},
{
"lessThan": "49377bac9e3bec1635065a033c9679214fe7593e",
"status": "affected",
"version": "1b6c79361ba5ce30b40f0f7d6fc2421dc5fcbe0c",
"versionType": "git"
},
{
"lessThan": "f060441c153495750804133555cf0a211a856892",
"status": "affected",
"version": "1b6c79361ba5ce30b40f0f7d6fc2421dc5fcbe0c",
"versionType": "git"
},
{
"lessThan": "da11e6a30e0bb8e911288bdc443b3dc8f6a7cac7",
"status": "affected",
"version": "1b6c79361ba5ce30b40f0f7d6fc2421dc5fcbe0c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/imxfb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.11"
},
{
"lessThan": "3.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.148",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.102",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.148",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.102",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.42",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.10",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "3.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: imxfb: Check fb_add_videomode to prevent null-ptr-deref\n\nfb_add_videomode() can fail with -ENOMEM when its internal kmalloc() cannot\nallocate a struct fb_modelist. If that happens, the modelist stays empty but\nthe driver continues to register. Add a check for its return value to prevent\npoteintial null-ptr-deref, which is similar to the commit 17186f1f90d3 (\"fbdev:\nFix do_register_framebuffer to prevent null-ptr-deref in fb_videomode_to_var\")."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:55:08.558Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/69373502c2b5d364842c702c941d1171e4f35a7c"
},
{
"url": "https://git.kernel.org/stable/c/f00c29e6755ead56baf2a9c1d3c4c0bb40af3612"
},
{
"url": "https://git.kernel.org/stable/c/cca8f5a3991916729b39d797d01499c335137319"
},
{
"url": "https://git.kernel.org/stable/c/ac16154cccda8be10ee3ae188f10a06f3890bc5d"
},
{
"url": "https://git.kernel.org/stable/c/4b5d36cc3014986e6fac12eaa8433fe56801d4ce"
},
{
"url": "https://git.kernel.org/stable/c/40f0a51f6c54d46a94b9f1180339ede7ca7ee190"
},
{
"url": "https://git.kernel.org/stable/c/49377bac9e3bec1635065a033c9679214fe7593e"
},
{
"url": "https://git.kernel.org/stable/c/f060441c153495750804133555cf0a211a856892"
},
{
"url": "https://git.kernel.org/stable/c/da11e6a30e0bb8e911288bdc443b3dc8f6a7cac7"
}
],
"title": "fbdev: imxfb: Check fb_add_videomode to prevent null-ptr-deref",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38630",
"datePublished": "2025-08-22T16:00:38.678Z",
"dateReserved": "2025-04-16T04:51:24.029Z",
"dateUpdated": "2025-09-29T05:55:08.558Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38610 (GCVE-0-2025-38610)
Vulnerability from cvelistv5
Published
2025-08-19 17:03
Modified
2025-09-29 05:54
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
powercap: dtpm_cpu: Fix NULL pointer dereference in get_pd_power_uw()
The get_pd_power_uw() function can crash with a NULL pointer dereference
when em_cpu_get() returns NULL. This occurs when a CPU becomes impossible
during runtime, causing get_cpu_device() to return NULL, which propagates
through em_cpu_get() and leads to a crash when em_span_cpus() dereferences
the NULL pointer.
Add a NULL check after em_cpu_get() and return 0 if unavailable,
matching the existing fallback behavior in __dtpm_cpu_setup().
[ rjw: Drop an excess empty code line ]
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: eb82bace893169b319c563b7f813c58a0a5a9f76 Version: eb82bace893169b319c563b7f813c58a0a5a9f76 Version: eb82bace893169b319c563b7f813c58a0a5a9f76 Version: eb82bace893169b319c563b7f813c58a0a5a9f76 Version: eb82bace893169b319c563b7f813c58a0a5a9f76 Version: eb82bace893169b319c563b7f813c58a0a5a9f76 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/powercap/dtpm_cpu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "27914f2b795e2b58e9506f281dcdd98fef09d3c2",
"status": "affected",
"version": "eb82bace893169b319c563b7f813c58a0a5a9f76",
"versionType": "git"
},
{
"lessThan": "c6ec27091cf5ac05094c1fe3a6ce914cf711a37c",
"status": "affected",
"version": "eb82bace893169b319c563b7f813c58a0a5a9f76",
"versionType": "git"
},
{
"lessThan": "8374ac7d69a57d737e701a851ffe980a0d27d3ad",
"status": "affected",
"version": "eb82bace893169b319c563b7f813c58a0a5a9f76",
"versionType": "git"
},
{
"lessThan": "27e0318f0ea69fcfa32228847debc384ade14578",
"status": "affected",
"version": "eb82bace893169b319c563b7f813c58a0a5a9f76",
"versionType": "git"
},
{
"lessThan": "2fd001a0075ac01dc64a28a8e21226b3d989a91d",
"status": "affected",
"version": "eb82bace893169b319c563b7f813c58a0a5a9f76",
"versionType": "git"
},
{
"lessThan": "46dc57406887dd02565cb264224194a6776d882b",
"status": "affected",
"version": "eb82bace893169b319c563b7f813c58a0a5a9f76",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/powercap/dtpm_cpu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.148",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.102",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.148",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.102",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.42",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.10",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowercap: dtpm_cpu: Fix NULL pointer dereference in get_pd_power_uw()\n\nThe get_pd_power_uw() function can crash with a NULL pointer dereference\nwhen em_cpu_get() returns NULL. This occurs when a CPU becomes impossible\nduring runtime, causing get_cpu_device() to return NULL, which propagates\nthrough em_cpu_get() and leads to a crash when em_span_cpus() dereferences\nthe NULL pointer.\n\nAdd a NULL check after em_cpu_get() and return 0 if unavailable,\nmatching the existing fallback behavior in __dtpm_cpu_setup().\n\n[ rjw: Drop an excess empty code line ]"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:54:45.207Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/27914f2b795e2b58e9506f281dcdd98fef09d3c2"
},
{
"url": "https://git.kernel.org/stable/c/c6ec27091cf5ac05094c1fe3a6ce914cf711a37c"
},
{
"url": "https://git.kernel.org/stable/c/8374ac7d69a57d737e701a851ffe980a0d27d3ad"
},
{
"url": "https://git.kernel.org/stable/c/27e0318f0ea69fcfa32228847debc384ade14578"
},
{
"url": "https://git.kernel.org/stable/c/2fd001a0075ac01dc64a28a8e21226b3d989a91d"
},
{
"url": "https://git.kernel.org/stable/c/46dc57406887dd02565cb264224194a6776d882b"
}
],
"title": "powercap: dtpm_cpu: Fix NULL pointer dereference in get_pd_power_uw()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38610",
"datePublished": "2025-08-19T17:03:53.255Z",
"dateReserved": "2025-04-16T04:51:24.029Z",
"dateUpdated": "2025-09-29T05:54:45.207Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38125 (GCVE-0-2025-38125)
Vulnerability from cvelistv5
Published
2025-07-03 08:35
Modified
2025-07-28 04:12
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: stmmac: make sure that ptp_rate is not 0 before configuring EST
If the ptp_rate recorded earlier in the driver happens to be 0, this
bogus value will propagate up to EST configuration, where it will
trigger a division by 0.
Prevent this division by 0 by adding the corresponding check and error
code.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/stmicro/stmmac/stmmac_est.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "451ee661d0f6272017fa012f99617101aa8ddf2c",
"status": "affected",
"version": "8572aec3d0dc43045254fd1bf581fb980bfdbc4b",
"versionType": "git"
},
{
"lessThan": "d5e3bfdba0dc419499b801937128957f77503761",
"status": "affected",
"version": "8572aec3d0dc43045254fd1bf581fb980bfdbc4b",
"versionType": "git"
},
{
"lessThan": "cbefe2ffa7784525ec5d008ba87c7add19ec631a",
"status": "affected",
"version": "8572aec3d0dc43045254fd1bf581fb980bfdbc4b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/stmicro/stmmac/stmmac_est.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.34",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.3",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: make sure that ptp_rate is not 0 before configuring EST\n\nIf the ptp_rate recorded earlier in the driver happens to be 0, this\nbogus value will propagate up to EST configuration, where it will\ntrigger a division by 0.\n\nPrevent this division by 0 by adding the corresponding check and error\ncode."
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T04:12:51.703Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/451ee661d0f6272017fa012f99617101aa8ddf2c"
},
{
"url": "https://git.kernel.org/stable/c/d5e3bfdba0dc419499b801937128957f77503761"
},
{
"url": "https://git.kernel.org/stable/c/cbefe2ffa7784525ec5d008ba87c7add19ec631a"
}
],
"title": "net: stmmac: make sure that ptp_rate is not 0 before configuring EST",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38125",
"datePublished": "2025-07-03T08:35:31.176Z",
"dateReserved": "2025-04-16T04:51:23.986Z",
"dateUpdated": "2025-07-28T04:12:51.703Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38212 (GCVE-0-2025-38212)
Vulnerability from cvelistv5
Published
2025-07-04 13:37
Modified
2025-07-28 04:15
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipc: fix to protect IPCS lookups using RCU
syzbot reported that it discovered a use-after-free vulnerability, [0]
[0]: https://lore.kernel.org/all/67af13f8.050a0220.21dd3.0038.GAE@google.com/
idr_for_each() is protected by rwsem, but this is not enough. If it is
not protected by RCU read-critical region, when idr_for_each() calls
radix_tree_node_free() through call_rcu() to free the radix_tree_node
structure, the node will be freed immediately, and when reading the next
node in radix_tree_for_each_slot(), the already freed memory may be read.
Therefore, we need to add code to make sure that idr_for_each() is
protected within the RCU read-critical region when we call it in
shm_destroy_orphaned().
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: b34a6b1da371ed8af1221459a18c67970f7e3d53 Version: b34a6b1da371ed8af1221459a18c67970f7e3d53 Version: b34a6b1da371ed8af1221459a18c67970f7e3d53 Version: b34a6b1da371ed8af1221459a18c67970f7e3d53 Version: b34a6b1da371ed8af1221459a18c67970f7e3d53 Version: b34a6b1da371ed8af1221459a18c67970f7e3d53 Version: b34a6b1da371ed8af1221459a18c67970f7e3d53 Version: b34a6b1da371ed8af1221459a18c67970f7e3d53 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"ipc/shm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5f1e1573bf103303944fd7225559de5d8297539c",
"status": "affected",
"version": "b34a6b1da371ed8af1221459a18c67970f7e3d53",
"versionType": "git"
},
{
"lessThan": "b968ba8bfd9f90914957bbbd815413bf6a98eca7",
"status": "affected",
"version": "b34a6b1da371ed8af1221459a18c67970f7e3d53",
"versionType": "git"
},
{
"lessThan": "74bc813d11c30e28fc5261dc877cca662ccfac68",
"status": "affected",
"version": "b34a6b1da371ed8af1221459a18c67970f7e3d53",
"versionType": "git"
},
{
"lessThan": "78297d53d3878d43c1d627d20cd09f611fa4b91d",
"status": "affected",
"version": "b34a6b1da371ed8af1221459a18c67970f7e3d53",
"versionType": "git"
},
{
"lessThan": "5180561afff8e0f029073c8c8117c95c6512d1f9",
"status": "affected",
"version": "b34a6b1da371ed8af1221459a18c67970f7e3d53",
"versionType": "git"
},
{
"lessThan": "68c173ea138b66d7dd1fd980c9bc578a18e11884",
"status": "affected",
"version": "b34a6b1da371ed8af1221459a18c67970f7e3d53",
"versionType": "git"
},
{
"lessThan": "b0b6bf90ce2699a574b3683e22c44d0dcdd7a057",
"status": "affected",
"version": "b34a6b1da371ed8af1221459a18c67970f7e3d53",
"versionType": "git"
},
{
"lessThan": "d66adabe91803ef34a8b90613c81267b5ded1472",
"status": "affected",
"version": "b34a6b1da371ed8af1221459a18c67970f7e3d53",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"ipc/shm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.1"
},
{
"lessThan": "3.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.239",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.186",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.95",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.35",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.295",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.239",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.186",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.142",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.95",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.35",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.4",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "3.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipc: fix to protect IPCS lookups using RCU\n\nsyzbot reported that it discovered a use-after-free vulnerability, [0]\n\n[0]: https://lore.kernel.org/all/67af13f8.050a0220.21dd3.0038.GAE@google.com/\n\nidr_for_each() is protected by rwsem, but this is not enough. If it is\nnot protected by RCU read-critical region, when idr_for_each() calls\nradix_tree_node_free() through call_rcu() to free the radix_tree_node\nstructure, the node will be freed immediately, and when reading the next\nnode in radix_tree_for_each_slot(), the already freed memory may be read.\n\nTherefore, we need to add code to make sure that idr_for_each() is\nprotected within the RCU read-critical region when we call it in\nshm_destroy_orphaned()."
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T04:15:19.169Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5f1e1573bf103303944fd7225559de5d8297539c"
},
{
"url": "https://git.kernel.org/stable/c/b968ba8bfd9f90914957bbbd815413bf6a98eca7"
},
{
"url": "https://git.kernel.org/stable/c/74bc813d11c30e28fc5261dc877cca662ccfac68"
},
{
"url": "https://git.kernel.org/stable/c/78297d53d3878d43c1d627d20cd09f611fa4b91d"
},
{
"url": "https://git.kernel.org/stable/c/5180561afff8e0f029073c8c8117c95c6512d1f9"
},
{
"url": "https://git.kernel.org/stable/c/68c173ea138b66d7dd1fd980c9bc578a18e11884"
},
{
"url": "https://git.kernel.org/stable/c/b0b6bf90ce2699a574b3683e22c44d0dcdd7a057"
},
{
"url": "https://git.kernel.org/stable/c/d66adabe91803ef34a8b90613c81267b5ded1472"
}
],
"title": "ipc: fix to protect IPCS lookups using RCU",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38212",
"datePublished": "2025-07-04T13:37:30.957Z",
"dateReserved": "2025-04-16T04:51:23.994Z",
"dateUpdated": "2025-07-28T04:15:19.169Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-58239 (GCVE-0-2024-58239)
Vulnerability from cvelistv5
Published
2025-08-22 13:01
Modified
2025-08-22 13:01
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tls: stop recv() if initial process_rx_list gave us non-DATA
If we have a non-DATA record on the rx_list and another record of the
same type still on the queue, we will end up merging them:
- process_rx_list copies the non-DATA record
- we start the loop and process the first available record since it's
of the same type
- we break out of the loop since the record was not DATA
Just check the record type and jump to the end in case process_rx_list
did some work.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 692d7b5d1f9125a1cf0595e979e3b5fb7210547e Version: 692d7b5d1f9125a1cf0595e979e3b5fb7210547e Version: 692d7b5d1f9125a1cf0595e979e3b5fb7210547e Version: 692d7b5d1f9125a1cf0595e979e3b5fb7210547e Version: 692d7b5d1f9125a1cf0595e979e3b5fb7210547e Version: 692d7b5d1f9125a1cf0595e979e3b5fb7210547e Version: 692d7b5d1f9125a1cf0595e979e3b5fb7210547e |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/tls/tls_sw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f310143961e2d9a0479fca117ce869f8aaecc140",
"status": "affected",
"version": "692d7b5d1f9125a1cf0595e979e3b5fb7210547e",
"versionType": "git"
},
{
"lessThan": "31e10d6cb0c9532ff070cf50da1657c3acee9276",
"status": "affected",
"version": "692d7b5d1f9125a1cf0595e979e3b5fb7210547e",
"versionType": "git"
},
{
"lessThan": "4338032aa90bd1d5b33a4274e8fa8347cda5ee09",
"status": "affected",
"version": "692d7b5d1f9125a1cf0595e979e3b5fb7210547e",
"versionType": "git"
},
{
"lessThan": "6756168add1c6c3ef1c32c335bb843a5d1f99a75",
"status": "affected",
"version": "692d7b5d1f9125a1cf0595e979e3b5fb7210547e",
"versionType": "git"
},
{
"lessThan": "3b952d8fdfcf6fd8ea0b8954bc9277642cf0977f",
"status": "affected",
"version": "692d7b5d1f9125a1cf0595e979e3b5fb7210547e",
"versionType": "git"
},
{
"lessThan": "a4ed943882a8fc057ea5a67643314245e048bbdd",
"status": "affected",
"version": "692d7b5d1f9125a1cf0595e979e3b5fb7210547e",
"versionType": "git"
},
{
"lessThan": "fdfbaec5923d9359698cbb286bc0deadbb717504",
"status": "affected",
"version": "692d7b5d1f9125a1cf0595e979e3b5fb7210547e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/tls/tls_sw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.1"
},
{
"lessThan": "5.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.211",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.7.*",
"status": "unaffected",
"version": "6.7.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.8",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.270",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.211",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.150",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.80",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.19",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7.7",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8",
"versionStartIncluding": "5.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: stop recv() if initial process_rx_list gave us non-DATA\n\nIf we have a non-DATA record on the rx_list and another record of the\nsame type still on the queue, we will end up merging them:\n - process_rx_list copies the non-DATA record\n - we start the loop and process the first available record since it\u0027s\n of the same type\n - we break out of the loop since the record was not DATA\n\nJust check the record type and jump to the end in case process_rx_list\ndid some work."
}
],
"providerMetadata": {
"dateUpdated": "2025-08-22T13:01:17.440Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f310143961e2d9a0479fca117ce869f8aaecc140"
},
{
"url": "https://git.kernel.org/stable/c/31e10d6cb0c9532ff070cf50da1657c3acee9276"
},
{
"url": "https://git.kernel.org/stable/c/4338032aa90bd1d5b33a4274e8fa8347cda5ee09"
},
{
"url": "https://git.kernel.org/stable/c/6756168add1c6c3ef1c32c335bb843a5d1f99a75"
},
{
"url": "https://git.kernel.org/stable/c/3b952d8fdfcf6fd8ea0b8954bc9277642cf0977f"
},
{
"url": "https://git.kernel.org/stable/c/a4ed943882a8fc057ea5a67643314245e048bbdd"
},
{
"url": "https://git.kernel.org/stable/c/fdfbaec5923d9359698cbb286bc0deadbb717504"
}
],
"title": "tls: stop recv() if initial process_rx_list gave us non-DATA",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-58239",
"datePublished": "2025-08-22T13:01:17.440Z",
"dateReserved": "2025-04-16T07:19:43.804Z",
"dateUpdated": "2025-08-22T13:01:17.440Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38530 (GCVE-0-2025-38530)
Vulnerability from cvelistv5
Published
2025-08-16 11:12
Modified
2025-08-28 14:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
comedi: pcl812: Fix bit shift out of bounds
When checking for a supported IRQ number, the following test is used:
if ((1 << it->options[1]) & board->irq_bits) {
However, `it->options[i]` is an unchecked `int` value from userspace, so
the shift amount could be negative or out of bounds. Fix the test by
requiring `it->options[1]` to be within bounds before proceeding with
the original test. Valid `it->options[1]` values that select the IRQ
will be in the range [1,15]. The value 0 explicitly disables the use of
interrupts.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: fcdb427bc7cf5e9e5d7280cf09c08dec49b49432 Version: fcdb427bc7cf5e9e5d7280cf09c08dec49b49432 Version: fcdb427bc7cf5e9e5d7280cf09c08dec49b49432 Version: fcdb427bc7cf5e9e5d7280cf09c08dec49b49432 Version: fcdb427bc7cf5e9e5d7280cf09c08dec49b49432 Version: fcdb427bc7cf5e9e5d7280cf09c08dec49b49432 Version: fcdb427bc7cf5e9e5d7280cf09c08dec49b49432 Version: fcdb427bc7cf5e9e5d7280cf09c08dec49b49432 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/comedi/drivers/pcl812.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "374d9b3eb4b08407997ef1fce96119d31e0c0bc4",
"status": "affected",
"version": "fcdb427bc7cf5e9e5d7280cf09c08dec49b49432",
"versionType": "git"
},
{
"lessThan": "0489c30d080f07cc7f09d04de723d8c2ccdb61ef",
"status": "affected",
"version": "fcdb427bc7cf5e9e5d7280cf09c08dec49b49432",
"versionType": "git"
},
{
"lessThan": "29ef03e5b84431171d6b77b822985b54bc44b793",
"status": "affected",
"version": "fcdb427bc7cf5e9e5d7280cf09c08dec49b49432",
"versionType": "git"
},
{
"lessThan": "5bfa301e1e59a9b1a7b62a800b54852337c97416",
"status": "affected",
"version": "fcdb427bc7cf5e9e5d7280cf09c08dec49b49432",
"versionType": "git"
},
{
"lessThan": "7e470d8efd10725b189ca8951973a8425932398a",
"status": "affected",
"version": "fcdb427bc7cf5e9e5d7280cf09c08dec49b49432",
"versionType": "git"
},
{
"lessThan": "a27e27eee313fe1c450b6af1e80e64412546cab4",
"status": "affected",
"version": "fcdb427bc7cf5e9e5d7280cf09c08dec49b49432",
"versionType": "git"
},
{
"lessThan": "16c173abee315953fd17a279352fec4a1faee862",
"status": "affected",
"version": "fcdb427bc7cf5e9e5d7280cf09c08dec49b49432",
"versionType": "git"
},
{
"lessThan": "b14b076ce593f72585412fc7fd3747e03a5e3632",
"status": "affected",
"version": "fcdb427bc7cf5e9e5d7280cf09c08dec49b49432",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/comedi/drivers/pcl812.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.30"
},
{
"lessThan": "2.6.30",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.147",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.100",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.147",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.100",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.40",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.8",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "2.6.30",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: pcl812: Fix bit shift out of bounds\n\nWhen checking for a supported IRQ number, the following test is used:\n\n\tif ((1 \u003c\u003c it-\u003eoptions[1]) \u0026 board-\u003eirq_bits) {\n\nHowever, `it-\u003eoptions[i]` is an unchecked `int` value from userspace, so\nthe shift amount could be negative or out of bounds. Fix the test by\nrequiring `it-\u003eoptions[1]` to be within bounds before proceeding with\nthe original test. Valid `it-\u003eoptions[1]` values that select the IRQ\nwill be in the range [1,15]. The value 0 explicitly disables the use of\ninterrupts."
}
],
"providerMetadata": {
"dateUpdated": "2025-08-28T14:43:37.414Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/374d9b3eb4b08407997ef1fce96119d31e0c0bc4"
},
{
"url": "https://git.kernel.org/stable/c/0489c30d080f07cc7f09d04de723d8c2ccdb61ef"
},
{
"url": "https://git.kernel.org/stable/c/29ef03e5b84431171d6b77b822985b54bc44b793"
},
{
"url": "https://git.kernel.org/stable/c/5bfa301e1e59a9b1a7b62a800b54852337c97416"
},
{
"url": "https://git.kernel.org/stable/c/7e470d8efd10725b189ca8951973a8425932398a"
},
{
"url": "https://git.kernel.org/stable/c/a27e27eee313fe1c450b6af1e80e64412546cab4"
},
{
"url": "https://git.kernel.org/stable/c/16c173abee315953fd17a279352fec4a1faee862"
},
{
"url": "https://git.kernel.org/stable/c/b14b076ce593f72585412fc7fd3747e03a5e3632"
}
],
"title": "comedi: pcl812: Fix bit shift out of bounds",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38530",
"datePublished": "2025-08-16T11:12:23.368Z",
"dateReserved": "2025-04-16T04:51:24.023Z",
"dateUpdated": "2025-08-28T14:43:37.414Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38459 (GCVE-0-2025-38459)
Vulnerability from cvelistv5
Published
2025-07-25 15:27
Modified
2025-07-28 04:22
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
atm: clip: Fix infinite recursive call of clip_push().
syzbot reported the splat below. [0]
This happens if we call ioctl(ATMARP_MKIP) more than once.
During the first call, clip_mkip() sets clip_push() to vcc->push(),
and the second call copies it to clip_vcc->old_push().
Later, when the socket is close()d, vcc_destroy_socket() passes
NULL skb to clip_push(), which calls clip_vcc->old_push(),
triggering the infinite recursion.
Let's prevent the second ioctl(ATMARP_MKIP) by checking
vcc->user_back, which is allocated by the first call as clip_vcc.
Note also that we use lock_sock() to prevent racy calls.
[0]:
BUG: TASK stack guard page was hit at ffffc9000d66fff8 (stack is ffffc9000d670000..ffffc9000d678000)
Oops: stack guard page: 0000 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 5322 Comm: syz.0.0 Not tainted 6.16.0-rc4-syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:clip_push+0x5/0x720 net/atm/clip.c:191
Code: e0 8f aa 8c e8 1c ad 5b fa eb ae 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 55 <41> 57 41 56 41 55 41 54 53 48 83 ec 20 48 89 f3 49 89 fd 48 bd 00
RSP: 0018:ffffc9000d670000 EFLAGS: 00010246
RAX: 1ffff1100235a4a5 RBX: ffff888011ad2508 RCX: ffff8880003c0000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff888037f01000
RBP: dffffc0000000000 R08: ffffffff8fa104f7 R09: 1ffffffff1f4209e
R10: dffffc0000000000 R11: ffffffff8a99b300 R12: ffffffff8a99b300
R13: ffff888037f01000 R14: ffff888011ad2500 R15: ffff888037f01578
FS: 000055557ab6d500(0000) GS:ffff88808d250000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffc9000d66fff8 CR3: 0000000043172000 CR4: 0000000000352ef0
Call Trace:
<TASK>
clip_push+0x6dc/0x720 net/atm/clip.c:200
clip_push+0x6dc/0x720 net/atm/clip.c:200
clip_push+0x6dc/0x720 net/atm/clip.c:200
...
clip_push+0x6dc/0x720 net/atm/clip.c:200
clip_push+0x6dc/0x720 net/atm/clip.c:200
clip_push+0x6dc/0x720 net/atm/clip.c:200
vcc_destroy_socket net/atm/common.c:183 [inline]
vcc_release+0x157/0x460 net/atm/common.c:205
__sock_release net/socket.c:647 [inline]
sock_close+0xc0/0x240 net/socket.c:1391
__fput+0x449/0xa70 fs/file_table.c:465
task_work_run+0x1d1/0x260 kernel/task_work.c:227
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
exit_to_user_mode_loop+0xec/0x110 kernel/entry/common.c:114
exit_to_user_mode_prepare include/linux/entry-common.h:330 [inline]
syscall_exit_to_user_mode_work include/linux/entry-common.h:414 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:449 [inline]
do_syscall_64+0x2bd/0x3b0 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7ff31c98e929
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fffb5aa1f78 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
RAX: 0000000000000000 RBX: 0000000000012747 RCX: 00007ff31c98e929
RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
RBP: 00007ff31cbb7ba0 R08: 0000000000000001 R09: 0000000db5aa226f
R10: 00007ff31c7ff030 R11: 0000000000000246 R12: 00007ff31cbb608c
R13: 00007ff31cbb6080 R14: ffffffffffffffff R15: 00007fffb5aa2090
</TASK>
Modules linked in:
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/atm/clip.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f493f31a63847624fd3199ac836a8bd8828e50e2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "125166347d5676466d368aadc0bbc31ee7714352",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5641019dfbaee5e85fe093b590f0451c9dd4d6f8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1579a2777cb914a249de22c789ba4d41b154509f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3f61b997fe014bbfcc208a9fcbd363a1fe7e3a31",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "024876b247a882972095b22087734dcd23396a4e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "df0312d8859763aa15b8b56ac151a1ea4a4e5b88",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c489f3283dbfc0f3c00c312149cae90d27552c45",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/atm/clip.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.296",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.240",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.146",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.296",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.240",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.189",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.146",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.99",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.39",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.7",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\natm: clip: Fix infinite recursive call of clip_push().\n\nsyzbot reported the splat below. [0]\n\nThis happens if we call ioctl(ATMARP_MKIP) more than once.\n\nDuring the first call, clip_mkip() sets clip_push() to vcc-\u003epush(),\nand the second call copies it to clip_vcc-\u003eold_push().\n\nLater, when the socket is close()d, vcc_destroy_socket() passes\nNULL skb to clip_push(), which calls clip_vcc-\u003eold_push(),\ntriggering the infinite recursion.\n\nLet\u0027s prevent the second ioctl(ATMARP_MKIP) by checking\nvcc-\u003euser_back, which is allocated by the first call as clip_vcc.\n\nNote also that we use lock_sock() to prevent racy calls.\n\n[0]:\nBUG: TASK stack guard page was hit at ffffc9000d66fff8 (stack is ffffc9000d670000..ffffc9000d678000)\nOops: stack guard page: 0000 [#1] SMP KASAN NOPTI\nCPU: 0 UID: 0 PID: 5322 Comm: syz.0.0 Not tainted 6.16.0-rc4-syzkaller #0 PREEMPT(full)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nRIP: 0010:clip_push+0x5/0x720 net/atm/clip.c:191\nCode: e0 8f aa 8c e8 1c ad 5b fa eb ae 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 55 \u003c41\u003e 57 41 56 41 55 41 54 53 48 83 ec 20 48 89 f3 49 89 fd 48 bd 00\nRSP: 0018:ffffc9000d670000 EFLAGS: 00010246\nRAX: 1ffff1100235a4a5 RBX: ffff888011ad2508 RCX: ffff8880003c0000\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff888037f01000\nRBP: dffffc0000000000 R08: ffffffff8fa104f7 R09: 1ffffffff1f4209e\nR10: dffffc0000000000 R11: ffffffff8a99b300 R12: ffffffff8a99b300\nR13: ffff888037f01000 R14: ffff888011ad2500 R15: ffff888037f01578\nFS: 000055557ab6d500(0000) GS:ffff88808d250000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffffc9000d66fff8 CR3: 0000000043172000 CR4: 0000000000352ef0\nCall Trace:\n \u003cTASK\u003e\n clip_push+0x6dc/0x720 net/atm/clip.c:200\n clip_push+0x6dc/0x720 net/atm/clip.c:200\n clip_push+0x6dc/0x720 net/atm/clip.c:200\n...\n clip_push+0x6dc/0x720 net/atm/clip.c:200\n clip_push+0x6dc/0x720 net/atm/clip.c:200\n clip_push+0x6dc/0x720 net/atm/clip.c:200\n vcc_destroy_socket net/atm/common.c:183 [inline]\n vcc_release+0x157/0x460 net/atm/common.c:205\n __sock_release net/socket.c:647 [inline]\n sock_close+0xc0/0x240 net/socket.c:1391\n __fput+0x449/0xa70 fs/file_table.c:465\n task_work_run+0x1d1/0x260 kernel/task_work.c:227\n resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]\n exit_to_user_mode_loop+0xec/0x110 kernel/entry/common.c:114\n exit_to_user_mode_prepare include/linux/entry-common.h:330 [inline]\n syscall_exit_to_user_mode_work include/linux/entry-common.h:414 [inline]\n syscall_exit_to_user_mode include/linux/entry-common.h:449 [inline]\n do_syscall_64+0x2bd/0x3b0 arch/x86/entry/syscall_64.c:100\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7ff31c98e929\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fffb5aa1f78 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4\nRAX: 0000000000000000 RBX: 0000000000012747 RCX: 00007ff31c98e929\nRDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003\nRBP: 00007ff31cbb7ba0 R08: 0000000000000001 R09: 0000000db5aa226f\nR10: 00007ff31c7ff030 R11: 0000000000000246 R12: 00007ff31cbb608c\nR13: 00007ff31cbb6080 R14: ffffffffffffffff R15: 00007fffb5aa2090\n \u003c/TASK\u003e\nModules linked in:"
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T04:22:59.776Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f493f31a63847624fd3199ac836a8bd8828e50e2"
},
{
"url": "https://git.kernel.org/stable/c/125166347d5676466d368aadc0bbc31ee7714352"
},
{
"url": "https://git.kernel.org/stable/c/5641019dfbaee5e85fe093b590f0451c9dd4d6f8"
},
{
"url": "https://git.kernel.org/stable/c/1579a2777cb914a249de22c789ba4d41b154509f"
},
{
"url": "https://git.kernel.org/stable/c/3f61b997fe014bbfcc208a9fcbd363a1fe7e3a31"
},
{
"url": "https://git.kernel.org/stable/c/024876b247a882972095b22087734dcd23396a4e"
},
{
"url": "https://git.kernel.org/stable/c/df0312d8859763aa15b8b56ac151a1ea4a4e5b88"
},
{
"url": "https://git.kernel.org/stable/c/c489f3283dbfc0f3c00c312149cae90d27552c45"
}
],
"title": "atm: clip: Fix infinite recursive call of clip_push().",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38459",
"datePublished": "2025-07-25T15:27:37.893Z",
"dateReserved": "2025-04-16T04:51:24.019Z",
"dateUpdated": "2025-07-28T04:22:59.776Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50162 (GCVE-0-2022-50162)
Vulnerability from cvelistv5
Published
2025-06-18 11:03
Modified
2025-06-18 11:03
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: libertas: Fix possible refcount leak in if_usb_probe()
usb_get_dev will be called before lbs_get_firmware_async which means that
usb_put_dev need to be called when lbs_get_firmware_async fails.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: ce84bb69f50e6f6cfeabc9b965365290f4184417 Version: ce84bb69f50e6f6cfeabc9b965365290f4184417 Version: ce84bb69f50e6f6cfeabc9b965365290f4184417 Version: ce84bb69f50e6f6cfeabc9b965365290f4184417 Version: ce84bb69f50e6f6cfeabc9b965365290f4184417 Version: ce84bb69f50e6f6cfeabc9b965365290f4184417 Version: ce84bb69f50e6f6cfeabc9b965365290f4184417 Version: ce84bb69f50e6f6cfeabc9b965365290f4184417 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/marvell/libertas/if_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "61b2ec97487399c58ae2e34f250f4884e671799b",
"status": "affected",
"version": "ce84bb69f50e6f6cfeabc9b965365290f4184417",
"versionType": "git"
},
{
"lessThan": "4c8e2f9ce1428e44cb103035eeced7aeb6b80980",
"status": "affected",
"version": "ce84bb69f50e6f6cfeabc9b965365290f4184417",
"versionType": "git"
},
{
"lessThan": "878e7f39803a9ab5bb9766956a7a04351d4bf99d",
"status": "affected",
"version": "ce84bb69f50e6f6cfeabc9b965365290f4184417",
"versionType": "git"
},
{
"lessThan": "97e5d3e46a3a2100253a9717a4df98d68aeb10b8",
"status": "affected",
"version": "ce84bb69f50e6f6cfeabc9b965365290f4184417",
"versionType": "git"
},
{
"lessThan": "d7365590d15bbd9008f424ef043d1778ffe29f42",
"status": "affected",
"version": "ce84bb69f50e6f6cfeabc9b965365290f4184417",
"versionType": "git"
},
{
"lessThan": "00d0c4e59c0f8ad1f86874bb64b220394e687028",
"status": "affected",
"version": "ce84bb69f50e6f6cfeabc9b965365290f4184417",
"versionType": "git"
},
{
"lessThan": "5b92f406a5199b6b01dc664b9226d824ae2835f0",
"status": "affected",
"version": "ce84bb69f50e6f6cfeabc9b965365290f4184417",
"versionType": "git"
},
{
"lessThan": "6fd57e1d120bf13d4dc6c200a7cf914e6347a316",
"status": "affected",
"version": "ce84bb69f50e6f6cfeabc9b965365290f4184417",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/marvell/libertas/if_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.5"
},
{
"lessThan": "3.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.256",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.211",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.137",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.291",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.256",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.211",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.137",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.61",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.18",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.2",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0",
"versionStartIncluding": "3.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: libertas: Fix possible refcount leak in if_usb_probe()\n\nusb_get_dev will be called before lbs_get_firmware_async which means that\nusb_put_dev need to be called when lbs_get_firmware_async fails."
}
],
"providerMetadata": {
"dateUpdated": "2025-06-18T11:03:17.717Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/61b2ec97487399c58ae2e34f250f4884e671799b"
},
{
"url": "https://git.kernel.org/stable/c/4c8e2f9ce1428e44cb103035eeced7aeb6b80980"
},
{
"url": "https://git.kernel.org/stable/c/878e7f39803a9ab5bb9766956a7a04351d4bf99d"
},
{
"url": "https://git.kernel.org/stable/c/97e5d3e46a3a2100253a9717a4df98d68aeb10b8"
},
{
"url": "https://git.kernel.org/stable/c/d7365590d15bbd9008f424ef043d1778ffe29f42"
},
{
"url": "https://git.kernel.org/stable/c/00d0c4e59c0f8ad1f86874bb64b220394e687028"
},
{
"url": "https://git.kernel.org/stable/c/5b92f406a5199b6b01dc664b9226d824ae2835f0"
},
{
"url": "https://git.kernel.org/stable/c/6fd57e1d120bf13d4dc6c200a7cf914e6347a316"
}
],
"title": "wifi: libertas: Fix possible refcount leak in if_usb_probe()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50162",
"datePublished": "2025-06-18T11:03:17.717Z",
"dateReserved": "2025-06-18T10:57:27.425Z",
"dateUpdated": "2025-06-18T11:03:17.717Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38251 (GCVE-0-2025-38251)
Vulnerability from cvelistv5
Published
2025-07-09 10:42
Modified
2025-07-28 04:16
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
atm: clip: prevent NULL deref in clip_push()
Blamed commit missed that vcc_destroy_socket() calls
clip_push() with a NULL skb.
If clip_devs is NULL, clip_push() then crashes when reading
skb->truesize.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 93a2014afbace907178afc3c9c1e62c9a338595a Version: 93a2014afbace907178afc3c9c1e62c9a338595a Version: 93a2014afbace907178afc3c9c1e62c9a338595a Version: 93a2014afbace907178afc3c9c1e62c9a338595a Version: 93a2014afbace907178afc3c9c1e62c9a338595a Version: 93a2014afbace907178afc3c9c1e62c9a338595a Version: 93a2014afbace907178afc3c9c1e62c9a338595a |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/atm/clip.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "41f6420ee845006354c004839fed07da71e34aee",
"status": "affected",
"version": "93a2014afbace907178afc3c9c1e62c9a338595a",
"versionType": "git"
},
{
"lessThan": "9199e8cb75f13a1650adcb3c6cad42789c43884e",
"status": "affected",
"version": "93a2014afbace907178afc3c9c1e62c9a338595a",
"versionType": "git"
},
{
"lessThan": "88c88f91f4b3563956bb52e7a71a3640f7ece157",
"status": "affected",
"version": "93a2014afbace907178afc3c9c1e62c9a338595a",
"versionType": "git"
},
{
"lessThan": "3c709dce16999bf6a1d2ce377deb5dd6fdd8cb08",
"status": "affected",
"version": "93a2014afbace907178afc3c9c1e62c9a338595a",
"versionType": "git"
},
{
"lessThan": "a07005a77b18ae59b8471e7e4d991fa9f642b3c2",
"status": "affected",
"version": "93a2014afbace907178afc3c9c1e62c9a338595a",
"versionType": "git"
},
{
"lessThan": "ede31ad949ae0d03cb4c5edd79991586ad7c8bb8",
"status": "affected",
"version": "93a2014afbace907178afc3c9c1e62c9a338595a",
"versionType": "git"
},
{
"lessThan": "b993ea46b3b601915ceaaf3c802adf11e7d6bac6",
"status": "affected",
"version": "93a2014afbace907178afc3c9c1e62c9a338595a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/atm/clip.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.240",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.187",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.96",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.240",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.187",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.143",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.96",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.36",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.5",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\natm: clip: prevent NULL deref in clip_push()\n\nBlamed commit missed that vcc_destroy_socket() calls\nclip_push() with a NULL skb.\n\nIf clip_devs is NULL, clip_push() then crashes when reading\nskb-\u003etruesize."
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T04:16:13.533Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/41f6420ee845006354c004839fed07da71e34aee"
},
{
"url": "https://git.kernel.org/stable/c/9199e8cb75f13a1650adcb3c6cad42789c43884e"
},
{
"url": "https://git.kernel.org/stable/c/88c88f91f4b3563956bb52e7a71a3640f7ece157"
},
{
"url": "https://git.kernel.org/stable/c/3c709dce16999bf6a1d2ce377deb5dd6fdd8cb08"
},
{
"url": "https://git.kernel.org/stable/c/a07005a77b18ae59b8471e7e4d991fa9f642b3c2"
},
{
"url": "https://git.kernel.org/stable/c/ede31ad949ae0d03cb4c5edd79991586ad7c8bb8"
},
{
"url": "https://git.kernel.org/stable/c/b993ea46b3b601915ceaaf3c802adf11e7d6bac6"
}
],
"title": "atm: clip: prevent NULL deref in clip_push()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38251",
"datePublished": "2025-07-09T10:42:30.877Z",
"dateReserved": "2025-04-16T04:51:23.997Z",
"dateUpdated": "2025-07-28T04:16:13.533Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38360 (GCVE-0-2025-38360)
Vulnerability from cvelistv5
Published
2025-07-25 12:47
Modified
2025-07-28 11:16
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Add more checks for DSC / HUBP ONO guarantees
[WHY]
For non-zero DSC instances it's possible that the HUBP domain required
to drive it for sequential ONO ASICs isn't met, potentially causing
the logic to the tile to enter an undefined state leading to a system
hang.
[HOW]
Add more checks to ensure that the HUBP domain matching the DSC instance
is appropriately powered.
(cherry picked from commit da63df07112e5a9857a8d2aaa04255c4206754ec)
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "646442758910d13f9afc57f38bc0a537c3575390",
"status": "affected",
"version": "6f8b7565cca4b745da54b7d5f26b7b9265a5f330",
"versionType": "git"
},
{
"lessThan": "3f4e601bc6765e4ff5f42cc2d00993c86b367f7e",
"status": "affected",
"version": "6f8b7565cca4b745da54b7d5f26b7b9265a5f330",
"versionType": "git"
},
{
"lessThan": "0d57dd1765d311111d9885346108c4deeae1deb4",
"status": "affected",
"version": "6f8b7565cca4b745da54b7d5f26b7b9265a5f330",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.7"
},
{
"lessThan": "6.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.37",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.37",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.5",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "6.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add more checks for DSC / HUBP ONO guarantees\n\n[WHY]\nFor non-zero DSC instances it\u0027s possible that the HUBP domain required\nto drive it for sequential ONO ASICs isn\u0027t met, potentially causing\nthe logic to the tile to enter an undefined state leading to a system\nhang.\n\n[HOW]\nAdd more checks to ensure that the HUBP domain matching the DSC instance\nis appropriately powered.\n\n(cherry picked from commit da63df07112e5a9857a8d2aaa04255c4206754ec)"
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T11:16:46.594Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/646442758910d13f9afc57f38bc0a537c3575390"
},
{
"url": "https://git.kernel.org/stable/c/3f4e601bc6765e4ff5f42cc2d00993c86b367f7e"
},
{
"url": "https://git.kernel.org/stable/c/0d57dd1765d311111d9885346108c4deeae1deb4"
}
],
"title": "drm/amd/display: Add more checks for DSC / HUBP ONO guarantees",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38360",
"datePublished": "2025-07-25T12:47:31.397Z",
"dateReserved": "2025-04-16T04:51:24.007Z",
"dateUpdated": "2025-07-28T11:16:46.594Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38546 (GCVE-0-2025-38546)
Vulnerability from cvelistv5
Published
2025-08-16 11:22
Modified
2025-08-16 11:22
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
atm: clip: Fix memory leak of struct clip_vcc.
ioctl(ATMARP_MKIP) allocates struct clip_vcc and set it to
vcc->user_back.
The code assumes that vcc_destroy_socket() passes NULL skb
to vcc->push() when the socket is close()d, and then clip_push()
frees clip_vcc.
However, ioctl(ATMARPD_CTRL) sets NULL to vcc->push() in
atm_init_atmarp(), resulting in memory leak.
Let's serialise two ioctl() by lock_sock() and check vcc->push()
in atm_init_atmarp() to prevent memleak.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/atm/clip.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2fb37ab3226606cbfc9b2b6f9e301b0b735734c5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9e4dbeee56f614e3f1e166e5d0655a999ea185ef",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1c075e88d5859a2c6b43b27e0e46fb281cef8039",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0c17ff462d98c997d707ee5cf4e4a9b1b52b9d90",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1fb9fb5a4b5cec2d56e26525ef8c519de858fa60",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9f771816f14da6d6157a8c30069091abf6b566fb",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "cb2e4a2f8f268d8fba6662f663a2e57846f14a8d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "62dba28275a9a3104d4e33595c7b3328d4032d8d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/atm/clip.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.296",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.240",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.146",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.296",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.240",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.189",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.146",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.99",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.39",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.7",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\natm: clip: Fix memory leak of struct clip_vcc.\n\nioctl(ATMARP_MKIP) allocates struct clip_vcc and set it to\nvcc-\u003euser_back.\n\nThe code assumes that vcc_destroy_socket() passes NULL skb\nto vcc-\u003epush() when the socket is close()d, and then clip_push()\nfrees clip_vcc.\n\nHowever, ioctl(ATMARPD_CTRL) sets NULL to vcc-\u003epush() in\natm_init_atmarp(), resulting in memory leak.\n\nLet\u0027s serialise two ioctl() by lock_sock() and check vcc-\u003epush()\nin atm_init_atmarp() to prevent memleak."
}
],
"providerMetadata": {
"dateUpdated": "2025-08-16T11:22:20.477Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2fb37ab3226606cbfc9b2b6f9e301b0b735734c5"
},
{
"url": "https://git.kernel.org/stable/c/9e4dbeee56f614e3f1e166e5d0655a999ea185ef"
},
{
"url": "https://git.kernel.org/stable/c/1c075e88d5859a2c6b43b27e0e46fb281cef8039"
},
{
"url": "https://git.kernel.org/stable/c/0c17ff462d98c997d707ee5cf4e4a9b1b52b9d90"
},
{
"url": "https://git.kernel.org/stable/c/1fb9fb5a4b5cec2d56e26525ef8c519de858fa60"
},
{
"url": "https://git.kernel.org/stable/c/9f771816f14da6d6157a8c30069091abf6b566fb"
},
{
"url": "https://git.kernel.org/stable/c/cb2e4a2f8f268d8fba6662f663a2e57846f14a8d"
},
{
"url": "https://git.kernel.org/stable/c/62dba28275a9a3104d4e33595c7b3328d4032d8d"
}
],
"title": "atm: clip: Fix memory leak of struct clip_vcc.",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38546",
"datePublished": "2025-08-16T11:22:20.477Z",
"dateReserved": "2025-04-16T04:51:24.024Z",
"dateUpdated": "2025-08-16T11:22:20.477Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38608 (GCVE-0-2025-38608)
Vulnerability from cvelistv5
Published
2025-08-19 17:03
Modified
2025-09-29 05:54
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf, ktls: Fix data corruption when using bpf_msg_pop_data() in ktls
When sending plaintext data, we initially calculated the corresponding
ciphertext length. However, if we later reduced the plaintext data length
via socket policy, we failed to recalculate the ciphertext length.
This results in transmitting buffers containing uninitialized data during
ciphertext transmission.
This causes uninitialized bytes to be appended after a complete
"Application Data" packet, leading to errors on the receiving end when
parsing TLS record.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 7246d8ed4dcce23f7509949a77be15fa9f0e3d28 Version: 7246d8ed4dcce23f7509949a77be15fa9f0e3d28 Version: 7246d8ed4dcce23f7509949a77be15fa9f0e3d28 Version: 7246d8ed4dcce23f7509949a77be15fa9f0e3d28 Version: 7246d8ed4dcce23f7509949a77be15fa9f0e3d28 Version: 7246d8ed4dcce23f7509949a77be15fa9f0e3d28 Version: 7246d8ed4dcce23f7509949a77be15fa9f0e3d28 Version: 7246d8ed4dcce23f7509949a77be15fa9f0e3d28 Version: 7246d8ed4dcce23f7509949a77be15fa9f0e3d28 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/tls/tls_sw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6ba20ff3cdb96a908b9dc93cf247d0b087672e7c",
"status": "affected",
"version": "7246d8ed4dcce23f7509949a77be15fa9f0e3d28",
"versionType": "git"
},
{
"lessThan": "849d24dc5aed45ebeb3490df429356739256ac40",
"status": "affected",
"version": "7246d8ed4dcce23f7509949a77be15fa9f0e3d28",
"versionType": "git"
},
{
"lessThan": "73fc5d04009d3969ff8e8574f0fd769f04124e59",
"status": "affected",
"version": "7246d8ed4dcce23f7509949a77be15fa9f0e3d28",
"versionType": "git"
},
{
"lessThan": "16aca8bb4ad0d8a13c8b6da4007f4e52d53035bb",
"status": "affected",
"version": "7246d8ed4dcce23f7509949a77be15fa9f0e3d28",
"versionType": "git"
},
{
"lessThan": "0e853c1464bcf61207f8b5c32d2ac5ee495e859d",
"status": "affected",
"version": "7246d8ed4dcce23f7509949a77be15fa9f0e3d28",
"versionType": "git"
},
{
"lessThan": "ee03766d79de0f61ea29ffb6ab1c7b196ea1b02e",
"status": "affected",
"version": "7246d8ed4dcce23f7509949a77be15fa9f0e3d28",
"versionType": "git"
},
{
"lessThan": "90d6ef67440cec2a0aad71a0108c8f216437345c",
"status": "affected",
"version": "7246d8ed4dcce23f7509949a77be15fa9f0e3d28",
"versionType": "git"
},
{
"lessThan": "1e480387d4b42776f8957fb148af9d75ce93b96d",
"status": "affected",
"version": "7246d8ed4dcce23f7509949a77be15fa9f0e3d28",
"versionType": "git"
},
{
"lessThan": "178f6a5c8cb3b6be1602de0964cd440243f493c9",
"status": "affected",
"version": "7246d8ed4dcce23f7509949a77be15fa9f0e3d28",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/tls/tls_sw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.0"
},
{
"lessThan": "5.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.148",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.102",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.148",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.102",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.42",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.10",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, ktls: Fix data corruption when using bpf_msg_pop_data() in ktls\n\nWhen sending plaintext data, we initially calculated the corresponding\nciphertext length. However, if we later reduced the plaintext data length\nvia socket policy, we failed to recalculate the ciphertext length.\n\nThis results in transmitting buffers containing uninitialized data during\nciphertext transmission.\n\nThis causes uninitialized bytes to be appended after a complete\n\"Application Data\" packet, leading to errors on the receiving end when\nparsing TLS record."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:54:42.829Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6ba20ff3cdb96a908b9dc93cf247d0b087672e7c"
},
{
"url": "https://git.kernel.org/stable/c/849d24dc5aed45ebeb3490df429356739256ac40"
},
{
"url": "https://git.kernel.org/stable/c/73fc5d04009d3969ff8e8574f0fd769f04124e59"
},
{
"url": "https://git.kernel.org/stable/c/16aca8bb4ad0d8a13c8b6da4007f4e52d53035bb"
},
{
"url": "https://git.kernel.org/stable/c/0e853c1464bcf61207f8b5c32d2ac5ee495e859d"
},
{
"url": "https://git.kernel.org/stable/c/ee03766d79de0f61ea29ffb6ab1c7b196ea1b02e"
},
{
"url": "https://git.kernel.org/stable/c/90d6ef67440cec2a0aad71a0108c8f216437345c"
},
{
"url": "https://git.kernel.org/stable/c/1e480387d4b42776f8957fb148af9d75ce93b96d"
},
{
"url": "https://git.kernel.org/stable/c/178f6a5c8cb3b6be1602de0964cd440243f493c9"
}
],
"title": "bpf, ktls: Fix data corruption when using bpf_msg_pop_data() in ktls",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38608",
"datePublished": "2025-08-19T17:03:51.688Z",
"dateReserved": "2025-04-16T04:51:24.028Z",
"dateUpdated": "2025-09-29T05:54:42.829Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38635 (GCVE-0-2025-38635)
Vulnerability from cvelistv5
Published
2025-08-22 16:00
Modified
2025-09-29 05:55
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
clk: davinci: Add NULL check in davinci_lpsc_clk_register()
devm_kasprintf() returns NULL when memory allocation fails. Currently,
davinci_lpsc_clk_register() does not check for this case, which results
in a NULL pointer dereference.
Add NULL check after devm_kasprintf() to prevent this issue and ensuring
no resources are left allocated.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: c6ed4d734bc7f731709dab0ffd69eed499dd5277 Version: c6ed4d734bc7f731709dab0ffd69eed499dd5277 Version: c6ed4d734bc7f731709dab0ffd69eed499dd5277 Version: c6ed4d734bc7f731709dab0ffd69eed499dd5277 Version: c6ed4d734bc7f731709dab0ffd69eed499dd5277 Version: c6ed4d734bc7f731709dab0ffd69eed499dd5277 Version: c6ed4d734bc7f731709dab0ffd69eed499dd5277 Version: c6ed4d734bc7f731709dab0ffd69eed499dd5277 Version: c6ed4d734bc7f731709dab0ffd69eed499dd5277 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/clk/davinci/psc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "77e9ad7a2d0e2a771c9e0be04b9d1639413b5f13",
"status": "affected",
"version": "c6ed4d734bc7f731709dab0ffd69eed499dd5277",
"versionType": "git"
},
{
"lessThan": "7843412e5927dafbb844782c56b6380564064109",
"status": "affected",
"version": "c6ed4d734bc7f731709dab0ffd69eed499dd5277",
"versionType": "git"
},
{
"lessThan": "2adc945b70c4d97e9491a6c0c9f3b217a9eecfba",
"status": "affected",
"version": "c6ed4d734bc7f731709dab0ffd69eed499dd5277",
"versionType": "git"
},
{
"lessThan": "105e8115944a9f93e9412abe7bb07ed96725adf9",
"status": "affected",
"version": "c6ed4d734bc7f731709dab0ffd69eed499dd5277",
"versionType": "git"
},
{
"lessThan": "1d92608a29251278015f57f3572bc950db7519f0",
"status": "affected",
"version": "c6ed4d734bc7f731709dab0ffd69eed499dd5277",
"versionType": "git"
},
{
"lessThan": "7943ed1f05f5cb7372dca2aa227f848747a98791",
"status": "affected",
"version": "c6ed4d734bc7f731709dab0ffd69eed499dd5277",
"versionType": "git"
},
{
"lessThan": "6fb19cdcf040e1dec052a9032acb66cc2ad1d43f",
"status": "affected",
"version": "c6ed4d734bc7f731709dab0ffd69eed499dd5277",
"versionType": "git"
},
{
"lessThan": "23f564326deaafacfd7adf6104755b15216d8320",
"status": "affected",
"version": "c6ed4d734bc7f731709dab0ffd69eed499dd5277",
"versionType": "git"
},
{
"lessThan": "13de464f445d42738fe18c9a28bab056ba3a290a",
"status": "affected",
"version": "c6ed4d734bc7f731709dab0ffd69eed499dd5277",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/clk/davinci/psc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.148",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.102",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.148",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.102",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.42",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.10",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: davinci: Add NULL check in davinci_lpsc_clk_register()\n\ndevm_kasprintf() returns NULL when memory allocation fails. Currently,\ndavinci_lpsc_clk_register() does not check for this case, which results\nin a NULL pointer dereference.\n\nAdd NULL check after devm_kasprintf() to prevent this issue and ensuring\nno resources are left allocated."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:55:14.546Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/77e9ad7a2d0e2a771c9e0be04b9d1639413b5f13"
},
{
"url": "https://git.kernel.org/stable/c/7843412e5927dafbb844782c56b6380564064109"
},
{
"url": "https://git.kernel.org/stable/c/2adc945b70c4d97e9491a6c0c9f3b217a9eecfba"
},
{
"url": "https://git.kernel.org/stable/c/105e8115944a9f93e9412abe7bb07ed96725adf9"
},
{
"url": "https://git.kernel.org/stable/c/1d92608a29251278015f57f3572bc950db7519f0"
},
{
"url": "https://git.kernel.org/stable/c/7943ed1f05f5cb7372dca2aa227f848747a98791"
},
{
"url": "https://git.kernel.org/stable/c/6fb19cdcf040e1dec052a9032acb66cc2ad1d43f"
},
{
"url": "https://git.kernel.org/stable/c/23f564326deaafacfd7adf6104755b15216d8320"
},
{
"url": "https://git.kernel.org/stable/c/13de464f445d42738fe18c9a28bab056ba3a290a"
}
],
"title": "clk: davinci: Add NULL check in davinci_lpsc_clk_register()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38635",
"datePublished": "2025-08-22T16:00:43.181Z",
"dateReserved": "2025-04-16T04:51:24.030Z",
"dateUpdated": "2025-09-29T05:55:14.546Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38670 (GCVE-0-2025-38670)
Vulnerability from cvelistv5
Published
2025-08-22 16:03
Modified
2025-08-28 14:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
arm64/entry: Mask DAIF in cpu_switch_to(), call_on_irq_stack()
`cpu_switch_to()` and `call_on_irq_stack()` manipulate SP to change
to different stacks along with the Shadow Call Stack if it is enabled.
Those two stack changes cannot be done atomically and both functions
can be interrupted by SErrors or Debug Exceptions which, though unlikely,
is very much broken : if interrupted, we can end up with mismatched stacks
and Shadow Call Stack leading to clobbered stacks.
In `cpu_switch_to()`, it can happen when SP_EL0 points to the new task,
but x18 stills points to the old task's SCS. When the interrupt handler
tries to save the task's SCS pointer, it will save the old task
SCS pointer (x18) into the new task struct (pointed to by SP_EL0),
clobbering it.
In `call_on_irq_stack()`, it can happen when switching from the task stack
to the IRQ stack and when switching back. In both cases, we can be
interrupted when the SCS pointer points to the IRQ SCS, but SP points to
the task stack. The nested interrupt handler pushes its return addresses
on the IRQ SCS. It then detects that SP points to the task stack,
calls `call_on_irq_stack()` and clobbers the task SCS pointer with
the IRQ SCS pointer, which it will also use !
This leads to tasks returning to addresses on the wrong SCS,
or even on the IRQ SCS, triggering kernel panics via CONFIG_VMAP_STACK
or FPAC if enabled.
This is possible on a default config, but unlikely.
However, when enabling CONFIG_ARM64_PSEUDO_NMI, DAIF is unmasked and
instead the GIC is responsible for filtering what interrupts the CPU
should receive based on priority.
Given the goal of emulating NMIs, pseudo-NMIs can be received by the CPU
even in `cpu_switch_to()` and `call_on_irq_stack()`, possibly *very*
frequently depending on the system configuration and workload, leading
to unpredictable kernel panics.
Completely mask DAIF in `cpu_switch_to()` and restore it when returning.
Do the same in `call_on_irq_stack()`, but restore and mask around
the branch.
Mask DAIF even if CONFIG_SHADOW_CALL_STACK is not enabled for consistency
of behaviour between all configurations.
Introduce and use an assembly macro for saving and masking DAIF,
as the existing one saves but only masks IF.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 402d2b1d54b7085d0c3bfd01fd50c2701dde64b3 Version: 4403c7b7e5e1ad09a266b6e399fd7bf97931508e Version: 59b37fe52f49955791a460752c37145f1afdcad1 Version: 59b37fe52f49955791a460752c37145f1afdcad1 Version: 59b37fe52f49955791a460752c37145f1afdcad1 Version: 59b37fe52f49955791a460752c37145f1afdcad1 Version: e47ce4f11e26fa3ea99b09521da8b3ac3a7b578d |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/arm64/include/asm/assembler.h",
"arch/arm64/kernel/entry.S"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "407047893a64399f2d2390ff35cc6061107d805d",
"status": "affected",
"version": "402d2b1d54b7085d0c3bfd01fd50c2701dde64b3",
"versionType": "git"
},
{
"lessThan": "a6b0cb523eaa01efe8a3f76ced493ba60674c6e6",
"status": "affected",
"version": "4403c7b7e5e1ad09a266b6e399fd7bf97931508e",
"versionType": "git"
},
{
"lessThan": "9433a5f437b0948d6a2d8a02ad7a42ab7ca27a61",
"status": "affected",
"version": "59b37fe52f49955791a460752c37145f1afdcad1",
"versionType": "git"
},
{
"lessThan": "708fd522b86d2a9544c34ec6a86fa3fc23336525",
"status": "affected",
"version": "59b37fe52f49955791a460752c37145f1afdcad1",
"versionType": "git"
},
{
"lessThan": "0f67015d72627bad72da3c2084352e0aa134416b",
"status": "affected",
"version": "59b37fe52f49955791a460752c37145f1afdcad1",
"versionType": "git"
},
{
"lessThan": "d42e6c20de6192f8e4ab4cf10be8c694ef27e8cb",
"status": "affected",
"version": "59b37fe52f49955791a460752c37145f1afdcad1",
"versionType": "git"
},
{
"status": "affected",
"version": "e47ce4f11e26fa3ea99b09521da8b3ac3a7b578d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/arm64/include/asm/assembler.h",
"arch/arm64/kernel/entry.S"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.101",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.41",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "5.15.111",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"versionStartIncluding": "6.1.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.101",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.41",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.9",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.2.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64/entry: Mask DAIF in cpu_switch_to(), call_on_irq_stack()\n\n`cpu_switch_to()` and `call_on_irq_stack()` manipulate SP to change\nto different stacks along with the Shadow Call Stack if it is enabled.\nThose two stack changes cannot be done atomically and both functions\ncan be interrupted by SErrors or Debug Exceptions which, though unlikely,\nis very much broken : if interrupted, we can end up with mismatched stacks\nand Shadow Call Stack leading to clobbered stacks.\n\nIn `cpu_switch_to()`, it can happen when SP_EL0 points to the new task,\nbut x18 stills points to the old task\u0027s SCS. When the interrupt handler\ntries to save the task\u0027s SCS pointer, it will save the old task\nSCS pointer (x18) into the new task struct (pointed to by SP_EL0),\nclobbering it.\n\nIn `call_on_irq_stack()`, it can happen when switching from the task stack\nto the IRQ stack and when switching back. In both cases, we can be\ninterrupted when the SCS pointer points to the IRQ SCS, but SP points to\nthe task stack. The nested interrupt handler pushes its return addresses\non the IRQ SCS. It then detects that SP points to the task stack,\ncalls `call_on_irq_stack()` and clobbers the task SCS pointer with\nthe IRQ SCS pointer, which it will also use !\n\nThis leads to tasks returning to addresses on the wrong SCS,\nor even on the IRQ SCS, triggering kernel panics via CONFIG_VMAP_STACK\nor FPAC if enabled.\n\nThis is possible on a default config, but unlikely.\nHowever, when enabling CONFIG_ARM64_PSEUDO_NMI, DAIF is unmasked and\ninstead the GIC is responsible for filtering what interrupts the CPU\nshould receive based on priority.\nGiven the goal of emulating NMIs, pseudo-NMIs can be received by the CPU\neven in `cpu_switch_to()` and `call_on_irq_stack()`, possibly *very*\nfrequently depending on the system configuration and workload, leading\nto unpredictable kernel panics.\n\nCompletely mask DAIF in `cpu_switch_to()` and restore it when returning.\nDo the same in `call_on_irq_stack()`, but restore and mask around\nthe branch.\nMask DAIF even if CONFIG_SHADOW_CALL_STACK is not enabled for consistency\nof behaviour between all configurations.\n\nIntroduce and use an assembly macro for saving and masking DAIF,\nas the existing one saves but only masks IF."
}
],
"providerMetadata": {
"dateUpdated": "2025-08-28T14:44:36.147Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/407047893a64399f2d2390ff35cc6061107d805d"
},
{
"url": "https://git.kernel.org/stable/c/a6b0cb523eaa01efe8a3f76ced493ba60674c6e6"
},
{
"url": "https://git.kernel.org/stable/c/9433a5f437b0948d6a2d8a02ad7a42ab7ca27a61"
},
{
"url": "https://git.kernel.org/stable/c/708fd522b86d2a9544c34ec6a86fa3fc23336525"
},
{
"url": "https://git.kernel.org/stable/c/0f67015d72627bad72da3c2084352e0aa134416b"
},
{
"url": "https://git.kernel.org/stable/c/d42e6c20de6192f8e4ab4cf10be8c694ef27e8cb"
}
],
"title": "arm64/entry: Mask DAIF in cpu_switch_to(), call_on_irq_stack()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38670",
"datePublished": "2025-08-22T16:03:01.242Z",
"dateReserved": "2025-04-16T04:51:24.031Z",
"dateUpdated": "2025-08-28T14:44:36.147Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38581 (GCVE-0-2025-38581)
Vulnerability from cvelistv5
Published
2025-08-19 17:03
Modified
2025-09-29 05:54
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: ccp - Fix crash when rebind ccp device for ccp.ko
When CONFIG_CRYPTO_DEV_CCP_DEBUGFS is enabled, rebinding
the ccp device causes the following crash:
$ echo '0000:0a:00.2' > /sys/bus/pci/drivers/ccp/unbind
$ echo '0000:0a:00.2' > /sys/bus/pci/drivers/ccp/bind
[ 204.976930] BUG: kernel NULL pointer dereference, address: 0000000000000098
[ 204.978026] #PF: supervisor write access in kernel mode
[ 204.979126] #PF: error_code(0x0002) - not-present page
[ 204.980226] PGD 0 P4D 0
[ 204.981317] Oops: Oops: 0002 [#1] SMP NOPTI
...
[ 204.997852] Call Trace:
[ 204.999074] <TASK>
[ 205.000297] start_creating+0x9f/0x1c0
[ 205.001533] debugfs_create_dir+0x1f/0x170
[ 205.002769] ? srso_return_thunk+0x5/0x5f
[ 205.004000] ccp5_debugfs_setup+0x87/0x170 [ccp]
[ 205.005241] ccp5_init+0x8b2/0x960 [ccp]
[ 205.006469] ccp_dev_init+0xd4/0x150 [ccp]
[ 205.007709] sp_init+0x5f/0x80 [ccp]
[ 205.008942] sp_pci_probe+0x283/0x2e0 [ccp]
[ 205.010165] ? srso_return_thunk+0x5/0x5f
[ 205.011376] local_pci_probe+0x4f/0xb0
[ 205.012584] pci_device_probe+0xdb/0x230
[ 205.013810] really_probe+0xed/0x380
[ 205.015024] __driver_probe_device+0x7e/0x160
[ 205.016240] device_driver_attach+0x2f/0x60
[ 205.017457] bind_store+0x7c/0xb0
[ 205.018663] drv_attr_store+0x28/0x40
[ 205.019868] sysfs_kf_write+0x5f/0x70
[ 205.021065] kernfs_fop_write_iter+0x145/0x1d0
[ 205.022267] vfs_write+0x308/0x440
[ 205.023453] ksys_write+0x6d/0xe0
[ 205.024616] __x64_sys_write+0x1e/0x30
[ 205.025778] x64_sys_call+0x16ba/0x2150
[ 205.026942] do_syscall_64+0x56/0x1e0
[ 205.028108] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 205.029276] RIP: 0033:0x7fbc36f10104
[ 205.030420] Code: 89 02 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 8d 05 e1 08 2e 00 8b 00 85 c0 75 13 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 f3 c3 66 90 41 54 55 49 89 d4 53 48 89 f5
This patch sets ccp_debugfs_dir to NULL after destroying it in
ccp5_debugfs_destroy, allowing the directory dentry to be
recreated when rebinding the ccp device.
Tested on AMD Ryzen 7 1700X.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 3cdbe346ed3f380eae1cb3e9febfe703e7d8a7b0 Version: 3cdbe346ed3f380eae1cb3e9febfe703e7d8a7b0 Version: 3cdbe346ed3f380eae1cb3e9febfe703e7d8a7b0 Version: 3cdbe346ed3f380eae1cb3e9febfe703e7d8a7b0 Version: 3cdbe346ed3f380eae1cb3e9febfe703e7d8a7b0 Version: 3cdbe346ed3f380eae1cb3e9febfe703e7d8a7b0 Version: 3cdbe346ed3f380eae1cb3e9febfe703e7d8a7b0 Version: 3cdbe346ed3f380eae1cb3e9febfe703e7d8a7b0 Version: 3cdbe346ed3f380eae1cb3e9febfe703e7d8a7b0 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/crypto/ccp/ccp-debugfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a25ab6dfa0ce323ec308966988be6b675eb9d3e5",
"status": "affected",
"version": "3cdbe346ed3f380eae1cb3e9febfe703e7d8a7b0",
"versionType": "git"
},
{
"lessThan": "ce63a83925964ab7564bd216bd92b80bc365492e",
"status": "affected",
"version": "3cdbe346ed3f380eae1cb3e9febfe703e7d8a7b0",
"versionType": "git"
},
{
"lessThan": "20c0ed8dd65834e6bab464f54cd6ff68659bacb9",
"status": "affected",
"version": "3cdbe346ed3f380eae1cb3e9febfe703e7d8a7b0",
"versionType": "git"
},
{
"lessThan": "2d4060f05e74dbee884ba723f6afd9282befc3c5",
"status": "affected",
"version": "3cdbe346ed3f380eae1cb3e9febfe703e7d8a7b0",
"versionType": "git"
},
{
"lessThan": "db111468531777cac8b4beb6515a88a54b0c4a74",
"status": "affected",
"version": "3cdbe346ed3f380eae1cb3e9febfe703e7d8a7b0",
"versionType": "git"
},
{
"lessThan": "9dea08eac4f6d6fbbae59992978252e2edab995d",
"status": "affected",
"version": "3cdbe346ed3f380eae1cb3e9febfe703e7d8a7b0",
"versionType": "git"
},
{
"lessThan": "6eadf50c1d894cb34f3237064063207460946040",
"status": "affected",
"version": "3cdbe346ed3f380eae1cb3e9febfe703e7d8a7b0",
"versionType": "git"
},
{
"lessThan": "64ec9a7e7a6398b172ab6feba60e952163a1c3d5",
"status": "affected",
"version": "3cdbe346ed3f380eae1cb3e9febfe703e7d8a7b0",
"versionType": "git"
},
{
"lessThan": "181698af38d3f93381229ad89c09b5bd0496661a",
"status": "affected",
"version": "3cdbe346ed3f380eae1cb3e9febfe703e7d8a7b0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/crypto/ccp/ccp-debugfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.13"
},
{
"lessThan": "4.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.148",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.102",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.148",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.102",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.42",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.10",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: ccp - Fix crash when rebind ccp device for ccp.ko\n\nWhen CONFIG_CRYPTO_DEV_CCP_DEBUGFS is enabled, rebinding\nthe ccp device causes the following crash:\n\n$ echo \u00270000:0a:00.2\u0027 \u003e /sys/bus/pci/drivers/ccp/unbind\n$ echo \u00270000:0a:00.2\u0027 \u003e /sys/bus/pci/drivers/ccp/bind\n\n[ 204.976930] BUG: kernel NULL pointer dereference, address: 0000000000000098\n[ 204.978026] #PF: supervisor write access in kernel mode\n[ 204.979126] #PF: error_code(0x0002) - not-present page\n[ 204.980226] PGD 0 P4D 0\n[ 204.981317] Oops: Oops: 0002 [#1] SMP NOPTI\n...\n[ 204.997852] Call Trace:\n[ 204.999074] \u003cTASK\u003e\n[ 205.000297] start_creating+0x9f/0x1c0\n[ 205.001533] debugfs_create_dir+0x1f/0x170\n[ 205.002769] ? srso_return_thunk+0x5/0x5f\n[ 205.004000] ccp5_debugfs_setup+0x87/0x170 [ccp]\n[ 205.005241] ccp5_init+0x8b2/0x960 [ccp]\n[ 205.006469] ccp_dev_init+0xd4/0x150 [ccp]\n[ 205.007709] sp_init+0x5f/0x80 [ccp]\n[ 205.008942] sp_pci_probe+0x283/0x2e0 [ccp]\n[ 205.010165] ? srso_return_thunk+0x5/0x5f\n[ 205.011376] local_pci_probe+0x4f/0xb0\n[ 205.012584] pci_device_probe+0xdb/0x230\n[ 205.013810] really_probe+0xed/0x380\n[ 205.015024] __driver_probe_device+0x7e/0x160\n[ 205.016240] device_driver_attach+0x2f/0x60\n[ 205.017457] bind_store+0x7c/0xb0\n[ 205.018663] drv_attr_store+0x28/0x40\n[ 205.019868] sysfs_kf_write+0x5f/0x70\n[ 205.021065] kernfs_fop_write_iter+0x145/0x1d0\n[ 205.022267] vfs_write+0x308/0x440\n[ 205.023453] ksys_write+0x6d/0xe0\n[ 205.024616] __x64_sys_write+0x1e/0x30\n[ 205.025778] x64_sys_call+0x16ba/0x2150\n[ 205.026942] do_syscall_64+0x56/0x1e0\n[ 205.028108] entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[ 205.029276] RIP: 0033:0x7fbc36f10104\n[ 205.030420] Code: 89 02 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 8d 05 e1 08 2e 00 8b 00 85 c0 75 13 b8 01 00 00 00 0f 05 \u003c48\u003e 3d 00 f0 ff ff 77 54 f3 c3 66 90 41 54 55 49 89 d4 53 48 89 f5\n\nThis patch sets ccp_debugfs_dir to NULL after destroying it in\nccp5_debugfs_destroy, allowing the directory dentry to be\nrecreated when rebinding the ccp device.\n\nTested on AMD Ryzen 7 1700X."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:54:12.571Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a25ab6dfa0ce323ec308966988be6b675eb9d3e5"
},
{
"url": "https://git.kernel.org/stable/c/ce63a83925964ab7564bd216bd92b80bc365492e"
},
{
"url": "https://git.kernel.org/stable/c/20c0ed8dd65834e6bab464f54cd6ff68659bacb9"
},
{
"url": "https://git.kernel.org/stable/c/2d4060f05e74dbee884ba723f6afd9282befc3c5"
},
{
"url": "https://git.kernel.org/stable/c/db111468531777cac8b4beb6515a88a54b0c4a74"
},
{
"url": "https://git.kernel.org/stable/c/9dea08eac4f6d6fbbae59992978252e2edab995d"
},
{
"url": "https://git.kernel.org/stable/c/6eadf50c1d894cb34f3237064063207460946040"
},
{
"url": "https://git.kernel.org/stable/c/64ec9a7e7a6398b172ab6feba60e952163a1c3d5"
},
{
"url": "https://git.kernel.org/stable/c/181698af38d3f93381229ad89c09b5bd0496661a"
}
],
"title": "crypto: ccp - Fix crash when rebind ccp device for ccp.ko",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38581",
"datePublished": "2025-08-19T17:03:03.718Z",
"dateReserved": "2025-04-16T04:51:24.026Z",
"dateUpdated": "2025-09-29T05:54:12.571Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38634 (GCVE-0-2025-38634)
Vulnerability from cvelistv5
Published
2025-08-22 16:00
Modified
2025-09-29 05:55
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
power: supply: cpcap-charger: Fix null check for power_supply_get_by_name
In the cpcap_usb_detect() function, the power_supply_get_by_name()
function may return `NULL` instead of an error pointer.
To prevent potential null pointer dereferences, Added a null check.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: eab4e6d953c1059a30ac0f15826abc7dd2374d3c Version: eab4e6d953c1059a30ac0f15826abc7dd2374d3c Version: eab4e6d953c1059a30ac0f15826abc7dd2374d3c Version: eab4e6d953c1059a30ac0f15826abc7dd2374d3c Version: eab4e6d953c1059a30ac0f15826abc7dd2374d3c Version: eab4e6d953c1059a30ac0f15826abc7dd2374d3c Version: eab4e6d953c1059a30ac0f15826abc7dd2374d3c |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/power/supply/cpcap-charger.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4ebbb9106aaa2fd58e0359bc3a2490953db2ef0c",
"status": "affected",
"version": "eab4e6d953c1059a30ac0f15826abc7dd2374d3c",
"versionType": "git"
},
{
"lessThan": "a2436263144980cc99a9860c7b43335847afbe53",
"status": "affected",
"version": "eab4e6d953c1059a30ac0f15826abc7dd2374d3c",
"versionType": "git"
},
{
"lessThan": "8e9bdb563916287ba1b4258812434e0585ac6d00",
"status": "affected",
"version": "eab4e6d953c1059a30ac0f15826abc7dd2374d3c",
"versionType": "git"
},
{
"lessThan": "f642500aa7ed93d2606e4f929244cce9c7467b3a",
"status": "affected",
"version": "eab4e6d953c1059a30ac0f15826abc7dd2374d3c",
"versionType": "git"
},
{
"lessThan": "9784d832d7c103539cd9afb376534eaa35815d3d",
"status": "affected",
"version": "eab4e6d953c1059a30ac0f15826abc7dd2374d3c",
"versionType": "git"
},
{
"lessThan": "27001e4f146624c4b3389b029bdc0f8049819560",
"status": "affected",
"version": "eab4e6d953c1059a30ac0f15826abc7dd2374d3c",
"versionType": "git"
},
{
"lessThan": "d9fa3aae08f99493e67fb79413c0e95d30fca5e9",
"status": "affected",
"version": "eab4e6d953c1059a30ac0f15826abc7dd2374d3c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/power/supply/cpcap-charger.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.148",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.102",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.148",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.102",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.42",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.10",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npower: supply: cpcap-charger: Fix null check for power_supply_get_by_name\n\nIn the cpcap_usb_detect() function, the power_supply_get_by_name()\nfunction may return `NULL` instead of an error pointer.\nTo prevent potential null pointer dereferences, Added a null check."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:55:13.375Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4ebbb9106aaa2fd58e0359bc3a2490953db2ef0c"
},
{
"url": "https://git.kernel.org/stable/c/a2436263144980cc99a9860c7b43335847afbe53"
},
{
"url": "https://git.kernel.org/stable/c/8e9bdb563916287ba1b4258812434e0585ac6d00"
},
{
"url": "https://git.kernel.org/stable/c/f642500aa7ed93d2606e4f929244cce9c7467b3a"
},
{
"url": "https://git.kernel.org/stable/c/9784d832d7c103539cd9afb376534eaa35815d3d"
},
{
"url": "https://git.kernel.org/stable/c/27001e4f146624c4b3389b029bdc0f8049819560"
},
{
"url": "https://git.kernel.org/stable/c/d9fa3aae08f99493e67fb79413c0e95d30fca5e9"
}
],
"title": "power: supply: cpcap-charger: Fix null check for power_supply_get_by_name",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38634",
"datePublished": "2025-08-22T16:00:42.376Z",
"dateReserved": "2025-04-16T04:51:24.030Z",
"dateUpdated": "2025-09-29T05:55:13.375Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-49867 (GCVE-0-2024-49867)
Vulnerability from cvelistv5
Published
2024-10-21 18:01
Modified
2025-05-04 09:39
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: wait for fixup workers before stopping cleaner kthread during umount
During unmount, at close_ctree(), we have the following steps in this order:
1) Park the cleaner kthread - this doesn't destroy the kthread, it basically
halts its execution (wake ups against it work but do nothing);
2) We stop the cleaner kthread - this results in freeing the respective
struct task_struct;
3) We call btrfs_stop_all_workers() which waits for any jobs running in all
the work queues and then free the work queues.
Syzbot reported a case where a fixup worker resulted in a crash when doing
a delayed iput on its inode while attempting to wake up the cleaner at
btrfs_add_delayed_iput(), because the task_struct of the cleaner kthread
was already freed. This can happen during unmount because we don't wait
for any fixup workers still running before we call kthread_stop() against
the cleaner kthread, which stops and free all its resources.
Fix this by waiting for any fixup workers at close_ctree() before we call
kthread_stop() against the cleaner and run pending delayed iputs.
The stack traces reported by syzbot were the following:
BUG: KASAN: slab-use-after-free in __lock_acquire+0x77/0x2050 kernel/locking/lockdep.c:5065
Read of size 8 at addr ffff8880272a8a18 by task kworker/u8:3/52
CPU: 1 UID: 0 PID: 52 Comm: kworker/u8:3 Not tainted 6.12.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: btrfs-fixup btrfs_work_helper
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
__lock_acquire+0x77/0x2050 kernel/locking/lockdep.c:5065
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5825
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162
class_raw_spinlock_irqsave_constructor include/linux/spinlock.h:551 [inline]
try_to_wake_up+0xb0/0x1480 kernel/sched/core.c:4154
btrfs_writepage_fixup_worker+0xc16/0xdf0 fs/btrfs/inode.c:2842
btrfs_work_helper+0x390/0xc50 fs/btrfs/async-thread.c:314
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x2f0/0x390 kernel/kthread.c:389
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
Allocated by task 2:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
unpoison_slab_object mm/kasan/common.c:319 [inline]
__kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:345
kasan_slab_alloc include/linux/kasan.h:247 [inline]
slab_post_alloc_hook mm/slub.c:4086 [inline]
slab_alloc_node mm/slub.c:4135 [inline]
kmem_cache_alloc_node_noprof+0x16b/0x320 mm/slub.c:4187
alloc_task_struct_node kernel/fork.c:180 [inline]
dup_task_struct+0x57/0x8c0 kernel/fork.c:1107
copy_process+0x5d1/0x3d50 kernel/fork.c:2206
kernel_clone+0x223/0x880 kernel/fork.c:2787
kernel_thread+0x1bc/0x240 kernel/fork.c:2849
create_kthread kernel/kthread.c:412 [inline]
kthreadd+0x60d/0x810 kernel/kthread.c:765
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Freed by task 61:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x59/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:230 [inline]
slab_free_h
---truncated---
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-49867",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-22T13:47:28.241887Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-22T13:48:52.483Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/disk-io.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cd686dfff63f27d712877aef5b962fbf6b8bc264",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a71349b692ab34ea197949e13e3cc42570fe73d9",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "70b60c8d9b42763d6629e44f448aa5d8ae477d61",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4c98fe0dfa2ae83c4631699695506d8941db4bfe",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9da40aea63f8769f28afb91aea0fac4cf6fbbb65",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ed87190e9d9c80aad220fb6b0b03a84d22e2c95b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "bf0de0f9a0544c11f96f93206da04ab87dcea1f4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "65d11eb276836d49003a8060cf31fa2284ad1047",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "41fd1e94066a815a7ab0a7025359e9b40e4b3576",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/disk-io.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.323",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.285",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.227",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.10.*",
"status": "unaffected",
"version": "6.10.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"version": "6.11.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.12",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.323",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.285",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.227",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.168",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.113",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.55",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: wait for fixup workers before stopping cleaner kthread during umount\n\nDuring unmount, at close_ctree(), we have the following steps in this order:\n\n1) Park the cleaner kthread - this doesn\u0027t destroy the kthread, it basically\n halts its execution (wake ups against it work but do nothing);\n\n2) We stop the cleaner kthread - this results in freeing the respective\n struct task_struct;\n\n3) We call btrfs_stop_all_workers() which waits for any jobs running in all\n the work queues and then free the work queues.\n\nSyzbot reported a case where a fixup worker resulted in a crash when doing\na delayed iput on its inode while attempting to wake up the cleaner at\nbtrfs_add_delayed_iput(), because the task_struct of the cleaner kthread\nwas already freed. This can happen during unmount because we don\u0027t wait\nfor any fixup workers still running before we call kthread_stop() against\nthe cleaner kthread, which stops and free all its resources.\n\nFix this by waiting for any fixup workers at close_ctree() before we call\nkthread_stop() against the cleaner and run pending delayed iputs.\n\nThe stack traces reported by syzbot were the following:\n\n BUG: KASAN: slab-use-after-free in __lock_acquire+0x77/0x2050 kernel/locking/lockdep.c:5065\n Read of size 8 at addr ffff8880272a8a18 by task kworker/u8:3/52\n\n CPU: 1 UID: 0 PID: 52 Comm: kworker/u8:3 Not tainted 6.12.0-rc1-syzkaller #0\n Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\n Workqueue: btrfs-fixup btrfs_work_helper\n Call Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:488\n kasan_report+0x143/0x180 mm/kasan/report.c:601\n __lock_acquire+0x77/0x2050 kernel/locking/lockdep.c:5065\n lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5825\n __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]\n _raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162\n class_raw_spinlock_irqsave_constructor include/linux/spinlock.h:551 [inline]\n try_to_wake_up+0xb0/0x1480 kernel/sched/core.c:4154\n btrfs_writepage_fixup_worker+0xc16/0xdf0 fs/btrfs/inode.c:2842\n btrfs_work_helper+0x390/0xc50 fs/btrfs/async-thread.c:314\n process_one_work kernel/workqueue.c:3229 [inline]\n process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310\n worker_thread+0x870/0xd30 kernel/workqueue.c:3391\n kthread+0x2f0/0x390 kernel/kthread.c:389\n ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n \u003c/TASK\u003e\n\n Allocated by task 2:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n unpoison_slab_object mm/kasan/common.c:319 [inline]\n __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:345\n kasan_slab_alloc include/linux/kasan.h:247 [inline]\n slab_post_alloc_hook mm/slub.c:4086 [inline]\n slab_alloc_node mm/slub.c:4135 [inline]\n kmem_cache_alloc_node_noprof+0x16b/0x320 mm/slub.c:4187\n alloc_task_struct_node kernel/fork.c:180 [inline]\n dup_task_struct+0x57/0x8c0 kernel/fork.c:1107\n copy_process+0x5d1/0x3d50 kernel/fork.c:2206\n kernel_clone+0x223/0x880 kernel/fork.c:2787\n kernel_thread+0x1bc/0x240 kernel/fork.c:2849\n create_kthread kernel/kthread.c:412 [inline]\n kthreadd+0x60d/0x810 kernel/kthread.c:765\n ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n\n Freed by task 61:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579\n poison_slab_object mm/kasan/common.c:247 [inline]\n __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264\n kasan_slab_free include/linux/kasan.h:230 [inline]\n slab_free_h\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:39:55.189Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cd686dfff63f27d712877aef5b962fbf6b8bc264"
},
{
"url": "https://git.kernel.org/stable/c/a71349b692ab34ea197949e13e3cc42570fe73d9"
},
{
"url": "https://git.kernel.org/stable/c/70b60c8d9b42763d6629e44f448aa5d8ae477d61"
},
{
"url": "https://git.kernel.org/stable/c/4c98fe0dfa2ae83c4631699695506d8941db4bfe"
},
{
"url": "https://git.kernel.org/stable/c/9da40aea63f8769f28afb91aea0fac4cf6fbbb65"
},
{
"url": "https://git.kernel.org/stable/c/ed87190e9d9c80aad220fb6b0b03a84d22e2c95b"
},
{
"url": "https://git.kernel.org/stable/c/bf0de0f9a0544c11f96f93206da04ab87dcea1f4"
},
{
"url": "https://git.kernel.org/stable/c/65d11eb276836d49003a8060cf31fa2284ad1047"
},
{
"url": "https://git.kernel.org/stable/c/41fd1e94066a815a7ab0a7025359e9b40e4b3576"
}
],
"title": "btrfs: wait for fixup workers before stopping cleaner kthread during umount",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-49867",
"datePublished": "2024-10-21T18:01:09.962Z",
"dateReserved": "2024-10-21T12:17:06.018Z",
"dateUpdated": "2025-05-04T09:39:55.189Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38464 (GCVE-0-2025-38464)
Vulnerability from cvelistv5
Published
2025-07-25 15:27
Modified
2025-07-28 04:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tipc: Fix use-after-free in tipc_conn_close().
syzbot reported a null-ptr-deref in tipc_conn_close() during netns
dismantle. [0]
tipc_topsrv_stop() iterates tipc_net(net)->topsrv->conn_idr and calls
tipc_conn_close() for each tipc_conn.
The problem is that tipc_conn_close() is called after releasing the
IDR lock.
At the same time, there might be tipc_conn_recv_work() running and it
could call tipc_conn_close() for the same tipc_conn and release its
last ->kref.
Once we release the IDR lock in tipc_topsrv_stop(), there is no
guarantee that the tipc_conn is alive.
Let's hold the ref before releasing the lock and put the ref after
tipc_conn_close() in tipc_topsrv_stop().
[0]:
BUG: KASAN: use-after-free in tipc_conn_close+0x122/0x140 net/tipc/topsrv.c:165
Read of size 8 at addr ffff888099305a08 by task kworker/u4:3/435
CPU: 0 PID: 435 Comm: kworker/u4:3 Not tainted 4.19.204-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: netns cleanup_net
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354
kasan_report mm/kasan/report.c:412 [inline]
__asan_report_load8_noabort+0x88/0x90 mm/kasan/report.c:433
tipc_conn_close+0x122/0x140 net/tipc/topsrv.c:165
tipc_topsrv_stop net/tipc/topsrv.c:701 [inline]
tipc_topsrv_exit_net+0x27b/0x5c0 net/tipc/topsrv.c:722
ops_exit_list+0xa5/0x150 net/core/net_namespace.c:153
cleanup_net+0x3b4/0x8b0 net/core/net_namespace.c:553
process_one_work+0x864/0x1570 kernel/workqueue.c:2153
worker_thread+0x64c/0x1130 kernel/workqueue.c:2296
kthread+0x33f/0x460 kernel/kthread.c:259
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
Allocated by task 23:
kmem_cache_alloc_trace+0x12f/0x380 mm/slab.c:3625
kmalloc include/linux/slab.h:515 [inline]
kzalloc include/linux/slab.h:709 [inline]
tipc_conn_alloc+0x43/0x4f0 net/tipc/topsrv.c:192
tipc_topsrv_accept+0x1b5/0x280 net/tipc/topsrv.c:470
process_one_work+0x864/0x1570 kernel/workqueue.c:2153
worker_thread+0x64c/0x1130 kernel/workqueue.c:2296
kthread+0x33f/0x460 kernel/kthread.c:259
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
Freed by task 23:
__cache_free mm/slab.c:3503 [inline]
kfree+0xcc/0x210 mm/slab.c:3822
tipc_conn_kref_release net/tipc/topsrv.c:150 [inline]
kref_put include/linux/kref.h:70 [inline]
conn_put+0x2cd/0x3a0 net/tipc/topsrv.c:155
process_one_work+0x864/0x1570 kernel/workqueue.c:2153
worker_thread+0x64c/0x1130 kernel/workqueue.c:2296
kthread+0x33f/0x460 kernel/kthread.c:259
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
The buggy address belongs to the object at ffff888099305a00
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 8 bytes inside of
512-byte region [ffff888099305a00, ffff888099305c00)
The buggy address belongs to the page:
page:ffffea000264c140 count:1 mapcount:0 mapping:ffff88813bff0940 index:0x0
flags: 0xfff00000000100(slab)
raw: 00fff00000000100 ffffea00028b6b88 ffffea0002cd2b08 ffff88813bff0940
raw: 0000000000000000 ffff888099305000 0000000100000006 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888099305900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888099305980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888099305a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888099305a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888099305b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: c5fa7b3cf3cb22e4ac60485fc2dc187fe012910f Version: c5fa7b3cf3cb22e4ac60485fc2dc187fe012910f Version: c5fa7b3cf3cb22e4ac60485fc2dc187fe012910f Version: c5fa7b3cf3cb22e4ac60485fc2dc187fe012910f Version: c5fa7b3cf3cb22e4ac60485fc2dc187fe012910f Version: c5fa7b3cf3cb22e4ac60485fc2dc187fe012910f Version: c5fa7b3cf3cb22e4ac60485fc2dc187fe012910f Version: c5fa7b3cf3cb22e4ac60485fc2dc187fe012910f |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/tipc/topsrv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "03dcdd2558e1e55bf843822fe4363dcb48743f2b",
"status": "affected",
"version": "c5fa7b3cf3cb22e4ac60485fc2dc187fe012910f",
"versionType": "git"
},
{
"lessThan": "15a6f4971e2f157d57e09ea748d1fbc714277aa4",
"status": "affected",
"version": "c5fa7b3cf3cb22e4ac60485fc2dc187fe012910f",
"versionType": "git"
},
{
"lessThan": "dab8ded2e5ff41012a6ff400b44dbe76ccf3592a",
"status": "affected",
"version": "c5fa7b3cf3cb22e4ac60485fc2dc187fe012910f",
"versionType": "git"
},
{
"lessThan": "1dbf7cd2454a28b1da700085b99346b5445aeabb",
"status": "affected",
"version": "c5fa7b3cf3cb22e4ac60485fc2dc187fe012910f",
"versionType": "git"
},
{
"lessThan": "be4b8392da7978294f2f368799d29dd509fb6c4d",
"status": "affected",
"version": "c5fa7b3cf3cb22e4ac60485fc2dc187fe012910f",
"versionType": "git"
},
{
"lessThan": "50aa2d121bc2cfe2d825f8a331ea75dfaaab6a50",
"status": "affected",
"version": "c5fa7b3cf3cb22e4ac60485fc2dc187fe012910f",
"versionType": "git"
},
{
"lessThan": "3b89e17b2fd64012682bed158d9eb3d2e96dec42",
"status": "affected",
"version": "c5fa7b3cf3cb22e4ac60485fc2dc187fe012910f",
"versionType": "git"
},
{
"lessThan": "667eeab4999e981c96b447a4df5f20bdf5c26f13",
"status": "affected",
"version": "c5fa7b3cf3cb22e4ac60485fc2dc187fe012910f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/tipc/topsrv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.11"
},
{
"lessThan": "3.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.296",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.240",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.146",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.296",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.240",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.189",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.146",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.99",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.39",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.7",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "3.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: Fix use-after-free in tipc_conn_close().\n\nsyzbot reported a null-ptr-deref in tipc_conn_close() during netns\ndismantle. [0]\n\ntipc_topsrv_stop() iterates tipc_net(net)-\u003etopsrv-\u003econn_idr and calls\ntipc_conn_close() for each tipc_conn.\n\nThe problem is that tipc_conn_close() is called after releasing the\nIDR lock.\n\nAt the same time, there might be tipc_conn_recv_work() running and it\ncould call tipc_conn_close() for the same tipc_conn and release its\nlast -\u003ekref.\n\nOnce we release the IDR lock in tipc_topsrv_stop(), there is no\nguarantee that the tipc_conn is alive.\n\nLet\u0027s hold the ref before releasing the lock and put the ref after\ntipc_conn_close() in tipc_topsrv_stop().\n\n[0]:\nBUG: KASAN: use-after-free in tipc_conn_close+0x122/0x140 net/tipc/topsrv.c:165\nRead of size 8 at addr ffff888099305a08 by task kworker/u4:3/435\n\nCPU: 0 PID: 435 Comm: kworker/u4:3 Not tainted 4.19.204-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nWorkqueue: netns cleanup_net\nCall Trace:\n __dump_stack lib/dump_stack.c:77 [inline]\n dump_stack+0x1fc/0x2ef lib/dump_stack.c:118\n print_address_description.cold+0x54/0x219 mm/kasan/report.c:256\n kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354\n kasan_report mm/kasan/report.c:412 [inline]\n __asan_report_load8_noabort+0x88/0x90 mm/kasan/report.c:433\n tipc_conn_close+0x122/0x140 net/tipc/topsrv.c:165\n tipc_topsrv_stop net/tipc/topsrv.c:701 [inline]\n tipc_topsrv_exit_net+0x27b/0x5c0 net/tipc/topsrv.c:722\n ops_exit_list+0xa5/0x150 net/core/net_namespace.c:153\n cleanup_net+0x3b4/0x8b0 net/core/net_namespace.c:553\n process_one_work+0x864/0x1570 kernel/workqueue.c:2153\n worker_thread+0x64c/0x1130 kernel/workqueue.c:2296\n kthread+0x33f/0x460 kernel/kthread.c:259\n ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415\n\nAllocated by task 23:\n kmem_cache_alloc_trace+0x12f/0x380 mm/slab.c:3625\n kmalloc include/linux/slab.h:515 [inline]\n kzalloc include/linux/slab.h:709 [inline]\n tipc_conn_alloc+0x43/0x4f0 net/tipc/topsrv.c:192\n tipc_topsrv_accept+0x1b5/0x280 net/tipc/topsrv.c:470\n process_one_work+0x864/0x1570 kernel/workqueue.c:2153\n worker_thread+0x64c/0x1130 kernel/workqueue.c:2296\n kthread+0x33f/0x460 kernel/kthread.c:259\n ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415\n\nFreed by task 23:\n __cache_free mm/slab.c:3503 [inline]\n kfree+0xcc/0x210 mm/slab.c:3822\n tipc_conn_kref_release net/tipc/topsrv.c:150 [inline]\n kref_put include/linux/kref.h:70 [inline]\n conn_put+0x2cd/0x3a0 net/tipc/topsrv.c:155\n process_one_work+0x864/0x1570 kernel/workqueue.c:2153\n worker_thread+0x64c/0x1130 kernel/workqueue.c:2296\n kthread+0x33f/0x460 kernel/kthread.c:259\n ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415\n\nThe buggy address belongs to the object at ffff888099305a00\n which belongs to the cache kmalloc-512 of size 512\nThe buggy address is located 8 bytes inside of\n 512-byte region [ffff888099305a00, ffff888099305c00)\nThe buggy address belongs to the page:\npage:ffffea000264c140 count:1 mapcount:0 mapping:ffff88813bff0940 index:0x0\nflags: 0xfff00000000100(slab)\nraw: 00fff00000000100 ffffea00028b6b88 ffffea0002cd2b08 ffff88813bff0940\nraw: 0000000000000000 ffff888099305000 0000000100000006 0000000000000000\npage dumped because: kasan: bad access detected\n\nMemory state around the buggy address:\n ffff888099305900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ffff888099305980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n\u003effff888099305a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ^\n ffff888099305a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ffff888099305b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb"
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T04:23:12.269Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/03dcdd2558e1e55bf843822fe4363dcb48743f2b"
},
{
"url": "https://git.kernel.org/stable/c/15a6f4971e2f157d57e09ea748d1fbc714277aa4"
},
{
"url": "https://git.kernel.org/stable/c/dab8ded2e5ff41012a6ff400b44dbe76ccf3592a"
},
{
"url": "https://git.kernel.org/stable/c/1dbf7cd2454a28b1da700085b99346b5445aeabb"
},
{
"url": "https://git.kernel.org/stable/c/be4b8392da7978294f2f368799d29dd509fb6c4d"
},
{
"url": "https://git.kernel.org/stable/c/50aa2d121bc2cfe2d825f8a331ea75dfaaab6a50"
},
{
"url": "https://git.kernel.org/stable/c/3b89e17b2fd64012682bed158d9eb3d2e96dec42"
},
{
"url": "https://git.kernel.org/stable/c/667eeab4999e981c96b447a4df5f20bdf5c26f13"
}
],
"title": "tipc: Fix use-after-free in tipc_conn_close().",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38464",
"datePublished": "2025-07-25T15:27:46.708Z",
"dateReserved": "2025-04-16T04:51:24.020Z",
"dateUpdated": "2025-07-28T04:23:12.269Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38565 (GCVE-0-2025-38565)
Vulnerability from cvelistv5
Published
2025-08-19 17:02
Modified
2025-09-29 05:53
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
perf/core: Exit early on perf_mmap() fail
When perf_mmap() fails to allocate a buffer, it still invokes the
event_mapped() callback of the related event. On X86 this might increase
the perf_rdpmc_allowed reference counter. But nothing undoes this as
perf_mmap_close() is never called in this case, which causes another
reference count leak.
Return early on failure to prevent that.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1e0fb9ec679c9273a641f1d6f3d25ea47baef2bb Version: 1e0fb9ec679c9273a641f1d6f3d25ea47baef2bb Version: 1e0fb9ec679c9273a641f1d6f3d25ea47baef2bb Version: 1e0fb9ec679c9273a641f1d6f3d25ea47baef2bb Version: 1e0fb9ec679c9273a641f1d6f3d25ea47baef2bb Version: 1e0fb9ec679c9273a641f1d6f3d25ea47baef2bb Version: 1e0fb9ec679c9273a641f1d6f3d25ea47baef2bb Version: 1e0fb9ec679c9273a641f1d6f3d25ea47baef2bb Version: 1e0fb9ec679c9273a641f1d6f3d25ea47baef2bb |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/events/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5ffda7f3ed76ec8defc19d985e33b3b82ba07839",
"status": "affected",
"version": "1e0fb9ec679c9273a641f1d6f3d25ea47baef2bb",
"versionType": "git"
},
{
"lessThan": "9b90a48c7de828a15c7a4fc565d46999c6e22d6b",
"status": "affected",
"version": "1e0fb9ec679c9273a641f1d6f3d25ea47baef2bb",
"versionType": "git"
},
{
"lessThan": "de85e72598d89880a02170a1cbc27b35a7d978a9",
"status": "affected",
"version": "1e0fb9ec679c9273a641f1d6f3d25ea47baef2bb",
"versionType": "git"
},
{
"lessThan": "27d44145bd576bbef9bf6165bcd78128ec3e6cbd",
"status": "affected",
"version": "1e0fb9ec679c9273a641f1d6f3d25ea47baef2bb",
"versionType": "git"
},
{
"lessThan": "f41e9eba77bf97626e04296dc5677d02816d2432",
"status": "affected",
"version": "1e0fb9ec679c9273a641f1d6f3d25ea47baef2bb",
"versionType": "git"
},
{
"lessThan": "92043120a2e992800580855498ab8507e1b22db9",
"status": "affected",
"version": "1e0fb9ec679c9273a641f1d6f3d25ea47baef2bb",
"versionType": "git"
},
{
"lessThan": "163b0d1a209fe0df5476c1df2330ca12b55abf92",
"status": "affected",
"version": "1e0fb9ec679c9273a641f1d6f3d25ea47baef2bb",
"versionType": "git"
},
{
"lessThan": "7ff8521f30c4c2fcd4e88bd7640486602bf8a650",
"status": "affected",
"version": "1e0fb9ec679c9273a641f1d6f3d25ea47baef2bb",
"versionType": "git"
},
{
"lessThan": "07091aade394f690e7b655578140ef84d0e8d7b0",
"status": "affected",
"version": "1e0fb9ec679c9273a641f1d6f3d25ea47baef2bb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/events/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.0"
},
{
"lessThan": "4.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.148",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.102",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.148",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.102",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.42",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.10",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/core: Exit early on perf_mmap() fail\n\nWhen perf_mmap() fails to allocate a buffer, it still invokes the\nevent_mapped() callback of the related event. On X86 this might increase\nthe perf_rdpmc_allowed reference counter. But nothing undoes this as\nperf_mmap_close() is never called in this case, which causes another\nreference count leak.\n\nReturn early on failure to prevent that."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:53:53.796Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5ffda7f3ed76ec8defc19d985e33b3b82ba07839"
},
{
"url": "https://git.kernel.org/stable/c/9b90a48c7de828a15c7a4fc565d46999c6e22d6b"
},
{
"url": "https://git.kernel.org/stable/c/de85e72598d89880a02170a1cbc27b35a7d978a9"
},
{
"url": "https://git.kernel.org/stable/c/27d44145bd576bbef9bf6165bcd78128ec3e6cbd"
},
{
"url": "https://git.kernel.org/stable/c/f41e9eba77bf97626e04296dc5677d02816d2432"
},
{
"url": "https://git.kernel.org/stable/c/92043120a2e992800580855498ab8507e1b22db9"
},
{
"url": "https://git.kernel.org/stable/c/163b0d1a209fe0df5476c1df2330ca12b55abf92"
},
{
"url": "https://git.kernel.org/stable/c/7ff8521f30c4c2fcd4e88bd7640486602bf8a650"
},
{
"url": "https://git.kernel.org/stable/c/07091aade394f690e7b655578140ef84d0e8d7b0"
}
],
"title": "perf/core: Exit early on perf_mmap() fail",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38565",
"datePublished": "2025-08-19T17:02:41.700Z",
"dateReserved": "2025-04-16T04:51:24.025Z",
"dateUpdated": "2025-09-29T05:53:53.796Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38632 (GCVE-0-2025-38632)
Vulnerability from cvelistv5
Published
2025-08-22 16:00
Modified
2025-09-29 05:55
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
pinmux: fix race causing mux_owner NULL with active mux_usecount
commit 5a3e85c3c397 ("pinmux: Use sequential access to access
desc->pinmux data") tried to address the issue when two client of the
same gpio calls pinctrl_select_state() for the same functionality, was
resulting in NULL pointer issue while accessing desc->mux_owner.
However, issue was not completely fixed due to the way it was handled
and it can still result in the same NULL pointer.
The issue occurs due to the following interleaving:
cpu0 (process A) cpu1 (process B)
pin_request() { pin_free() {
mutex_lock()
desc->mux_usecount--; //becomes 0
..
mutex_unlock()
mutex_lock(desc->mux)
desc->mux_usecount++; // becomes 1
desc->mux_owner = owner;
mutex_unlock(desc->mux)
mutex_lock(desc->mux)
desc->mux_owner = NULL;
mutex_unlock(desc->mux)
This sequence leads to a state where the pin appears to be in use
(`mux_usecount == 1`) but has no owner (`mux_owner == NULL`), which can
cause NULL pointer on next pin_request on the same pin.
Ensure that updates to mux_usecount and mux_owner are performed
atomically under the same lock. Only clear mux_owner when mux_usecount
reaches zero and no new owner has been assigned.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/pinctrl/pinmux.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9b2a3e7189028aa7c4d53a84364f2ea9fb209787",
"status": "affected",
"version": "2da32aed4a97ca1d70fb8b77926f72f30ce5fb4b",
"versionType": "git"
},
{
"lessThan": "9ea3f6b9a67be3476e331ce51cac316c2614a564",
"status": "affected",
"version": "c11e2ec9a780f54982a187ee10ffd1b810715c85",
"versionType": "git"
},
{
"lessThan": "b7bd6e3971eb7f0e34d2fdce1b18b08094e0c804",
"status": "affected",
"version": "5a3e85c3c397c781393ea5fb2f45b1f60f8a4e6e",
"versionType": "git"
},
{
"lessThan": "22b585cbd67d14df3b91529d1b990661c300faa9",
"status": "affected",
"version": "5a3e85c3c397c781393ea5fb2f45b1f60f8a4e6e",
"versionType": "git"
},
{
"lessThan": "0b075c011032f88d1cfde3b45d6dcf08b44140eb",
"status": "affected",
"version": "5a3e85c3c397c781393ea5fb2f45b1f60f8a4e6e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/pinctrl/pinmux.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.13"
},
{
"lessThan": "6.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.102",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.102",
"versionStartIncluding": "6.6.66",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.42",
"versionStartIncluding": "6.12.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.10",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npinmux: fix race causing mux_owner NULL with active mux_usecount\n\ncommit 5a3e85c3c397 (\"pinmux: Use sequential access to access\ndesc-\u003epinmux data\") tried to address the issue when two client of the\nsame gpio calls pinctrl_select_state() for the same functionality, was\nresulting in NULL pointer issue while accessing desc-\u003emux_owner.\nHowever, issue was not completely fixed due to the way it was handled\nand it can still result in the same NULL pointer.\n\nThe issue occurs due to the following interleaving:\n\n cpu0 (process A) cpu1 (process B)\n\n pin_request() { pin_free() {\n\n mutex_lock()\n desc-\u003emux_usecount--; //becomes 0\n ..\n mutex_unlock()\n\n mutex_lock(desc-\u003emux)\n desc-\u003emux_usecount++; // becomes 1\n desc-\u003emux_owner = owner;\n mutex_unlock(desc-\u003emux)\n\n mutex_lock(desc-\u003emux)\n desc-\u003emux_owner = NULL;\n mutex_unlock(desc-\u003emux)\n\nThis sequence leads to a state where the pin appears to be in use\n(`mux_usecount == 1`) but has no owner (`mux_owner == NULL`), which can\ncause NULL pointer on next pin_request on the same pin.\n\nEnsure that updates to mux_usecount and mux_owner are performed\natomically under the same lock. Only clear mux_owner when mux_usecount\nreaches zero and no new owner has been assigned."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:55:10.837Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9b2a3e7189028aa7c4d53a84364f2ea9fb209787"
},
{
"url": "https://git.kernel.org/stable/c/9ea3f6b9a67be3476e331ce51cac316c2614a564"
},
{
"url": "https://git.kernel.org/stable/c/b7bd6e3971eb7f0e34d2fdce1b18b08094e0c804"
},
{
"url": "https://git.kernel.org/stable/c/22b585cbd67d14df3b91529d1b990661c300faa9"
},
{
"url": "https://git.kernel.org/stable/c/0b075c011032f88d1cfde3b45d6dcf08b44140eb"
}
],
"title": "pinmux: fix race causing mux_owner NULL with active mux_usecount",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38632",
"datePublished": "2025-08-22T16:00:40.423Z",
"dateReserved": "2025-04-16T04:51:24.029Z",
"dateUpdated": "2025-09-29T05:55:10.837Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38146 (GCVE-0-2025-38146)
Vulnerability from cvelistv5
Published
2025-07-03 08:35
Modified
2025-07-28 04:13
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: openvswitch: Fix the dead loop of MPLS parse
The unexpected MPLS packet may not end with the bottom label stack.
When there are many stacks, The label count value has wrapped around.
A dead loop occurs, soft lockup/CPU stuck finally.
stack backtrace:
UBSAN: array-index-out-of-bounds in /build/linux-0Pa0xK/linux-5.15.0/net/openvswitch/flow.c:662:26
index -1 is out of range for type '__be32 [3]'
CPU: 34 PID: 0 Comm: swapper/34 Kdump: loaded Tainted: G OE 5.15.0-121-generic #131-Ubuntu
Hardware name: Dell Inc. PowerEdge C6420/0JP9TF, BIOS 2.12.2 07/14/2021
Call Trace:
<IRQ>
show_stack+0x52/0x5c
dump_stack_lvl+0x4a/0x63
dump_stack+0x10/0x16
ubsan_epilogue+0x9/0x36
__ubsan_handle_out_of_bounds.cold+0x44/0x49
key_extract_l3l4+0x82a/0x840 [openvswitch]
? kfree_skbmem+0x52/0xa0
key_extract+0x9c/0x2b0 [openvswitch]
ovs_flow_key_extract+0x124/0x350 [openvswitch]
ovs_vport_receive+0x61/0xd0 [openvswitch]
? kernel_init_free_pages.part.0+0x4a/0x70
? get_page_from_freelist+0x353/0x540
netdev_port_receive+0xc4/0x180 [openvswitch]
? netdev_port_receive+0x180/0x180 [openvswitch]
netdev_frame_hook+0x1f/0x40 [openvswitch]
__netif_receive_skb_core.constprop.0+0x23a/0xf00
__netif_receive_skb_list_core+0xfa/0x240
netif_receive_skb_list_internal+0x18e/0x2a0
napi_complete_done+0x7a/0x1c0
bnxt_poll+0x155/0x1c0 [bnxt_en]
__napi_poll+0x30/0x180
net_rx_action+0x126/0x280
? bnxt_msix+0x67/0x80 [bnxt_en]
handle_softirqs+0xda/0x2d0
irq_exit_rcu+0x96/0xc0
common_interrupt+0x8e/0xa0
</IRQ>
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: fbdcdd78da7c95f1b970d371e1b23cbd3aa990f3 Version: fbdcdd78da7c95f1b970d371e1b23cbd3aa990f3 Version: fbdcdd78da7c95f1b970d371e1b23cbd3aa990f3 Version: fbdcdd78da7c95f1b970d371e1b23cbd3aa990f3 Version: fbdcdd78da7c95f1b970d371e1b23cbd3aa990f3 Version: fbdcdd78da7c95f1b970d371e1b23cbd3aa990f3 Version: fbdcdd78da7c95f1b970d371e1b23cbd3aa990f3 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/openvswitch/flow.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4b9a086eedc1fddae632310386098c12155e3d0a",
"status": "affected",
"version": "fbdcdd78da7c95f1b970d371e1b23cbd3aa990f3",
"versionType": "git"
},
{
"lessThan": "ad17eb86d042d72a59fd184ad1adf34f5eb36843",
"status": "affected",
"version": "fbdcdd78da7c95f1b970d371e1b23cbd3aa990f3",
"versionType": "git"
},
{
"lessThan": "f26fe7c3002516dd3c288f1012786df31f4d89e0",
"status": "affected",
"version": "fbdcdd78da7c95f1b970d371e1b23cbd3aa990f3",
"versionType": "git"
},
{
"lessThan": "8ebcd311b4866ab911d1445ead08690e67f0c488",
"status": "affected",
"version": "fbdcdd78da7c95f1b970d371e1b23cbd3aa990f3",
"versionType": "git"
},
{
"lessThan": "69541e58323ec3e3904e1fa87a6213961b1f52f4",
"status": "affected",
"version": "fbdcdd78da7c95f1b970d371e1b23cbd3aa990f3",
"versionType": "git"
},
{
"lessThan": "3c1906a3d50cb94fd0a10e97a1c0a40c0f033cb7",
"status": "affected",
"version": "fbdcdd78da7c95f1b970d371e1b23cbd3aa990f3",
"versionType": "git"
},
{
"lessThan": "0bdc924bfb319fb10d1113cbf091fc26fb7b1f99",
"status": "affected",
"version": "fbdcdd78da7c95f1b970d371e1b23cbd3aa990f3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/openvswitch/flow.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.239",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.186",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.239",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.186",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.142",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.94",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.34",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.3",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "5.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: openvswitch: Fix the dead loop of MPLS parse\n\nThe unexpected MPLS packet may not end with the bottom label stack.\nWhen there are many stacks, The label count value has wrapped around.\nA dead loop occurs, soft lockup/CPU stuck finally.\n\nstack backtrace:\nUBSAN: array-index-out-of-bounds in /build/linux-0Pa0xK/linux-5.15.0/net/openvswitch/flow.c:662:26\nindex -1 is out of range for type \u0027__be32 [3]\u0027\nCPU: 34 PID: 0 Comm: swapper/34 Kdump: loaded Tainted: G OE 5.15.0-121-generic #131-Ubuntu\nHardware name: Dell Inc. PowerEdge C6420/0JP9TF, BIOS 2.12.2 07/14/2021\nCall Trace:\n \u003cIRQ\u003e\n show_stack+0x52/0x5c\n dump_stack_lvl+0x4a/0x63\n dump_stack+0x10/0x16\n ubsan_epilogue+0x9/0x36\n __ubsan_handle_out_of_bounds.cold+0x44/0x49\n key_extract_l3l4+0x82a/0x840 [openvswitch]\n ? kfree_skbmem+0x52/0xa0\n key_extract+0x9c/0x2b0 [openvswitch]\n ovs_flow_key_extract+0x124/0x350 [openvswitch]\n ovs_vport_receive+0x61/0xd0 [openvswitch]\n ? kernel_init_free_pages.part.0+0x4a/0x70\n ? get_page_from_freelist+0x353/0x540\n netdev_port_receive+0xc4/0x180 [openvswitch]\n ? netdev_port_receive+0x180/0x180 [openvswitch]\n netdev_frame_hook+0x1f/0x40 [openvswitch]\n __netif_receive_skb_core.constprop.0+0x23a/0xf00\n __netif_receive_skb_list_core+0xfa/0x240\n netif_receive_skb_list_internal+0x18e/0x2a0\n napi_complete_done+0x7a/0x1c0\n bnxt_poll+0x155/0x1c0 [bnxt_en]\n __napi_poll+0x30/0x180\n net_rx_action+0x126/0x280\n ? bnxt_msix+0x67/0x80 [bnxt_en]\n handle_softirqs+0xda/0x2d0\n irq_exit_rcu+0x96/0xc0\n common_interrupt+0x8e/0xa0\n \u003c/IRQ\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T04:13:28.266Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4b9a086eedc1fddae632310386098c12155e3d0a"
},
{
"url": "https://git.kernel.org/stable/c/ad17eb86d042d72a59fd184ad1adf34f5eb36843"
},
{
"url": "https://git.kernel.org/stable/c/f26fe7c3002516dd3c288f1012786df31f4d89e0"
},
{
"url": "https://git.kernel.org/stable/c/8ebcd311b4866ab911d1445ead08690e67f0c488"
},
{
"url": "https://git.kernel.org/stable/c/69541e58323ec3e3904e1fa87a6213961b1f52f4"
},
{
"url": "https://git.kernel.org/stable/c/3c1906a3d50cb94fd0a10e97a1c0a40c0f033cb7"
},
{
"url": "https://git.kernel.org/stable/c/0bdc924bfb319fb10d1113cbf091fc26fb7b1f99"
}
],
"title": "net: openvswitch: Fix the dead loop of MPLS parse",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38146",
"datePublished": "2025-07-03T08:35:52.230Z",
"dateReserved": "2025-04-16T04:51:23.988Z",
"dateUpdated": "2025-07-28T04:13:28.266Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38214 (GCVE-0-2025-38214)
Vulnerability from cvelistv5
Published
2025-07-04 13:37
Modified
2025-07-28 04:15
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
fbdev: Fix fb_set_var to prevent null-ptr-deref in fb_videomode_to_var
If fb_add_videomode() in fb_set_var() fails to allocate memory for
fb_videomode, later it may lead to a null-ptr dereference in
fb_videomode_to_var(), as the fb_info is registered while not having the
mode in modelist that is expected to be there, i.e. the one that is
described in fb_info->var.
================================================================
general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 1 PID: 30371 Comm: syz-executor.1 Not tainted 5.10.226-syzkaller #0
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
RIP: 0010:fb_videomode_to_var+0x24/0x610 drivers/video/fbdev/core/modedb.c:901
Call Trace:
display_to_var+0x3a/0x7c0 drivers/video/fbdev/core/fbcon.c:929
fbcon_resize+0x3e2/0x8f0 drivers/video/fbdev/core/fbcon.c:2071
resize_screen drivers/tty/vt/vt.c:1176 [inline]
vc_do_resize+0x53a/0x1170 drivers/tty/vt/vt.c:1263
fbcon_modechanged+0x3ac/0x6e0 drivers/video/fbdev/core/fbcon.c:2720
fbcon_update_vcs+0x43/0x60 drivers/video/fbdev/core/fbcon.c:2776
do_fb_ioctl+0x6d2/0x740 drivers/video/fbdev/core/fbmem.c:1128
fb_ioctl+0xe7/0x150 drivers/video/fbdev/core/fbmem.c:1203
vfs_ioctl fs/ioctl.c:48 [inline]
__do_sys_ioctl fs/ioctl.c:753 [inline]
__se_sys_ioctl fs/ioctl.c:739 [inline]
__x64_sys_ioctl+0x19a/0x210 fs/ioctl.c:739
do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x67/0xd1
================================================================
The reason is that fb_info->var is being modified in fb_set_var(), and
then fb_videomode_to_var() is called. If it fails to add the mode to
fb_info->modelist, fb_set_var() returns error, but does not restore the
old value of fb_info->var. Restore fb_info->var on failure the same way
it is done earlier in the function.
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/core/fbmem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ee20216f12d9482cd70e44dae5e7fabb38367c71",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "fab201d72fde38d081e2c5d4ad25595c535b7b22",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1a10d91766eb6ddfd5414e4785611e33a4fe0f9b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ff0e037241173b574b385bff53d67567b9816db5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3ca78032a388a0795201792b36e6fc9b6e6e8eed",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b3071bb463ea1e6c686d0dc9638fc940f2f5cf17",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8a3a2887794b2c8e78b3e5d6e3de724527c9f41b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "05f6e183879d9785a3cdf2f08a498bc31b7a20aa",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/core/fbmem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.239",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.186",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.95",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.35",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.295",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.239",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.186",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.142",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.95",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.35",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.4",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: Fix fb_set_var to prevent null-ptr-deref in fb_videomode_to_var\n\nIf fb_add_videomode() in fb_set_var() fails to allocate memory for\nfb_videomode, later it may lead to a null-ptr dereference in\nfb_videomode_to_var(), as the fb_info is registered while not having the\nmode in modelist that is expected to be there, i.e. the one that is\ndescribed in fb_info-\u003evar.\n\n================================================================\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN NOPTI\nKASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]\nCPU: 1 PID: 30371 Comm: syz-executor.1 Not tainted 5.10.226-syzkaller #0\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014\nRIP: 0010:fb_videomode_to_var+0x24/0x610 drivers/video/fbdev/core/modedb.c:901\nCall Trace:\n display_to_var+0x3a/0x7c0 drivers/video/fbdev/core/fbcon.c:929\n fbcon_resize+0x3e2/0x8f0 drivers/video/fbdev/core/fbcon.c:2071\n resize_screen drivers/tty/vt/vt.c:1176 [inline]\n vc_do_resize+0x53a/0x1170 drivers/tty/vt/vt.c:1263\n fbcon_modechanged+0x3ac/0x6e0 drivers/video/fbdev/core/fbcon.c:2720\n fbcon_update_vcs+0x43/0x60 drivers/video/fbdev/core/fbcon.c:2776\n do_fb_ioctl+0x6d2/0x740 drivers/video/fbdev/core/fbmem.c:1128\n fb_ioctl+0xe7/0x150 drivers/video/fbdev/core/fbmem.c:1203\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __x64_sys_ioctl+0x19a/0x210 fs/ioctl.c:739\n do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x67/0xd1\n================================================================\n\nThe reason is that fb_info-\u003evar is being modified in fb_set_var(), and\nthen fb_videomode_to_var() is called. If it fails to add the mode to\nfb_info-\u003emodelist, fb_set_var() returns error, but does not restore the\nold value of fb_info-\u003evar. Restore fb_info-\u003evar on failure the same way\nit is done earlier in the function.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller."
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T04:15:21.767Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ee20216f12d9482cd70e44dae5e7fabb38367c71"
},
{
"url": "https://git.kernel.org/stable/c/fab201d72fde38d081e2c5d4ad25595c535b7b22"
},
{
"url": "https://git.kernel.org/stable/c/1a10d91766eb6ddfd5414e4785611e33a4fe0f9b"
},
{
"url": "https://git.kernel.org/stable/c/ff0e037241173b574b385bff53d67567b9816db5"
},
{
"url": "https://git.kernel.org/stable/c/3ca78032a388a0795201792b36e6fc9b6e6e8eed"
},
{
"url": "https://git.kernel.org/stable/c/b3071bb463ea1e6c686d0dc9638fc940f2f5cf17"
},
{
"url": "https://git.kernel.org/stable/c/8a3a2887794b2c8e78b3e5d6e3de724527c9f41b"
},
{
"url": "https://git.kernel.org/stable/c/05f6e183879d9785a3cdf2f08a498bc31b7a20aa"
}
],
"title": "fbdev: Fix fb_set_var to prevent null-ptr-deref in fb_videomode_to_var",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38214",
"datePublished": "2025-07-04T13:37:32.410Z",
"dateReserved": "2025-04-16T04:51:23.995Z",
"dateUpdated": "2025-07-28T04:15:21.767Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38499 (GCVE-0-2025-38499)
Vulnerability from cvelistv5
Published
2025-08-11 16:01
Modified
2025-08-28 14:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns
What we want is to verify there is that clone won't expose something
hidden by a mount we wouldn't be able to undo. "Wouldn't be able to undo"
may be a result of MNT_LOCKED on a child, but it may also come from
lacking admin rights in the userns of the namespace mount belongs to.
clone_private_mnt() checks the former, but not the latter.
There's a number of rather confusing CAP_SYS_ADMIN checks in various
userns during the mount, especially with the new mount API; they serve
different purposes and in case of clone_private_mnt() they usually,
but not always end up covering the missing check mentioned above.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 427215d85e8d1476da1a86b8d67aceb485eb3631 Version: 427215d85e8d1476da1a86b8d67aceb485eb3631 Version: 427215d85e8d1476da1a86b8d67aceb485eb3631 Version: 427215d85e8d1476da1a86b8d67aceb485eb3631 Version: 427215d85e8d1476da1a86b8d67aceb485eb3631 Version: 427215d85e8d1476da1a86b8d67aceb485eb3631 Version: c6e8810d25295acb40a7b69ed3962ff181919571 Version: e3eee87c846dc47f6d8eb6d85e7271f24122a279 Version: 517b875dfbf58f0c6c9e32dc90f5cf42d71a42ce Version: 963d85d630dabe75a3cfde44a006fec3304d07b8 Version: 812f39ed5b0b7f34868736de3055c92c7c4cf459 Version: 6a002d48a66076524f67098132538bef17e8445e Version: 41812f4b84484530057513478c6770590347dc30 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/namespace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "36fecd740de2d542d2091d65d36554ee2bcf9c65",
"status": "affected",
"version": "427215d85e8d1476da1a86b8d67aceb485eb3631",
"versionType": "git"
},
{
"lessThan": "d717325b5ecf2a40daca85c61923e17f32306179",
"status": "affected",
"version": "427215d85e8d1476da1a86b8d67aceb485eb3631",
"versionType": "git"
},
{
"lessThan": "dc6a664089f10eab0fb36b6e4f705022210191d2",
"status": "affected",
"version": "427215d85e8d1476da1a86b8d67aceb485eb3631",
"versionType": "git"
},
{
"lessThan": "e77078e52fbf018ab986efb3c79065ab35025607",
"status": "affected",
"version": "427215d85e8d1476da1a86b8d67aceb485eb3631",
"versionType": "git"
},
{
"lessThan": "38628ae06e2a37770cd794802a3f1310cf9846e3",
"status": "affected",
"version": "427215d85e8d1476da1a86b8d67aceb485eb3631",
"versionType": "git"
},
{
"lessThan": "c28f922c9dcee0e4876a2c095939d77fe7e15116",
"status": "affected",
"version": "427215d85e8d1476da1a86b8d67aceb485eb3631",
"versionType": "git"
},
{
"status": "affected",
"version": "c6e8810d25295acb40a7b69ed3962ff181919571",
"versionType": "git"
},
{
"status": "affected",
"version": "e3eee87c846dc47f6d8eb6d85e7271f24122a279",
"versionType": "git"
},
{
"status": "affected",
"version": "517b875dfbf58f0c6c9e32dc90f5cf42d71a42ce",
"versionType": "git"
},
{
"status": "affected",
"version": "963d85d630dabe75a3cfde44a006fec3304d07b8",
"versionType": "git"
},
{
"status": "affected",
"version": "812f39ed5b0b7f34868736de3055c92c7c4cf459",
"versionType": "git"
},
{
"status": "affected",
"version": "6a002d48a66076524f67098132538bef17e8445e",
"versionType": "git"
},
{
"status": "affected",
"version": "41812f4b84484530057513478c6770590347dc30",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/namespace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.147",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.100",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.147",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.100",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.40",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.3",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.281",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.280",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.244",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.204",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.141",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.10.59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.13.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nclone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns\n\nWhat we want is to verify there is that clone won\u0027t expose something\nhidden by a mount we wouldn\u0027t be able to undo. \"Wouldn\u0027t be able to undo\"\nmay be a result of MNT_LOCKED on a child, but it may also come from\nlacking admin rights in the userns of the namespace mount belongs to.\n\nclone_private_mnt() checks the former, but not the latter.\n\nThere\u0027s a number of rather confusing CAP_SYS_ADMIN checks in various\nuserns during the mount, especially with the new mount API; they serve\ndifferent purposes and in case of clone_private_mnt() they usually,\nbut not always end up covering the missing check mentioned above."
}
],
"providerMetadata": {
"dateUpdated": "2025-08-28T14:43:32.428Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/36fecd740de2d542d2091d65d36554ee2bcf9c65"
},
{
"url": "https://git.kernel.org/stable/c/d717325b5ecf2a40daca85c61923e17f32306179"
},
{
"url": "https://git.kernel.org/stable/c/dc6a664089f10eab0fb36b6e4f705022210191d2"
},
{
"url": "https://git.kernel.org/stable/c/e77078e52fbf018ab986efb3c79065ab35025607"
},
{
"url": "https://git.kernel.org/stable/c/38628ae06e2a37770cd794802a3f1310cf9846e3"
},
{
"url": "https://git.kernel.org/stable/c/c28f922c9dcee0e4876a2c095939d77fe7e15116"
}
],
"title": "clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38499",
"datePublished": "2025-08-11T16:01:08.257Z",
"dateReserved": "2025-04-16T04:51:24.022Z",
"dateUpdated": "2025-08-28T14:43:32.428Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38208 (GCVE-0-2025-38208)
Vulnerability from cvelistv5
Published
2025-07-04 13:37
Modified
2025-07-28 04:15
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
smb: client: add NULL check in automount_fullpath
page is checked for null in __build_path_from_dentry_optional_prefix
when tcon->origin_fullpath is not set. However, the check is missing when
it is set.
Add a check to prevent a potential NULL pointer dereference.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/client/namespace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "37166d63e42c34846a16001950ecec96229a8d17",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a9e916fa5c7d0ec2256aa44aa24ddd92f529ce35",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "cce8e71ca1f7ad9045707f0d22490c1e9ed1df6c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f1e7a277a1736e12cc4bd6d93b8a5c439b8ca20c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/client/namespace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.95",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.35",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.95",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: add NULL check in automount_fullpath\n\npage is checked for null in __build_path_from_dentry_optional_prefix\nwhen tcon-\u003eorigin_fullpath is not set. However, the check is missing when\nit is set.\nAdd a check to prevent a potential NULL pointer dereference."
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T04:15:12.787Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/37166d63e42c34846a16001950ecec96229a8d17"
},
{
"url": "https://git.kernel.org/stable/c/a9e916fa5c7d0ec2256aa44aa24ddd92f529ce35"
},
{
"url": "https://git.kernel.org/stable/c/cce8e71ca1f7ad9045707f0d22490c1e9ed1df6c"
},
{
"url": "https://git.kernel.org/stable/c/f1e7a277a1736e12cc4bd6d93b8a5c439b8ca20c"
}
],
"title": "smb: client: add NULL check in automount_fullpath",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38208",
"datePublished": "2025-07-04T13:37:28.226Z",
"dateReserved": "2025-04-16T04:51:23.994Z",
"dateUpdated": "2025-07-28T04:15:12.787Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38470 (GCVE-0-2025-38470)
Vulnerability from cvelistv5
Published
2025-07-28 11:21
Modified
2025-08-28 14:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: vlan: fix VLAN 0 refcount imbalance of toggling filtering during runtime
Assuming the "rx-vlan-filter" feature is enabled on a net device, the
8021q module will automatically add or remove VLAN 0 when the net device
is put administratively up or down, respectively. There are a couple of
problems with the above scheme.
The first problem is a memory leak that can happen if the "rx-vlan-filter"
feature is disabled while the device is running:
# ip link add bond1 up type bond mode 0
# ethtool -K bond1 rx-vlan-filter off
# ip link del dev bond1
When the device is put administratively down the "rx-vlan-filter"
feature is disabled, so the 8021q module will not remove VLAN 0 and the
memory will be leaked [1].
Another problem that can happen is that the kernel can automatically
delete VLAN 0 when the device is put administratively down despite not
adding it when the device was put administratively up since during that
time the "rx-vlan-filter" feature was disabled. null-ptr-unref or
bug_on[2] will be triggered by unregister_vlan_dev() for refcount
imbalance if toggling filtering during runtime:
$ ip link add bond0 type bond mode 0
$ ip link add link bond0 name vlan0 type vlan id 0 protocol 802.1q
$ ethtool -K bond0 rx-vlan-filter off
$ ifconfig bond0 up
$ ethtool -K bond0 rx-vlan-filter on
$ ifconfig bond0 down
$ ip link del vlan0
Root cause is as below:
step1: add vlan0 for real_dev, such as bond, team.
register_vlan_dev
vlan_vid_add(real_dev,htons(ETH_P_8021Q),0) //refcnt=1
step2: disable vlan filter feature and enable real_dev
step3: change filter from 0 to 1
vlan_device_event
vlan_filter_push_vids
ndo_vlan_rx_add_vid //No refcnt added to real_dev vlan0
step4: real_dev down
vlan_device_event
vlan_vid_del(dev, htons(ETH_P_8021Q), 0); //refcnt=0
vlan_info_rcu_free //free vlan0
step5: delete vlan0
unregister_vlan_dev
BUG_ON(!vlan_info); //vlan_info is null
Fix both problems by noting in the VLAN info whether VLAN 0 was
automatically added upon NETDEV_UP and based on that decide whether it
should be deleted upon NETDEV_DOWN, regardless of the state of the
"rx-vlan-filter" feature.
[1]
unreferenced object 0xffff8880068e3100 (size 256):
comm "ip", pid 384, jiffies 4296130254
hex dump (first 32 bytes):
00 20 30 0d 80 88 ff ff 00 00 00 00 00 00 00 00 . 0.............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc 81ce31fa):
__kmalloc_cache_noprof+0x2b5/0x340
vlan_vid_add+0x434/0x940
vlan_device_event.cold+0x75/0xa8
notifier_call_chain+0xca/0x150
__dev_notify_flags+0xe3/0x250
rtnl_configure_link+0x193/0x260
rtnl_newlink_create+0x383/0x8e0
__rtnl_newlink+0x22c/0xa40
rtnl_newlink+0x627/0xb00
rtnetlink_rcv_msg+0x6fb/0xb70
netlink_rcv_skb+0x11f/0x350
netlink_unicast+0x426/0x710
netlink_sendmsg+0x75a/0xc20
__sock_sendmsg+0xc1/0x150
____sys_sendmsg+0x5aa/0x7b0
___sys_sendmsg+0xfc/0x180
[2]
kernel BUG at net/8021q/vlan.c:99!
Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
CPU: 0 UID: 0 PID: 382 Comm: ip Not tainted 6.16.0-rc3 #61 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
RIP: 0010:unregister_vlan_dev (net/8021q/vlan.c:99 (discriminator 1))
RSP: 0018:ffff88810badf310 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff88810da84000 RCX: ffffffffb47ceb9a
RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff88810e8b43c8
RBP: 0000000000000000 R08: 0000000000000000 R09: fffffbfff6cefe80
R10: ffffffffb677f407 R11: ffff88810badf3c0 R12: ffff88810e8b4000
R13: 0000000000000000 R14: ffff88810642a5c0 R15: 000000000000017e
FS: 00007f1ff68c20c0(0000) GS:ffff888163a24000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f1ff5dad240 CR3: 0000000107e56000 CR4: 00000000000006f0
Call Trace:
<TASK
---truncated---
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: ad1afb00393915a51c21b1ae8704562bf036855f Version: ad1afb00393915a51c21b1ae8704562bf036855f Version: ad1afb00393915a51c21b1ae8704562bf036855f Version: ad1afb00393915a51c21b1ae8704562bf036855f Version: ad1afb00393915a51c21b1ae8704562bf036855f Version: ad1afb00393915a51c21b1ae8704562bf036855f Version: ad1afb00393915a51c21b1ae8704562bf036855f Version: ad1afb00393915a51c21b1ae8704562bf036855f |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/8021q/vlan.c",
"net/8021q/vlan.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ba48d3993af23753e1f1f01c8d592de9c7785f24",
"status": "affected",
"version": "ad1afb00393915a51c21b1ae8704562bf036855f",
"versionType": "git"
},
{
"lessThan": "35142b3816832889e50164d993018ea5810955ae",
"status": "affected",
"version": "ad1afb00393915a51c21b1ae8704562bf036855f",
"versionType": "git"
},
{
"lessThan": "047b61a24d7c866c502aeeea482892969a68f216",
"status": "affected",
"version": "ad1afb00393915a51c21b1ae8704562bf036855f",
"versionType": "git"
},
{
"lessThan": "d43ef15bf4856c8c4c6c3572922331a5f06deb77",
"status": "affected",
"version": "ad1afb00393915a51c21b1ae8704562bf036855f",
"versionType": "git"
},
{
"lessThan": "bb515c41306454937464da055609b5fb0a27821b",
"status": "affected",
"version": "ad1afb00393915a51c21b1ae8704562bf036855f",
"versionType": "git"
},
{
"lessThan": "8984bcbd1edf5bee5be06ad771d157333b790c33",
"status": "affected",
"version": "ad1afb00393915a51c21b1ae8704562bf036855f",
"versionType": "git"
},
{
"lessThan": "93715aa2d80e6c5cea1bb486321fc4585076928b",
"status": "affected",
"version": "ad1afb00393915a51c21b1ae8704562bf036855f",
"versionType": "git"
},
{
"lessThan": "579d4f9ca9a9a605184a9b162355f6ba131f678d",
"status": "affected",
"version": "ad1afb00393915a51c21b1ae8704562bf036855f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/8021q/vlan.c",
"net/8021q/vlan.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.36"
},
{
"lessThan": "2.6.36",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.147",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.100",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.147",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.100",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.40",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.8",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "2.6.36",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: vlan: fix VLAN 0 refcount imbalance of toggling filtering during runtime\n\nAssuming the \"rx-vlan-filter\" feature is enabled on a net device, the\n8021q module will automatically add or remove VLAN 0 when the net device\nis put administratively up or down, respectively. There are a couple of\nproblems with the above scheme.\n\nThe first problem is a memory leak that can happen if the \"rx-vlan-filter\"\nfeature is disabled while the device is running:\n\n # ip link add bond1 up type bond mode 0\n # ethtool -K bond1 rx-vlan-filter off\n # ip link del dev bond1\n\nWhen the device is put administratively down the \"rx-vlan-filter\"\nfeature is disabled, so the 8021q module will not remove VLAN 0 and the\nmemory will be leaked [1].\n\nAnother problem that can happen is that the kernel can automatically\ndelete VLAN 0 when the device is put administratively down despite not\nadding it when the device was put administratively up since during that\ntime the \"rx-vlan-filter\" feature was disabled. null-ptr-unref or\nbug_on[2] will be triggered by unregister_vlan_dev() for refcount\nimbalance if toggling filtering during runtime:\n\n$ ip link add bond0 type bond mode 0\n$ ip link add link bond0 name vlan0 type vlan id 0 protocol 802.1q\n$ ethtool -K bond0 rx-vlan-filter off\n$ ifconfig bond0 up\n$ ethtool -K bond0 rx-vlan-filter on\n$ ifconfig bond0 down\n$ ip link del vlan0\n\nRoot cause is as below:\nstep1: add vlan0 for real_dev, such as bond, team.\nregister_vlan_dev\n vlan_vid_add(real_dev,htons(ETH_P_8021Q),0) //refcnt=1\nstep2: disable vlan filter feature and enable real_dev\nstep3: change filter from 0 to 1\nvlan_device_event\n vlan_filter_push_vids\n ndo_vlan_rx_add_vid //No refcnt added to real_dev vlan0\nstep4: real_dev down\nvlan_device_event\n vlan_vid_del(dev, htons(ETH_P_8021Q), 0); //refcnt=0\n vlan_info_rcu_free //free vlan0\nstep5: delete vlan0\nunregister_vlan_dev\n BUG_ON(!vlan_info); //vlan_info is null\n\nFix both problems by noting in the VLAN info whether VLAN 0 was\nautomatically added upon NETDEV_UP and based on that decide whether it\nshould be deleted upon NETDEV_DOWN, regardless of the state of the\n\"rx-vlan-filter\" feature.\n\n[1]\nunreferenced object 0xffff8880068e3100 (size 256):\n comm \"ip\", pid 384, jiffies 4296130254\n hex dump (first 32 bytes):\n 00 20 30 0d 80 88 ff ff 00 00 00 00 00 00 00 00 . 0.............\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace (crc 81ce31fa):\n __kmalloc_cache_noprof+0x2b5/0x340\n vlan_vid_add+0x434/0x940\n vlan_device_event.cold+0x75/0xa8\n notifier_call_chain+0xca/0x150\n __dev_notify_flags+0xe3/0x250\n rtnl_configure_link+0x193/0x260\n rtnl_newlink_create+0x383/0x8e0\n __rtnl_newlink+0x22c/0xa40\n rtnl_newlink+0x627/0xb00\n rtnetlink_rcv_msg+0x6fb/0xb70\n netlink_rcv_skb+0x11f/0x350\n netlink_unicast+0x426/0x710\n netlink_sendmsg+0x75a/0xc20\n __sock_sendmsg+0xc1/0x150\n ____sys_sendmsg+0x5aa/0x7b0\n ___sys_sendmsg+0xfc/0x180\n\n[2]\nkernel BUG at net/8021q/vlan.c:99!\nOops: invalid opcode: 0000 [#1] SMP KASAN PTI\nCPU: 0 UID: 0 PID: 382 Comm: ip Not tainted 6.16.0-rc3 #61 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996),\nBIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nRIP: 0010:unregister_vlan_dev (net/8021q/vlan.c:99 (discriminator 1))\nRSP: 0018:ffff88810badf310 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffff88810da84000 RCX: ffffffffb47ceb9a\nRDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff88810e8b43c8\nRBP: 0000000000000000 R08: 0000000000000000 R09: fffffbfff6cefe80\nR10: ffffffffb677f407 R11: ffff88810badf3c0 R12: ffff88810e8b4000\nR13: 0000000000000000 R14: ffff88810642a5c0 R15: 000000000000017e\nFS: 00007f1ff68c20c0(0000) GS:ffff888163a24000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f1ff5dad240 CR3: 0000000107e56000 CR4: 00000000000006f0\nCall Trace:\n \u003cTASK\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-08-28T14:43:09.081Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ba48d3993af23753e1f1f01c8d592de9c7785f24"
},
{
"url": "https://git.kernel.org/stable/c/35142b3816832889e50164d993018ea5810955ae"
},
{
"url": "https://git.kernel.org/stable/c/047b61a24d7c866c502aeeea482892969a68f216"
},
{
"url": "https://git.kernel.org/stable/c/d43ef15bf4856c8c4c6c3572922331a5f06deb77"
},
{
"url": "https://git.kernel.org/stable/c/bb515c41306454937464da055609b5fb0a27821b"
},
{
"url": "https://git.kernel.org/stable/c/8984bcbd1edf5bee5be06ad771d157333b790c33"
},
{
"url": "https://git.kernel.org/stable/c/93715aa2d80e6c5cea1bb486321fc4585076928b"
},
{
"url": "https://git.kernel.org/stable/c/579d4f9ca9a9a605184a9b162355f6ba131f678d"
}
],
"title": "net: vlan: fix VLAN 0 refcount imbalance of toggling filtering during runtime",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38470",
"datePublished": "2025-07-28T11:21:32.002Z",
"dateReserved": "2025-04-16T04:51:24.020Z",
"dateUpdated": "2025-08-28T14:43:09.081Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38313 (GCVE-0-2025-38313)
Vulnerability from cvelistv5
Published
2025-07-10 07:42
Modified
2025-07-28 04:18
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bus: fsl-mc: fix double-free on mc_dev
The blamed commit tried to simplify how the deallocations are done but,
in the process, introduced a double-free on the mc_dev variable.
In case the MC device is a DPRC, a new mc_bus is allocated and the
mc_dev variable is just a reference to one of its fields. In this
circumstance, on the error path only the mc_bus should be freed.
This commit introduces back the following checkpatch warning which is a
false-positive.
WARNING: kfree(NULL) is safe and this check is probably not required
+ if (mc_bus)
+ kfree(mc_bus);
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: a042fbed02904493ae6df26ec836045f5a7d3ce2 Version: a042fbed02904493ae6df26ec836045f5a7d3ce2 Version: a042fbed02904493ae6df26ec836045f5a7d3ce2 Version: a042fbed02904493ae6df26ec836045f5a7d3ce2 Version: a042fbed02904493ae6df26ec836045f5a7d3ce2 Version: a042fbed02904493ae6df26ec836045f5a7d3ce2 Version: a042fbed02904493ae6df26ec836045f5a7d3ce2 Version: a042fbed02904493ae6df26ec836045f5a7d3ce2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/bus/fsl-mc/fsl-mc-bus.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "12e4431e5078847791936820bd39df9e1ee26d2e",
"status": "affected",
"version": "a042fbed02904493ae6df26ec836045f5a7d3ce2",
"versionType": "git"
},
{
"lessThan": "3135e03a92f6b5259d0a7f25f728e9e7866ede3f",
"status": "affected",
"version": "a042fbed02904493ae6df26ec836045f5a7d3ce2",
"versionType": "git"
},
{
"lessThan": "7002b954c4a8b9965ba0f139812ee4a6f71beac8",
"status": "affected",
"version": "a042fbed02904493ae6df26ec836045f5a7d3ce2",
"versionType": "git"
},
{
"lessThan": "b2057374f326303c86d8423415ab58656eebc695",
"status": "affected",
"version": "a042fbed02904493ae6df26ec836045f5a7d3ce2",
"versionType": "git"
},
{
"lessThan": "4b23c46eb2d88924b93aca647bde9a4b9cf62cf9",
"status": "affected",
"version": "a042fbed02904493ae6df26ec836045f5a7d3ce2",
"versionType": "git"
},
{
"lessThan": "1d5baab39e5b09a76870b345cdee7933871b881f",
"status": "affected",
"version": "a042fbed02904493ae6df26ec836045f5a7d3ce2",
"versionType": "git"
},
{
"lessThan": "873d47114fd5e5a1cad2018843671537cc71ac84",
"status": "affected",
"version": "a042fbed02904493ae6df26ec836045f5a7d3ce2",
"versionType": "git"
},
{
"lessThan": "d694bf8a9acdbd061596f3e7549bc8cb70750a60",
"status": "affected",
"version": "a042fbed02904493ae6df26ec836045f5a7d3ce2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/bus/fsl-mc/fsl-mc-bus.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.13"
},
{
"lessThan": "4.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.239",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.186",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.295",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.239",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.186",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.142",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.94",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.34",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.3",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "4.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbus: fsl-mc: fix double-free on mc_dev\n\nThe blamed commit tried to simplify how the deallocations are done but,\nin the process, introduced a double-free on the mc_dev variable.\n\nIn case the MC device is a DPRC, a new mc_bus is allocated and the\nmc_dev variable is just a reference to one of its fields. In this\ncircumstance, on the error path only the mc_bus should be freed.\n\nThis commit introduces back the following checkpatch warning which is a\nfalse-positive.\n\nWARNING: kfree(NULL) is safe and this check is probably not required\n+ if (mc_bus)\n+ kfree(mc_bus);"
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T04:18:18.573Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/12e4431e5078847791936820bd39df9e1ee26d2e"
},
{
"url": "https://git.kernel.org/stable/c/3135e03a92f6b5259d0a7f25f728e9e7866ede3f"
},
{
"url": "https://git.kernel.org/stable/c/7002b954c4a8b9965ba0f139812ee4a6f71beac8"
},
{
"url": "https://git.kernel.org/stable/c/b2057374f326303c86d8423415ab58656eebc695"
},
{
"url": "https://git.kernel.org/stable/c/4b23c46eb2d88924b93aca647bde9a4b9cf62cf9"
},
{
"url": "https://git.kernel.org/stable/c/1d5baab39e5b09a76870b345cdee7933871b881f"
},
{
"url": "https://git.kernel.org/stable/c/873d47114fd5e5a1cad2018843671537cc71ac84"
},
{
"url": "https://git.kernel.org/stable/c/d694bf8a9acdbd061596f3e7549bc8cb70750a60"
}
],
"title": "bus: fsl-mc: fix double-free on mc_dev",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38313",
"datePublished": "2025-07-10T07:42:21.314Z",
"dateReserved": "2025-04-16T04:51:24.003Z",
"dateUpdated": "2025-07-28T04:18:18.573Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38444 (GCVE-0-2025-38444)
Vulnerability from cvelistv5
Published
2025-07-25 15:27
Modified
2025-07-28 04:22
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
raid10: cleanup memleak at raid10_make_request
If raid10_read_request or raid10_write_request registers a new
request and the REQ_NOWAIT flag is set, the code does not
free the malloc from the mempool.
unreferenced object 0xffff8884802c3200 (size 192):
comm "fio", pid 9197, jiffies 4298078271
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 88 41 02 00 00 00 00 00 .........A......
08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc c1a049a2):
__kmalloc+0x2bb/0x450
mempool_alloc+0x11b/0x320
raid10_make_request+0x19e/0x650 [raid10]
md_handle_request+0x3b3/0x9e0
__submit_bio+0x394/0x560
__submit_bio_noacct+0x145/0x530
submit_bio_noacct_nocheck+0x682/0x830
__blkdev_direct_IO_async+0x4dc/0x6b0
blkdev_read_iter+0x1e5/0x3b0
__io_read+0x230/0x1110
io_read+0x13/0x30
io_issue_sqe+0x134/0x1180
io_submit_sqes+0x48c/0xe90
__do_sys_io_uring_enter+0x574/0x8b0
do_syscall_64+0x5c/0xe0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
V4: changing backing tree to see if CKI tests will pass.
The patch code has not changed between any versions.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 39db562b3fedb93978a7e42dd216b306740959f8 Version: c9aa889b035fca4598ae985a0f0c76ebbb547ad2 Version: c9aa889b035fca4598ae985a0f0c76ebbb547ad2 Version: c9aa889b035fca4598ae985a0f0c76ebbb547ad2 Version: c9aa889b035fca4598ae985a0f0c76ebbb547ad2 Version: c9aa889b035fca4598ae985a0f0c76ebbb547ad2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/raid10.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "10c6021a609deb95f23f0cc2f89aa9d4bffb14c7",
"status": "affected",
"version": "39db562b3fedb93978a7e42dd216b306740959f8",
"versionType": "git"
},
{
"lessThan": "9af149ca9d0dab6e59e813519d309eff62499864",
"status": "affected",
"version": "c9aa889b035fca4598ae985a0f0c76ebbb547ad2",
"versionType": "git"
},
{
"lessThan": "8fc3d7b23d139e3cbc944c15d99b3cdbed797d2d",
"status": "affected",
"version": "c9aa889b035fca4598ae985a0f0c76ebbb547ad2",
"versionType": "git"
},
{
"lessThan": "2941155d9a5ae098b480d551f3a5f8605d4f9af5",
"status": "affected",
"version": "c9aa889b035fca4598ae985a0f0c76ebbb547ad2",
"versionType": "git"
},
{
"lessThan": "ed7bcd9f617e4107ac0813c516e72e6b8f6029bd",
"status": "affected",
"version": "c9aa889b035fca4598ae985a0f0c76ebbb547ad2",
"versionType": "git"
},
{
"lessThan": "43806c3d5b9bb7d74ba4e33a6a8a41ac988bde24",
"status": "affected",
"version": "c9aa889b035fca4598ae985a0f0c76ebbb547ad2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/raid10.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.146",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.189",
"versionStartIncluding": "5.15.111",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.146",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.99",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.39",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.7",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "5.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nraid10: cleanup memleak at raid10_make_request\n\nIf raid10_read_request or raid10_write_request registers a new\nrequest and the REQ_NOWAIT flag is set, the code does not\nfree the malloc from the mempool.\n\nunreferenced object 0xffff8884802c3200 (size 192):\n comm \"fio\", pid 9197, jiffies 4298078271\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 88 41 02 00 00 00 00 00 .........A......\n 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace (crc c1a049a2):\n __kmalloc+0x2bb/0x450\n mempool_alloc+0x11b/0x320\n raid10_make_request+0x19e/0x650 [raid10]\n md_handle_request+0x3b3/0x9e0\n __submit_bio+0x394/0x560\n __submit_bio_noacct+0x145/0x530\n submit_bio_noacct_nocheck+0x682/0x830\n __blkdev_direct_IO_async+0x4dc/0x6b0\n blkdev_read_iter+0x1e5/0x3b0\n __io_read+0x230/0x1110\n io_read+0x13/0x30\n io_issue_sqe+0x134/0x1180\n io_submit_sqes+0x48c/0xe90\n __do_sys_io_uring_enter+0x574/0x8b0\n do_syscall_64+0x5c/0xe0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nV4: changing backing tree to see if CKI tests will pass.\nThe patch code has not changed between any versions."
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T04:22:27.102Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/10c6021a609deb95f23f0cc2f89aa9d4bffb14c7"
},
{
"url": "https://git.kernel.org/stable/c/9af149ca9d0dab6e59e813519d309eff62499864"
},
{
"url": "https://git.kernel.org/stable/c/8fc3d7b23d139e3cbc944c15d99b3cdbed797d2d"
},
{
"url": "https://git.kernel.org/stable/c/2941155d9a5ae098b480d551f3a5f8605d4f9af5"
},
{
"url": "https://git.kernel.org/stable/c/ed7bcd9f617e4107ac0813c516e72e6b8f6029bd"
},
{
"url": "https://git.kernel.org/stable/c/43806c3d5b9bb7d74ba4e33a6a8a41ac988bde24"
}
],
"title": "raid10: cleanup memleak at raid10_make_request",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38444",
"datePublished": "2025-07-25T15:27:27.336Z",
"dateReserved": "2025-04-16T04:51:24.017Z",
"dateUpdated": "2025-07-28T04:22:27.102Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38465 (GCVE-0-2025-38465)
Vulnerability from cvelistv5
Published
2025-07-25 15:27
Modified
2025-07-28 04:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
netlink: Fix wraparounds of sk->sk_rmem_alloc.
Netlink has this pattern in some places
if (atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf)
atomic_add(skb->truesize, &sk->sk_rmem_alloc);
, which has the same problem fixed by commit 5a465a0da13e ("udp:
Fix multiple wraparounds of sk->sk_rmem_alloc.").
For example, if we set INT_MAX to SO_RCVBUFFORCE, the condition
is always false as the two operands are of int.
Then, a single socket can eat as many skb as possible until OOM
happens, and we can see multiple wraparounds of sk->sk_rmem_alloc.
Let's fix it by using atomic_add_return() and comparing the two
variables as unsigned int.
Before:
[root@fedora ~]# ss -f netlink
Recv-Q Send-Q Local Address:Port Peer Address:Port
-1668710080 0 rtnl:nl_wraparound/293 *
After:
[root@fedora ~]# ss -f netlink
Recv-Q Send-Q Local Address:Port Peer Address:Port
2147483072 0 rtnl:nl_wraparound/290 *
^
`--- INT_MAX - 576
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netlink/af_netlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9da025150b7c14a8390fc06aea314c0a4011e82c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c4ceaac5c5ba0b992ee1dc88e2a02421549e5c98",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "fd69af06101090eaa60b3d216ae715f9c0a58e5b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "76602d8e13864524382b0687dc32cd8f19164d5a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "55baecb9eb90238f60a8350660d6762046ebd3bd",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4b8e18af7bea92f8b7fb92d40aeae729209db250",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "cd7ff61bfffd7000143c42bbffb85eeb792466d6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ae8f160e7eb24240a2a79fc4c815c6a0d4ee16cc",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netlink/af_netlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.296",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.240",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.146",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.296",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.240",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.189",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.146",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.99",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.39",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.7",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetlink: Fix wraparounds of sk-\u003esk_rmem_alloc.\n\nNetlink has this pattern in some places\n\n if (atomic_read(\u0026sk-\u003esk_rmem_alloc) \u003e sk-\u003esk_rcvbuf)\n \tatomic_add(skb-\u003etruesize, \u0026sk-\u003esk_rmem_alloc);\n\n, which has the same problem fixed by commit 5a465a0da13e (\"udp:\nFix multiple wraparounds of sk-\u003esk_rmem_alloc.\").\n\nFor example, if we set INT_MAX to SO_RCVBUFFORCE, the condition\nis always false as the two operands are of int.\n\nThen, a single socket can eat as many skb as possible until OOM\nhappens, and we can see multiple wraparounds of sk-\u003esk_rmem_alloc.\n\nLet\u0027s fix it by using atomic_add_return() and comparing the two\nvariables as unsigned int.\n\nBefore:\n [root@fedora ~]# ss -f netlink\n Recv-Q Send-Q Local Address:Port Peer Address:Port\n -1668710080 0 rtnl:nl_wraparound/293 *\n\nAfter:\n [root@fedora ~]# ss -f netlink\n Recv-Q Send-Q Local Address:Port Peer Address:Port\n 2147483072 0 rtnl:nl_wraparound/290 *\n ^\n `--- INT_MAX - 576"
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T04:23:13.790Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9da025150b7c14a8390fc06aea314c0a4011e82c"
},
{
"url": "https://git.kernel.org/stable/c/c4ceaac5c5ba0b992ee1dc88e2a02421549e5c98"
},
{
"url": "https://git.kernel.org/stable/c/fd69af06101090eaa60b3d216ae715f9c0a58e5b"
},
{
"url": "https://git.kernel.org/stable/c/76602d8e13864524382b0687dc32cd8f19164d5a"
},
{
"url": "https://git.kernel.org/stable/c/55baecb9eb90238f60a8350660d6762046ebd3bd"
},
{
"url": "https://git.kernel.org/stable/c/4b8e18af7bea92f8b7fb92d40aeae729209db250"
},
{
"url": "https://git.kernel.org/stable/c/cd7ff61bfffd7000143c42bbffb85eeb792466d6"
},
{
"url": "https://git.kernel.org/stable/c/ae8f160e7eb24240a2a79fc4c815c6a0d4ee16cc"
}
],
"title": "netlink: Fix wraparounds of sk-\u003esk_rmem_alloc.",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38465",
"datePublished": "2025-07-25T15:27:47.510Z",
"dateReserved": "2025-04-16T04:51:24.020Z",
"dateUpdated": "2025-07-28T04:23:13.790Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49981 (GCVE-0-2022-49981)
Vulnerability from cvelistv5
Published
2025-06-18 11:00
Modified
2025-07-15 15:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
HID: hidraw: fix memory leak in hidraw_release()
Free the buffered reports before deleting the list entry.
BUG: memory leak
unreferenced object 0xffff88810e72f180 (size 32):
comm "softirq", pid 0, jiffies 4294945143 (age 16.080s)
hex dump (first 32 bytes):
64 f3 c6 6a d1 88 07 04 00 00 00 00 00 00 00 00 d..j............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<ffffffff814ac6c3>] kmemdup+0x23/0x50 mm/util.c:128
[<ffffffff8357c1d2>] kmemdup include/linux/fortify-string.h:440 [inline]
[<ffffffff8357c1d2>] hidraw_report_event+0xa2/0x150 drivers/hid/hidraw.c:521
[<ffffffff8356ddad>] hid_report_raw_event+0x27d/0x740 drivers/hid/hid-core.c:1992
[<ffffffff8356e41e>] hid_input_report+0x1ae/0x270 drivers/hid/hid-core.c:2065
[<ffffffff835f0d3f>] hid_irq_in+0x1ff/0x250 drivers/hid/usbhid/hid-core.c:284
[<ffffffff82d3c7f9>] __usb_hcd_giveback_urb+0xf9/0x230 drivers/usb/core/hcd.c:1670
[<ffffffff82d3cc26>] usb_hcd_giveback_urb+0x1b6/0x1d0 drivers/usb/core/hcd.c:1747
[<ffffffff82ef1e14>] dummy_timer+0x8e4/0x14c0 drivers/usb/gadget/udc/dummy_hcd.c:1988
[<ffffffff812f50a8>] call_timer_fn+0x38/0x200 kernel/time/timer.c:1474
[<ffffffff812f5586>] expire_timers kernel/time/timer.c:1519 [inline]
[<ffffffff812f5586>] __run_timers.part.0+0x316/0x430 kernel/time/timer.c:1790
[<ffffffff812f56e4>] __run_timers kernel/time/timer.c:1768 [inline]
[<ffffffff812f56e4>] run_timer_softirq+0x44/0x90 kernel/time/timer.c:1803
[<ffffffff848000e6>] __do_softirq+0xe6/0x2ea kernel/softirq.c:571
[<ffffffff81246db0>] invoke_softirq kernel/softirq.c:445 [inline]
[<ffffffff81246db0>] __irq_exit_rcu kernel/softirq.c:650 [inline]
[<ffffffff81246db0>] irq_exit_rcu+0xc0/0x110 kernel/softirq.c:662
[<ffffffff84574f02>] sysvec_apic_timer_interrupt+0xa2/0xd0 arch/x86/kernel/apic/apic.c:1106
[<ffffffff84600c8b>] asm_sysvec_apic_timer_interrupt+0x1b/0x20 arch/x86/include/asm/idtentry.h:649
[<ffffffff8458a070>] native_safe_halt arch/x86/include/asm/irqflags.h:51 [inline]
[<ffffffff8458a070>] arch_safe_halt arch/x86/include/asm/irqflags.h:89 [inline]
[<ffffffff8458a070>] acpi_safe_halt drivers/acpi/processor_idle.c:111 [inline]
[<ffffffff8458a070>] acpi_idle_do_entry+0xc0/0xd0 drivers/acpi/processor_idle.c:554
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 86166b7bcda0bcb53525114fa1c87ac432be478e Version: 86166b7bcda0bcb53525114fa1c87ac432be478e Version: 86166b7bcda0bcb53525114fa1c87ac432be478e Version: 86166b7bcda0bcb53525114fa1c87ac432be478e Version: 86166b7bcda0bcb53525114fa1c87ac432be478e Version: 86166b7bcda0bcb53525114fa1c87ac432be478e Version: 86166b7bcda0bcb53525114fa1c87ac432be478e Version: 86166b7bcda0bcb53525114fa1c87ac432be478e |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hid/hidraw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1bea0bbf66001b0c7bf239a4d70eaf47824d3feb",
"status": "affected",
"version": "86166b7bcda0bcb53525114fa1c87ac432be478e",
"versionType": "git"
},
{
"lessThan": "c06b013f5cbfeafe0a9cfa5a7128604c34e0e517",
"status": "affected",
"version": "86166b7bcda0bcb53525114fa1c87ac432be478e",
"versionType": "git"
},
{
"lessThan": "f5b7e9611cffec345d62d5bdd8b6e30e89956818",
"status": "affected",
"version": "86166b7bcda0bcb53525114fa1c87ac432be478e",
"versionType": "git"
},
{
"lessThan": "53c7c4d5d40b45c127cb1193bf3e9670f844c3cf",
"status": "affected",
"version": "86166b7bcda0bcb53525114fa1c87ac432be478e",
"versionType": "git"
},
{
"lessThan": "7e2fa79226580b035b00260d9f240ab9bda4af5d",
"status": "affected",
"version": "86166b7bcda0bcb53525114fa1c87ac432be478e",
"versionType": "git"
},
{
"lessThan": "dfd27a737283313a3e626e97b9d9b2d8d6a94188",
"status": "affected",
"version": "86166b7bcda0bcb53525114fa1c87ac432be478e",
"versionType": "git"
},
{
"lessThan": "52a3c62a815161c2dcf38ac421f6c41d8679462b",
"status": "affected",
"version": "86166b7bcda0bcb53525114fa1c87ac432be478e",
"versionType": "git"
},
{
"lessThan": "a5623a203cffe2d2b84d2f6c989d9017db1856af",
"status": "affected",
"version": "86166b7bcda0bcb53525114fa1c87ac432be478e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hid/hidraw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.24"
},
{
"lessThan": "2.6.24",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.327",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.292",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.257",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.212",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.141",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.65",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.327",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.292",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.257",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.212",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.141",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.65",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.7",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0",
"versionStartIncluding": "2.6.24",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: hidraw: fix memory leak in hidraw_release()\n\nFree the buffered reports before deleting the list entry.\n\nBUG: memory leak\nunreferenced object 0xffff88810e72f180 (size 32):\n comm \"softirq\", pid 0, jiffies 4294945143 (age 16.080s)\n hex dump (first 32 bytes):\n 64 f3 c6 6a d1 88 07 04 00 00 00 00 00 00 00 00 d..j............\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace:\n [\u003cffffffff814ac6c3\u003e] kmemdup+0x23/0x50 mm/util.c:128\n [\u003cffffffff8357c1d2\u003e] kmemdup include/linux/fortify-string.h:440 [inline]\n [\u003cffffffff8357c1d2\u003e] hidraw_report_event+0xa2/0x150 drivers/hid/hidraw.c:521\n [\u003cffffffff8356ddad\u003e] hid_report_raw_event+0x27d/0x740 drivers/hid/hid-core.c:1992\n [\u003cffffffff8356e41e\u003e] hid_input_report+0x1ae/0x270 drivers/hid/hid-core.c:2065\n [\u003cffffffff835f0d3f\u003e] hid_irq_in+0x1ff/0x250 drivers/hid/usbhid/hid-core.c:284\n [\u003cffffffff82d3c7f9\u003e] __usb_hcd_giveback_urb+0xf9/0x230 drivers/usb/core/hcd.c:1670\n [\u003cffffffff82d3cc26\u003e] usb_hcd_giveback_urb+0x1b6/0x1d0 drivers/usb/core/hcd.c:1747\n [\u003cffffffff82ef1e14\u003e] dummy_timer+0x8e4/0x14c0 drivers/usb/gadget/udc/dummy_hcd.c:1988\n [\u003cffffffff812f50a8\u003e] call_timer_fn+0x38/0x200 kernel/time/timer.c:1474\n [\u003cffffffff812f5586\u003e] expire_timers kernel/time/timer.c:1519 [inline]\n [\u003cffffffff812f5586\u003e] __run_timers.part.0+0x316/0x430 kernel/time/timer.c:1790\n [\u003cffffffff812f56e4\u003e] __run_timers kernel/time/timer.c:1768 [inline]\n [\u003cffffffff812f56e4\u003e] run_timer_softirq+0x44/0x90 kernel/time/timer.c:1803\n [\u003cffffffff848000e6\u003e] __do_softirq+0xe6/0x2ea kernel/softirq.c:571\n [\u003cffffffff81246db0\u003e] invoke_softirq kernel/softirq.c:445 [inline]\n [\u003cffffffff81246db0\u003e] __irq_exit_rcu kernel/softirq.c:650 [inline]\n [\u003cffffffff81246db0\u003e] irq_exit_rcu+0xc0/0x110 kernel/softirq.c:662\n [\u003cffffffff84574f02\u003e] sysvec_apic_timer_interrupt+0xa2/0xd0 arch/x86/kernel/apic/apic.c:1106\n [\u003cffffffff84600c8b\u003e] asm_sysvec_apic_timer_interrupt+0x1b/0x20 arch/x86/include/asm/idtentry.h:649\n [\u003cffffffff8458a070\u003e] native_safe_halt arch/x86/include/asm/irqflags.h:51 [inline]\n [\u003cffffffff8458a070\u003e] arch_safe_halt arch/x86/include/asm/irqflags.h:89 [inline]\n [\u003cffffffff8458a070\u003e] acpi_safe_halt drivers/acpi/processor_idle.c:111 [inline]\n [\u003cffffffff8458a070\u003e] acpi_idle_do_entry+0xc0/0xd0 drivers/acpi/processor_idle.c:554"
}
],
"providerMetadata": {
"dateUpdated": "2025-07-15T15:43:41.866Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1bea0bbf66001b0c7bf239a4d70eaf47824d3feb"
},
{
"url": "https://git.kernel.org/stable/c/c06b013f5cbfeafe0a9cfa5a7128604c34e0e517"
},
{
"url": "https://git.kernel.org/stable/c/f5b7e9611cffec345d62d5bdd8b6e30e89956818"
},
{
"url": "https://git.kernel.org/stable/c/53c7c4d5d40b45c127cb1193bf3e9670f844c3cf"
},
{
"url": "https://git.kernel.org/stable/c/7e2fa79226580b035b00260d9f240ab9bda4af5d"
},
{
"url": "https://git.kernel.org/stable/c/dfd27a737283313a3e626e97b9d9b2d8d6a94188"
},
{
"url": "https://git.kernel.org/stable/c/52a3c62a815161c2dcf38ac421f6c41d8679462b"
},
{
"url": "https://git.kernel.org/stable/c/a5623a203cffe2d2b84d2f6c989d9017db1856af"
}
],
"title": "HID: hidraw: fix memory leak in hidraw_release()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49981",
"datePublished": "2025-06-18T11:00:43.351Z",
"dateReserved": "2025-06-18T10:57:27.385Z",
"dateUpdated": "2025-07-15T15:43:41.866Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52813 (GCVE-0-2023-52813)
Vulnerability from cvelistv5
Published
2024-05-21 15:31
Modified
2025-07-15 15:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: pcrypt - Fix hungtask for PADATA_RESET
We found a hungtask bug in test_aead_vec_cfg as follows:
INFO: task cryptomgr_test:391009 blocked for more than 120 seconds.
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
Call trace:
__switch_to+0x98/0xe0
__schedule+0x6c4/0xf40
schedule+0xd8/0x1b4
schedule_timeout+0x474/0x560
wait_for_common+0x368/0x4e0
wait_for_completion+0x20/0x30
wait_for_completion+0x20/0x30
test_aead_vec_cfg+0xab4/0xd50
test_aead+0x144/0x1f0
alg_test_aead+0xd8/0x1e0
alg_test+0x634/0x890
cryptomgr_test+0x40/0x70
kthread+0x1e0/0x220
ret_from_fork+0x10/0x18
Kernel panic - not syncing: hung_task: blocked tasks
For padata_do_parallel, when the return err is 0 or -EBUSY, it will call
wait_for_completion(&wait->completion) in test_aead_vec_cfg. In normal
case, aead_request_complete() will be called in pcrypt_aead_serial and the
return err is 0 for padata_do_parallel. But, when pinst->flags is
PADATA_RESET, the return err is -EBUSY for padata_do_parallel, and it
won't call aead_request_complete(). Therefore, test_aead_vec_cfg will
hung at wait_for_completion(&wait->completion), which will cause
hungtask.
The problem comes as following:
(padata_do_parallel) |
rcu_read_lock_bh(); |
err = -EINVAL; | (padata_replace)
| pinst->flags |= PADATA_RESET;
err = -EBUSY |
if (pinst->flags & PADATA_RESET) |
rcu_read_unlock_bh() |
return err
In order to resolve the problem, we replace the return err -EBUSY with
-EAGAIN, which means parallel_data is changing, and the caller should call
it again.
v3:
remove retry and just change the return err.
v2:
introduce padata_try_do_parallel() in pcrypt_aead_encrypt and
pcrypt_aead_decrypt to solve the hungtask.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 16295bec6398a3eedc9377e1af6ff4c71b98c300 Version: 16295bec6398a3eedc9377e1af6ff4c71b98c300 Version: 16295bec6398a3eedc9377e1af6ff4c71b98c300 Version: 16295bec6398a3eedc9377e1af6ff4c71b98c300 Version: 16295bec6398a3eedc9377e1af6ff4c71b98c300 Version: 16295bec6398a3eedc9377e1af6ff4c71b98c300 Version: 16295bec6398a3eedc9377e1af6ff4c71b98c300 Version: 16295bec6398a3eedc9377e1af6ff4c71b98c300 Version: 16295bec6398a3eedc9377e1af6ff4c71b98c300 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-52813",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-23T17:18:51.048604Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:24:13.216Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:11:36.058Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/fb2d3a50a8f29a3c66682bb426144f40e32ab818"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/039fec48e062504f14845124a1a25eb199b2ddc0"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/c9c1334697301c10e6918d747ed38abfbc0c96e7"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/e97bf4ada7dddacd184c3e196bd063b0dc71b41d"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/546c1796ad1ed0d87dab3c4b5156d75819be2316"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/c55fc098fd9d2dca475b82d00ffbcaf97879d77e"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/e134f3aba98e6c801a693f540912c2d493718ddf"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/372636debe852913529b1716f44addd94fff2d28"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/8f4f68e788c3a7a696546291258bfa5fdb215523"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"crypto/pcrypt.c",
"kernel/padata.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fb2d3a50a8f29a3c66682bb426144f40e32ab818",
"status": "affected",
"version": "16295bec6398a3eedc9377e1af6ff4c71b98c300",
"versionType": "git"
},
{
"lessThan": "039fec48e062504f14845124a1a25eb199b2ddc0",
"status": "affected",
"version": "16295bec6398a3eedc9377e1af6ff4c71b98c300",
"versionType": "git"
},
{
"lessThan": "c9c1334697301c10e6918d747ed38abfbc0c96e7",
"status": "affected",
"version": "16295bec6398a3eedc9377e1af6ff4c71b98c300",
"versionType": "git"
},
{
"lessThan": "e97bf4ada7dddacd184c3e196bd063b0dc71b41d",
"status": "affected",
"version": "16295bec6398a3eedc9377e1af6ff4c71b98c300",
"versionType": "git"
},
{
"lessThan": "546c1796ad1ed0d87dab3c4b5156d75819be2316",
"status": "affected",
"version": "16295bec6398a3eedc9377e1af6ff4c71b98c300",
"versionType": "git"
},
{
"lessThan": "c55fc098fd9d2dca475b82d00ffbcaf97879d77e",
"status": "affected",
"version": "16295bec6398a3eedc9377e1af6ff4c71b98c300",
"versionType": "git"
},
{
"lessThan": "e134f3aba98e6c801a693f540912c2d493718ddf",
"status": "affected",
"version": "16295bec6398a3eedc9377e1af6ff4c71b98c300",
"versionType": "git"
},
{
"lessThan": "372636debe852913529b1716f44addd94fff2d28",
"status": "affected",
"version": "16295bec6398a3eedc9377e1af6ff4c71b98c300",
"versionType": "git"
},
{
"lessThan": "8f4f68e788c3a7a696546291258bfa5fdb215523",
"status": "affected",
"version": "16295bec6398a3eedc9377e1af6ff4c71b98c300",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"crypto/pcrypt.c",
"kernel/padata.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.34"
},
{
"lessThan": "2.6.34",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.331",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.262",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.202",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.7",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.331",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.300",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.262",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.202",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.140",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.64",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.13",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.3",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7",
"versionStartIncluding": "2.6.34",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: pcrypt - Fix hungtask for PADATA_RESET\n\nWe found a hungtask bug in test_aead_vec_cfg as follows:\n\nINFO: task cryptomgr_test:391009 blocked for more than 120 seconds.\n\"echo 0 \u003e /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\nCall trace:\n __switch_to+0x98/0xe0\n __schedule+0x6c4/0xf40\n schedule+0xd8/0x1b4\n schedule_timeout+0x474/0x560\n wait_for_common+0x368/0x4e0\n wait_for_completion+0x20/0x30\n wait_for_completion+0x20/0x30\n test_aead_vec_cfg+0xab4/0xd50\n test_aead+0x144/0x1f0\n alg_test_aead+0xd8/0x1e0\n alg_test+0x634/0x890\n cryptomgr_test+0x40/0x70\n kthread+0x1e0/0x220\n ret_from_fork+0x10/0x18\n Kernel panic - not syncing: hung_task: blocked tasks\n\nFor padata_do_parallel, when the return err is 0 or -EBUSY, it will call\nwait_for_completion(\u0026wait-\u003ecompletion) in test_aead_vec_cfg. In normal\ncase, aead_request_complete() will be called in pcrypt_aead_serial and the\nreturn err is 0 for padata_do_parallel. But, when pinst-\u003eflags is\nPADATA_RESET, the return err is -EBUSY for padata_do_parallel, and it\nwon\u0027t call aead_request_complete(). Therefore, test_aead_vec_cfg will\nhung at wait_for_completion(\u0026wait-\u003ecompletion), which will cause\nhungtask.\n\nThe problem comes as following:\n(padata_do_parallel) |\n rcu_read_lock_bh(); |\n err = -EINVAL; | (padata_replace)\n | pinst-\u003eflags |= PADATA_RESET;\n err = -EBUSY |\n if (pinst-\u003eflags \u0026 PADATA_RESET) |\n rcu_read_unlock_bh() |\n return err\n\nIn order to resolve the problem, we replace the return err -EBUSY with\n-EAGAIN, which means parallel_data is changing, and the caller should call\nit again.\n\nv3:\nremove retry and just change the return err.\nv2:\nintroduce padata_try_do_parallel() in pcrypt_aead_encrypt and\npcrypt_aead_decrypt to solve the hungtask."
}
],
"providerMetadata": {
"dateUpdated": "2025-07-15T15:43:50.801Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fb2d3a50a8f29a3c66682bb426144f40e32ab818"
},
{
"url": "https://git.kernel.org/stable/c/039fec48e062504f14845124a1a25eb199b2ddc0"
},
{
"url": "https://git.kernel.org/stable/c/c9c1334697301c10e6918d747ed38abfbc0c96e7"
},
{
"url": "https://git.kernel.org/stable/c/e97bf4ada7dddacd184c3e196bd063b0dc71b41d"
},
{
"url": "https://git.kernel.org/stable/c/546c1796ad1ed0d87dab3c4b5156d75819be2316"
},
{
"url": "https://git.kernel.org/stable/c/c55fc098fd9d2dca475b82d00ffbcaf97879d77e"
},
{
"url": "https://git.kernel.org/stable/c/e134f3aba98e6c801a693f540912c2d493718ddf"
},
{
"url": "https://git.kernel.org/stable/c/372636debe852913529b1716f44addd94fff2d28"
},
{
"url": "https://git.kernel.org/stable/c/8f4f68e788c3a7a696546291258bfa5fdb215523"
}
],
"title": "crypto: pcrypt - Fix hungtask for PADATA_RESET",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52813",
"datePublished": "2024-05-21T15:31:21.604Z",
"dateReserved": "2024-05-21T15:19:24.248Z",
"dateUpdated": "2025-07-15T15:43:50.801Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38541 (GCVE-0-2025-38541)
Vulnerability from cvelistv5
Published
2025-08-16 11:22
Modified
2025-08-16 11:22
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: mt76: mt7925: Fix null-ptr-deref in mt7925_thermal_init()
devm_kasprintf() returns NULL on error. Currently, mt7925_thermal_init()
does not check for this case, which results in a NULL pointer
dereference.
Add NULL check after devm_kasprintf() to prevent this issue.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/mediatek/mt76/mt7925/init.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1bbdf4213711bb6dc365e7628430a63dd3280794",
"status": "affected",
"version": "396e41a74a88654f23e36c46d2995752c91654a5",
"versionType": "git"
},
{
"lessThan": "2e99e9b34ece0b6d3e82cb757e9f60fa414da999",
"status": "affected",
"version": "396e41a74a88654f23e36c46d2995752c91654a5",
"versionType": "git"
},
{
"lessThan": "03ee8f73801a8f46d83dfc2bf73fb9ffa5a21602",
"status": "affected",
"version": "396e41a74a88654f23e36c46d2995752c91654a5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/mediatek/mt76/mt7925/init.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.9"
},
{
"lessThan": "6.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.39",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.7",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "6.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7925: Fix null-ptr-deref in mt7925_thermal_init()\n\ndevm_kasprintf() returns NULL on error. Currently, mt7925_thermal_init()\ndoes not check for this case, which results in a NULL pointer\ndereference.\n\nAdd NULL check after devm_kasprintf() to prevent this issue."
}
],
"providerMetadata": {
"dateUpdated": "2025-08-16T11:22:15.776Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1bbdf4213711bb6dc365e7628430a63dd3280794"
},
{
"url": "https://git.kernel.org/stable/c/2e99e9b34ece0b6d3e82cb757e9f60fa414da999"
},
{
"url": "https://git.kernel.org/stable/c/03ee8f73801a8f46d83dfc2bf73fb9ffa5a21602"
}
],
"title": "wifi: mt76: mt7925: Fix null-ptr-deref in mt7925_thermal_init()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38541",
"datePublished": "2025-08-16T11:22:15.776Z",
"dateReserved": "2025-04-16T04:51:24.024Z",
"dateUpdated": "2025-08-16T11:22:15.776Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38663 (GCVE-0-2025-38663)
Vulnerability from cvelistv5
Published
2025-08-22 16:02
Modified
2025-08-28 14:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
nilfs2: reject invalid file types when reading inodes
To prevent inodes with invalid file types from tripping through the vfs
and causing malfunctions or assertion failures, add a missing sanity check
when reading an inode from a block device. If the file type is not valid,
treat it as a filesystem error.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 05fe58fdc10df9ebea04c0eaed57adc47af5c184 Version: 05fe58fdc10df9ebea04c0eaed57adc47af5c184 Version: 05fe58fdc10df9ebea04c0eaed57adc47af5c184 Version: 05fe58fdc10df9ebea04c0eaed57adc47af5c184 Version: 05fe58fdc10df9ebea04c0eaed57adc47af5c184 Version: 05fe58fdc10df9ebea04c0eaed57adc47af5c184 Version: 05fe58fdc10df9ebea04c0eaed57adc47af5c184 Version: 05fe58fdc10df9ebea04c0eaed57adc47af5c184 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nilfs2/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "dd298c0b889acd3ecaf48b6e840c9ab91882e342",
"status": "affected",
"version": "05fe58fdc10df9ebea04c0eaed57adc47af5c184",
"versionType": "git"
},
{
"lessThan": "2cf0c4130bf340be3935d097a3dcbfefdcf65815",
"status": "affected",
"version": "05fe58fdc10df9ebea04c0eaed57adc47af5c184",
"versionType": "git"
},
{
"lessThan": "98872a934ea6a95985fb6a3655a78a5f0c114e82",
"status": "affected",
"version": "05fe58fdc10df9ebea04c0eaed57adc47af5c184",
"versionType": "git"
},
{
"lessThan": "1a5c204e175a78556b8ef1f7683249fa5197295a",
"status": "affected",
"version": "05fe58fdc10df9ebea04c0eaed57adc47af5c184",
"versionType": "git"
},
{
"lessThan": "bf585ee198bba4ff25b0d80a0891df4656cb0d08",
"status": "affected",
"version": "05fe58fdc10df9ebea04c0eaed57adc47af5c184",
"versionType": "git"
},
{
"lessThan": "79663a15a1c70ca84f86f2dbba07b423fe7d5d4f",
"status": "affected",
"version": "05fe58fdc10df9ebea04c0eaed57adc47af5c184",
"versionType": "git"
},
{
"lessThan": "42cd46b3a8b1497b9258dc7ac445dbd6beb73e2f",
"status": "affected",
"version": "05fe58fdc10df9ebea04c0eaed57adc47af5c184",
"versionType": "git"
},
{
"lessThan": "4aead50caf67e01020c8be1945c3201e8a972a27",
"status": "affected",
"version": "05fe58fdc10df9ebea04c0eaed57adc47af5c184",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nilfs2/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.30"
},
{
"lessThan": "2.6.30",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.148",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.101",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.41",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.148",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.101",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.41",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.9",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "2.6.30",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: reject invalid file types when reading inodes\n\nTo prevent inodes with invalid file types from tripping through the vfs\nand causing malfunctions or assertion failures, add a missing sanity check\nwhen reading an inode from a block device. If the file type is not valid,\ntreat it as a filesystem error."
}
],
"providerMetadata": {
"dateUpdated": "2025-08-28T14:44:30.852Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/dd298c0b889acd3ecaf48b6e840c9ab91882e342"
},
{
"url": "https://git.kernel.org/stable/c/2cf0c4130bf340be3935d097a3dcbfefdcf65815"
},
{
"url": "https://git.kernel.org/stable/c/98872a934ea6a95985fb6a3655a78a5f0c114e82"
},
{
"url": "https://git.kernel.org/stable/c/1a5c204e175a78556b8ef1f7683249fa5197295a"
},
{
"url": "https://git.kernel.org/stable/c/bf585ee198bba4ff25b0d80a0891df4656cb0d08"
},
{
"url": "https://git.kernel.org/stable/c/79663a15a1c70ca84f86f2dbba07b423fe7d5d4f"
},
{
"url": "https://git.kernel.org/stable/c/42cd46b3a8b1497b9258dc7ac445dbd6beb73e2f"
},
{
"url": "https://git.kernel.org/stable/c/4aead50caf67e01020c8be1945c3201e8a972a27"
}
],
"title": "nilfs2: reject invalid file types when reading inodes",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38663",
"datePublished": "2025-08-22T16:02:55.856Z",
"dateReserved": "2025-04-16T04:51:24.031Z",
"dateUpdated": "2025-08-28T14:44:30.852Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49980 (GCVE-0-2022-49980)
Vulnerability from cvelistv5
Published
2025-06-18 11:00
Modified
2025-06-18 11:00
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
USB: gadget: Fix use-after-free Read in usb_udc_uevent()
The syzbot fuzzer found a race between uevent callbacks and gadget
driver unregistration that can cause a use-after-free bug:
---------------------------------------------------------------
BUG: KASAN: use-after-free in usb_udc_uevent+0x11f/0x130
drivers/usb/gadget/udc/core.c:1732
Read of size 8 at addr ffff888078ce2050 by task udevd/2968
CPU: 1 PID: 2968 Comm: udevd Not tainted 5.19.0-rc4-next-20220628-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google
06/29/2022
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:317 [inline]
print_report.cold+0x2ba/0x719 mm/kasan/report.c:433
kasan_report+0xbe/0x1f0 mm/kasan/report.c:495
usb_udc_uevent+0x11f/0x130 drivers/usb/gadget/udc/core.c:1732
dev_uevent+0x290/0x770 drivers/base/core.c:2424
---------------------------------------------------------------
The bug occurs because usb_udc_uevent() dereferences udc->driver but
does so without acquiring the udc_lock mutex, which protects this
field. If the gadget driver is unbound from the udc concurrently with
uevent processing, the driver structure may be accessed after it has
been deallocated.
To prevent the race, we make sure that the routine holds the mutex
around the racing accesses.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/udc/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f44b0b95d50fffeca036e1ba36770390e0b519dd",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2191c00855b03aa59c20e698be713d952d51fc18",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/udc/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: gadget: Fix use-after-free Read in usb_udc_uevent()\n\nThe syzbot fuzzer found a race between uevent callbacks and gadget\ndriver unregistration that can cause a use-after-free bug:\n\n---------------------------------------------------------------\nBUG: KASAN: use-after-free in usb_udc_uevent+0x11f/0x130\ndrivers/usb/gadget/udc/core.c:1732\nRead of size 8 at addr ffff888078ce2050 by task udevd/2968\n\nCPU: 1 PID: 2968 Comm: udevd Not tainted 5.19.0-rc4-next-20220628-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google\n06/29/2022\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:317 [inline]\n print_report.cold+0x2ba/0x719 mm/kasan/report.c:433\n kasan_report+0xbe/0x1f0 mm/kasan/report.c:495\n usb_udc_uevent+0x11f/0x130 drivers/usb/gadget/udc/core.c:1732\n dev_uevent+0x290/0x770 drivers/base/core.c:2424\n---------------------------------------------------------------\n\nThe bug occurs because usb_udc_uevent() dereferences udc-\u003edriver but\ndoes so without acquiring the udc_lock mutex, which protects this\nfield. If the gadget driver is unbound from the udc concurrently with\nuevent processing, the driver structure may be accessed after it has\nbeen deallocated.\n\nTo prevent the race, we make sure that the routine holds the mutex\naround the racing accesses."
}
],
"providerMetadata": {
"dateUpdated": "2025-06-18T11:00:42.433Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f44b0b95d50fffeca036e1ba36770390e0b519dd"
},
{
"url": "https://git.kernel.org/stable/c/2191c00855b03aa59c20e698be713d952d51fc18"
}
],
"title": "USB: gadget: Fix use-after-free Read in usb_udc_uevent()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49980",
"datePublished": "2025-06-18T11:00:42.433Z",
"dateReserved": "2025-06-18T10:57:27.385Z",
"dateUpdated": "2025-06-18T11:00:42.433Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50138 (GCVE-0-2022-50138)
Vulnerability from cvelistv5
Published
2025-06-18 11:03
Modified
2025-06-18 11:03
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/qedr: Fix potential memory leak in __qedr_alloc_mr()
__qedr_alloc_mr() allocates a memory chunk for "mr->info.pbl_table" with
init_mr_info(). When rdma_alloc_tid() and rdma_register_tid() fail, "mr"
is released while "mr->info.pbl_table" is not released, which will lead
to a memory leak.
We should release the "mr->info.pbl_table" with qedr_free_pbl() when error
occurs to fix the memory leak.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/qedr/verbs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "79ce50dddaf28b5c57911ecc80a2be17a0b17f83",
"status": "affected",
"version": "e0290cce6ac02f8e5ec501f25f6f6900f384550c",
"versionType": "git"
},
{
"lessThan": "7e647a8d5fc0a2c8e0f36f585a6388286a25bb15",
"status": "affected",
"version": "e0290cce6ac02f8e5ec501f25f6f6900f384550c",
"versionType": "git"
},
{
"lessThan": "07ba048df306dc93fc4d2ef670b9e24644a2069f",
"status": "affected",
"version": "e0290cce6ac02f8e5ec501f25f6f6900f384550c",
"versionType": "git"
},
{
"lessThan": "b4c9f7db9f0148423557539af0fdf513338efe08",
"status": "affected",
"version": "e0290cce6ac02f8e5ec501f25f6f6900f384550c",
"versionType": "git"
},
{
"lessThan": "b3236a64ddd125a455ef5b5316c1b9051b732974",
"status": "affected",
"version": "e0290cce6ac02f8e5ec501f25f6f6900f384550c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/qedr/verbs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.9"
},
{
"lessThan": "4.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.137",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.137",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.61",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.18",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.2",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0",
"versionStartIncluding": "4.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/qedr: Fix potential memory leak in __qedr_alloc_mr()\n\n__qedr_alloc_mr() allocates a memory chunk for \"mr-\u003einfo.pbl_table\" with\ninit_mr_info(). When rdma_alloc_tid() and rdma_register_tid() fail, \"mr\"\nis released while \"mr-\u003einfo.pbl_table\" is not released, which will lead\nto a memory leak.\n\nWe should release the \"mr-\u003einfo.pbl_table\" with qedr_free_pbl() when error\noccurs to fix the memory leak."
}
],
"providerMetadata": {
"dateUpdated": "2025-06-18T11:03:01.557Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/79ce50dddaf28b5c57911ecc80a2be17a0b17f83"
},
{
"url": "https://git.kernel.org/stable/c/7e647a8d5fc0a2c8e0f36f585a6388286a25bb15"
},
{
"url": "https://git.kernel.org/stable/c/07ba048df306dc93fc4d2ef670b9e24644a2069f"
},
{
"url": "https://git.kernel.org/stable/c/b4c9f7db9f0148423557539af0fdf513338efe08"
},
{
"url": "https://git.kernel.org/stable/c/b3236a64ddd125a455ef5b5316c1b9051b732974"
}
],
"title": "RDMA/qedr: Fix potential memory leak in __qedr_alloc_mr()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50138",
"datePublished": "2025-06-18T11:03:01.557Z",
"dateReserved": "2025-06-18T10:57:27.422Z",
"dateUpdated": "2025-06-18T11:03:01.557Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-53164 (GCVE-0-2024-53164)
Vulnerability from cvelistv5
Published
2024-12-27 13:38
Modified
2025-05-04 09:54
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: sched: fix ordering of qlen adjustment
Changes to sch->q.qlen around qdisc_tree_reduce_backlog() need to happen
_before_ a call to said function because otherwise it may fail to notify
parent qdiscs when the child is about to become empty.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/sch_cake.c",
"net/sched/sch_choke.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "44782565e1e6174c94bddfa72ac7267cd09c1648",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5e473f462a16f1a34e49ea4289a667d2e4f35b52",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "33db36b3c53d0fda2699ea39ba72bee4de8336e8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "489422e2befff88a1de52b2acebe7b333bded025",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "97e13434b5da8e91bdf965352fad2141d13d72d3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e3e54ad9eff8bdaa70f897e5342e34b76109497f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5eb7de8cd58e73851cd37ff8d0666517d9926948",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/sch_cake.c",
"net/sched/sch_choke.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.289",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.233",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.13",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.289",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.233",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.176",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.122",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.68",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sched: fix ordering of qlen adjustment\n\nChanges to sch-\u003eq.qlen around qdisc_tree_reduce_backlog() need to happen\n_before_ a call to said function because otherwise it may fail to notify\nparent qdiscs when the child is about to become empty."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:54:38.982Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/44782565e1e6174c94bddfa72ac7267cd09c1648"
},
{
"url": "https://git.kernel.org/stable/c/5e473f462a16f1a34e49ea4289a667d2e4f35b52"
},
{
"url": "https://git.kernel.org/stable/c/33db36b3c53d0fda2699ea39ba72bee4de8336e8"
},
{
"url": "https://git.kernel.org/stable/c/489422e2befff88a1de52b2acebe7b333bded025"
},
{
"url": "https://git.kernel.org/stable/c/97e13434b5da8e91bdf965352fad2141d13d72d3"
},
{
"url": "https://git.kernel.org/stable/c/e3e54ad9eff8bdaa70f897e5342e34b76109497f"
},
{
"url": "https://git.kernel.org/stable/c/5eb7de8cd58e73851cd37ff8d0666517d9926948"
}
],
"title": "net: sched: fix ordering of qlen adjustment",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-53164",
"datePublished": "2024-12-27T13:38:43.407Z",
"dateReserved": "2024-11-19T17:17:25.004Z",
"dateUpdated": "2025-05-04T09:54:38.982Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-23141 (GCVE-0-2025-23141)
Vulnerability from cvelistv5
Published
2025-05-01 12:55
Modified
2025-05-26 05:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses
Acquire a lock on kvm->srcu when userspace is getting MP state to handle a
rather extreme edge case where "accepting" APIC events, i.e. processing
pending INIT or SIPI, can trigger accesses to guest memory. If the vCPU
is in L2 with INIT *and* a TRIPLE_FAULT request pending, then getting MP
state will trigger a nested VM-Exit by way of ->check_nested_events(), and
emuating the nested VM-Exit can access guest memory.
The splat was originally hit by syzkaller on a Google-internal kernel, and
reproduced on an upstream kernel by hacking the triple_fault_event_test
selftest to stuff a pending INIT, store an MSR on VM-Exit (to generate a
memory access on VMX), and do vcpu_mp_state_get() to trigger the scenario.
=============================
WARNING: suspicious RCU usage
6.14.0-rc3-b112d356288b-vmx/pi_lockdep_false_pos-lock #3 Not tainted
-----------------------------
include/linux/kvm_host.h:1058 suspicious rcu_dereference_check() usage!
other info that might help us debug this:
rcu_scheduler_active = 2, debug_locks = 1
1 lock held by triple_fault_ev/1256:
#0: ffff88810df5a330 (&vcpu->mutex){+.+.}-{4:4}, at: kvm_vcpu_ioctl+0x8b/0x9a0 [kvm]
stack backtrace:
CPU: 11 UID: 1000 PID: 1256 Comm: triple_fault_ev Not tainted 6.14.0-rc3-b112d356288b-vmx #3
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
Call Trace:
<TASK>
dump_stack_lvl+0x7f/0x90
lockdep_rcu_suspicious+0x144/0x190
kvm_vcpu_gfn_to_memslot+0x156/0x180 [kvm]
kvm_vcpu_read_guest+0x3e/0x90 [kvm]
read_and_check_msr_entry+0x2e/0x180 [kvm_intel]
__nested_vmx_vmexit+0x550/0xde0 [kvm_intel]
kvm_check_nested_events+0x1b/0x30 [kvm]
kvm_apic_accept_events+0x33/0x100 [kvm]
kvm_arch_vcpu_ioctl_get_mpstate+0x30/0x1d0 [kvm]
kvm_vcpu_ioctl+0x33e/0x9a0 [kvm]
__x64_sys_ioctl+0x8b/0xb0
do_syscall_64+0x6c/0x170
entry_SYSCALL_64_after_hwframe+0x4b/0x53
</TASK>
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/x86.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0357c8406dfa09430dd9858ebe813feb65524b6e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8a3df0aa1087a89f5ce55f4aba816bfcb1ecf1be",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7bc5c360375d28ba5ef6298b0d53e735c81d66a1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f5cbe725b7477b4cd677be1b86b4e08f90572997",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "592e040572f216d916f465047c8ce4a308fcca44",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ef01cac401f18647d62720cf773d7bb0541827da",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/x86.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.135",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.88",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.135",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.88",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses\n\nAcquire a lock on kvm-\u003esrcu when userspace is getting MP state to handle a\nrather extreme edge case where \"accepting\" APIC events, i.e. processing\npending INIT or SIPI, can trigger accesses to guest memory. If the vCPU\nis in L2 with INIT *and* a TRIPLE_FAULT request pending, then getting MP\nstate will trigger a nested VM-Exit by way of -\u003echeck_nested_events(), and\nemuating the nested VM-Exit can access guest memory.\n\nThe splat was originally hit by syzkaller on a Google-internal kernel, and\nreproduced on an upstream kernel by hacking the triple_fault_event_test\nselftest to stuff a pending INIT, store an MSR on VM-Exit (to generate a\nmemory access on VMX), and do vcpu_mp_state_get() to trigger the scenario.\n\n =============================\n WARNING: suspicious RCU usage\n 6.14.0-rc3-b112d356288b-vmx/pi_lockdep_false_pos-lock #3 Not tainted\n -----------------------------\n include/linux/kvm_host.h:1058 suspicious rcu_dereference_check() usage!\n\n other info that might help us debug this:\n\n rcu_scheduler_active = 2, debug_locks = 1\n 1 lock held by triple_fault_ev/1256:\n #0: ffff88810df5a330 (\u0026vcpu-\u003emutex){+.+.}-{4:4}, at: kvm_vcpu_ioctl+0x8b/0x9a0 [kvm]\n\n stack backtrace:\n CPU: 11 UID: 1000 PID: 1256 Comm: triple_fault_ev Not tainted 6.14.0-rc3-b112d356288b-vmx #3\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x7f/0x90\n lockdep_rcu_suspicious+0x144/0x190\n kvm_vcpu_gfn_to_memslot+0x156/0x180 [kvm]\n kvm_vcpu_read_guest+0x3e/0x90 [kvm]\n read_and_check_msr_entry+0x2e/0x180 [kvm_intel]\n __nested_vmx_vmexit+0x550/0xde0 [kvm_intel]\n kvm_check_nested_events+0x1b/0x30 [kvm]\n kvm_apic_accept_events+0x33/0x100 [kvm]\n kvm_arch_vcpu_ioctl_get_mpstate+0x30/0x1d0 [kvm]\n kvm_vcpu_ioctl+0x33e/0x9a0 [kvm]\n __x64_sys_ioctl+0x8b/0xb0\n do_syscall_64+0x6c/0x170\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n \u003c/TASK\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-26T05:19:20.200Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0357c8406dfa09430dd9858ebe813feb65524b6e"
},
{
"url": "https://git.kernel.org/stable/c/8a3df0aa1087a89f5ce55f4aba816bfcb1ecf1be"
},
{
"url": "https://git.kernel.org/stable/c/7bc5c360375d28ba5ef6298b0d53e735c81d66a1"
},
{
"url": "https://git.kernel.org/stable/c/f5cbe725b7477b4cd677be1b86b4e08f90572997"
},
{
"url": "https://git.kernel.org/stable/c/592e040572f216d916f465047c8ce4a308fcca44"
},
{
"url": "https://git.kernel.org/stable/c/ef01cac401f18647d62720cf773d7bb0541827da"
}
],
"title": "KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-23141",
"datePublished": "2025-05-01T12:55:31.525Z",
"dateReserved": "2025-01-11T14:28:41.512Z",
"dateUpdated": "2025-05-26T05:19:20.200Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38201 (GCVE-0-2025-38201)
Vulnerability from cvelistv5
Published
2025-07-04 13:37
Modified
2025-07-28 04:14
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nft_set_pipapo: clamp maximum map bucket size to INT_MAX
Otherwise, it is possible to hit WARN_ON_ONCE in __kvmalloc_node_noprof()
when resizing hashtable because __GFP_NOWARN is unset.
Similar to:
b541ba7d1f5a ("netfilter: conntrack: clamp maximum hashtable size to INT_MAX")
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nft_set_pipapo.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0ab3de047808f375a36cd345225572eb3366f3c6",
"status": "affected",
"version": "3c4287f62044a90e73a561aa05fc46e62da173da",
"versionType": "git"
},
{
"lessThan": "d2768016f091f8a5264076b433fd7c3fabb6eb97",
"status": "affected",
"version": "3c4287f62044a90e73a561aa05fc46e62da173da",
"versionType": "git"
},
{
"lessThan": "b85e3367a5716ed3662a4fe266525190d2af76df",
"status": "affected",
"version": "3c4287f62044a90e73a561aa05fc46e62da173da",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nft_set_pipapo.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.35",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.35",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.4",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_set_pipapo: clamp maximum map bucket size to INT_MAX\n\nOtherwise, it is possible to hit WARN_ON_ONCE in __kvmalloc_node_noprof()\nwhen resizing hashtable because __GFP_NOWARN is unset.\n\nSimilar to:\n\n b541ba7d1f5a (\"netfilter: conntrack: clamp maximum hashtable size to INT_MAX\")"
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T04:14:56.757Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0ab3de047808f375a36cd345225572eb3366f3c6"
},
{
"url": "https://git.kernel.org/stable/c/d2768016f091f8a5264076b433fd7c3fabb6eb97"
},
{
"url": "https://git.kernel.org/stable/c/b85e3367a5716ed3662a4fe266525190d2af76df"
}
],
"title": "netfilter: nft_set_pipapo: clamp maximum map bucket size to INT_MAX",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38201",
"datePublished": "2025-07-04T13:37:22.732Z",
"dateReserved": "2025-04-16T04:51:23.993Z",
"dateUpdated": "2025-07-28T04:14:56.757Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38671 (GCVE-0-2025-38671)
Vulnerability from cvelistv5
Published
2025-08-22 16:03
Modified
2025-08-28 14:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
i2c: qup: jump out of the loop in case of timeout
Original logic only sets the return value but doesn't jump out of the
loop if the bus is kept active by a client. This is not expected. A
malicious or buggy i2c client can hang the kernel in this case and
should be avoided. This is observed during a long time test with a
PCA953x GPIO extender.
Fix it by changing the logic to not only sets the return value, but also
jumps out of the loop and return to the caller with -ETIMEDOUT.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: fbfab1ab065879370541caf0e514987368eb41b2 Version: fbfab1ab065879370541caf0e514987368eb41b2 Version: fbfab1ab065879370541caf0e514987368eb41b2 Version: fbfab1ab065879370541caf0e514987368eb41b2 Version: fbfab1ab065879370541caf0e514987368eb41b2 Version: fbfab1ab065879370541caf0e514987368eb41b2 Version: fbfab1ab065879370541caf0e514987368eb41b2 Version: fbfab1ab065879370541caf0e514987368eb41b2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/i2c/busses/i2c-qup.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cbec4406998185e0311ae97dfacc649f9cd79b0b",
"status": "affected",
"version": "fbfab1ab065879370541caf0e514987368eb41b2",
"versionType": "git"
},
{
"lessThan": "acfa2948be630ad857535cb36153697f3cbf9ca9",
"status": "affected",
"version": "fbfab1ab065879370541caf0e514987368eb41b2",
"versionType": "git"
},
{
"lessThan": "d05ec13aa3eb868a60dc961b489053a643863ddc",
"status": "affected",
"version": "fbfab1ab065879370541caf0e514987368eb41b2",
"versionType": "git"
},
{
"lessThan": "c523bfba46c4b4d7676fb050909533a766698ecd",
"status": "affected",
"version": "fbfab1ab065879370541caf0e514987368eb41b2",
"versionType": "git"
},
{
"lessThan": "0d33913fce67a93c1eb83396c3c9d6b411dcab33",
"status": "affected",
"version": "fbfab1ab065879370541caf0e514987368eb41b2",
"versionType": "git"
},
{
"lessThan": "42c4471b30fa203249f476dd42321cd7efb7f6a8",
"status": "affected",
"version": "fbfab1ab065879370541caf0e514987368eb41b2",
"versionType": "git"
},
{
"lessThan": "89459f168b78e5c801dc8b7ad037b62898bc4f57",
"status": "affected",
"version": "fbfab1ab065879370541caf0e514987368eb41b2",
"versionType": "git"
},
{
"lessThan": "a7982a14b3012527a9583d12525cd0dc9f8d8934",
"status": "affected",
"version": "fbfab1ab065879370541caf0e514987368eb41b2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/i2c/busses/i2c-qup.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.148",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.101",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.41",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.148",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.101",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.41",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.9",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: qup: jump out of the loop in case of timeout\n\nOriginal logic only sets the return value but doesn\u0027t jump out of the\nloop if the bus is kept active by a client. This is not expected. A\nmalicious or buggy i2c client can hang the kernel in this case and\nshould be avoided. This is observed during a long time test with a\nPCA953x GPIO extender.\n\nFix it by changing the logic to not only sets the return value, but also\njumps out of the loop and return to the caller with -ETIMEDOUT."
}
],
"providerMetadata": {
"dateUpdated": "2025-08-28T14:44:37.404Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cbec4406998185e0311ae97dfacc649f9cd79b0b"
},
{
"url": "https://git.kernel.org/stable/c/acfa2948be630ad857535cb36153697f3cbf9ca9"
},
{
"url": "https://git.kernel.org/stable/c/d05ec13aa3eb868a60dc961b489053a643863ddc"
},
{
"url": "https://git.kernel.org/stable/c/c523bfba46c4b4d7676fb050909533a766698ecd"
},
{
"url": "https://git.kernel.org/stable/c/0d33913fce67a93c1eb83396c3c9d6b411dcab33"
},
{
"url": "https://git.kernel.org/stable/c/42c4471b30fa203249f476dd42321cd7efb7f6a8"
},
{
"url": "https://git.kernel.org/stable/c/89459f168b78e5c801dc8b7ad037b62898bc4f57"
},
{
"url": "https://git.kernel.org/stable/c/a7982a14b3012527a9583d12525cd0dc9f8d8934"
}
],
"title": "i2c: qup: jump out of the loop in case of timeout",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38671",
"datePublished": "2025-08-22T16:03:02.151Z",
"dateReserved": "2025-04-16T04:51:24.031Z",
"dateUpdated": "2025-08-28T14:44:37.404Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-26661 (GCVE-0-2024-26661)
Vulnerability from cvelistv5
Published
2024-04-02 06:22
Modified
2025-05-04 08:53
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Add NULL test for 'timing generator' in 'dcn21_set_pipe()'
In "u32 otg_inst = pipe_ctx->stream_res.tg->inst;"
pipe_ctx->stream_res.tg could be NULL, it is relying on the caller to
ensure the tg is not NULL.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-26661",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-02T17:47:14.668657Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-07T19:20:51.968Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:14:12.654Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/3f3c237a706580326d3b7a1b97697e5031ca4667"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/39f24c08363af1cd945abad84e3c87fd3e3c845a"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/66951d98d9bf45ba25acf37fe0747253fafdf298"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/dc/hwss/dcn21/dcn21_hwseq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3f3c237a706580326d3b7a1b97697e5031ca4667",
"status": "affected",
"version": "474ac4a875ca6fea3fc5183d3ad22ef7523dca53",
"versionType": "git"
},
{
"lessThan": "39f24c08363af1cd945abad84e3c87fd3e3c845a",
"status": "affected",
"version": "474ac4a875ca6fea3fc5183d3ad22ef7523dca53",
"versionType": "git"
},
{
"lessThan": "66951d98d9bf45ba25acf37fe0747253fafdf298",
"status": "affected",
"version": "474ac4a875ca6fea3fc5183d3ad22ef7523dca53",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/dc/hwss/dcn21/dcn21_hwseq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.7.*",
"status": "unaffected",
"version": "6.7.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.8",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.17",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7.5",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8",
"versionStartIncluding": "5.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add NULL test for \u0027timing generator\u0027 in \u0027dcn21_set_pipe()\u0027\n\nIn \"u32 otg_inst = pipe_ctx-\u003estream_res.tg-\u003einst;\"\npipe_ctx-\u003estream_res.tg could be NULL, it is relying on the caller to\nensure the tg is not NULL."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:53:21.527Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3f3c237a706580326d3b7a1b97697e5031ca4667"
},
{
"url": "https://git.kernel.org/stable/c/39f24c08363af1cd945abad84e3c87fd3e3c845a"
},
{
"url": "https://git.kernel.org/stable/c/66951d98d9bf45ba25acf37fe0747253fafdf298"
}
],
"title": "drm/amd/display: Add NULL test for \u0027timing generator\u0027 in \u0027dcn21_set_pipe()\u0027",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-26661",
"datePublished": "2024-04-02T06:22:10.989Z",
"dateReserved": "2024-02-19T14:20:24.148Z",
"dateUpdated": "2025-05-04T08:53:21.527Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38441 (GCVE-0-2025-38441)
Vulnerability from cvelistv5
Published
2025-07-25 15:27
Modified
2025-07-28 04:22
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: flowtable: account for Ethernet header in nf_flow_pppoe_proto()
syzbot found a potential access to uninit-value in nf_flow_pppoe_proto()
Blamed commit forgot the Ethernet header.
BUG: KMSAN: uninit-value in nf_flow_offload_inet_hook+0x7e4/0x940 net/netfilter/nf_flow_table_inet.c:27
nf_flow_offload_inet_hook+0x7e4/0x940 net/netfilter/nf_flow_table_inet.c:27
nf_hook_entry_hookfn include/linux/netfilter.h:157 [inline]
nf_hook_slow+0xe1/0x3d0 net/netfilter/core.c:623
nf_hook_ingress include/linux/netfilter_netdev.h:34 [inline]
nf_ingress net/core/dev.c:5742 [inline]
__netif_receive_skb_core+0x4aff/0x70c0 net/core/dev.c:5837
__netif_receive_skb_one_core net/core/dev.c:5975 [inline]
__netif_receive_skb+0xcc/0xac0 net/core/dev.c:6090
netif_receive_skb_internal net/core/dev.c:6176 [inline]
netif_receive_skb+0x57/0x630 net/core/dev.c:6235
tun_rx_batched+0x1df/0x980 drivers/net/tun.c:1485
tun_get_user+0x4ee0/0x6b40 drivers/net/tun.c:1938
tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1984
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0xb4b/0x1580 fs/read_write.c:686
ksys_write fs/read_write.c:738 [inline]
__do_sys_write fs/read_write.c:749 [inline]
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: d06977b9a4109f8738bb276125eb6a0b772bc433 Version: 8bf7c76a2a207ca2b4cfda0a279192adf27678d7 Version: a2471d271042ea18e8a6babc132a8716bb2f08b9 Version: 87b3593bed1868b2d9fe096c01bcdf0ea86cbebf Version: 87b3593bed1868b2d9fe096c01bcdf0ea86cbebf Version: 87b3593bed1868b2d9fe096c01bcdf0ea86cbebf Version: cf366ee3bc1b7d1c76a882640ba3b3f8f1039163 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/netfilter/nf_flow_table.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a3aea97d55964e70a1e6426aa4cafdc036e8a2dd",
"status": "affected",
"version": "d06977b9a4109f8738bb276125eb6a0b772bc433",
"versionType": "git"
},
{
"lessThan": "eed8960b289327235185b7c32649c3470a3e969b",
"status": "affected",
"version": "8bf7c76a2a207ca2b4cfda0a279192adf27678d7",
"versionType": "git"
},
{
"lessThan": "9fbc49429a23b02595ba82536c5ea425fdabb221",
"status": "affected",
"version": "a2471d271042ea18e8a6babc132a8716bb2f08b9",
"versionType": "git"
},
{
"lessThan": "e0dd2e9729660f3f4fcb16e0aef87342911528ef",
"status": "affected",
"version": "87b3593bed1868b2d9fe096c01bcdf0ea86cbebf",
"versionType": "git"
},
{
"lessThan": "cfbf0665969af2c69d10c377d4c3d306e717efb4",
"status": "affected",
"version": "87b3593bed1868b2d9fe096c01bcdf0ea86cbebf",
"versionType": "git"
},
{
"lessThan": "18cdb3d982da8976b28d57691eb256ec5688fad2",
"status": "affected",
"version": "87b3593bed1868b2d9fe096c01bcdf0ea86cbebf",
"versionType": "git"
},
{
"status": "affected",
"version": "cf366ee3bc1b7d1c76a882640ba3b3f8f1039163",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/netfilter/nf_flow_table.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.9"
},
{
"lessThan": "6.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.146",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.189",
"versionStartIncluding": "5.15.157",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.146",
"versionStartIncluding": "6.1.88",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.99",
"versionStartIncluding": "6.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.39",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.7",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.8.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: flowtable: account for Ethernet header in nf_flow_pppoe_proto()\n\nsyzbot found a potential access to uninit-value in nf_flow_pppoe_proto()\n\nBlamed commit forgot the Ethernet header.\n\nBUG: KMSAN: uninit-value in nf_flow_offload_inet_hook+0x7e4/0x940 net/netfilter/nf_flow_table_inet.c:27\n nf_flow_offload_inet_hook+0x7e4/0x940 net/netfilter/nf_flow_table_inet.c:27\n nf_hook_entry_hookfn include/linux/netfilter.h:157 [inline]\n nf_hook_slow+0xe1/0x3d0 net/netfilter/core.c:623\n nf_hook_ingress include/linux/netfilter_netdev.h:34 [inline]\n nf_ingress net/core/dev.c:5742 [inline]\n __netif_receive_skb_core+0x4aff/0x70c0 net/core/dev.c:5837\n __netif_receive_skb_one_core net/core/dev.c:5975 [inline]\n __netif_receive_skb+0xcc/0xac0 net/core/dev.c:6090\n netif_receive_skb_internal net/core/dev.c:6176 [inline]\n netif_receive_skb+0x57/0x630 net/core/dev.c:6235\n tun_rx_batched+0x1df/0x980 drivers/net/tun.c:1485\n tun_get_user+0x4ee0/0x6b40 drivers/net/tun.c:1938\n tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1984\n new_sync_write fs/read_write.c:593 [inline]\n vfs_write+0xb4b/0x1580 fs/read_write.c:686\n ksys_write fs/read_write.c:738 [inline]\n __do_sys_write fs/read_write.c:749 [inline]"
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T04:22:22.394Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a3aea97d55964e70a1e6426aa4cafdc036e8a2dd"
},
{
"url": "https://git.kernel.org/stable/c/eed8960b289327235185b7c32649c3470a3e969b"
},
{
"url": "https://git.kernel.org/stable/c/9fbc49429a23b02595ba82536c5ea425fdabb221"
},
{
"url": "https://git.kernel.org/stable/c/e0dd2e9729660f3f4fcb16e0aef87342911528ef"
},
{
"url": "https://git.kernel.org/stable/c/cfbf0665969af2c69d10c377d4c3d306e717efb4"
},
{
"url": "https://git.kernel.org/stable/c/18cdb3d982da8976b28d57691eb256ec5688fad2"
}
],
"title": "netfilter: flowtable: account for Ethernet header in nf_flow_pppoe_proto()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38441",
"datePublished": "2025-07-25T15:27:20.276Z",
"dateReserved": "2025-04-16T04:51:24.016Z",
"dateUpdated": "2025-07-28T04:22:22.394Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38568 (GCVE-0-2025-38568)
Vulnerability from cvelistv5
Published
2025-08-19 17:02
Modified
2025-09-29 05:53
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: mqprio: fix stack out-of-bounds write in tc entry parsing
TCA_MQPRIO_TC_ENTRY_INDEX is validated using
NLA_POLICY_MAX(NLA_U32, TC_QOPT_MAX_QUEUE), which allows the value
TC_QOPT_MAX_QUEUE (16). This leads to a 4-byte out-of-bounds stack
write in the fp[] array, which only has room for 16 elements (0–15).
Fix this by changing the policy to allow only up to TC_QOPT_MAX_QUEUE - 1.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/sch_mqprio.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "39491e859fd494d0b51adc5c7d54c8a7dcf1d198",
"status": "affected",
"version": "f62af20bed2d9e824f51cfc97ff01bc261f40e58",
"versionType": "git"
},
{
"lessThan": "d00e4125680f7074c4f42ce3c297336f23128e70",
"status": "affected",
"version": "f62af20bed2d9e824f51cfc97ff01bc261f40e58",
"versionType": "git"
},
{
"lessThan": "66fc2ebdd9d5dd6e5a9c7edeace5a61a0ab2cd86",
"status": "affected",
"version": "f62af20bed2d9e824f51cfc97ff01bc261f40e58",
"versionType": "git"
},
{
"lessThan": "f1a9dbcb7d17bf0abb325cdc984957cfabc59693",
"status": "affected",
"version": "f62af20bed2d9e824f51cfc97ff01bc261f40e58",
"versionType": "git"
},
{
"lessThan": "ffd2dc4c6c49ff4f1e5d34e454a6a55608104c17",
"status": "affected",
"version": "f62af20bed2d9e824f51cfc97ff01bc261f40e58",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/sch_mqprio.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.102",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.102",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.42",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.10",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: mqprio: fix stack out-of-bounds write in tc entry parsing\n\nTCA_MQPRIO_TC_ENTRY_INDEX is validated using\nNLA_POLICY_MAX(NLA_U32, TC_QOPT_MAX_QUEUE), which allows the value\nTC_QOPT_MAX_QUEUE (16). This leads to a 4-byte out-of-bounds stack\nwrite in the fp[] array, which only has room for 16 elements (0\u201315).\n\nFix this by changing the policy to allow only up to TC_QOPT_MAX_QUEUE - 1."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:53:57.182Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/39491e859fd494d0b51adc5c7d54c8a7dcf1d198"
},
{
"url": "https://git.kernel.org/stable/c/d00e4125680f7074c4f42ce3c297336f23128e70"
},
{
"url": "https://git.kernel.org/stable/c/66fc2ebdd9d5dd6e5a9c7edeace5a61a0ab2cd86"
},
{
"url": "https://git.kernel.org/stable/c/f1a9dbcb7d17bf0abb325cdc984957cfabc59693"
},
{
"url": "https://git.kernel.org/stable/c/ffd2dc4c6c49ff4f1e5d34e454a6a55608104c17"
}
],
"title": "net/sched: mqprio: fix stack out-of-bounds write in tc entry parsing",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38568",
"datePublished": "2025-08-19T17:02:49.278Z",
"dateReserved": "2025-04-16T04:51:24.025Z",
"dateUpdated": "2025-09-29T05:53:57.182Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49967 (GCVE-0-2022-49967)
Vulnerability from cvelistv5
Published
2025-06-18 11:00
Modified
2025-06-18 11:00
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix a data-race around bpf_jit_limit.
While reading bpf_jit_limit, it can be changed concurrently via sysctl,
WRITE_ONCE() in __do_proc_doulongvec_minmax(). The size of bpf_jit_limit
is long, so we need to add a paired READ_ONCE() to avoid load-tearing.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/bpf/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ba632ad0bacb13197a8f38e7526448974e87f292",
"status": "affected",
"version": "ede95a63b5e84ddeea6b0c473b36ab8bfd8c6ce3",
"versionType": "git"
},
{
"lessThan": "0947ae1121083d363d522ff7518ee72b55bd8d29",
"status": "affected",
"version": "ede95a63b5e84ddeea6b0c473b36ab8bfd8c6ce3",
"versionType": "git"
},
{
"status": "affected",
"version": "c98446e1bab6253ddce7144cc2a91c400a323839",
"versionType": "git"
},
{
"status": "affected",
"version": "a1fe647042affe713a17243cd10e9b25f3d83948",
"versionType": "git"
},
{
"status": "affected",
"version": "43caa29c99db5a41b204e8ced01b00e151335ca8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/bpf/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.20"
},
{
"lessThan": "4.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.8",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.190",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.140",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.47",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix a data-race around bpf_jit_limit.\n\nWhile reading bpf_jit_limit, it can be changed concurrently via sysctl,\nWRITE_ONCE() in __do_proc_doulongvec_minmax(). The size of bpf_jit_limit\nis long, so we need to add a paired READ_ONCE() to avoid load-tearing."
}
],
"providerMetadata": {
"dateUpdated": "2025-06-18T11:00:31.782Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ba632ad0bacb13197a8f38e7526448974e87f292"
},
{
"url": "https://git.kernel.org/stable/c/0947ae1121083d363d522ff7518ee72b55bd8d29"
}
],
"title": "bpf: Fix a data-race around bpf_jit_limit.",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49967",
"datePublished": "2025-06-18T11:00:31.782Z",
"dateReserved": "2025-06-18T10:57:27.384Z",
"dateUpdated": "2025-06-18T11:00:31.782Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38449 (GCVE-0-2025-38449)
Vulnerability from cvelistv5
Published
2025-07-25 15:27
Modified
2025-07-28 04:22
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/gem: Acquire references on GEM handles for framebuffers
A GEM handle can be released while the GEM buffer object is attached
to a DRM framebuffer. This leads to the release of the dma-buf backing
the buffer object, if any. [1] Trying to use the framebuffer in further
mode-setting operations leads to a segmentation fault. Most easily
happens with driver that use shadow planes for vmap-ing the dma-buf
during a page flip. An example is shown below.
[ 156.791968] ------------[ cut here ]------------
[ 156.796830] WARNING: CPU: 2 PID: 2255 at drivers/dma-buf/dma-buf.c:1527 dma_buf_vmap+0x224/0x430
[...]
[ 156.942028] RIP: 0010:dma_buf_vmap+0x224/0x430
[ 157.043420] Call Trace:
[ 157.045898] <TASK>
[ 157.048030] ? show_trace_log_lvl+0x1af/0x2c0
[ 157.052436] ? show_trace_log_lvl+0x1af/0x2c0
[ 157.056836] ? show_trace_log_lvl+0x1af/0x2c0
[ 157.061253] ? drm_gem_shmem_vmap+0x74/0x710
[ 157.065567] ? dma_buf_vmap+0x224/0x430
[ 157.069446] ? __warn.cold+0x58/0xe4
[ 157.073061] ? dma_buf_vmap+0x224/0x430
[ 157.077111] ? report_bug+0x1dd/0x390
[ 157.080842] ? handle_bug+0x5e/0xa0
[ 157.084389] ? exc_invalid_op+0x14/0x50
[ 157.088291] ? asm_exc_invalid_op+0x16/0x20
[ 157.092548] ? dma_buf_vmap+0x224/0x430
[ 157.096663] ? dma_resv_get_singleton+0x6d/0x230
[ 157.101341] ? __pfx_dma_buf_vmap+0x10/0x10
[ 157.105588] ? __pfx_dma_resv_get_singleton+0x10/0x10
[ 157.110697] drm_gem_shmem_vmap+0x74/0x710
[ 157.114866] drm_gem_vmap+0xa9/0x1b0
[ 157.118763] drm_gem_vmap_unlocked+0x46/0xa0
[ 157.123086] drm_gem_fb_vmap+0xab/0x300
[ 157.126979] drm_atomic_helper_prepare_planes.part.0+0x487/0xb10
[ 157.133032] ? lockdep_init_map_type+0x19d/0x880
[ 157.137701] drm_atomic_helper_commit+0x13d/0x2e0
[ 157.142671] ? drm_atomic_nonblocking_commit+0xa0/0x180
[ 157.147988] drm_mode_atomic_ioctl+0x766/0xe40
[...]
[ 157.346424] ---[ end trace 0000000000000000 ]---
Acquiring GEM handles for the framebuffer's GEM buffer objects prevents
this from happening. The framebuffer's cleanup later puts the handle
references.
Commit 1a148af06000 ("drm/gem-shmem: Use dma_buf from GEM object
instance") triggers the segmentation fault easily by using the dma-buf
field more widely. The underlying issue with reference counting has
been present before.
v2:
- acquire the handle instead of the BO (Christian)
- fix comment style (Christian)
- drop the Fixes tag (Christian)
- rename err_ gotos
- add missing Link tag
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/drm_gem.c",
"drivers/gpu/drm/drm_gem_framebuffer_helper.c",
"drivers/gpu/drm/drm_internal.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cb4c956a15f8b7f870649454771fc3761f504b5f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "08480e285c6a82ce689008d643e4a51db0aaef8b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3cf520d9860d4ec9f7f32068825da31f18dd3f25",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5307dce878d4126e1b375587318955bd019c3741",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/drm_gem.c",
"drivers/gpu/drm/drm_gem_framebuffer_helper.c",
"drivers/gpu/drm/drm_internal.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.99",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/gem: Acquire references on GEM handles for framebuffers\n\nA GEM handle can be released while the GEM buffer object is attached\nto a DRM framebuffer. This leads to the release of the dma-buf backing\nthe buffer object, if any. [1] Trying to use the framebuffer in further\nmode-setting operations leads to a segmentation fault. Most easily\nhappens with driver that use shadow planes for vmap-ing the dma-buf\nduring a page flip. An example is shown below.\n\n[ 156.791968] ------------[ cut here ]------------\n[ 156.796830] WARNING: CPU: 2 PID: 2255 at drivers/dma-buf/dma-buf.c:1527 dma_buf_vmap+0x224/0x430\n[...]\n[ 156.942028] RIP: 0010:dma_buf_vmap+0x224/0x430\n[ 157.043420] Call Trace:\n[ 157.045898] \u003cTASK\u003e\n[ 157.048030] ? show_trace_log_lvl+0x1af/0x2c0\n[ 157.052436] ? show_trace_log_lvl+0x1af/0x2c0\n[ 157.056836] ? show_trace_log_lvl+0x1af/0x2c0\n[ 157.061253] ? drm_gem_shmem_vmap+0x74/0x710\n[ 157.065567] ? dma_buf_vmap+0x224/0x430\n[ 157.069446] ? __warn.cold+0x58/0xe4\n[ 157.073061] ? dma_buf_vmap+0x224/0x430\n[ 157.077111] ? report_bug+0x1dd/0x390\n[ 157.080842] ? handle_bug+0x5e/0xa0\n[ 157.084389] ? exc_invalid_op+0x14/0x50\n[ 157.088291] ? asm_exc_invalid_op+0x16/0x20\n[ 157.092548] ? dma_buf_vmap+0x224/0x430\n[ 157.096663] ? dma_resv_get_singleton+0x6d/0x230\n[ 157.101341] ? __pfx_dma_buf_vmap+0x10/0x10\n[ 157.105588] ? __pfx_dma_resv_get_singleton+0x10/0x10\n[ 157.110697] drm_gem_shmem_vmap+0x74/0x710\n[ 157.114866] drm_gem_vmap+0xa9/0x1b0\n[ 157.118763] drm_gem_vmap_unlocked+0x46/0xa0\n[ 157.123086] drm_gem_fb_vmap+0xab/0x300\n[ 157.126979] drm_atomic_helper_prepare_planes.part.0+0x487/0xb10\n[ 157.133032] ? lockdep_init_map_type+0x19d/0x880\n[ 157.137701] drm_atomic_helper_commit+0x13d/0x2e0\n[ 157.142671] ? drm_atomic_nonblocking_commit+0xa0/0x180\n[ 157.147988] drm_mode_atomic_ioctl+0x766/0xe40\n[...]\n[ 157.346424] ---[ end trace 0000000000000000 ]---\n\nAcquiring GEM handles for the framebuffer\u0027s GEM buffer objects prevents\nthis from happening. The framebuffer\u0027s cleanup later puts the handle\nreferences.\n\nCommit 1a148af06000 (\"drm/gem-shmem: Use dma_buf from GEM object\ninstance\") triggers the segmentation fault easily by using the dma-buf\nfield more widely. The underlying issue with reference counting has\nbeen present before.\n\nv2:\n- acquire the handle instead of the BO (Christian)\n- fix comment style (Christian)\n- drop the Fixes tag (Christian)\n- rename err_ gotos\n- add missing Link tag"
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T04:22:34.886Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cb4c956a15f8b7f870649454771fc3761f504b5f"
},
{
"url": "https://git.kernel.org/stable/c/08480e285c6a82ce689008d643e4a51db0aaef8b"
},
{
"url": "https://git.kernel.org/stable/c/3cf520d9860d4ec9f7f32068825da31f18dd3f25"
},
{
"url": "https://git.kernel.org/stable/c/5307dce878d4126e1b375587318955bd019c3741"
}
],
"title": "drm/gem: Acquire references on GEM handles for framebuffers",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38449",
"datePublished": "2025-07-25T15:27:30.702Z",
"dateReserved": "2025-04-16T04:51:24.018Z",
"dateUpdated": "2025-07-28T04:22:34.886Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38503 (GCVE-0-2025-38503)
Vulnerability from cvelistv5
Published
2025-08-16 10:54
Modified
2025-08-16 10:54
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix assertion when building free space tree
When building the free space tree with the block group tree feature
enabled, we can hit an assertion failure like this:
BTRFS info (device loop0 state M): rebuilding free space tree
assertion failed: ret == 0, in fs/btrfs/free-space-tree.c:1102
------------[ cut here ]------------
kernel BUG at fs/btrfs/free-space-tree.c:1102!
Internal error: Oops - BUG: 00000000f2000800 [#1] SMP
Modules linked in:
CPU: 1 UID: 0 PID: 6592 Comm: syz-executor322 Not tainted 6.15.0-rc7-syzkaller-gd7fa1af5b33e #0 PREEMPT
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : populate_free_space_tree+0x514/0x518 fs/btrfs/free-space-tree.c:1102
lr : populate_free_space_tree+0x514/0x518 fs/btrfs/free-space-tree.c:1102
sp : ffff8000a4ce7600
x29: ffff8000a4ce76e0 x28: ffff0000c9bc6000 x27: ffff0000ddfff3d8
x26: ffff0000ddfff378 x25: dfff800000000000 x24: 0000000000000001
x23: ffff8000a4ce7660 x22: ffff70001499cecc x21: ffff0000e1d8c160
x20: ffff0000e1cb7800 x19: ffff0000e1d8c0b0 x18: 00000000ffffffff
x17: ffff800092f39000 x16: ffff80008ad27e48 x15: ffff700011e740c0
x14: 1ffff00011e740c0 x13: 0000000000000004 x12: ffffffffffffffff
x11: ffff700011e740c0 x10: 0000000000ff0100 x9 : 94ef24f55d2dbc00
x8 : 94ef24f55d2dbc00 x7 : 0000000000000001 x6 : 0000000000000001
x5 : ffff8000a4ce6f98 x4 : ffff80008f415ba0 x3 : ffff800080548ef0
x2 : 0000000000000000 x1 : 0000000100000000 x0 : 000000000000003e
Call trace:
populate_free_space_tree+0x514/0x518 fs/btrfs/free-space-tree.c:1102 (P)
btrfs_rebuild_free_space_tree+0x14c/0x54c fs/btrfs/free-space-tree.c:1337
btrfs_start_pre_rw_mount+0xa78/0xe10 fs/btrfs/disk-io.c:3074
btrfs_remount_rw fs/btrfs/super.c:1319 [inline]
btrfs_reconfigure+0x828/0x2418 fs/btrfs/super.c:1543
reconfigure_super+0x1d4/0x6f0 fs/super.c:1083
do_remount fs/namespace.c:3365 [inline]
path_mount+0xb34/0xde0 fs/namespace.c:4200
do_mount fs/namespace.c:4221 [inline]
__do_sys_mount fs/namespace.c:4432 [inline]
__se_sys_mount fs/namespace.c:4409 [inline]
__arm64_sys_mount+0x3e8/0x468 fs/namespace.c:4409
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
el0_svc+0x58/0x17c arch/arm64/kernel/entry-common.c:767
el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
Code: f0047182 91178042 528089c3 9771d47b (d4210000)
---[ end trace 0000000000000000 ]---
This happens because we are processing an empty block group, which has
no extents allocated from it, there are no items for this block group,
including the block group item since block group items are stored in a
dedicated tree when using the block group tree feature. It also means
this is the block group with the highest start offset, so there are no
higher keys in the extent root, hence btrfs_search_slot_for_read()
returns 1 (no higher key found).
Fix this by asserting 'ret' is 0 only if the block group tree feature
is not enabled, in which case we should find a block group item for
the block group since it's stored in the extent root and block group
item keys are greater than extent item keys (the value for
BTRFS_BLOCK_GROUP_ITEM_KEY is 192 and for BTRFS_EXTENT_ITEM_KEY and
BTRFS_METADATA_ITEM_KEY the values are 168 and 169 respectively).
In case 'ret' is 1, we just need to add a record to the free space
tree which spans the whole block group, and we can achieve this by
making 'ret == 0' as the while loop's condition.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/free-space-tree.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7c77df23324f60bcff0ea44392e2c82e9486640c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f4428b2d4c68732653e93f748f538bdee639ff80",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0bcc14f36c7ad37121cf5c0ae18cdde5bfad9c4e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6bbe6530b1db7b4365ce9e86144c18c5d73b2c5b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1961d20f6fa8903266ed9bd77c691924c22c8f02",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/free-space-tree.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.146",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.146",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.99",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix assertion when building free space tree\n\nWhen building the free space tree with the block group tree feature\nenabled, we can hit an assertion failure like this:\n\n BTRFS info (device loop0 state M): rebuilding free space tree\n assertion failed: ret == 0, in fs/btrfs/free-space-tree.c:1102\n ------------[ cut here ]------------\n kernel BUG at fs/btrfs/free-space-tree.c:1102!\n Internal error: Oops - BUG: 00000000f2000800 [#1] SMP\n Modules linked in:\n CPU: 1 UID: 0 PID: 6592 Comm: syz-executor322 Not tainted 6.15.0-rc7-syzkaller-gd7fa1af5b33e #0 PREEMPT\n Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025\n pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : populate_free_space_tree+0x514/0x518 fs/btrfs/free-space-tree.c:1102\n lr : populate_free_space_tree+0x514/0x518 fs/btrfs/free-space-tree.c:1102\n sp : ffff8000a4ce7600\n x29: ffff8000a4ce76e0 x28: ffff0000c9bc6000 x27: ffff0000ddfff3d8\n x26: ffff0000ddfff378 x25: dfff800000000000 x24: 0000000000000001\n x23: ffff8000a4ce7660 x22: ffff70001499cecc x21: ffff0000e1d8c160\n x20: ffff0000e1cb7800 x19: ffff0000e1d8c0b0 x18: 00000000ffffffff\n x17: ffff800092f39000 x16: ffff80008ad27e48 x15: ffff700011e740c0\n x14: 1ffff00011e740c0 x13: 0000000000000004 x12: ffffffffffffffff\n x11: ffff700011e740c0 x10: 0000000000ff0100 x9 : 94ef24f55d2dbc00\n x8 : 94ef24f55d2dbc00 x7 : 0000000000000001 x6 : 0000000000000001\n x5 : ffff8000a4ce6f98 x4 : ffff80008f415ba0 x3 : ffff800080548ef0\n x2 : 0000000000000000 x1 : 0000000100000000 x0 : 000000000000003e\n Call trace:\n populate_free_space_tree+0x514/0x518 fs/btrfs/free-space-tree.c:1102 (P)\n btrfs_rebuild_free_space_tree+0x14c/0x54c fs/btrfs/free-space-tree.c:1337\n btrfs_start_pre_rw_mount+0xa78/0xe10 fs/btrfs/disk-io.c:3074\n btrfs_remount_rw fs/btrfs/super.c:1319 [inline]\n btrfs_reconfigure+0x828/0x2418 fs/btrfs/super.c:1543\n reconfigure_super+0x1d4/0x6f0 fs/super.c:1083\n do_remount fs/namespace.c:3365 [inline]\n path_mount+0xb34/0xde0 fs/namespace.c:4200\n do_mount fs/namespace.c:4221 [inline]\n __do_sys_mount fs/namespace.c:4432 [inline]\n __se_sys_mount fs/namespace.c:4409 [inline]\n __arm64_sys_mount+0x3e8/0x468 fs/namespace.c:4409\n __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]\n invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49\n el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132\n do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151\n el0_svc+0x58/0x17c arch/arm64/kernel/entry-common.c:767\n el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786\n el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600\n Code: f0047182 91178042 528089c3 9771d47b (d4210000)\n ---[ end trace 0000000000000000 ]---\n\nThis happens because we are processing an empty block group, which has\nno extents allocated from it, there are no items for this block group,\nincluding the block group item since block group items are stored in a\ndedicated tree when using the block group tree feature. It also means\nthis is the block group with the highest start offset, so there are no\nhigher keys in the extent root, hence btrfs_search_slot_for_read()\nreturns 1 (no higher key found).\n\nFix this by asserting \u0027ret\u0027 is 0 only if the block group tree feature\nis not enabled, in which case we should find a block group item for\nthe block group since it\u0027s stored in the extent root and block group\nitem keys are greater than extent item keys (the value for\nBTRFS_BLOCK_GROUP_ITEM_KEY is 192 and for BTRFS_EXTENT_ITEM_KEY and\nBTRFS_METADATA_ITEM_KEY the values are 168 and 169 respectively).\nIn case \u0027ret\u0027 is 1, we just need to add a record to the free space\ntree which spans the whole block group, and we can achieve this by\nmaking \u0027ret == 0\u0027 as the while loop\u0027s condition."
}
],
"providerMetadata": {
"dateUpdated": "2025-08-16T10:54:41.004Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7c77df23324f60bcff0ea44392e2c82e9486640c"
},
{
"url": "https://git.kernel.org/stable/c/f4428b2d4c68732653e93f748f538bdee639ff80"
},
{
"url": "https://git.kernel.org/stable/c/0bcc14f36c7ad37121cf5c0ae18cdde5bfad9c4e"
},
{
"url": "https://git.kernel.org/stable/c/6bbe6530b1db7b4365ce9e86144c18c5d73b2c5b"
},
{
"url": "https://git.kernel.org/stable/c/1961d20f6fa8903266ed9bd77c691924c22c8f02"
}
],
"title": "btrfs: fix assertion when building free space tree",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38503",
"datePublished": "2025-08-16T10:54:41.004Z",
"dateReserved": "2025-04-16T04:51:24.022Z",
"dateUpdated": "2025-08-16T10:54:41.004Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38200 (GCVE-0-2025-38200)
Vulnerability from cvelistv5
Published
2025-07-04 13:37
Modified
2025-07-28 04:14
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
i40e: fix MMIO write access to an invalid page in i40e_clear_hw
When the device sends a specific input, an integer underflow can occur, leading
to MMIO write access to an invalid page.
Prevent the integer underflow by changing the type of related variables.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1bff652941c4d94f97610c9a30473aad6f5b2fff Version: 1bff652941c4d94f97610c9a30473aad6f5b2fff Version: 1bff652941c4d94f97610c9a30473aad6f5b2fff Version: 1bff652941c4d94f97610c9a30473aad6f5b2fff Version: 1bff652941c4d94f97610c9a30473aad6f5b2fff Version: 1bff652941c4d94f97610c9a30473aad6f5b2fff Version: 1bff652941c4d94f97610c9a30473aad6f5b2fff Version: 1bff652941c4d94f97610c9a30473aad6f5b2fff |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/i40e/i40e_common.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "872607632c658d3739e4e7889e4f3c419ae2c193",
"status": "affected",
"version": "1bff652941c4d94f97610c9a30473aad6f5b2fff",
"versionType": "git"
},
{
"lessThan": "5e75c9082987479e647c75ec8fdf18fa68263c42",
"status": "affected",
"version": "1bff652941c4d94f97610c9a30473aad6f5b2fff",
"versionType": "git"
},
{
"lessThan": "fecb2fc3fc10c95724407cc45ea35af4a65cdde2",
"status": "affected",
"version": "1bff652941c4d94f97610c9a30473aad6f5b2fff",
"versionType": "git"
},
{
"lessThan": "d88a1e8f024ba26e19350958fecbf771a9960352",
"status": "affected",
"version": "1bff652941c4d94f97610c9a30473aad6f5b2fff",
"versionType": "git"
},
{
"lessThan": "8cde755f56163281ec2c46b4ae8b61f532758a6f",
"status": "affected",
"version": "1bff652941c4d94f97610c9a30473aad6f5b2fff",
"versionType": "git"
},
{
"lessThan": "3502dd42f178dae9d54696013386bb52b4f2e655",
"status": "affected",
"version": "1bff652941c4d94f97610c9a30473aad6f5b2fff",
"versionType": "git"
},
{
"lessThan": "2a1f4f2e36442a9bdf771acf6ee86f3cf876e5ca",
"status": "affected",
"version": "1bff652941c4d94f97610c9a30473aad6f5b2fff",
"versionType": "git"
},
{
"lessThan": "015bac5daca978448f2671478c553ce1f300c21e",
"status": "affected",
"version": "1bff652941c4d94f97610c9a30473aad6f5b2fff",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/i40e/i40e_common.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.12"
},
{
"lessThan": "3.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.239",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.186",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.95",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.35",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.295",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.239",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.186",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.142",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.95",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.35",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.4",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "3.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: fix MMIO write access to an invalid page in i40e_clear_hw\n\nWhen the device sends a specific input, an integer underflow can occur, leading\nto MMIO write access to an invalid page.\n\nPrevent the integer underflow by changing the type of related variables."
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T04:14:55.301Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/872607632c658d3739e4e7889e4f3c419ae2c193"
},
{
"url": "https://git.kernel.org/stable/c/5e75c9082987479e647c75ec8fdf18fa68263c42"
},
{
"url": "https://git.kernel.org/stable/c/fecb2fc3fc10c95724407cc45ea35af4a65cdde2"
},
{
"url": "https://git.kernel.org/stable/c/d88a1e8f024ba26e19350958fecbf771a9960352"
},
{
"url": "https://git.kernel.org/stable/c/8cde755f56163281ec2c46b4ae8b61f532758a6f"
},
{
"url": "https://git.kernel.org/stable/c/3502dd42f178dae9d54696013386bb52b4f2e655"
},
{
"url": "https://git.kernel.org/stable/c/2a1f4f2e36442a9bdf771acf6ee86f3cf876e5ca"
},
{
"url": "https://git.kernel.org/stable/c/015bac5daca978448f2671478c553ce1f300c21e"
}
],
"title": "i40e: fix MMIO write access to an invalid page in i40e_clear_hw",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38200",
"datePublished": "2025-07-04T13:37:22.076Z",
"dateReserved": "2025-04-16T04:51:23.993Z",
"dateUpdated": "2025-07-28T04:14:55.301Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38102 (GCVE-0-2025-38102)
Vulnerability from cvelistv5
Published
2025-07-03 08:35
Modified
2025-07-28 04:12
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify
During our test, it is found that a warning can be trigger in try_grab_folio
as follow:
------------[ cut here ]------------
WARNING: CPU: 0 PID: 1678 at mm/gup.c:147 try_grab_folio+0x106/0x130
Modules linked in:
CPU: 0 UID: 0 PID: 1678 Comm: syz.3.31 Not tainted 6.15.0-rc5 #163 PREEMPT(undef)
RIP: 0010:try_grab_folio+0x106/0x130
Call Trace:
<TASK>
follow_huge_pmd+0x240/0x8e0
follow_pmd_mask.constprop.0.isra.0+0x40b/0x5c0
follow_pud_mask.constprop.0.isra.0+0x14a/0x170
follow_page_mask+0x1c2/0x1f0
__get_user_pages+0x176/0x950
__gup_longterm_locked+0x15b/0x1060
? gup_fast+0x120/0x1f0
gup_fast_fallback+0x17e/0x230
get_user_pages_fast+0x5f/0x80
vmci_host_unlocked_ioctl+0x21c/0xf80
RIP: 0033:0x54d2cd
---[ end trace 0000000000000000 ]---
Digging into the source, context->notify_page may init by get_user_pages_fast
and can be seen in vmci_ctx_unset_notify which will try to put_page. However
get_user_pages_fast is not finished here and lead to following
try_grab_folio warning. The race condition is shown as follow:
cpu0 cpu1
vmci_host_do_set_notify
vmci_host_setup_notify
get_user_pages_fast(uva, 1, FOLL_WRITE, &context->notify_page);
lockless_pages_from_mm
gup_pgd_range
gup_huge_pmd // update &context->notify_page
vmci_host_do_set_notify
vmci_ctx_unset_notify
notify_page = context->notify_page;
if (notify_page)
put_page(notify_page); // page is freed
__gup_longterm_locked
__get_user_pages
follow_trans_huge_pmd
try_grab_folio // warn here
To slove this, use local variable page to make notify_page can be seen
after finish get_user_pages_fast.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: a1d88436d53a75e950db15834b3d2f8c0c358fdc Version: a1d88436d53a75e950db15834b3d2f8c0c358fdc Version: a1d88436d53a75e950db15834b3d2f8c0c358fdc Version: a1d88436d53a75e950db15834b3d2f8c0c358fdc Version: a1d88436d53a75e950db15834b3d2f8c0c358fdc Version: a1d88436d53a75e950db15834b3d2f8c0c358fdc Version: a1d88436d53a75e950db15834b3d2f8c0c358fdc Version: a1d88436d53a75e950db15834b3d2f8c0c358fdc |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/misc/vmw_vmci/vmci_host.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "74095bbbb19ca74a0368d857603a2438c88ca86c",
"status": "affected",
"version": "a1d88436d53a75e950db15834b3d2f8c0c358fdc",
"versionType": "git"
},
{
"lessThan": "468aec888f838ce5174b96e0cb4396790d6f60ca",
"status": "affected",
"version": "a1d88436d53a75e950db15834b3d2f8c0c358fdc",
"versionType": "git"
},
{
"lessThan": "b4209e4b778e4e57d0636e1c9fc07a924dbc6043",
"status": "affected",
"version": "a1d88436d53a75e950db15834b3d2f8c0c358fdc",
"versionType": "git"
},
{
"lessThan": "58a90db70aa6616411e5f69d1982d9b1dd97d774",
"status": "affected",
"version": "a1d88436d53a75e950db15834b3d2f8c0c358fdc",
"versionType": "git"
},
{
"lessThan": "6e3af836805ed1d7a699f76ec798626198917aa4",
"status": "affected",
"version": "a1d88436d53a75e950db15834b3d2f8c0c358fdc",
"versionType": "git"
},
{
"lessThan": "00ddc7dad55b7bbb78df80d6e174d0c4764dea0c",
"status": "affected",
"version": "a1d88436d53a75e950db15834b3d2f8c0c358fdc",
"versionType": "git"
},
{
"lessThan": "75b5313c80c39a26d27cbb602f968a05576c36f9",
"status": "affected",
"version": "a1d88436d53a75e950db15834b3d2f8c0c358fdc",
"versionType": "git"
},
{
"lessThan": "1bd6406fb5f36c2bb1e96e27d4c3e9f4d09edde4",
"status": "affected",
"version": "a1d88436d53a75e950db15834b3d2f8c0c358fdc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/misc/vmw_vmci/vmci_host.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.0"
},
{
"lessThan": "4.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.296",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.240",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.186",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.296",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.240",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.186",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.142",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.94",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.34",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.3",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nVMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify\n\nDuring our test, it is found that a warning can be trigger in try_grab_folio\nas follow:\n\n ------------[ cut here ]------------\n WARNING: CPU: 0 PID: 1678 at mm/gup.c:147 try_grab_folio+0x106/0x130\n Modules linked in:\n CPU: 0 UID: 0 PID: 1678 Comm: syz.3.31 Not tainted 6.15.0-rc5 #163 PREEMPT(undef)\n RIP: 0010:try_grab_folio+0x106/0x130\n Call Trace:\n \u003cTASK\u003e\n follow_huge_pmd+0x240/0x8e0\n follow_pmd_mask.constprop.0.isra.0+0x40b/0x5c0\n follow_pud_mask.constprop.0.isra.0+0x14a/0x170\n follow_page_mask+0x1c2/0x1f0\n __get_user_pages+0x176/0x950\n __gup_longterm_locked+0x15b/0x1060\n ? gup_fast+0x120/0x1f0\n gup_fast_fallback+0x17e/0x230\n get_user_pages_fast+0x5f/0x80\n vmci_host_unlocked_ioctl+0x21c/0xf80\n RIP: 0033:0x54d2cd\n ---[ end trace 0000000000000000 ]---\n\nDigging into the source, context-\u003enotify_page may init by get_user_pages_fast\nand can be seen in vmci_ctx_unset_notify which will try to put_page. However\nget_user_pages_fast is not finished here and lead to following\ntry_grab_folio warning. The race condition is shown as follow:\n\ncpu0\t\t\tcpu1\nvmci_host_do_set_notify\nvmci_host_setup_notify\nget_user_pages_fast(uva, 1, FOLL_WRITE, \u0026context-\u003enotify_page);\nlockless_pages_from_mm\ngup_pgd_range\ngup_huge_pmd // update \u0026context-\u003enotify_page\n\t\t\tvmci_host_do_set_notify\n\t\t\tvmci_ctx_unset_notify\n\t\t\tnotify_page = context-\u003enotify_page;\n\t\t\tif (notify_page)\n\t\t\tput_page(notify_page);\t// page is freed\n__gup_longterm_locked\n__get_user_pages\nfollow_trans_huge_pmd\ntry_grab_folio // warn here\n\nTo slove this, use local variable page to make notify_page can be seen\nafter finish get_user_pages_fast."
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T04:12:16.696Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/74095bbbb19ca74a0368d857603a2438c88ca86c"
},
{
"url": "https://git.kernel.org/stable/c/468aec888f838ce5174b96e0cb4396790d6f60ca"
},
{
"url": "https://git.kernel.org/stable/c/b4209e4b778e4e57d0636e1c9fc07a924dbc6043"
},
{
"url": "https://git.kernel.org/stable/c/58a90db70aa6616411e5f69d1982d9b1dd97d774"
},
{
"url": "https://git.kernel.org/stable/c/6e3af836805ed1d7a699f76ec798626198917aa4"
},
{
"url": "https://git.kernel.org/stable/c/00ddc7dad55b7bbb78df80d6e174d0c4764dea0c"
},
{
"url": "https://git.kernel.org/stable/c/75b5313c80c39a26d27cbb602f968a05576c36f9"
},
{
"url": "https://git.kernel.org/stable/c/1bd6406fb5f36c2bb1e96e27d4c3e9f4d09edde4"
}
],
"title": "VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38102",
"datePublished": "2025-07-03T08:35:12.255Z",
"dateReserved": "2025-04-16T04:51:23.985Z",
"dateUpdated": "2025-07-28T04:12:16.696Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38510 (GCVE-0-2025-38510)
Vulnerability from cvelistv5
Published
2025-08-16 10:54
Modified
2025-08-16 10:54
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
kasan: remove kasan_find_vm_area() to prevent possible deadlock
find_vm_area() couldn't be called in atomic_context. If find_vm_area() is
called to reports vm area information, kasan can trigger deadlock like:
CPU0 CPU1
vmalloc();
alloc_vmap_area();
spin_lock(&vn->busy.lock)
spin_lock_bh(&some_lock);
<interrupt occurs>
<in softirq>
spin_lock(&some_lock);
<access invalid address>
kasan_report();
print_report();
print_address_description();
kasan_find_vm_area();
find_vm_area();
spin_lock(&vn->busy.lock) // deadlock!
To prevent possible deadlock while kasan reports, remove kasan_find_vm_area().
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/kasan/report.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "595f78d99b9051600233c0a5c4c47e1097e6ed01",
"status": "affected",
"version": "c056a364e9546bd513d1f5205f0ee316d8acb910",
"versionType": "git"
},
{
"lessThan": "8377d7744bdce5c4b3f1b58924eebd3fdc078dfc",
"status": "affected",
"version": "c056a364e9546bd513d1f5205f0ee316d8acb910",
"versionType": "git"
},
{
"lessThan": "2d89dab1ea6086e6cbe6fe92531b496fb6808cb9",
"status": "affected",
"version": "c056a364e9546bd513d1f5205f0ee316d8acb910",
"versionType": "git"
},
{
"lessThan": "0c3566d831def922cd56322c772a7b20d8b0e0c0",
"status": "affected",
"version": "c056a364e9546bd513d1f5205f0ee316d8acb910",
"versionType": "git"
},
{
"lessThan": "6ee9b3d84775944fb8c8a447961cd01274ac671c",
"status": "affected",
"version": "c056a364e9546bd513d1f5205f0ee316d8acb910",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/kasan/report.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.146",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.146",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.99",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.39",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.7",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nkasan: remove kasan_find_vm_area() to prevent possible deadlock\n\nfind_vm_area() couldn\u0027t be called in atomic_context. If find_vm_area() is\ncalled to reports vm area information, kasan can trigger deadlock like:\n\nCPU0 CPU1\nvmalloc();\n alloc_vmap_area();\n spin_lock(\u0026vn-\u003ebusy.lock)\n spin_lock_bh(\u0026some_lock);\n \u003cinterrupt occurs\u003e\n \u003cin softirq\u003e\n spin_lock(\u0026some_lock);\n \u003caccess invalid address\u003e\n kasan_report();\n print_report();\n print_address_description();\n kasan_find_vm_area();\n find_vm_area();\n spin_lock(\u0026vn-\u003ebusy.lock) // deadlock!\n\nTo prevent possible deadlock while kasan reports, remove kasan_find_vm_area()."
}
],
"providerMetadata": {
"dateUpdated": "2025-08-16T10:54:52.438Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/595f78d99b9051600233c0a5c4c47e1097e6ed01"
},
{
"url": "https://git.kernel.org/stable/c/8377d7744bdce5c4b3f1b58924eebd3fdc078dfc"
},
{
"url": "https://git.kernel.org/stable/c/2d89dab1ea6086e6cbe6fe92531b496fb6808cb9"
},
{
"url": "https://git.kernel.org/stable/c/0c3566d831def922cd56322c772a7b20d8b0e0c0"
},
{
"url": "https://git.kernel.org/stable/c/6ee9b3d84775944fb8c8a447961cd01274ac671c"
}
],
"title": "kasan: remove kasan_find_vm_area() to prevent possible deadlock",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38510",
"datePublished": "2025-08-16T10:54:52.438Z",
"dateReserved": "2025-04-16T04:51:24.022Z",
"dateUpdated": "2025-08-16T10:54:52.438Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38516 (GCVE-0-2025-38516)
Vulnerability from cvelistv5
Published
2025-08-16 10:55
Modified
2025-08-16 10:55
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
pinctrl: qcom: msm: mark certain pins as invalid for interrupts
On some platforms, the UFS-reset pin has no interrupt logic in TLMM but
is nevertheless registered as a GPIO in the kernel. This enables the
user-space to trigger a BUG() in the pinctrl-msm driver by running, for
example: `gpiomon -c 0 113` on RB2.
The exact culprit is requesting pins whose intr_detection_width setting
is not 1 or 2 for interrupts. This hits a BUG() in
msm_gpio_irq_set_type(). Potentially crashing the kernel due to an
invalid request from user-space is not optimal, so let's go through the
pins and mark those that would fail the check as invalid for the irq chip
as we should not even register them as available irqs.
This function can be extended if we determine that there are more
corner-cases like this.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: f365be0925729508fd8e62f8bdb504ef896cb6e0 Version: f365be0925729508fd8e62f8bdb504ef896cb6e0 Version: f365be0925729508fd8e62f8bdb504ef896cb6e0 Version: f365be0925729508fd8e62f8bdb504ef896cb6e0 Version: f365be0925729508fd8e62f8bdb504ef896cb6e0 Version: f365be0925729508fd8e62f8bdb504ef896cb6e0 Version: f365be0925729508fd8e62f8bdb504ef896cb6e0 Version: f365be0925729508fd8e62f8bdb504ef896cb6e0 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/pinctrl/qcom/pinctrl-msm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6a89563ccf9cd0d745e2291302878a061508573f",
"status": "affected",
"version": "f365be0925729508fd8e62f8bdb504ef896cb6e0",
"versionType": "git"
},
{
"lessThan": "3f8fc02c2582c1dfad1785e9c7bc8b4e1521af0a",
"status": "affected",
"version": "f365be0925729508fd8e62f8bdb504ef896cb6e0",
"versionType": "git"
},
{
"lessThan": "cb4b08a095b1fa4b3fca782757517e4e9a917d8e",
"status": "affected",
"version": "f365be0925729508fd8e62f8bdb504ef896cb6e0",
"versionType": "git"
},
{
"lessThan": "cc145e02d6b8494c48f91958d52fa76b7e577f7b",
"status": "affected",
"version": "f365be0925729508fd8e62f8bdb504ef896cb6e0",
"versionType": "git"
},
{
"lessThan": "1d57f7132662e96aace3b8a000616efde289aae1",
"status": "affected",
"version": "f365be0925729508fd8e62f8bdb504ef896cb6e0",
"versionType": "git"
},
{
"lessThan": "275605a8b48002fe98675a5c06f3e39c09067ff2",
"status": "affected",
"version": "f365be0925729508fd8e62f8bdb504ef896cb6e0",
"versionType": "git"
},
{
"lessThan": "97c9c7daeeb00c6e1d5e84084041f79c2d2dce22",
"status": "affected",
"version": "f365be0925729508fd8e62f8bdb504ef896cb6e0",
"versionType": "git"
},
{
"lessThan": "93712205ce2f1fb047739494c0399a26ea4f0890",
"status": "affected",
"version": "f365be0925729508fd8e62f8bdb504ef896cb6e0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/pinctrl/qcom/pinctrl-msm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.14"
},
{
"lessThan": "3.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.296",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.240",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.146",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.296",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.240",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.189",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.146",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.99",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.39",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.7",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "3.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: qcom: msm: mark certain pins as invalid for interrupts\n\nOn some platforms, the UFS-reset pin has no interrupt logic in TLMM but\nis nevertheless registered as a GPIO in the kernel. This enables the\nuser-space to trigger a BUG() in the pinctrl-msm driver by running, for\nexample: `gpiomon -c 0 113` on RB2.\n\nThe exact culprit is requesting pins whose intr_detection_width setting\nis not 1 or 2 for interrupts. This hits a BUG() in\nmsm_gpio_irq_set_type(). Potentially crashing the kernel due to an\ninvalid request from user-space is not optimal, so let\u0027s go through the\npins and mark those that would fail the check as invalid for the irq chip\nas we should not even register them as available irqs.\n\nThis function can be extended if we determine that there are more\ncorner-cases like this."
}
],
"providerMetadata": {
"dateUpdated": "2025-08-16T10:55:03.161Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6a89563ccf9cd0d745e2291302878a061508573f"
},
{
"url": "https://git.kernel.org/stable/c/3f8fc02c2582c1dfad1785e9c7bc8b4e1521af0a"
},
{
"url": "https://git.kernel.org/stable/c/cb4b08a095b1fa4b3fca782757517e4e9a917d8e"
},
{
"url": "https://git.kernel.org/stable/c/cc145e02d6b8494c48f91958d52fa76b7e577f7b"
},
{
"url": "https://git.kernel.org/stable/c/1d57f7132662e96aace3b8a000616efde289aae1"
},
{
"url": "https://git.kernel.org/stable/c/275605a8b48002fe98675a5c06f3e39c09067ff2"
},
{
"url": "https://git.kernel.org/stable/c/97c9c7daeeb00c6e1d5e84084041f79c2d2dce22"
},
{
"url": "https://git.kernel.org/stable/c/93712205ce2f1fb047739494c0399a26ea4f0890"
}
],
"title": "pinctrl: qcom: msm: mark certain pins as invalid for interrupts",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38516",
"datePublished": "2025-08-16T10:55:03.161Z",
"dateReserved": "2025-04-16T04:51:24.023Z",
"dateUpdated": "2025-08-16T10:55:03.161Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38117 (GCVE-0-2025-38117)
Vulnerability from cvelistv5
Published
2025-07-03 08:35
Modified
2025-07-28 04:12
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: MGMT: Protect mgmt_pending list with its own lock
This uses a mutex to protect from concurrent access of mgmt_pending
list which can cause crashes like:
==================================================================
BUG: KASAN: slab-use-after-free in hci_sock_get_channel+0x60/0x68 net/bluetooth/hci_sock.c:91
Read of size 2 at addr ffff0000c48885b2 by task syz.4.334/7318
CPU: 0 UID: 0 PID: 7318 Comm: syz.4.334 Not tainted 6.15.0-rc7-syzkaller-g187899f4124a #0 PREEMPT
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Call trace:
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:466 (C)
__dump_stack+0x30/0x40 lib/dump_stack.c:94
dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120
print_address_description+0xa8/0x254 mm/kasan/report.c:408
print_report+0x68/0x84 mm/kasan/report.c:521
kasan_report+0xb0/0x110 mm/kasan/report.c:634
__asan_report_load2_noabort+0x20/0x2c mm/kasan/report_generic.c:379
hci_sock_get_channel+0x60/0x68 net/bluetooth/hci_sock.c:91
mgmt_pending_find+0x7c/0x140 net/bluetooth/mgmt_util.c:223
pending_find net/bluetooth/mgmt.c:947 [inline]
remove_adv_monitor+0x44/0x1a4 net/bluetooth/mgmt.c:5445
hci_mgmt_cmd+0x780/0xc00 net/bluetooth/hci_sock.c:1712
hci_sock_sendmsg+0x544/0xbb0 net/bluetooth/hci_sock.c:1832
sock_sendmsg_nosec net/socket.c:712 [inline]
__sock_sendmsg net/socket.c:727 [inline]
sock_write_iter+0x25c/0x378 net/socket.c:1131
new_sync_write fs/read_write.c:591 [inline]
vfs_write+0x62c/0x97c fs/read_write.c:684
ksys_write+0x120/0x210 fs/read_write.c:736
__do_sys_write fs/read_write.c:747 [inline]
__se_sys_write fs/read_write.c:744 [inline]
__arm64_sys_write+0x7c/0x90 fs/read_write.c:744
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
el0_svc+0x58/0x17c arch/arm64/kernel/entry-common.c:767
el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
Allocated by task 7037:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x40/0x78 mm/kasan/common.c:68
kasan_save_alloc_info+0x44/0x54 mm/kasan/generic.c:562
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x9c/0xb4 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:260 [inline]
__do_kmalloc_node mm/slub.c:4327 [inline]
__kmalloc_noprof+0x2fc/0x4c8 mm/slub.c:4339
kmalloc_noprof include/linux/slab.h:909 [inline]
sk_prot_alloc+0xc4/0x1f0 net/core/sock.c:2198
sk_alloc+0x44/0x3ac net/core/sock.c:2254
bt_sock_alloc+0x4c/0x300 net/bluetooth/af_bluetooth.c:148
hci_sock_create+0xa8/0x194 net/bluetooth/hci_sock.c:2202
bt_sock_create+0x14c/0x24c net/bluetooth/af_bluetooth.c:132
__sock_create+0x43c/0x91c net/socket.c:1541
sock_create net/socket.c:1599 [inline]
__sys_socket_create net/socket.c:1636 [inline]
__sys_socket+0xd4/0x1c0 net/socket.c:1683
__do_sys_socket net/socket.c:1697 [inline]
__se_sys_socket net/socket.c:1695 [inline]
__arm64_sys_socket+0x7c/0x94 net/socket.c:1695
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
el0_svc+0x58/0x17c arch/arm64/kernel/entry-common.c:767
el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
Freed by task 6607:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x40/0x78 mm/kasan/common.c:68
kasan_save_free_info+0x58/0x70 mm/kasan/generic.c:576
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x68/0x88 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:233 [inline
---truncated---
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/bluetooth/hci_core.h",
"net/bluetooth/hci_core.c",
"net/bluetooth/mgmt.c",
"net/bluetooth/mgmt_util.c",
"net/bluetooth/mgmt_util.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bdd56875c6926d8009914f427df71797693e90d4",
"status": "affected",
"version": "a380b6cff1a2d2139772e88219d08330f84d0381",
"versionType": "git"
},
{
"lessThan": "4e83f2dbb2bf677e614109df24426c4dded472d4",
"status": "affected",
"version": "a380b6cff1a2d2139772e88219d08330f84d0381",
"versionType": "git"
},
{
"lessThan": "d7882db79135c829a922daf3571f33ea1e056ae3",
"status": "affected",
"version": "a380b6cff1a2d2139772e88219d08330f84d0381",
"versionType": "git"
},
{
"lessThan": "6fe26f694c824b8a4dbf50c635bee1302e3f099c",
"status": "affected",
"version": "a380b6cff1a2d2139772e88219d08330f84d0381",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/bluetooth/hci_core.h",
"net/bluetooth/hci_core.c",
"net/bluetooth/mgmt.c",
"net/bluetooth/mgmt_util.c",
"net/bluetooth/mgmt_util.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.1"
},
{
"lessThan": "4.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.94",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.34",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.3",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "4.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: Protect mgmt_pending list with its own lock\n\nThis uses a mutex to protect from concurrent access of mgmt_pending\nlist which can cause crashes like:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in hci_sock_get_channel+0x60/0x68 net/bluetooth/hci_sock.c:91\nRead of size 2 at addr ffff0000c48885b2 by task syz.4.334/7318\n\nCPU: 0 UID: 0 PID: 7318 Comm: syz.4.334 Not tainted 6.15.0-rc7-syzkaller-g187899f4124a #0 PREEMPT\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025\nCall trace:\n show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:466 (C)\n __dump_stack+0x30/0x40 lib/dump_stack.c:94\n dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120\n print_address_description+0xa8/0x254 mm/kasan/report.c:408\n print_report+0x68/0x84 mm/kasan/report.c:521\n kasan_report+0xb0/0x110 mm/kasan/report.c:634\n __asan_report_load2_noabort+0x20/0x2c mm/kasan/report_generic.c:379\n hci_sock_get_channel+0x60/0x68 net/bluetooth/hci_sock.c:91\n mgmt_pending_find+0x7c/0x140 net/bluetooth/mgmt_util.c:223\n pending_find net/bluetooth/mgmt.c:947 [inline]\n remove_adv_monitor+0x44/0x1a4 net/bluetooth/mgmt.c:5445\n hci_mgmt_cmd+0x780/0xc00 net/bluetooth/hci_sock.c:1712\n hci_sock_sendmsg+0x544/0xbb0 net/bluetooth/hci_sock.c:1832\n sock_sendmsg_nosec net/socket.c:712 [inline]\n __sock_sendmsg net/socket.c:727 [inline]\n sock_write_iter+0x25c/0x378 net/socket.c:1131\n new_sync_write fs/read_write.c:591 [inline]\n vfs_write+0x62c/0x97c fs/read_write.c:684\n ksys_write+0x120/0x210 fs/read_write.c:736\n __do_sys_write fs/read_write.c:747 [inline]\n __se_sys_write fs/read_write.c:744 [inline]\n __arm64_sys_write+0x7c/0x90 fs/read_write.c:744\n __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]\n invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49\n el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132\n do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151\n el0_svc+0x58/0x17c arch/arm64/kernel/entry-common.c:767\n el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786\n el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600\n\nAllocated by task 7037:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x40/0x78 mm/kasan/common.c:68\n kasan_save_alloc_info+0x44/0x54 mm/kasan/generic.c:562\n poison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n __kasan_kmalloc+0x9c/0xb4 mm/kasan/common.c:394\n kasan_kmalloc include/linux/kasan.h:260 [inline]\n __do_kmalloc_node mm/slub.c:4327 [inline]\n __kmalloc_noprof+0x2fc/0x4c8 mm/slub.c:4339\n kmalloc_noprof include/linux/slab.h:909 [inline]\n sk_prot_alloc+0xc4/0x1f0 net/core/sock.c:2198\n sk_alloc+0x44/0x3ac net/core/sock.c:2254\n bt_sock_alloc+0x4c/0x300 net/bluetooth/af_bluetooth.c:148\n hci_sock_create+0xa8/0x194 net/bluetooth/hci_sock.c:2202\n bt_sock_create+0x14c/0x24c net/bluetooth/af_bluetooth.c:132\n __sock_create+0x43c/0x91c net/socket.c:1541\n sock_create net/socket.c:1599 [inline]\n __sys_socket_create net/socket.c:1636 [inline]\n __sys_socket+0xd4/0x1c0 net/socket.c:1683\n __do_sys_socket net/socket.c:1697 [inline]\n __se_sys_socket net/socket.c:1695 [inline]\n __arm64_sys_socket+0x7c/0x94 net/socket.c:1695\n __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]\n invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49\n el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132\n do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151\n el0_svc+0x58/0x17c arch/arm64/kernel/entry-common.c:767\n el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786\n el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600\n\nFreed by task 6607:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x40/0x78 mm/kasan/common.c:68\n kasan_save_free_info+0x58/0x70 mm/kasan/generic.c:576\n poison_slab_object mm/kasan/common.c:247 [inline]\n __kasan_slab_free+0x68/0x88 mm/kasan/common.c:264\n kasan_slab_free include/linux/kasan.h:233 [inline\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T04:12:35.763Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bdd56875c6926d8009914f427df71797693e90d4"
},
{
"url": "https://git.kernel.org/stable/c/4e83f2dbb2bf677e614109df24426c4dded472d4"
},
{
"url": "https://git.kernel.org/stable/c/d7882db79135c829a922daf3571f33ea1e056ae3"
},
{
"url": "https://git.kernel.org/stable/c/6fe26f694c824b8a4dbf50c635bee1302e3f099c"
}
],
"title": "Bluetooth: MGMT: Protect mgmt_pending list with its own lock",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38117",
"datePublished": "2025-07-03T08:35:25.060Z",
"dateReserved": "2025-04-16T04:51:23.986Z",
"dateUpdated": "2025-07-28T04:12:35.763Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38087 (GCVE-0-2025-38087)
Vulnerability from cvelistv5
Published
2025-06-30 07:29
Modified
2025-07-28 04:12
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: fix use-after-free in taprio_dev_notifier
Since taprio’s taprio_dev_notifier() isn’t protected by an
RCU read-side critical section, a race with advance_sched()
can lead to a use-after-free.
Adding rcu_read_lock() inside taprio_dev_notifier() prevents this.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/sch_taprio.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8c5713ce1ced75f9e9ed5c642ea3d2ba06ead69c",
"status": "affected",
"version": "fed87cc6718ad5f80aa739fee3c5979a8b09d3a6",
"versionType": "git"
},
{
"lessThan": "8a008c89e5e5c5332e4c0a33d707db9ddd529f8a",
"status": "affected",
"version": "fed87cc6718ad5f80aa739fee3c5979a8b09d3a6",
"versionType": "git"
},
{
"lessThan": "b1547d28ba468bc3b88764efd13e4319bab63be8",
"status": "affected",
"version": "fed87cc6718ad5f80aa739fee3c5979a8b09d3a6",
"versionType": "git"
},
{
"lessThan": "b160766e26d4e2e2d6fe2294e0b02f92baefcec5",
"status": "affected",
"version": "fed87cc6718ad5f80aa739fee3c5979a8b09d3a6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/sch_taprio.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.95",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.35",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.95",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.35",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.4",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: fix use-after-free in taprio_dev_notifier\n\nSince taprio\u2019s taprio_dev_notifier() isn\u2019t protected by an\nRCU read-side critical section, a race with advance_sched()\ncan lead to a use-after-free.\n\nAdding rcu_read_lock() inside taprio_dev_notifier() prevents this."
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T04:12:01.642Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8c5713ce1ced75f9e9ed5c642ea3d2ba06ead69c"
},
{
"url": "https://git.kernel.org/stable/c/8a008c89e5e5c5332e4c0a33d707db9ddd529f8a"
},
{
"url": "https://git.kernel.org/stable/c/b1547d28ba468bc3b88764efd13e4319bab63be8"
},
{
"url": "https://git.kernel.org/stable/c/b160766e26d4e2e2d6fe2294e0b02f92baefcec5"
}
],
"title": "net/sched: fix use-after-free in taprio_dev_notifier",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38087",
"datePublished": "2025-06-30T07:29:43.325Z",
"dateReserved": "2025-04-16T04:51:23.982Z",
"dateUpdated": "2025-07-28T04:12:01.642Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38474 (GCVE-0-2025-38474)
Vulnerability from cvelistv5
Published
2025-07-28 11:21
Modified
2025-08-28 14:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: net: sierra: check for no status endpoint
The driver checks for having three endpoints and
having bulk in and out endpoints, but not that
the third endpoint is interrupt input.
Rectify the omission.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: eb4fd8cd355c8ec425a12ec6cbdac614e8a4819d Version: eb4fd8cd355c8ec425a12ec6cbdac614e8a4819d Version: eb4fd8cd355c8ec425a12ec6cbdac614e8a4819d Version: eb4fd8cd355c8ec425a12ec6cbdac614e8a4819d Version: eb4fd8cd355c8ec425a12ec6cbdac614e8a4819d Version: eb4fd8cd355c8ec425a12ec6cbdac614e8a4819d Version: eb4fd8cd355c8ec425a12ec6cbdac614e8a4819d Version: eb4fd8cd355c8ec425a12ec6cbdac614e8a4819d |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/sierra_net.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0a263ccb905b4ae2af381cd4280bd8d2477b98b8",
"status": "affected",
"version": "eb4fd8cd355c8ec425a12ec6cbdac614e8a4819d",
"versionType": "git"
},
{
"lessThan": "5408cc668e596c81cdd29e137225432aa40d1785",
"status": "affected",
"version": "eb4fd8cd355c8ec425a12ec6cbdac614e8a4819d",
"versionType": "git"
},
{
"lessThan": "a6a238c4126eb3ddb495d3f960193ca5bb778d92",
"status": "affected",
"version": "eb4fd8cd355c8ec425a12ec6cbdac614e8a4819d",
"versionType": "git"
},
{
"lessThan": "5849980faea1c792d1d5e54fdbf1e69ac0a9bfb9",
"status": "affected",
"version": "eb4fd8cd355c8ec425a12ec6cbdac614e8a4819d",
"versionType": "git"
},
{
"lessThan": "5dd6a441748dad2f02e27b256984ca0b2d4546b6",
"status": "affected",
"version": "eb4fd8cd355c8ec425a12ec6cbdac614e8a4819d",
"versionType": "git"
},
{
"lessThan": "65c666aff44eb7f9079c55331abd9687fb77ba2d",
"status": "affected",
"version": "eb4fd8cd355c8ec425a12ec6cbdac614e8a4819d",
"versionType": "git"
},
{
"lessThan": "bfe8ef373986e8f185d3d6613eb1801a8749837a",
"status": "affected",
"version": "eb4fd8cd355c8ec425a12ec6cbdac614e8a4819d",
"versionType": "git"
},
{
"lessThan": "4c4ca3c46167518f8534ed70f6e3b4bf86c4d158",
"status": "affected",
"version": "eb4fd8cd355c8ec425a12ec6cbdac614e8a4819d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/sierra_net.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.34"
},
{
"lessThan": "2.6.34",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.147",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.100",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.147",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.100",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.40",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.8",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "2.6.34",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: net: sierra: check for no status endpoint\n\nThe driver checks for having three endpoints and\nhaving bulk in and out endpoints, but not that\nthe third endpoint is interrupt input.\nRectify the omission."
}
],
"providerMetadata": {
"dateUpdated": "2025-08-28T14:43:11.557Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0a263ccb905b4ae2af381cd4280bd8d2477b98b8"
},
{
"url": "https://git.kernel.org/stable/c/5408cc668e596c81cdd29e137225432aa40d1785"
},
{
"url": "https://git.kernel.org/stable/c/a6a238c4126eb3ddb495d3f960193ca5bb778d92"
},
{
"url": "https://git.kernel.org/stable/c/5849980faea1c792d1d5e54fdbf1e69ac0a9bfb9"
},
{
"url": "https://git.kernel.org/stable/c/5dd6a441748dad2f02e27b256984ca0b2d4546b6"
},
{
"url": "https://git.kernel.org/stable/c/65c666aff44eb7f9079c55331abd9687fb77ba2d"
},
{
"url": "https://git.kernel.org/stable/c/bfe8ef373986e8f185d3d6613eb1801a8749837a"
},
{
"url": "https://git.kernel.org/stable/c/4c4ca3c46167518f8534ed70f6e3b4bf86c4d158"
}
],
"title": "usb: net: sierra: check for no status endpoint",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38474",
"datePublished": "2025-07-28T11:21:35.570Z",
"dateReserved": "2025-04-16T04:51:24.021Z",
"dateUpdated": "2025-08-28T14:43:11.557Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38548 (GCVE-0-2025-38548)
Vulnerability from cvelistv5
Published
2025-08-16 11:34
Modified
2025-08-28 14:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
hwmon: (corsair-cpro) Validate the size of the received input buffer
Add buffer_recv_size to store the size of the received bytes.
Validate buffer_recv_size in send_usb_cmd().
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 40c3a445422579db8ad96c234dbe6c0ab3f6b936 Version: 40c3a445422579db8ad96c234dbe6c0ab3f6b936 Version: 40c3a445422579db8ad96c234dbe6c0ab3f6b936 Version: 40c3a445422579db8ad96c234dbe6c0ab3f6b936 Version: 40c3a445422579db8ad96c234dbe6c0ab3f6b936 Version: 40c3a445422579db8ad96c234dbe6c0ab3f6b936 Version: 40c3a445422579db8ad96c234dbe6c0ab3f6b936 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hwmon/corsair-cpro.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2e6f4d9cfbda52700c126c5a2b93dd2042e8680c",
"status": "affected",
"version": "40c3a445422579db8ad96c234dbe6c0ab3f6b936",
"versionType": "git"
},
{
"lessThan": "4eb5cc48399f89b63acdbfe912fa5c8fe2900147",
"status": "affected",
"version": "40c3a445422579db8ad96c234dbe6c0ab3f6b936",
"versionType": "git"
},
{
"lessThan": "0db770e2922389753ddbd6663a5516a32b97b743",
"status": "affected",
"version": "40c3a445422579db8ad96c234dbe6c0ab3f6b936",
"versionType": "git"
},
{
"lessThan": "eda5e38cc4dd2dcb422840540374910ef2818494",
"status": "affected",
"version": "40c3a445422579db8ad96c234dbe6c0ab3f6b936",
"versionType": "git"
},
{
"lessThan": "3c4bdc8a852e446080adc8ceb90ddd67a56e1bb8",
"status": "affected",
"version": "40c3a445422579db8ad96c234dbe6c0ab3f6b936",
"versionType": "git"
},
{
"lessThan": "2771d2ee3d95700f34e1e4df6a445c90565cd4e9",
"status": "affected",
"version": "40c3a445422579db8ad96c234dbe6c0ab3f6b936",
"versionType": "git"
},
{
"lessThan": "495a4f0dce9c8c4478c242209748f1ee9e4d5820",
"status": "affected",
"version": "40c3a445422579db8ad96c234dbe6c0ab3f6b936",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hwmon/corsair-cpro.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.147",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.100",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.147",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.100",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.40",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.8",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "5.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (corsair-cpro) Validate the size of the received input buffer\n\nAdd buffer_recv_size to store the size of the received bytes.\nValidate buffer_recv_size in send_usb_cmd()."
}
],
"providerMetadata": {
"dateUpdated": "2025-08-28T14:43:42.387Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2e6f4d9cfbda52700c126c5a2b93dd2042e8680c"
},
{
"url": "https://git.kernel.org/stable/c/4eb5cc48399f89b63acdbfe912fa5c8fe2900147"
},
{
"url": "https://git.kernel.org/stable/c/0db770e2922389753ddbd6663a5516a32b97b743"
},
{
"url": "https://git.kernel.org/stable/c/eda5e38cc4dd2dcb422840540374910ef2818494"
},
{
"url": "https://git.kernel.org/stable/c/3c4bdc8a852e446080adc8ceb90ddd67a56e1bb8"
},
{
"url": "https://git.kernel.org/stable/c/2771d2ee3d95700f34e1e4df6a445c90565cd4e9"
},
{
"url": "https://git.kernel.org/stable/c/495a4f0dce9c8c4478c242209748f1ee9e4d5820"
}
],
"title": "hwmon: (corsair-cpro) Validate the size of the received input buffer",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38548",
"datePublished": "2025-08-16T11:34:16.889Z",
"dateReserved": "2025-04-16T04:51:24.024Z",
"dateUpdated": "2025-08-28T14:43:42.387Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-28956 (GCVE-0-2024-28956)
Vulnerability from cvelistv5
Published
2025-05-13 21:02
Modified
2025-05-14 14:43
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Information Disclosure
- CWE-1421 - Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution
Summary
Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Intel(R) Processors |
Version: See references |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-05-13T22:03:18.846Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://xenbits.xen.org/xsa/advisory-469.html"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/05/12/5"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-28956",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-14T14:42:03.518493Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-14T14:43:48.581Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Intel(R) Processors",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "See references"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Information Disclosure",
"lang": "en"
},
{
"cweId": "CWE-1421",
"description": "Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-13T21:02:56.170Z",
"orgId": "6dda929c-bb53-4a77-a76d-48e79601a1ce",
"shortName": "intel"
},
"references": [
{
"name": "https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01153.html",
"url": "https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01153.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "6dda929c-bb53-4a77-a76d-48e79601a1ce",
"assignerShortName": "intel",
"cveId": "CVE-2024-28956",
"datePublished": "2025-05-13T21:02:56.170Z",
"dateReserved": "2024-05-23T17:14:54.799Z",
"dateUpdated": "2025-05-14T14:43:48.581Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38644 (GCVE-0-2025-38644)
Vulnerability from cvelistv5
Published
2025-08-22 16:00
Modified
2025-09-29 05:55
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80211: reject TDLS operations when station is not associated
syzbot triggered a WARN in ieee80211_tdls_oper() by sending
NL80211_TDLS_ENABLE_LINK immediately after NL80211_CMD_CONNECT,
before association completed and without prior TDLS setup.
This left internal state like sdata->u.mgd.tdls_peer uninitialized,
leading to a WARN_ON() in code paths that assumed it was valid.
Reject the operation early if not in station mode or not associated.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 81dd2b8822410e56048b927be779d95a2b6dc186 Version: 81dd2b8822410e56048b927be779d95a2b6dc186 Version: 81dd2b8822410e56048b927be779d95a2b6dc186 Version: 81dd2b8822410e56048b927be779d95a2b6dc186 Version: 81dd2b8822410e56048b927be779d95a2b6dc186 Version: 81dd2b8822410e56048b927be779d95a2b6dc186 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mac80211/tdls.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0c84204cf0bbe89e454a5caccc6a908bc7db1542",
"status": "affected",
"version": "81dd2b8822410e56048b927be779d95a2b6dc186",
"versionType": "git"
},
{
"lessThan": "378ae9ccaea3f445838a087962a067b5cb2e8577",
"status": "affected",
"version": "81dd2b8822410e56048b927be779d95a2b6dc186",
"versionType": "git"
},
{
"lessThan": "af72badd5ee423eb16f6ad7fe0a62f1b4252d848",
"status": "affected",
"version": "81dd2b8822410e56048b927be779d95a2b6dc186",
"versionType": "git"
},
{
"lessThan": "4df663d4c1ca386dcab2f743dfc9f0cc07aef73c",
"status": "affected",
"version": "81dd2b8822410e56048b927be779d95a2b6dc186",
"versionType": "git"
},
{
"lessThan": "31af06b574394530f68a4310c45ecbe2f68853c4",
"status": "affected",
"version": "81dd2b8822410e56048b927be779d95a2b6dc186",
"versionType": "git"
},
{
"lessThan": "16ecdab5446f15a61ec88eb0d23d25d009821db0",
"status": "affected",
"version": "81dd2b8822410e56048b927be779d95a2b6dc186",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/mac80211/tdls.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.17"
},
{
"lessThan": "3.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.148",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.102",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.148",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.102",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.42",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.10",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "3.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: reject TDLS operations when station is not associated\n\nsyzbot triggered a WARN in ieee80211_tdls_oper() by sending\nNL80211_TDLS_ENABLE_LINK immediately after NL80211_CMD_CONNECT,\nbefore association completed and without prior TDLS setup.\n\nThis left internal state like sdata-\u003eu.mgd.tdls_peer uninitialized,\nleading to a WARN_ON() in code paths that assumed it was valid.\n\nReject the operation early if not in station mode or not associated."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:55:24.140Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0c84204cf0bbe89e454a5caccc6a908bc7db1542"
},
{
"url": "https://git.kernel.org/stable/c/378ae9ccaea3f445838a087962a067b5cb2e8577"
},
{
"url": "https://git.kernel.org/stable/c/af72badd5ee423eb16f6ad7fe0a62f1b4252d848"
},
{
"url": "https://git.kernel.org/stable/c/4df663d4c1ca386dcab2f743dfc9f0cc07aef73c"
},
{
"url": "https://git.kernel.org/stable/c/31af06b574394530f68a4310c45ecbe2f68853c4"
},
{
"url": "https://git.kernel.org/stable/c/16ecdab5446f15a61ec88eb0d23d25d009821db0"
}
],
"title": "wifi: mac80211: reject TDLS operations when station is not associated",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38644",
"datePublished": "2025-08-22T16:00:49.899Z",
"dateReserved": "2025-04-16T04:51:24.030Z",
"dateUpdated": "2025-09-29T05:55:24.140Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38576 (GCVE-0-2025-38576)
Vulnerability from cvelistv5
Published
2025-08-19 17:02
Modified
2025-09-29 05:54
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
powerpc/eeh: Make EEH driver device hotplug safe
Multiple race conditions existed between the PCIe hotplug driver and the
EEH driver, leading to a variety of kernel oopses of the same general
nature:
<pcie device unplug>
<eeh driver trigger>
<hotplug removal trigger>
<pcie tree reconfiguration>
<eeh recovery next step>
<oops in EEH driver bus iteration loop>
A second class of oops is also seen when the underlying bus disappears
during device recovery.
Refactor the EEH module to be PCI rescan and remove safe. Also clean
up a few minor formatting / readability issues.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/powerpc/kernel/eeh_driver.c",
"arch/powerpc/kernel/eeh_pe.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "502f08831a9afb72dc98a56ae6504da43e93b250",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f56e004b781719d8fdf6c9619b15caf2579bc1f2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "59c6d3d81d42bf543c90597b4f38c53d6874c5a1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a426e8a6ae161f51888585b065db0f8f93ab2e16",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d2c60a8a387e9fcc28447ef36c03f8e49fd052a6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d42bbd8f30ac38b1ce54715bf08ec3dac18d6b25",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "19d5036e7ad766cf212aebec23b9f1d7924a62bc",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1010b4c012b0d78dfb9d3132b49aa2ef024a07a7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/powerpc/kernel/eeh_driver.c",
"arch/powerpc/kernel/eeh_pe.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.148",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.102",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.148",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.102",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.42",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/eeh: Make EEH driver device hotplug safe\n\nMultiple race conditions existed between the PCIe hotplug driver and the\nEEH driver, leading to a variety of kernel oopses of the same general\nnature:\n\n\u003cpcie device unplug\u003e\n\u003ceeh driver trigger\u003e\n\u003chotplug removal trigger\u003e\n\u003cpcie tree reconfiguration\u003e\n\u003ceeh recovery next step\u003e\n\u003coops in EEH driver bus iteration loop\u003e\n\nA second class of oops is also seen when the underlying bus disappears\nduring device recovery.\n\nRefactor the EEH module to be PCI rescan and remove safe. Also clean\nup a few minor formatting / readability issues."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:54:06.789Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/502f08831a9afb72dc98a56ae6504da43e93b250"
},
{
"url": "https://git.kernel.org/stable/c/f56e004b781719d8fdf6c9619b15caf2579bc1f2"
},
{
"url": "https://git.kernel.org/stable/c/59c6d3d81d42bf543c90597b4f38c53d6874c5a1"
},
{
"url": "https://git.kernel.org/stable/c/a426e8a6ae161f51888585b065db0f8f93ab2e16"
},
{
"url": "https://git.kernel.org/stable/c/d2c60a8a387e9fcc28447ef36c03f8e49fd052a6"
},
{
"url": "https://git.kernel.org/stable/c/d42bbd8f30ac38b1ce54715bf08ec3dac18d6b25"
},
{
"url": "https://git.kernel.org/stable/c/19d5036e7ad766cf212aebec23b9f1d7924a62bc"
},
{
"url": "https://git.kernel.org/stable/c/1010b4c012b0d78dfb9d3132b49aa2ef024a07a7"
}
],
"title": "powerpc/eeh: Make EEH driver device hotplug safe",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38576",
"datePublished": "2025-08-19T17:02:59.623Z",
"dateReserved": "2025-04-16T04:51:24.025Z",
"dateUpdated": "2025-09-29T05:54:06.789Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38665 (GCVE-0-2025-38665)
Vulnerability from cvelistv5
Published
2025-08-22 16:02
Modified
2025-08-22 16:02
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: netlink: can_changelink(): fix NULL pointer deref of struct can_priv::do_set_mode
Andrei Lalaev reported a NULL pointer deref when a CAN device is
restarted from Bus Off and the driver does not implement the struct
can_priv::do_set_mode callback.
There are 2 code path that call struct can_priv::do_set_mode:
- directly by a manual restart from the user space, via
can_changelink()
- delayed automatic restart after bus off (deactivated by default)
To prevent the NULL pointer deference, refuse a manual restart or
configure the automatic restart delay in can_changelink() and report
the error via extack to user space.
As an additional safety measure let can_restart() return an error if
can_priv::do_set_mode is not set instead of dereferencing it
unchecked.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/can/dev/dev.c",
"drivers/net/can/dev/netlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6bbcf37c5114926c99a1d1e6993a5b35689d2599",
"status": "affected",
"version": "39549eef3587f1c1e8c65c88a2400d10fd30ea17",
"versionType": "git"
},
{
"lessThan": "cf81a60a973358dea163f6b14062f17831ceb894",
"status": "affected",
"version": "39549eef3587f1c1e8c65c88a2400d10fd30ea17",
"versionType": "git"
},
{
"lessThan": "0ca816a96fdcf32644c80cbe7a82c7b6ce6ddda5",
"status": "affected",
"version": "39549eef3587f1c1e8c65c88a2400d10fd30ea17",
"versionType": "git"
},
{
"lessThan": "6acceb46180f9e160d4f0c56fcaf39ba562822ae",
"status": "affected",
"version": "39549eef3587f1c1e8c65c88a2400d10fd30ea17",
"versionType": "git"
},
{
"lessThan": "c1f3f9797c1f44a762e6f5f72520b2e520537b52",
"status": "affected",
"version": "39549eef3587f1c1e8c65c88a2400d10fd30ea17",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/can/dev/dev.c",
"drivers/net/can/dev/netlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.31"
},
{
"lessThan": "2.6.31",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.148",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.101",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.41",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.148",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.101",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.41",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.9",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "2.6.31",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: netlink: can_changelink(): fix NULL pointer deref of struct can_priv::do_set_mode\n\nAndrei Lalaev reported a NULL pointer deref when a CAN device is\nrestarted from Bus Off and the driver does not implement the struct\ncan_priv::do_set_mode callback.\n\nThere are 2 code path that call struct can_priv::do_set_mode:\n- directly by a manual restart from the user space, via\n can_changelink()\n- delayed automatic restart after bus off (deactivated by default)\n\nTo prevent the NULL pointer deference, refuse a manual restart or\nconfigure the automatic restart delay in can_changelink() and report\nthe error via extack to user space.\n\nAs an additional safety measure let can_restart() return an error if\ncan_priv::do_set_mode is not set instead of dereferencing it\nunchecked."
}
],
"providerMetadata": {
"dateUpdated": "2025-08-22T16:02:57.458Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6bbcf37c5114926c99a1d1e6993a5b35689d2599"
},
{
"url": "https://git.kernel.org/stable/c/cf81a60a973358dea163f6b14062f17831ceb894"
},
{
"url": "https://git.kernel.org/stable/c/0ca816a96fdcf32644c80cbe7a82c7b6ce6ddda5"
},
{
"url": "https://git.kernel.org/stable/c/6acceb46180f9e160d4f0c56fcaf39ba562822ae"
},
{
"url": "https://git.kernel.org/stable/c/c1f3f9797c1f44a762e6f5f72520b2e520537b52"
}
],
"title": "can: netlink: can_changelink(): fix NULL pointer deref of struct can_priv::do_set_mode",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38665",
"datePublished": "2025-08-22T16:02:57.458Z",
"dateReserved": "2025-04-16T04:51:24.031Z",
"dateUpdated": "2025-08-22T16:02:57.458Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38498 (GCVE-0-2025-38498)
Vulnerability from cvelistv5
Published
2025-07-30 06:03
Modified
2025-07-30 06:03
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
do_change_type(): refuse to operate on unmounted/not ours mounts
Ensure that propagation settings can only be changed for mounts located
in the caller's mount namespace. This change aligns permission checking
with the rest of mount(2).
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 07b20889e3052c7e77d6a6a54e7e83446eb1ba84 Version: 07b20889e3052c7e77d6a6a54e7e83446eb1ba84 Version: 07b20889e3052c7e77d6a6a54e7e83446eb1ba84 Version: 07b20889e3052c7e77d6a6a54e7e83446eb1ba84 Version: 07b20889e3052c7e77d6a6a54e7e83446eb1ba84 Version: 07b20889e3052c7e77d6a6a54e7e83446eb1ba84 Version: 07b20889e3052c7e77d6a6a54e7e83446eb1ba84 Version: 07b20889e3052c7e77d6a6a54e7e83446eb1ba84 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/namespace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "787937c4e373f1722c4343e5a5a4eb0f8543e589",
"status": "affected",
"version": "07b20889e3052c7e77d6a6a54e7e83446eb1ba84",
"versionType": "git"
},
{
"lessThan": "c7d11fdf8e5db5f34a6c062c7e6ba3a0971879d2",
"status": "affected",
"version": "07b20889e3052c7e77d6a6a54e7e83446eb1ba84",
"versionType": "git"
},
{
"lessThan": "432a171d60056489270c462e651e6c3a13f855b1",
"status": "affected",
"version": "07b20889e3052c7e77d6a6a54e7e83446eb1ba84",
"versionType": "git"
},
{
"lessThan": "064014f7812744451d5d0592f3d2bcd727f2ee93",
"status": "affected",
"version": "07b20889e3052c7e77d6a6a54e7e83446eb1ba84",
"versionType": "git"
},
{
"lessThan": "4f091ad0862b02dc42a19a120b7048de848561f8",
"status": "affected",
"version": "07b20889e3052c7e77d6a6a54e7e83446eb1ba84",
"versionType": "git"
},
{
"lessThan": "9c1ddfeb662b668fff69c5f1cfdd9f5d23d55d23",
"status": "affected",
"version": "07b20889e3052c7e77d6a6a54e7e83446eb1ba84",
"versionType": "git"
},
{
"lessThan": "19554c79a2095ddde850906a067915c1ef3a4114",
"status": "affected",
"version": "07b20889e3052c7e77d6a6a54e7e83446eb1ba84",
"versionType": "git"
},
{
"lessThan": "12f147ddd6de7382dad54812e65f3f08d05809fc",
"status": "affected",
"version": "07b20889e3052c7e77d6a6a54e7e83446eb1ba84",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/namespace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.15"
},
{
"lessThan": "2.6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.239",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.186",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.295",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.239",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.186",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.142",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.94",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.34",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.3",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "2.6.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndo_change_type(): refuse to operate on unmounted/not ours mounts\n\nEnsure that propagation settings can only be changed for mounts located\nin the caller\u0027s mount namespace. This change aligns permission checking\nwith the rest of mount(2)."
}
],
"providerMetadata": {
"dateUpdated": "2025-07-30T06:03:36.483Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/787937c4e373f1722c4343e5a5a4eb0f8543e589"
},
{
"url": "https://git.kernel.org/stable/c/c7d11fdf8e5db5f34a6c062c7e6ba3a0971879d2"
},
{
"url": "https://git.kernel.org/stable/c/432a171d60056489270c462e651e6c3a13f855b1"
},
{
"url": "https://git.kernel.org/stable/c/064014f7812744451d5d0592f3d2bcd727f2ee93"
},
{
"url": "https://git.kernel.org/stable/c/4f091ad0862b02dc42a19a120b7048de848561f8"
},
{
"url": "https://git.kernel.org/stable/c/9c1ddfeb662b668fff69c5f1cfdd9f5d23d55d23"
},
{
"url": "https://git.kernel.org/stable/c/19554c79a2095ddde850906a067915c1ef3a4114"
},
{
"url": "https://git.kernel.org/stable/c/12f147ddd6de7382dad54812e65f3f08d05809fc"
}
],
"title": "do_change_type(): refuse to operate on unmounted/not ours mounts",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38498",
"datePublished": "2025-07-30T06:03:36.483Z",
"dateReserved": "2025-04-16T04:51:24.022Z",
"dateUpdated": "2025-07-30T06:03:36.483Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38601 (GCVE-0-2025-38601)
Vulnerability from cvelistv5
Published
2025-08-19 17:03
Modified
2025-09-29 05:54
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath11k: clear initialized flag for deinit-ed srng lists
In a number of cases we see kernel panics on resume due
to ath11k kernel page fault, which happens under the
following circumstances:
1) First ath11k_hal_dump_srng_stats() call
Last interrupt received for each group:
ath11k_pci 0000:01:00.0: group_id 0 22511ms before
ath11k_pci 0000:01:00.0: group_id 1 14440788ms before
[..]
ath11k_pci 0000:01:00.0: failed to receive control response completion, polling..
ath11k_pci 0000:01:00.0: Service connect timeout
ath11k_pci 0000:01:00.0: failed to connect to HTT: -110
ath11k_pci 0000:01:00.0: failed to start core: -110
ath11k_pci 0000:01:00.0: firmware crashed: MHI_CB_EE_RDDM
ath11k_pci 0000:01:00.0: already resetting count 2
ath11k_pci 0000:01:00.0: failed to wait wlan mode request (mode 4): -110
ath11k_pci 0000:01:00.0: qmi failed to send wlan mode off: -110
ath11k_pci 0000:01:00.0: failed to reconfigure driver on crash recovery
[..]
2) At this point reconfiguration fails (we have 2 resets) and
ath11k_core_reconfigure_on_crash() calls ath11k_hal_srng_deinit()
which destroys srng lists. However, it does not reset per-list
->initialized flag.
3) Second ath11k_hal_dump_srng_stats() call sees stale ->initialized
flag and attempts to dump srng stats:
Last interrupt received for each group:
ath11k_pci 0000:01:00.0: group_id 0 66785ms before
ath11k_pci 0000:01:00.0: group_id 1 14485062ms before
ath11k_pci 0000:01:00.0: group_id 2 14485062ms before
ath11k_pci 0000:01:00.0: group_id 3 14485062ms before
ath11k_pci 0000:01:00.0: group_id 4 14780845ms before
ath11k_pci 0000:01:00.0: group_id 5 14780845ms before
ath11k_pci 0000:01:00.0: group_id 6 14485062ms before
ath11k_pci 0000:01:00.0: group_id 7 66814ms before
ath11k_pci 0000:01:00.0: group_id 8 68997ms before
ath11k_pci 0000:01:00.0: group_id 9 67588ms before
ath11k_pci 0000:01:00.0: group_id 10 69511ms before
BUG: unable to handle page fault for address: ffffa007404eb010
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 100000067 P4D 100000067 PUD 10022d067 PMD 100b01067 PTE 0
Oops: 0000 [#1] PREEMPT SMP NOPTI
RIP: 0010:ath11k_hal_dump_srng_stats+0x2b4/0x3b0 [ath11k]
Call Trace:
<TASK>
? __die_body+0xae/0xb0
? page_fault_oops+0x381/0x3e0
? exc_page_fault+0x69/0xa0
? asm_exc_page_fault+0x22/0x30
? ath11k_hal_dump_srng_stats+0x2b4/0x3b0 [ath11k (HASH:6cea 4)]
ath11k_qmi_driver_event_work+0xbd/0x1050 [ath11k (HASH:6cea 4)]
worker_thread+0x389/0x930
kthread+0x149/0x170
Clear per-list ->initialized flag in ath11k_hal_srng_deinit().
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 5118935b1bc28d0bce9427e584e11e905e68ee9a Version: 5118935b1bc28d0bce9427e584e11e905e68ee9a Version: 5118935b1bc28d0bce9427e584e11e905e68ee9a Version: 5118935b1bc28d0bce9427e584e11e905e68ee9a Version: 5118935b1bc28d0bce9427e584e11e905e68ee9a Version: 5118935b1bc28d0bce9427e584e11e905e68ee9a Version: 5118935b1bc28d0bce9427e584e11e905e68ee9a Version: 5118935b1bc28d0bce9427e584e11e905e68ee9a |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath11k/hal.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3a6daae987a829534636fd85ed6f84d5f0ad7fa4",
"status": "affected",
"version": "5118935b1bc28d0bce9427e584e11e905e68ee9a",
"versionType": "git"
},
{
"lessThan": "eff3bb53c18c0ed4ab6f43d412b3ed3aecad52d5",
"status": "affected",
"version": "5118935b1bc28d0bce9427e584e11e905e68ee9a",
"versionType": "git"
},
{
"lessThan": "916ac18d526a26f6072866b1a97622cf1351ef1c",
"status": "affected",
"version": "5118935b1bc28d0bce9427e584e11e905e68ee9a",
"versionType": "git"
},
{
"lessThan": "5bf201c55fdf303e79005038648dfa1e8af48f54",
"status": "affected",
"version": "5118935b1bc28d0bce9427e584e11e905e68ee9a",
"versionType": "git"
},
{
"lessThan": "72a48be1f53942793f3bc68a37fad1f38b53b082",
"status": "affected",
"version": "5118935b1bc28d0bce9427e584e11e905e68ee9a",
"versionType": "git"
},
{
"lessThan": "0ebb5fe494501c19f31270008b26ab95201af6fd",
"status": "affected",
"version": "5118935b1bc28d0bce9427e584e11e905e68ee9a",
"versionType": "git"
},
{
"lessThan": "16872194c80f2724472fc207991712895ac8a230",
"status": "affected",
"version": "5118935b1bc28d0bce9427e584e11e905e68ee9a",
"versionType": "git"
},
{
"lessThan": "a5b46aa7cf5f05c213316a018e49a8e086efd98e",
"status": "affected",
"version": "5118935b1bc28d0bce9427e584e11e905e68ee9a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath11k/hal.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.148",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.102",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.148",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.102",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.42",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.10",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: clear initialized flag for deinit-ed srng lists\n\nIn a number of cases we see kernel panics on resume due\nto ath11k kernel page fault, which happens under the\nfollowing circumstances:\n\n1) First ath11k_hal_dump_srng_stats() call\n\n Last interrupt received for each group:\n ath11k_pci 0000:01:00.0: group_id 0 22511ms before\n ath11k_pci 0000:01:00.0: group_id 1 14440788ms before\n [..]\n ath11k_pci 0000:01:00.0: failed to receive control response completion, polling..\n ath11k_pci 0000:01:00.0: Service connect timeout\n ath11k_pci 0000:01:00.0: failed to connect to HTT: -110\n ath11k_pci 0000:01:00.0: failed to start core: -110\n ath11k_pci 0000:01:00.0: firmware crashed: MHI_CB_EE_RDDM\n ath11k_pci 0000:01:00.0: already resetting count 2\n ath11k_pci 0000:01:00.0: failed to wait wlan mode request (mode 4): -110\n ath11k_pci 0000:01:00.0: qmi failed to send wlan mode off: -110\n ath11k_pci 0000:01:00.0: failed to reconfigure driver on crash recovery\n [..]\n\n2) At this point reconfiguration fails (we have 2 resets) and\n ath11k_core_reconfigure_on_crash() calls ath11k_hal_srng_deinit()\n which destroys srng lists. However, it does not reset per-list\n -\u003einitialized flag.\n\n3) Second ath11k_hal_dump_srng_stats() call sees stale -\u003einitialized\n flag and attempts to dump srng stats:\n\n Last interrupt received for each group:\n ath11k_pci 0000:01:00.0: group_id 0 66785ms before\n ath11k_pci 0000:01:00.0: group_id 1 14485062ms before\n ath11k_pci 0000:01:00.0: group_id 2 14485062ms before\n ath11k_pci 0000:01:00.0: group_id 3 14485062ms before\n ath11k_pci 0000:01:00.0: group_id 4 14780845ms before\n ath11k_pci 0000:01:00.0: group_id 5 14780845ms before\n ath11k_pci 0000:01:00.0: group_id 6 14485062ms before\n ath11k_pci 0000:01:00.0: group_id 7 66814ms before\n ath11k_pci 0000:01:00.0: group_id 8 68997ms before\n ath11k_pci 0000:01:00.0: group_id 9 67588ms before\n ath11k_pci 0000:01:00.0: group_id 10 69511ms before\n BUG: unable to handle page fault for address: ffffa007404eb010\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 100000067 P4D 100000067 PUD 10022d067 PMD 100b01067 PTE 0\n Oops: 0000 [#1] PREEMPT SMP NOPTI\n RIP: 0010:ath11k_hal_dump_srng_stats+0x2b4/0x3b0 [ath11k]\n Call Trace:\n \u003cTASK\u003e\n ? __die_body+0xae/0xb0\n ? page_fault_oops+0x381/0x3e0\n ? exc_page_fault+0x69/0xa0\n ? asm_exc_page_fault+0x22/0x30\n ? ath11k_hal_dump_srng_stats+0x2b4/0x3b0 [ath11k (HASH:6cea 4)]\n ath11k_qmi_driver_event_work+0xbd/0x1050 [ath11k (HASH:6cea 4)]\n worker_thread+0x389/0x930\n kthread+0x149/0x170\n\nClear per-list -\u003einitialized flag in ath11k_hal_srng_deinit()."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:54:35.931Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3a6daae987a829534636fd85ed6f84d5f0ad7fa4"
},
{
"url": "https://git.kernel.org/stable/c/eff3bb53c18c0ed4ab6f43d412b3ed3aecad52d5"
},
{
"url": "https://git.kernel.org/stable/c/916ac18d526a26f6072866b1a97622cf1351ef1c"
},
{
"url": "https://git.kernel.org/stable/c/5bf201c55fdf303e79005038648dfa1e8af48f54"
},
{
"url": "https://git.kernel.org/stable/c/72a48be1f53942793f3bc68a37fad1f38b53b082"
},
{
"url": "https://git.kernel.org/stable/c/0ebb5fe494501c19f31270008b26ab95201af6fd"
},
{
"url": "https://git.kernel.org/stable/c/16872194c80f2724472fc207991712895ac8a230"
},
{
"url": "https://git.kernel.org/stable/c/a5b46aa7cf5f05c213316a018e49a8e086efd98e"
}
],
"title": "wifi: ath11k: clear initialized flag for deinit-ed srng lists",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38601",
"datePublished": "2025-08-19T17:03:35.798Z",
"dateReserved": "2025-04-16T04:51:24.028Z",
"dateUpdated": "2025-09-29T05:54:35.931Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38650 (GCVE-0-2025-38650)
Vulnerability from cvelistv5
Published
2025-08-22 16:00
Modified
2025-09-29 05:55
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
hfsplus: remove mutex_lock check in hfsplus_free_extents
Syzbot reported an issue in hfsplus filesystem:
------------[ cut here ]------------
WARNING: CPU: 0 PID: 4400 at fs/hfsplus/extents.c:346
hfsplus_free_extents+0x700/0xad0
Call Trace:
<TASK>
hfsplus_file_truncate+0x768/0xbb0 fs/hfsplus/extents.c:606
hfsplus_write_begin+0xc2/0xd0 fs/hfsplus/inode.c:56
cont_expand_zero fs/buffer.c:2383 [inline]
cont_write_begin+0x2cf/0x860 fs/buffer.c:2446
hfsplus_write_begin+0x86/0xd0 fs/hfsplus/inode.c:52
generic_cont_expand_simple+0x151/0x250 fs/buffer.c:2347
hfsplus_setattr+0x168/0x280 fs/hfsplus/inode.c:263
notify_change+0xe38/0x10f0 fs/attr.c:420
do_truncate+0x1fb/0x2e0 fs/open.c:65
do_sys_ftruncate+0x2eb/0x380 fs/open.c:193
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
To avoid deadlock, Commit 31651c607151 ("hfsplus: avoid deadlock
on file truncation") unlock extree before hfsplus_free_extents(),
and add check wheather extree is locked in hfsplus_free_extents().
However, when operations such as hfsplus_file_release,
hfsplus_setattr, hfsplus_unlink, and hfsplus_get_block are executed
concurrently in different files, it is very likely to trigger the
WARN_ON, which will lead syzbot and xfstest to consider it as an
abnormality.
The comment above this warning also describes one of the easy
triggering situations, which can easily trigger and cause
xfstest&syzbot to report errors.
[task A] [task B]
->hfsplus_file_release
->hfsplus_file_truncate
->hfs_find_init
->mutex_lock
->mutex_unlock
->hfsplus_write_begin
->hfsplus_get_block
->hfsplus_file_extend
->hfsplus_ext_read_extent
->hfs_find_init
->mutex_lock
->hfsplus_free_extents
WARN_ON(mutex_is_locked) !!!
Several threads could try to lock the shared extents tree.
And warning can be triggered in one thread when another thread
has locked the tree. This is the wrong behavior of the code and
we need to remove the warning.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 31651c607151f1034cfb57e5a78678bea54c362b Version: 31651c607151f1034cfb57e5a78678bea54c362b Version: 31651c607151f1034cfb57e5a78678bea54c362b Version: 31651c607151f1034cfb57e5a78678bea54c362b Version: 31651c607151f1034cfb57e5a78678bea54c362b Version: 31651c607151f1034cfb57e5a78678bea54c362b Version: 31651c607151f1034cfb57e5a78678bea54c362b Version: 31651c607151f1034cfb57e5a78678bea54c362b Version: 31651c607151f1034cfb57e5a78678bea54c362b |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/hfsplus/extents.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0807e4ac59a546f2346961c5e26a98901594b205",
"status": "affected",
"version": "31651c607151f1034cfb57e5a78678bea54c362b",
"versionType": "git"
},
{
"lessThan": "fdd6aca652122d6e97787e88d7dd53ddc8b74e7e",
"status": "affected",
"version": "31651c607151f1034cfb57e5a78678bea54c362b",
"versionType": "git"
},
{
"lessThan": "14922f0cc92e010b160121679c0a6ca072f4e975",
"status": "affected",
"version": "31651c607151f1034cfb57e5a78678bea54c362b",
"versionType": "git"
},
{
"lessThan": "a19ce9230b22a0866313932e7964cf05557a6008",
"status": "affected",
"version": "31651c607151f1034cfb57e5a78678bea54c362b",
"versionType": "git"
},
{
"lessThan": "084933961ecda7561dedfb78c4676ccb90c91ada",
"status": "affected",
"version": "31651c607151f1034cfb57e5a78678bea54c362b",
"versionType": "git"
},
{
"lessThan": "5055b7db94110f228961dea6b74eed0a93a50b01",
"status": "affected",
"version": "31651c607151f1034cfb57e5a78678bea54c362b",
"versionType": "git"
},
{
"lessThan": "9764b8bb9f5f94df105cd2ac43829dd0d2c82b9f",
"status": "affected",
"version": "31651c607151f1034cfb57e5a78678bea54c362b",
"versionType": "git"
},
{
"lessThan": "314310166ba1fdff7660dfd9d18ea42d7058f7ae",
"status": "affected",
"version": "31651c607151f1034cfb57e5a78678bea54c362b",
"versionType": "git"
},
{
"lessThan": "fcb96956c921f1aae7e7b477f2435c56f77a31b4",
"status": "affected",
"version": "31651c607151f1034cfb57e5a78678bea54c362b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/hfsplus/extents.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.19"
},
{
"lessThan": "4.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.148",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.102",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.148",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.102",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.42",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.10",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfsplus: remove mutex_lock check in hfsplus_free_extents\n\nSyzbot reported an issue in hfsplus filesystem:\n\n------------[ cut here ]------------\nWARNING: CPU: 0 PID: 4400 at fs/hfsplus/extents.c:346\n\thfsplus_free_extents+0x700/0xad0\nCall Trace:\n\u003cTASK\u003e\nhfsplus_file_truncate+0x768/0xbb0 fs/hfsplus/extents.c:606\nhfsplus_write_begin+0xc2/0xd0 fs/hfsplus/inode.c:56\ncont_expand_zero fs/buffer.c:2383 [inline]\ncont_write_begin+0x2cf/0x860 fs/buffer.c:2446\nhfsplus_write_begin+0x86/0xd0 fs/hfsplus/inode.c:52\ngeneric_cont_expand_simple+0x151/0x250 fs/buffer.c:2347\nhfsplus_setattr+0x168/0x280 fs/hfsplus/inode.c:263\nnotify_change+0xe38/0x10f0 fs/attr.c:420\ndo_truncate+0x1fb/0x2e0 fs/open.c:65\ndo_sys_ftruncate+0x2eb/0x380 fs/open.c:193\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nTo avoid deadlock, Commit 31651c607151 (\"hfsplus: avoid deadlock\non file truncation\") unlock extree before hfsplus_free_extents(),\nand add check wheather extree is locked in hfsplus_free_extents().\n\nHowever, when operations such as hfsplus_file_release,\nhfsplus_setattr, hfsplus_unlink, and hfsplus_get_block are executed\nconcurrently in different files, it is very likely to trigger the\nWARN_ON, which will lead syzbot and xfstest to consider it as an\nabnormality.\n\nThe comment above this warning also describes one of the easy\ntriggering situations, which can easily trigger and cause\nxfstest\u0026syzbot to report errors.\n\n[task A]\t\t\t[task B]\n-\u003ehfsplus_file_release\n -\u003ehfsplus_file_truncate\n -\u003ehfs_find_init\n -\u003emutex_lock\n -\u003emutex_unlock\n\t\t\t\t-\u003ehfsplus_write_begin\n\t\t\t\t -\u003ehfsplus_get_block\n\t\t\t\t -\u003ehfsplus_file_extend\n\t\t\t\t -\u003ehfsplus_ext_read_extent\n\t\t\t\t -\u003ehfs_find_init\n\t\t\t\t\t -\u003emutex_lock\n -\u003ehfsplus_free_extents\n WARN_ON(mutex_is_locked) !!!\n\nSeveral threads could try to lock the shared extents tree.\nAnd warning can be triggered in one thread when another thread\nhas locked the tree. This is the wrong behavior of the code and\nwe need to remove the warning."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:55:31.043Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0807e4ac59a546f2346961c5e26a98901594b205"
},
{
"url": "https://git.kernel.org/stable/c/fdd6aca652122d6e97787e88d7dd53ddc8b74e7e"
},
{
"url": "https://git.kernel.org/stable/c/14922f0cc92e010b160121679c0a6ca072f4e975"
},
{
"url": "https://git.kernel.org/stable/c/a19ce9230b22a0866313932e7964cf05557a6008"
},
{
"url": "https://git.kernel.org/stable/c/084933961ecda7561dedfb78c4676ccb90c91ada"
},
{
"url": "https://git.kernel.org/stable/c/5055b7db94110f228961dea6b74eed0a93a50b01"
},
{
"url": "https://git.kernel.org/stable/c/9764b8bb9f5f94df105cd2ac43829dd0d2c82b9f"
},
{
"url": "https://git.kernel.org/stable/c/314310166ba1fdff7660dfd9d18ea42d7058f7ae"
},
{
"url": "https://git.kernel.org/stable/c/fcb96956c921f1aae7e7b477f2435c56f77a31b4"
}
],
"title": "hfsplus: remove mutex_lock check in hfsplus_free_extents",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38650",
"datePublished": "2025-08-22T16:00:54.556Z",
"dateReserved": "2025-04-16T04:51:24.030Z",
"dateUpdated": "2025-09-29T05:55:31.043Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38618 (GCVE-0-2025-38618)
Vulnerability from cvelistv5
Published
2025-08-22 13:01
Modified
2025-09-29 05:54
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
vsock: Do not allow binding to VMADDR_PORT_ANY
It is possible for a vsock to autobind to VMADDR_PORT_ANY. This can
cause a use-after-free when a connection is made to the bound socket.
The socket returned by accept() also has port VMADDR_PORT_ANY but is not
on the list of unbound sockets. Binding it will result in an extra
refcount decrement similar to the one fixed in fcdd2242c023 (vsock: Keep
the binding until socket destruction).
Modify the check in __vsock_bind_connectible() to also prevent binding
to VMADDR_PORT_ANY.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: d021c344051af91f42c5ba9fdedc176740cbd238 Version: d021c344051af91f42c5ba9fdedc176740cbd238 Version: d021c344051af91f42c5ba9fdedc176740cbd238 Version: d021c344051af91f42c5ba9fdedc176740cbd238 Version: d021c344051af91f42c5ba9fdedc176740cbd238 Version: d021c344051af91f42c5ba9fdedc176740cbd238 Version: d021c344051af91f42c5ba9fdedc176740cbd238 Version: d021c344051af91f42c5ba9fdedc176740cbd238 Version: d021c344051af91f42c5ba9fdedc176740cbd238 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/vmw_vsock/af_vsock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c04a2c1ca25b9b23104124d3b2d349d934e302de",
"status": "affected",
"version": "d021c344051af91f42c5ba9fdedc176740cbd238",
"versionType": "git"
},
{
"lessThan": "d1a5b1964cef42727668ac0d8532dae4f8c19386",
"status": "affected",
"version": "d021c344051af91f42c5ba9fdedc176740cbd238",
"versionType": "git"
},
{
"lessThan": "cf86704798c1b9c46fa59dfc2d662f57d1394d79",
"status": "affected",
"version": "d021c344051af91f42c5ba9fdedc176740cbd238",
"versionType": "git"
},
{
"lessThan": "f138be5d7f301fddad4e65ec66dfc3ceebf79be3",
"status": "affected",
"version": "d021c344051af91f42c5ba9fdedc176740cbd238",
"versionType": "git"
},
{
"lessThan": "44bd006d5c93f6a8f28b106cbae2428c5d0275b7",
"status": "affected",
"version": "d021c344051af91f42c5ba9fdedc176740cbd238",
"versionType": "git"
},
{
"lessThan": "32950b1907919be86a7a2697d6f93d57068b3865",
"status": "affected",
"version": "d021c344051af91f42c5ba9fdedc176740cbd238",
"versionType": "git"
},
{
"lessThan": "8f01093646b49f6330bb2d36761983fd829472b1",
"status": "affected",
"version": "d021c344051af91f42c5ba9fdedc176740cbd238",
"versionType": "git"
},
{
"lessThan": "d73960f0cf03ef1dc9e96ec7a20e538accc26d87",
"status": "affected",
"version": "d021c344051af91f42c5ba9fdedc176740cbd238",
"versionType": "git"
},
{
"lessThan": "aba0c94f61ec05315fa7815d21aefa4c87f6a9f4",
"status": "affected",
"version": "d021c344051af91f42c5ba9fdedc176740cbd238",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/vmw_vsock/af_vsock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.9"
},
{
"lessThan": "3.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.148",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.102",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.148",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.102",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.42",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.10",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "3.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvsock: Do not allow binding to VMADDR_PORT_ANY\n\nIt is possible for a vsock to autobind to VMADDR_PORT_ANY. This can\ncause a use-after-free when a connection is made to the bound socket.\nThe socket returned by accept() also has port VMADDR_PORT_ANY but is not\non the list of unbound sockets. Binding it will result in an extra\nrefcount decrement similar to the one fixed in fcdd2242c023 (vsock: Keep\nthe binding until socket destruction).\n\nModify the check in __vsock_bind_connectible() to also prevent binding\nto VMADDR_PORT_ANY."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:54:53.408Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c04a2c1ca25b9b23104124d3b2d349d934e302de"
},
{
"url": "https://git.kernel.org/stable/c/d1a5b1964cef42727668ac0d8532dae4f8c19386"
},
{
"url": "https://git.kernel.org/stable/c/cf86704798c1b9c46fa59dfc2d662f57d1394d79"
},
{
"url": "https://git.kernel.org/stable/c/f138be5d7f301fddad4e65ec66dfc3ceebf79be3"
},
{
"url": "https://git.kernel.org/stable/c/44bd006d5c93f6a8f28b106cbae2428c5d0275b7"
},
{
"url": "https://git.kernel.org/stable/c/32950b1907919be86a7a2697d6f93d57068b3865"
},
{
"url": "https://git.kernel.org/stable/c/8f01093646b49f6330bb2d36761983fd829472b1"
},
{
"url": "https://git.kernel.org/stable/c/d73960f0cf03ef1dc9e96ec7a20e538accc26d87"
},
{
"url": "https://git.kernel.org/stable/c/aba0c94f61ec05315fa7815d21aefa4c87f6a9f4"
}
],
"title": "vsock: Do not allow binding to VMADDR_PORT_ANY",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38618",
"datePublished": "2025-08-22T13:01:24.678Z",
"dateReserved": "2025-04-16T04:51:24.029Z",
"dateUpdated": "2025-09-29T05:54:53.408Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38263 (GCVE-0-2025-38263)
Vulnerability from cvelistv5
Published
2025-07-09 10:42
Modified
2025-07-28 04:16
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bcache: fix NULL pointer in cache_set_flush()
1. LINE#1794 - LINE#1887 is some codes about function of
bch_cache_set_alloc().
2. LINE#2078 - LINE#2142 is some codes about function of
register_cache_set().
3. register_cache_set() will call bch_cache_set_alloc() in LINE#2098.
1794 struct cache_set *bch_cache_set_alloc(struct cache_sb *sb)
1795 {
...
1860 if (!(c->devices = kcalloc(c->nr_uuids, sizeof(void *), GFP_KERNEL)) ||
1861 mempool_init_slab_pool(&c->search, 32, bch_search_cache) ||
1862 mempool_init_kmalloc_pool(&c->bio_meta, 2,
1863 sizeof(struct bbio) + sizeof(struct bio_vec) *
1864 bucket_pages(c)) ||
1865 mempool_init_kmalloc_pool(&c->fill_iter, 1, iter_size) ||
1866 bioset_init(&c->bio_split, 4, offsetof(struct bbio, bio),
1867 BIOSET_NEED_BVECS|BIOSET_NEED_RESCUER) ||
1868 !(c->uuids = alloc_bucket_pages(GFP_KERNEL, c)) ||
1869 !(c->moving_gc_wq = alloc_workqueue("bcache_gc",
1870 WQ_MEM_RECLAIM, 0)) ||
1871 bch_journal_alloc(c) ||
1872 bch_btree_cache_alloc(c) ||
1873 bch_open_buckets_alloc(c) ||
1874 bch_bset_sort_state_init(&c->sort, ilog2(c->btree_pages)))
1875 goto err;
^^^^^^^^
1876
...
1883 return c;
1884 err:
1885 bch_cache_set_unregister(c);
^^^^^^^^^^^^^^^^^^^^^^^^^^^
1886 return NULL;
1887 }
...
2078 static const char *register_cache_set(struct cache *ca)
2079 {
...
2098 c = bch_cache_set_alloc(&ca->sb);
2099 if (!c)
2100 return err;
^^^^^^^^^^
...
2128 ca->set = c;
2129 ca->set->cache[ca->sb.nr_this_dev] = ca;
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
...
2138 return NULL;
2139 err:
2140 bch_cache_set_unregister(c);
2141 return err;
2142 }
(1) If LINE#1860 - LINE#1874 is true, then do 'goto err'(LINE#1875) and
call bch_cache_set_unregister()(LINE#1885).
(2) As (1) return NULL(LINE#1886), LINE#2098 - LINE#2100 would return.
(3) As (2) has returned, LINE#2128 - LINE#2129 would do *not* give the
value to c->cache[], it means that c->cache[] is NULL.
LINE#1624 - LINE#1665 is some codes about function of cache_set_flush().
As (1), in LINE#1885 call
bch_cache_set_unregister()
---> bch_cache_set_stop()
---> closure_queue()
-.-> cache_set_flush() (as below LINE#1624)
1624 static void cache_set_flush(struct closure *cl)
1625 {
...
1654 for_each_cache(ca, c, i)
1655 if (ca->alloc_thread)
^^
1656 kthread_stop(ca->alloc_thread);
...
1665 }
(4) In LINE#1655 ca is NULL(see (3)) in cache_set_flush() then the
kernel crash occurred as below:
[ 846.712887] bcache: register_cache() error drbd6: cannot allocate memory
[ 846.713242] bcache: register_bcache() error : failed to register device
[ 846.713336] bcache: cache_set_free() Cache set 2f84bdc1-498a-4f2f-98a7-01946bf54287 unregistered
[ 846.713768] BUG: unable to handle kernel NULL pointer dereference at 00000000000009f8
[ 846.714790] PGD 0 P4D 0
[ 846.715129] Oops: 0000 [#1] SMP PTI
[ 846.715472] CPU: 19 PID: 5057 Comm: kworker/19:16 Kdump: loaded Tainted: G OE --------- - - 4.18.0-147.5.1.el8_1.5es.3.x86_64 #1
[ 846.716082] Hardware name: ESPAN GI-25212/X11DPL-i, BIOS 2.1 06/15/2018
[ 846.716451] Workqueue: events cache_set_flush [bcache]
[ 846.716808] RIP: 0010:cache_set_flush+0xc9/0x1b0 [bcache]
[ 846.717155] Code: 00 4c 89 a5 b0 03 00 00 48 8b 85 68 f6 ff ff a8 08 0f 84 88 00 00 00 31 db 66 83 bd 3c f7 ff ff 00 48 8b 85 48 ff ff ff 74 28 <48> 8b b8 f8 09 00 0
---truncated---
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: cafe563591446cf80bfbc2fe3bc72a2e36cf1060 Version: cafe563591446cf80bfbc2fe3bc72a2e36cf1060 Version: cafe563591446cf80bfbc2fe3bc72a2e36cf1060 Version: cafe563591446cf80bfbc2fe3bc72a2e36cf1060 Version: cafe563591446cf80bfbc2fe3bc72a2e36cf1060 Version: cafe563591446cf80bfbc2fe3bc72a2e36cf1060 Version: cafe563591446cf80bfbc2fe3bc72a2e36cf1060 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/bcache/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d54681938b777488e5dfb781b566d16adad991de",
"status": "affected",
"version": "cafe563591446cf80bfbc2fe3bc72a2e36cf1060",
"versionType": "git"
},
{
"lessThan": "1f25f2d3fa29325320c19a30abf787e0bd5fc91b",
"status": "affected",
"version": "cafe563591446cf80bfbc2fe3bc72a2e36cf1060",
"versionType": "git"
},
{
"lessThan": "c4f5e7e417034b05f5d2f5fa9a872db897da69bd",
"status": "affected",
"version": "cafe563591446cf80bfbc2fe3bc72a2e36cf1060",
"versionType": "git"
},
{
"lessThan": "553f560e0a74a7008ad9dba05c3fd05da296befb",
"status": "affected",
"version": "cafe563591446cf80bfbc2fe3bc72a2e36cf1060",
"versionType": "git"
},
{
"lessThan": "667c3f52373ff5354cb3543e27237eb7df7b2333",
"status": "affected",
"version": "cafe563591446cf80bfbc2fe3bc72a2e36cf1060",
"versionType": "git"
},
{
"lessThan": "3f9e128186c99a117e304f1dce6d0b9e50c63cd8",
"status": "affected",
"version": "cafe563591446cf80bfbc2fe3bc72a2e36cf1060",
"versionType": "git"
},
{
"lessThan": "1e46ed947ec658f89f1a910d880cd05e42d3763e",
"status": "affected",
"version": "cafe563591446cf80bfbc2fe3bc72a2e36cf1060",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/bcache/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.10"
},
{
"lessThan": "3.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.240",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.187",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.96",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.240",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.187",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.143",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.96",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.36",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.5",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "3.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbcache: fix NULL pointer in cache_set_flush()\n\n1. LINE#1794 - LINE#1887 is some codes about function of\n bch_cache_set_alloc().\n2. LINE#2078 - LINE#2142 is some codes about function of\n register_cache_set().\n3. register_cache_set() will call bch_cache_set_alloc() in LINE#2098.\n\n 1794 struct cache_set *bch_cache_set_alloc(struct cache_sb *sb)\n 1795 {\n ...\n 1860 if (!(c-\u003edevices = kcalloc(c-\u003enr_uuids, sizeof(void *), GFP_KERNEL)) ||\n 1861 mempool_init_slab_pool(\u0026c-\u003esearch, 32, bch_search_cache) ||\n 1862 mempool_init_kmalloc_pool(\u0026c-\u003ebio_meta, 2,\n 1863 sizeof(struct bbio) + sizeof(struct bio_vec) *\n 1864 bucket_pages(c)) ||\n 1865 mempool_init_kmalloc_pool(\u0026c-\u003efill_iter, 1, iter_size) ||\n 1866 bioset_init(\u0026c-\u003ebio_split, 4, offsetof(struct bbio, bio),\n 1867 BIOSET_NEED_BVECS|BIOSET_NEED_RESCUER) ||\n 1868 !(c-\u003euuids = alloc_bucket_pages(GFP_KERNEL, c)) ||\n 1869 !(c-\u003emoving_gc_wq = alloc_workqueue(\"bcache_gc\",\n 1870 WQ_MEM_RECLAIM, 0)) ||\n 1871 bch_journal_alloc(c) ||\n 1872 bch_btree_cache_alloc(c) ||\n 1873 bch_open_buckets_alloc(c) ||\n 1874 bch_bset_sort_state_init(\u0026c-\u003esort, ilog2(c-\u003ebtree_pages)))\n 1875 goto err;\n ^^^^^^^^\n 1876\n ...\n 1883 return c;\n 1884 err:\n 1885 bch_cache_set_unregister(c);\n ^^^^^^^^^^^^^^^^^^^^^^^^^^^\n 1886 return NULL;\n 1887 }\n ...\n 2078 static const char *register_cache_set(struct cache *ca)\n 2079 {\n ...\n 2098 c = bch_cache_set_alloc(\u0026ca-\u003esb);\n 2099 if (!c)\n 2100 return err;\n ^^^^^^^^^^\n ...\n 2128 ca-\u003eset = c;\n 2129 ca-\u003eset-\u003ecache[ca-\u003esb.nr_this_dev] = ca;\n ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n ...\n 2138 return NULL;\n 2139 err:\n 2140 bch_cache_set_unregister(c);\n 2141 return err;\n 2142 }\n\n(1) If LINE#1860 - LINE#1874 is true, then do \u0027goto err\u0027(LINE#1875) and\n call bch_cache_set_unregister()(LINE#1885).\n(2) As (1) return NULL(LINE#1886), LINE#2098 - LINE#2100 would return.\n(3) As (2) has returned, LINE#2128 - LINE#2129 would do *not* give the\n value to c-\u003ecache[], it means that c-\u003ecache[] is NULL.\n\nLINE#1624 - LINE#1665 is some codes about function of cache_set_flush().\nAs (1), in LINE#1885 call\nbch_cache_set_unregister()\n---\u003e bch_cache_set_stop()\n ---\u003e closure_queue()\n -.-\u003e cache_set_flush() (as below LINE#1624)\n\n 1624 static void cache_set_flush(struct closure *cl)\n 1625 {\n ...\n 1654 for_each_cache(ca, c, i)\n 1655 if (ca-\u003ealloc_thread)\n ^^\n 1656 kthread_stop(ca-\u003ealloc_thread);\n ...\n 1665 }\n\n(4) In LINE#1655 ca is NULL(see (3)) in cache_set_flush() then the\n kernel crash occurred as below:\n[ 846.712887] bcache: register_cache() error drbd6: cannot allocate memory\n[ 846.713242] bcache: register_bcache() error : failed to register device\n[ 846.713336] bcache: cache_set_free() Cache set 2f84bdc1-498a-4f2f-98a7-01946bf54287 unregistered\n[ 846.713768] BUG: unable to handle kernel NULL pointer dereference at 00000000000009f8\n[ 846.714790] PGD 0 P4D 0\n[ 846.715129] Oops: 0000 [#1] SMP PTI\n[ 846.715472] CPU: 19 PID: 5057 Comm: kworker/19:16 Kdump: loaded Tainted: G OE --------- - - 4.18.0-147.5.1.el8_1.5es.3.x86_64 #1\n[ 846.716082] Hardware name: ESPAN GI-25212/X11DPL-i, BIOS 2.1 06/15/2018\n[ 846.716451] Workqueue: events cache_set_flush [bcache]\n[ 846.716808] RIP: 0010:cache_set_flush+0xc9/0x1b0 [bcache]\n[ 846.717155] Code: 00 4c 89 a5 b0 03 00 00 48 8b 85 68 f6 ff ff a8 08 0f 84 88 00 00 00 31 db 66 83 bd 3c f7 ff ff 00 48 8b 85 48 ff ff ff 74 28 \u003c48\u003e 8b b8 f8 09 00 0\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T04:16:36.043Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d54681938b777488e5dfb781b566d16adad991de"
},
{
"url": "https://git.kernel.org/stable/c/1f25f2d3fa29325320c19a30abf787e0bd5fc91b"
},
{
"url": "https://git.kernel.org/stable/c/c4f5e7e417034b05f5d2f5fa9a872db897da69bd"
},
{
"url": "https://git.kernel.org/stable/c/553f560e0a74a7008ad9dba05c3fd05da296befb"
},
{
"url": "https://git.kernel.org/stable/c/667c3f52373ff5354cb3543e27237eb7df7b2333"
},
{
"url": "https://git.kernel.org/stable/c/3f9e128186c99a117e304f1dce6d0b9e50c63cd8"
},
{
"url": "https://git.kernel.org/stable/c/1e46ed947ec658f89f1a910d880cd05e42d3763e"
}
],
"title": "bcache: fix NULL pointer in cache_set_flush()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38263",
"datePublished": "2025-07-09T10:42:37.990Z",
"dateReserved": "2025-04-16T04:51:23.997Z",
"dateUpdated": "2025-07-28T04:16:36.043Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38491 (GCVE-0-2025-38491)
Vulnerability from cvelistv5
Published
2025-07-28 11:21
Modified
2025-08-28 14:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mptcp: make fallback action and fallback decision atomic
Syzkaller reported the following splat:
WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 __mptcp_do_fallback net/mptcp/protocol.h:1223 [inline]
WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 mptcp_do_fallback net/mptcp/protocol.h:1244 [inline]
WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 check_fully_established net/mptcp/options.c:982 [inline]
WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 mptcp_incoming_options+0x21a8/0x2510 net/mptcp/options.c:1153
Modules linked in:
CPU: 1 UID: 0 PID: 7704 Comm: syz.3.1419 Not tainted 6.16.0-rc3-gbd5ce2324dba #20 PREEMPT(voluntary)
Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:__mptcp_do_fallback net/mptcp/protocol.h:1223 [inline]
RIP: 0010:mptcp_do_fallback net/mptcp/protocol.h:1244 [inline]
RIP: 0010:check_fully_established net/mptcp/options.c:982 [inline]
RIP: 0010:mptcp_incoming_options+0x21a8/0x2510 net/mptcp/options.c:1153
Code: 24 18 e8 bb 2a 00 fd e9 1b df ff ff e8 b1 21 0f 00 e8 ec 5f c4 fc 44 0f b7 ac 24 b0 00 00 00 e9 54 f1 ff ff e8 d9 5f c4 fc 90 <0f> 0b 90 e9 b8 f4 ff ff e8 8b 2a 00 fd e9 8d e6 ff ff e8 81 2a 00
RSP: 0018:ffff8880a3f08448 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff8880180a8000 RCX: ffffffff84afcf45
RDX: ffff888090223700 RSI: ffffffff84afdaa7 RDI: 0000000000000001
RBP: ffff888017955780 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: ffff8880180a8910 R14: ffff8880a3e9d058 R15: 0000000000000000
FS: 00005555791b8500(0000) GS:ffff88811c495000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000110c2800b7 CR3: 0000000058e44000 CR4: 0000000000350ef0
Call Trace:
<IRQ>
tcp_reset+0x26f/0x2b0 net/ipv4/tcp_input.c:4432
tcp_validate_incoming+0x1057/0x1b60 net/ipv4/tcp_input.c:5975
tcp_rcv_established+0x5b5/0x21f0 net/ipv4/tcp_input.c:6166
tcp_v4_do_rcv+0x5dc/0xa70 net/ipv4/tcp_ipv4.c:1925
tcp_v4_rcv+0x3473/0x44a0 net/ipv4/tcp_ipv4.c:2363
ip_protocol_deliver_rcu+0xba/0x480 net/ipv4/ip_input.c:205
ip_local_deliver_finish+0x2f1/0x500 net/ipv4/ip_input.c:233
NF_HOOK include/linux/netfilter.h:317 [inline]
NF_HOOK include/linux/netfilter.h:311 [inline]
ip_local_deliver+0x1be/0x560 net/ipv4/ip_input.c:254
dst_input include/net/dst.h:469 [inline]
ip_rcv_finish net/ipv4/ip_input.c:447 [inline]
NF_HOOK include/linux/netfilter.h:317 [inline]
NF_HOOK include/linux/netfilter.h:311 [inline]
ip_rcv+0x514/0x810 net/ipv4/ip_input.c:567
__netif_receive_skb_one_core+0x197/0x1e0 net/core/dev.c:5975
__netif_receive_skb+0x1f/0x120 net/core/dev.c:6088
process_backlog+0x301/0x1360 net/core/dev.c:6440
__napi_poll.constprop.0+0xba/0x550 net/core/dev.c:7453
napi_poll net/core/dev.c:7517 [inline]
net_rx_action+0xb44/0x1010 net/core/dev.c:7644
handle_softirqs+0x1d0/0x770 kernel/softirq.c:579
do_softirq+0x3f/0x90 kernel/softirq.c:480
</IRQ>
<TASK>
__local_bh_enable_ip+0xed/0x110 kernel/softirq.c:407
local_bh_enable include/linux/bottom_half.h:33 [inline]
inet_csk_listen_stop+0x2c5/0x1070 net/ipv4/inet_connection_sock.c:1524
mptcp_check_listen_stop.part.0+0x1cc/0x220 net/mptcp/protocol.c:2985
mptcp_check_listen_stop net/mptcp/mib.h:118 [inline]
__mptcp_close+0x9b9/0xbd0 net/mptcp/protocol.c:3000
mptcp_close+0x2f/0x140 net/mptcp/protocol.c:3066
inet_release+0xed/0x200 net/ipv4/af_inet.c:435
inet6_release+0x4f/0x70 net/ipv6/af_inet6.c:487
__sock_release+0xb3/0x270 net/socket.c:649
sock_close+0x1c/0x30 net/socket.c:1439
__fput+0x402/0xb70 fs/file_table.c:465
task_work_run+0x150/0x240 kernel/task_work.c:227
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
exit_to_user_mode_loop+0xd4
---truncated---
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 0530020a7c8f2204e784f0dbdc882bbd961fdbde Version: 0530020a7c8f2204e784f0dbdc882bbd961fdbde Version: 0530020a7c8f2204e784f0dbdc882bbd961fdbde Version: 0530020a7c8f2204e784f0dbdc882bbd961fdbde Version: 0530020a7c8f2204e784f0dbdc882bbd961fdbde Version: 609937aa962a62e93acfc04dd370b665e6152dfb Version: 6654efe264b014d8ea9fc38f79efb568b1b79069 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mptcp/options.c",
"net/mptcp/protocol.c",
"net/mptcp/protocol.h",
"net/mptcp/subflow.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5586518bec27666c747cd52aabb62d485686d0bf",
"status": "affected",
"version": "0530020a7c8f2204e784f0dbdc882bbd961fdbde",
"versionType": "git"
},
{
"lessThan": "75a4c9ab8a7af0d76b31ccd1188ed178c38b35d2",
"status": "affected",
"version": "0530020a7c8f2204e784f0dbdc882bbd961fdbde",
"versionType": "git"
},
{
"lessThan": "54999dea879fecb761225e28f274b40662918c30",
"status": "affected",
"version": "0530020a7c8f2204e784f0dbdc882bbd961fdbde",
"versionType": "git"
},
{
"lessThan": "1d82a8fe6ee4afdc92f4e8808c9dad2a6095bbc5",
"status": "affected",
"version": "0530020a7c8f2204e784f0dbdc882bbd961fdbde",
"versionType": "git"
},
{
"lessThan": "f8a1d9b18c5efc76784f5a326e905f641f839894",
"status": "affected",
"version": "0530020a7c8f2204e784f0dbdc882bbd961fdbde",
"versionType": "git"
},
{
"status": "affected",
"version": "609937aa962a62e93acfc04dd370b665e6152dfb",
"versionType": "git"
},
{
"status": "affected",
"version": "6654efe264b014d8ea9fc38f79efb568b1b79069",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/mptcp/options.c",
"net/mptcp/protocol.c",
"net/mptcp/protocol.h",
"net/mptcp/subflow.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.101",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.101",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.40",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.8",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.10.228",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.15.169",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: make fallback action and fallback decision atomic\n\nSyzkaller reported the following splat:\n\n WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 __mptcp_do_fallback net/mptcp/protocol.h:1223 [inline]\n WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 mptcp_do_fallback net/mptcp/protocol.h:1244 [inline]\n WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 check_fully_established net/mptcp/options.c:982 [inline]\n WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 mptcp_incoming_options+0x21a8/0x2510 net/mptcp/options.c:1153\n Modules linked in:\n CPU: 1 UID: 0 PID: 7704 Comm: syz.3.1419 Not tainted 6.16.0-rc3-gbd5ce2324dba #20 PREEMPT(voluntary)\n Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n RIP: 0010:__mptcp_do_fallback net/mptcp/protocol.h:1223 [inline]\n RIP: 0010:mptcp_do_fallback net/mptcp/protocol.h:1244 [inline]\n RIP: 0010:check_fully_established net/mptcp/options.c:982 [inline]\n RIP: 0010:mptcp_incoming_options+0x21a8/0x2510 net/mptcp/options.c:1153\n Code: 24 18 e8 bb 2a 00 fd e9 1b df ff ff e8 b1 21 0f 00 e8 ec 5f c4 fc 44 0f b7 ac 24 b0 00 00 00 e9 54 f1 ff ff e8 d9 5f c4 fc 90 \u003c0f\u003e 0b 90 e9 b8 f4 ff ff e8 8b 2a 00 fd e9 8d e6 ff ff e8 81 2a 00\n RSP: 0018:ffff8880a3f08448 EFLAGS: 00010246\n RAX: 0000000000000000 RBX: ffff8880180a8000 RCX: ffffffff84afcf45\n RDX: ffff888090223700 RSI: ffffffff84afdaa7 RDI: 0000000000000001\n RBP: ffff888017955780 R08: 0000000000000001 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\n R13: ffff8880180a8910 R14: ffff8880a3e9d058 R15: 0000000000000000\n FS: 00005555791b8500(0000) GS:ffff88811c495000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 000000110c2800b7 CR3: 0000000058e44000 CR4: 0000000000350ef0\n Call Trace:\n \u003cIRQ\u003e\n tcp_reset+0x26f/0x2b0 net/ipv4/tcp_input.c:4432\n tcp_validate_incoming+0x1057/0x1b60 net/ipv4/tcp_input.c:5975\n tcp_rcv_established+0x5b5/0x21f0 net/ipv4/tcp_input.c:6166\n tcp_v4_do_rcv+0x5dc/0xa70 net/ipv4/tcp_ipv4.c:1925\n tcp_v4_rcv+0x3473/0x44a0 net/ipv4/tcp_ipv4.c:2363\n ip_protocol_deliver_rcu+0xba/0x480 net/ipv4/ip_input.c:205\n ip_local_deliver_finish+0x2f1/0x500 net/ipv4/ip_input.c:233\n NF_HOOK include/linux/netfilter.h:317 [inline]\n NF_HOOK include/linux/netfilter.h:311 [inline]\n ip_local_deliver+0x1be/0x560 net/ipv4/ip_input.c:254\n dst_input include/net/dst.h:469 [inline]\n ip_rcv_finish net/ipv4/ip_input.c:447 [inline]\n NF_HOOK include/linux/netfilter.h:317 [inline]\n NF_HOOK include/linux/netfilter.h:311 [inline]\n ip_rcv+0x514/0x810 net/ipv4/ip_input.c:567\n __netif_receive_skb_one_core+0x197/0x1e0 net/core/dev.c:5975\n __netif_receive_skb+0x1f/0x120 net/core/dev.c:6088\n process_backlog+0x301/0x1360 net/core/dev.c:6440\n __napi_poll.constprop.0+0xba/0x550 net/core/dev.c:7453\n napi_poll net/core/dev.c:7517 [inline]\n net_rx_action+0xb44/0x1010 net/core/dev.c:7644\n handle_softirqs+0x1d0/0x770 kernel/softirq.c:579\n do_softirq+0x3f/0x90 kernel/softirq.c:480\n \u003c/IRQ\u003e\n \u003cTASK\u003e\n __local_bh_enable_ip+0xed/0x110 kernel/softirq.c:407\n local_bh_enable include/linux/bottom_half.h:33 [inline]\n inet_csk_listen_stop+0x2c5/0x1070 net/ipv4/inet_connection_sock.c:1524\n mptcp_check_listen_stop.part.0+0x1cc/0x220 net/mptcp/protocol.c:2985\n mptcp_check_listen_stop net/mptcp/mib.h:118 [inline]\n __mptcp_close+0x9b9/0xbd0 net/mptcp/protocol.c:3000\n mptcp_close+0x2f/0x140 net/mptcp/protocol.c:3066\n inet_release+0xed/0x200 net/ipv4/af_inet.c:435\n inet6_release+0x4f/0x70 net/ipv6/af_inet6.c:487\n __sock_release+0xb3/0x270 net/socket.c:649\n sock_close+0x1c/0x30 net/socket.c:1439\n __fput+0x402/0xb70 fs/file_table.c:465\n task_work_run+0x150/0x240 kernel/task_work.c:227\n resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]\n exit_to_user_mode_loop+0xd4\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-08-28T14:43:27.453Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5586518bec27666c747cd52aabb62d485686d0bf"
},
{
"url": "https://git.kernel.org/stable/c/75a4c9ab8a7af0d76b31ccd1188ed178c38b35d2"
},
{
"url": "https://git.kernel.org/stable/c/54999dea879fecb761225e28f274b40662918c30"
},
{
"url": "https://git.kernel.org/stable/c/1d82a8fe6ee4afdc92f4e8808c9dad2a6095bbc5"
},
{
"url": "https://git.kernel.org/stable/c/f8a1d9b18c5efc76784f5a326e905f641f839894"
}
],
"title": "mptcp: make fallback action and fallback decision atomic",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38491",
"datePublished": "2025-07-28T11:21:59.852Z",
"dateReserved": "2025-04-16T04:51:24.021Z",
"dateUpdated": "2025-08-28T14:43:27.453Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-47674 (GCVE-0-2024-47674)
Vulnerability from cvelistv5
Published
2024-10-15 10:48
Modified
2025-05-04 09:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm: avoid leaving partial pfn mappings around in error case
As Jann points out, PFN mappings are special, because unlike normal
memory mappings, there is no lifetime information associated with the
mapping - it is just a raw mapping of PFNs with no reference counting of
a 'struct page'.
That's all very much intentional, but it does mean that it's easy to
mess up the cleanup in case of errors. Yes, a failed mmap() will always
eventually clean up any partial mappings, but without any explicit
lifetime in the page table mapping itself, it's very easy to do the
error handling in the wrong order.
In particular, it's easy to mistakenly free the physical backing store
before the page tables are actually cleaned up and (temporarily) have
stale dangling PTE entries.
To make this situation less error-prone, just make sure that any partial
pfn mapping is torn down early, before any other error handling.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47674",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-15T12:44:14.464782Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-15T12:44:33.228Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/memory.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3213fdcab961026203dd587a4533600c70b3336b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "35770ca6180caa24a2b258c99a87bd437a1ee10f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5b2c8b34f6d76bfbd1dd4936eb8a0fbfb9af3959",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "65d0db500d7c07f0f76fc24a4d837791c4862cd2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a95a24fcaee1b892e47d5e6dcc403f713874ee80",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "954fd4c81f22c4b6ba65379a81fd252971bf4ef3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "79a61cc3fc0466ad2b7b89618a6157785f0293b3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/memory.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.286",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.52",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.10.*",
"status": "unaffected",
"version": "6.10.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.11",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.286",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.229",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.168",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.111",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.52",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: avoid leaving partial pfn mappings around in error case\n\nAs Jann points out, PFN mappings are special, because unlike normal\nmemory mappings, there is no lifetime information associated with the\nmapping - it is just a raw mapping of PFNs with no reference counting of\na \u0027struct page\u0027.\n\nThat\u0027s all very much intentional, but it does mean that it\u0027s easy to\nmess up the cleanup in case of errors. Yes, a failed mmap() will always\neventually clean up any partial mappings, but without any explicit\nlifetime in the page table mapping itself, it\u0027s very easy to do the\nerror handling in the wrong order.\n\nIn particular, it\u0027s easy to mistakenly free the physical backing store\nbefore the page tables are actually cleaned up and (temporarily) have\nstale dangling PTE entries.\n\nTo make this situation less error-prone, just make sure that any partial\npfn mapping is torn down early, before any other error handling."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:36:57.350Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3213fdcab961026203dd587a4533600c70b3336b"
},
{
"url": "https://git.kernel.org/stable/c/35770ca6180caa24a2b258c99a87bd437a1ee10f"
},
{
"url": "https://git.kernel.org/stable/c/5b2c8b34f6d76bfbd1dd4936eb8a0fbfb9af3959"
},
{
"url": "https://git.kernel.org/stable/c/65d0db500d7c07f0f76fc24a4d837791c4862cd2"
},
{
"url": "https://git.kernel.org/stable/c/a95a24fcaee1b892e47d5e6dcc403f713874ee80"
},
{
"url": "https://git.kernel.org/stable/c/954fd4c81f22c4b6ba65379a81fd252971bf4ef3"
},
{
"url": "https://git.kernel.org/stable/c/79a61cc3fc0466ad2b7b89618a6157785f0293b3"
},
{
"url": "https://project-zero.issues.chromium.org/issues/366053091"
}
],
"title": "mm: avoid leaving partial pfn mappings around in error case",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-47674",
"datePublished": "2024-10-15T10:48:33.481Z",
"dateReserved": "2024-09-30T16:00:12.937Z",
"dateUpdated": "2025-05-04T09:36:57.350Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38174 (GCVE-0-2025-38174)
Vulnerability from cvelistv5
Published
2025-07-04 10:39
Modified
2025-07-28 04:14
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
thunderbolt: Do not double dequeue a configuration request
Some of our devices crash in tb_cfg_request_dequeue():
general protection fault, probably for non-canonical address 0xdead000000000122
CPU: 6 PID: 91007 Comm: kworker/6:2 Tainted: G U W 6.6.65
RIP: 0010:tb_cfg_request_dequeue+0x2d/0xa0
Call Trace:
<TASK>
? tb_cfg_request_dequeue+0x2d/0xa0
tb_cfg_request_work+0x33/0x80
worker_thread+0x386/0x8f0
kthread+0xed/0x110
ret_from_fork+0x38/0x50
ret_from_fork_asm+0x1b/0x30
The circumstances are unclear, however, the theory is that
tb_cfg_request_work() can be scheduled twice for a request:
first time via frame.callback from ring_work() and second
time from tb_cfg_request(). Both times kworkers will execute
tb_cfg_request_dequeue(), which results in double list_del()
from the ctl->request_queue (the list poison deference hints
at it: 0xdead000000000122).
Do not dequeue requests that don't have TB_CFG_REQUEST_ACTIVE
bit set.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 16603153666d22df544ae9f9b3764fd18da28eeb Version: 16603153666d22df544ae9f9b3764fd18da28eeb Version: 16603153666d22df544ae9f9b3764fd18da28eeb Version: 16603153666d22df544ae9f9b3764fd18da28eeb Version: 16603153666d22df544ae9f9b3764fd18da28eeb Version: 16603153666d22df544ae9f9b3764fd18da28eeb Version: 16603153666d22df544ae9f9b3764fd18da28eeb Version: 16603153666d22df544ae9f9b3764fd18da28eeb Version: 16603153666d22df544ae9f9b3764fd18da28eeb |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/thunderbolt/ctl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e49e994cd83705f7ca30eda1e304abddfd96a37a",
"status": "affected",
"version": "16603153666d22df544ae9f9b3764fd18da28eeb",
"versionType": "git"
},
{
"lessThan": "0a3011d47dbc92a33621861c423cb64833d7fe57",
"status": "affected",
"version": "16603153666d22df544ae9f9b3764fd18da28eeb",
"versionType": "git"
},
{
"lessThan": "2f62eda4d974c26bc595425eafd429067541f2c9",
"status": "affected",
"version": "16603153666d22df544ae9f9b3764fd18da28eeb",
"versionType": "git"
},
{
"lessThan": "85286e634ebbaf9c0fb1cdf580add2f33fc7628c",
"status": "affected",
"version": "16603153666d22df544ae9f9b3764fd18da28eeb",
"versionType": "git"
},
{
"lessThan": "5a057f261539720165d03d85024da2b52e67f63d",
"status": "affected",
"version": "16603153666d22df544ae9f9b3764fd18da28eeb",
"versionType": "git"
},
{
"lessThan": "eb2d5e794fb966b3ef8bde99eb8561446a53509f",
"status": "affected",
"version": "16603153666d22df544ae9f9b3764fd18da28eeb",
"versionType": "git"
},
{
"lessThan": "0771bcbe2f6e5d5f263cf466efe571d2754a46da",
"status": "affected",
"version": "16603153666d22df544ae9f9b3764fd18da28eeb",
"versionType": "git"
},
{
"lessThan": "cdb4feab2f39e75a66239e3a112beced279612a8",
"status": "affected",
"version": "16603153666d22df544ae9f9b3764fd18da28eeb",
"versionType": "git"
},
{
"lessThan": "0f73628e9da1ee39daf5f188190cdbaee5e0c98c",
"status": "affected",
"version": "16603153666d22df544ae9f9b3764fd18da28eeb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/thunderbolt/ctl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.17"
},
{
"lessThan": "3.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.239",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.186",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.295",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.239",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.186",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.142",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.94",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.33",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.11",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.2",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "3.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nthunderbolt: Do not double dequeue a configuration request\n\nSome of our devices crash in tb_cfg_request_dequeue():\n\n general protection fault, probably for non-canonical address 0xdead000000000122\n\n CPU: 6 PID: 91007 Comm: kworker/6:2 Tainted: G U W 6.6.65\n RIP: 0010:tb_cfg_request_dequeue+0x2d/0xa0\n Call Trace:\n \u003cTASK\u003e\n ? tb_cfg_request_dequeue+0x2d/0xa0\n tb_cfg_request_work+0x33/0x80\n worker_thread+0x386/0x8f0\n kthread+0xed/0x110\n ret_from_fork+0x38/0x50\n ret_from_fork_asm+0x1b/0x30\n\nThe circumstances are unclear, however, the theory is that\ntb_cfg_request_work() can be scheduled twice for a request:\nfirst time via frame.callback from ring_work() and second\ntime from tb_cfg_request(). Both times kworkers will execute\ntb_cfg_request_dequeue(), which results in double list_del()\nfrom the ctl-\u003erequest_queue (the list poison deference hints\nat it: 0xdead000000000122).\n\nDo not dequeue requests that don\u0027t have TB_CFG_REQUEST_ACTIVE\nbit set."
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T04:14:16.356Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e49e994cd83705f7ca30eda1e304abddfd96a37a"
},
{
"url": "https://git.kernel.org/stable/c/0a3011d47dbc92a33621861c423cb64833d7fe57"
},
{
"url": "https://git.kernel.org/stable/c/2f62eda4d974c26bc595425eafd429067541f2c9"
},
{
"url": "https://git.kernel.org/stable/c/85286e634ebbaf9c0fb1cdf580add2f33fc7628c"
},
{
"url": "https://git.kernel.org/stable/c/5a057f261539720165d03d85024da2b52e67f63d"
},
{
"url": "https://git.kernel.org/stable/c/eb2d5e794fb966b3ef8bde99eb8561446a53509f"
},
{
"url": "https://git.kernel.org/stable/c/0771bcbe2f6e5d5f263cf466efe571d2754a46da"
},
{
"url": "https://git.kernel.org/stable/c/cdb4feab2f39e75a66239e3a112beced279612a8"
},
{
"url": "https://git.kernel.org/stable/c/0f73628e9da1ee39daf5f188190cdbaee5e0c98c"
}
],
"title": "thunderbolt: Do not double dequeue a configuration request",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38174",
"datePublished": "2025-07-04T10:39:55.732Z",
"dateReserved": "2025-04-16T04:51:23.991Z",
"dateUpdated": "2025-07-28T04:14:16.356Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-4130 (GCVE-0-2023-4130)
Vulnerability from cvelistv5
Published
2025-08-16 13:27
Modified
2025-08-19 05:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: fix wrong next length validation of ea buffer in smb2_set_ea()
There are multiple smb2_ea_info buffers in FILE_FULL_EA_INFORMATION request
from client. ksmbd find next smb2_ea_info using ->NextEntryOffset of
current smb2_ea_info. ksmbd need to validate buffer length Before
accessing the next ea. ksmbd should check buffer length using buf_len,
not next variable. next is the start offset of current ea that got from
previous ea.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/server/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "aeb974907642be095e38ecb1a400ca583958b2b0",
"status": "affected",
"version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
"versionType": "git"
},
{
"lessThan": "f339d76a3a972601d0738b881b099d49ebbdc3a2",
"status": "affected",
"version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
"versionType": "git"
},
{
"lessThan": "4bf629262f9118ee91b1c3a518ebf2b3bcb22180",
"status": "affected",
"version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
"versionType": "git"
},
{
"lessThan": "79ed288cef201f1f212dfb934bcaac75572fb8f6",
"status": "affected",
"version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/server/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.127",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.127",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.46",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.11",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix wrong next length validation of ea buffer in smb2_set_ea()\n\nThere are multiple smb2_ea_info buffers in FILE_FULL_EA_INFORMATION request\nfrom client. ksmbd find next smb2_ea_info using -\u003eNextEntryOffset of\ncurrent smb2_ea_info. ksmbd need to validate buffer length Before\naccessing the next ea. ksmbd should check buffer length using buf_len,\nnot next variable. next is the start offset of current ea that got from\nprevious ea."
}
],
"providerMetadata": {
"dateUpdated": "2025-08-19T05:47:15.732Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/aeb974907642be095e38ecb1a400ca583958b2b0"
},
{
"url": "https://git.kernel.org/stable/c/f339d76a3a972601d0738b881b099d49ebbdc3a2"
},
{
"url": "https://git.kernel.org/stable/c/4bf629262f9118ee91b1c3a518ebf2b3bcb22180"
},
{
"url": "https://git.kernel.org/stable/c/79ed288cef201f1f212dfb934bcaac75572fb8f6"
}
],
"title": "ksmbd: fix wrong next length validation of ea buffer in smb2_set_ea()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-4130",
"datePublished": "2025-08-16T13:27:58.227Z",
"dateReserved": "2023-08-03T08:12:08.227Z",
"dateUpdated": "2025-08-19T05:47:15.732Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38500 (GCVE-0-2025-38500)
Vulnerability from cvelistv5
Published
2025-08-12 16:02
Modified
2025-10-01 18:12
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
xfrm: interface: fix use-after-free after changing collect_md xfrm interface
collect_md property on xfrm interfaces can only be set on device creation,
thus xfrmi_changelink() should fail when called on such interfaces.
The check to enforce this was done only in the case where the xi was
returned from xfrmi_locate() which doesn't look for the collect_md
interface, and thus the validation was never reached.
Calling changelink would thus errornously place the special interface xi
in the xfrmi_net->xfrmi hash, but since it also exists in the
xfrmi_net->collect_md_xfrmi pointer it would lead to a double free when
the net namespace was taken down [1].
Change the check to use the xi from netdev_priv which is available earlier
in the function to prevent changes in xfrm collect_md interfaces.
[1] resulting oops:
[ 8.516540] kernel BUG at net/core/dev.c:12029!
[ 8.516552] Oops: invalid opcode: 0000 [#1] SMP NOPTI
[ 8.516559] CPU: 0 UID: 0 PID: 12 Comm: kworker/u80:0 Not tainted 6.15.0-virtme #5 PREEMPT(voluntary)
[ 8.516565] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 8.516569] Workqueue: netns cleanup_net
[ 8.516579] RIP: 0010:unregister_netdevice_many_notify+0x101/0xab0
[ 8.516590] Code: 90 0f 0b 90 48 8b b0 78 01 00 00 48 8b 90 80 01 00 00 48 89 56 08 48 89 32 4c 89 80 78 01 00 00 48 89 b8 80 01 00 00 eb ac 90 <0f> 0b 48 8b 45 00 4c 8d a0 88 fe ff ff 48 39 c5 74 5c 41 80 bc 24
[ 8.516593] RSP: 0018:ffffa93b8006bd30 EFLAGS: 00010206
[ 8.516598] RAX: ffff98fe4226e000 RBX: ffffa93b8006bd58 RCX: ffffa93b8006bc60
[ 8.516601] RDX: 0000000000000004 RSI: 0000000000000000 RDI: dead000000000122
[ 8.516603] RBP: ffffa93b8006bdd8 R08: dead000000000100 R09: ffff98fe4133c100
[ 8.516605] R10: 0000000000000000 R11: 00000000000003d2 R12: ffffa93b8006be00
[ 8.516608] R13: ffffffff96c1a510 R14: ffffffff96c1a510 R15: ffffa93b8006be00
[ 8.516615] FS: 0000000000000000(0000) GS:ffff98fee73b7000(0000) knlGS:0000000000000000
[ 8.516619] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 8.516622] CR2: 00007fcd2abd0700 CR3: 000000003aa40000 CR4: 0000000000752ef0
[ 8.516625] PKRU: 55555554
[ 8.516627] Call Trace:
[ 8.516632] <TASK>
[ 8.516635] ? rtnl_is_locked+0x15/0x20
[ 8.516641] ? unregister_netdevice_queue+0x29/0xf0
[ 8.516650] ops_undo_list+0x1f2/0x220
[ 8.516659] cleanup_net+0x1ad/0x2e0
[ 8.516664] process_one_work+0x160/0x380
[ 8.516673] worker_thread+0x2aa/0x3c0
[ 8.516679] ? __pfx_worker_thread+0x10/0x10
[ 8.516686] kthread+0xfb/0x200
[ 8.516690] ? __pfx_kthread+0x10/0x10
[ 8.516693] ? __pfx_kthread+0x10/0x10
[ 8.516697] ret_from_fork+0x82/0xf0
[ 8.516705] ? __pfx_kthread+0x10/0x10
[ 8.516709] ret_from_fork_asm+0x1a/0x30
[ 8.516718] </TASK>
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-38500",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T18:10:59.896187Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T18:12:31.018Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/xfrm/xfrm_interface_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a8d4748b954584ab7bd800f1a4e46d5b0eeb5ce4",
"status": "affected",
"version": "abc340b38ba25cd6c7aa2c0bd9150d30738c82d0",
"versionType": "git"
},
{
"lessThan": "bfebdb85496e1da21d3cf05de099210915c3e706",
"status": "affected",
"version": "abc340b38ba25cd6c7aa2c0bd9150d30738c82d0",
"versionType": "git"
},
{
"lessThan": "5918c3f4800a3aef2173865e5903370f21e24f47",
"status": "affected",
"version": "abc340b38ba25cd6c7aa2c0bd9150d30738c82d0",
"versionType": "git"
},
{
"lessThan": "69a31f7a6a81f5ffd3812c442e09ff0be22960f1",
"status": "affected",
"version": "abc340b38ba25cd6c7aa2c0bd9150d30738c82d0",
"versionType": "git"
},
{
"lessThan": "a90b2a1aaacbcf0f91d7e4868ad6c51c5dee814b",
"status": "affected",
"version": "abc340b38ba25cd6c7aa2c0bd9150d30738c82d0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/xfrm/xfrm_interface_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.148",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.101",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.41",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.148",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.101",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.41",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.9",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: interface: fix use-after-free after changing collect_md xfrm interface\n\ncollect_md property on xfrm interfaces can only be set on device creation,\nthus xfrmi_changelink() should fail when called on such interfaces.\n\nThe check to enforce this was done only in the case where the xi was\nreturned from xfrmi_locate() which doesn\u0027t look for the collect_md\ninterface, and thus the validation was never reached.\n\nCalling changelink would thus errornously place the special interface xi\nin the xfrmi_net-\u003exfrmi hash, but since it also exists in the\nxfrmi_net-\u003ecollect_md_xfrmi pointer it would lead to a double free when\nthe net namespace was taken down [1].\n\nChange the check to use the xi from netdev_priv which is available earlier\nin the function to prevent changes in xfrm collect_md interfaces.\n\n[1] resulting oops:\n[ 8.516540] kernel BUG at net/core/dev.c:12029!\n[ 8.516552] Oops: invalid opcode: 0000 [#1] SMP NOPTI\n[ 8.516559] CPU: 0 UID: 0 PID: 12 Comm: kworker/u80:0 Not tainted 6.15.0-virtme #5 PREEMPT(voluntary)\n[ 8.516565] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[ 8.516569] Workqueue: netns cleanup_net\n[ 8.516579] RIP: 0010:unregister_netdevice_many_notify+0x101/0xab0\n[ 8.516590] Code: 90 0f 0b 90 48 8b b0 78 01 00 00 48 8b 90 80 01 00 00 48 89 56 08 48 89 32 4c 89 80 78 01 00 00 48 89 b8 80 01 00 00 eb ac 90 \u003c0f\u003e 0b 48 8b 45 00 4c 8d a0 88 fe ff ff 48 39 c5 74 5c 41 80 bc 24\n[ 8.516593] RSP: 0018:ffffa93b8006bd30 EFLAGS: 00010206\n[ 8.516598] RAX: ffff98fe4226e000 RBX: ffffa93b8006bd58 RCX: ffffa93b8006bc60\n[ 8.516601] RDX: 0000000000000004 RSI: 0000000000000000 RDI: dead000000000122\n[ 8.516603] RBP: ffffa93b8006bdd8 R08: dead000000000100 R09: ffff98fe4133c100\n[ 8.516605] R10: 0000000000000000 R11: 00000000000003d2 R12: ffffa93b8006be00\n[ 8.516608] R13: ffffffff96c1a510 R14: ffffffff96c1a510 R15: ffffa93b8006be00\n[ 8.516615] FS: 0000000000000000(0000) GS:ffff98fee73b7000(0000) knlGS:0000000000000000\n[ 8.516619] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 8.516622] CR2: 00007fcd2abd0700 CR3: 000000003aa40000 CR4: 0000000000752ef0\n[ 8.516625] PKRU: 55555554\n[ 8.516627] Call Trace:\n[ 8.516632] \u003cTASK\u003e\n[ 8.516635] ? rtnl_is_locked+0x15/0x20\n[ 8.516641] ? unregister_netdevice_queue+0x29/0xf0\n[ 8.516650] ops_undo_list+0x1f2/0x220\n[ 8.516659] cleanup_net+0x1ad/0x2e0\n[ 8.516664] process_one_work+0x160/0x380\n[ 8.516673] worker_thread+0x2aa/0x3c0\n[ 8.516679] ? __pfx_worker_thread+0x10/0x10\n[ 8.516686] kthread+0xfb/0x200\n[ 8.516690] ? __pfx_kthread+0x10/0x10\n[ 8.516693] ? __pfx_kthread+0x10/0x10\n[ 8.516697] ret_from_fork+0x82/0xf0\n[ 8.516705] ? __pfx_kthread+0x10/0x10\n[ 8.516709] ret_from_fork_asm+0x1a/0x30\n[ 8.516718] \u003c/TASK\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2025-08-15T15:16:37.105Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a8d4748b954584ab7bd800f1a4e46d5b0eeb5ce4"
},
{
"url": "https://git.kernel.org/stable/c/bfebdb85496e1da21d3cf05de099210915c3e706"
},
{
"url": "https://git.kernel.org/stable/c/5918c3f4800a3aef2173865e5903370f21e24f47"
},
{
"url": "https://git.kernel.org/stable/c/69a31f7a6a81f5ffd3812c442e09ff0be22960f1"
},
{
"url": "https://git.kernel.org/stable/c/a90b2a1aaacbcf0f91d7e4868ad6c51c5dee814b"
}
],
"title": "xfrm: interface: fix use-after-free after changing collect_md xfrm interface",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38500",
"datePublished": "2025-08-12T16:02:42.363Z",
"dateReserved": "2025-04-16T04:51:24.022Z",
"dateUpdated": "2025-10-01T18:12:31.018Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38520 (GCVE-0-2025-38520)
Vulnerability from cvelistv5
Published
2025-08-16 10:55
Modified
2025-08-16 10:55
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdkfd: Don't call mmput from MMU notifier callback
If the process is exiting, the mmput inside mmu notifier callback from
compactd or fork or numa balancing could release the last reference
of mm struct to call exit_mmap and free_pgtable, this triggers deadlock
with below backtrace.
The deadlock will leak kfd process as mmu notifier release is not called
and cause VRAM leaking.
The fix is to take mm reference mmget_non_zero when adding prange to the
deferred list to pair with mmput in deferred list work.
If prange split and add into pchild list, the pchild work_item.mm is not
used, so remove the mm parameter from svm_range_unmap_split and
svm_range_add_child.
The backtrace of hung task:
INFO: task python:348105 blocked for more than 64512 seconds.
Call Trace:
__schedule+0x1c3/0x550
schedule+0x46/0xb0
rwsem_down_write_slowpath+0x24b/0x4c0
unlink_anon_vmas+0xb1/0x1c0
free_pgtables+0xa9/0x130
exit_mmap+0xbc/0x1a0
mmput+0x5a/0x140
svm_range_cpu_invalidate_pagetables+0x2b/0x40 [amdgpu]
mn_itree_invalidate+0x72/0xc0
__mmu_notifier_invalidate_range_start+0x48/0x60
try_to_unmap_one+0x10fa/0x1400
rmap_walk_anon+0x196/0x460
try_to_unmap+0xbb/0x210
migrate_page_unmap+0x54d/0x7e0
migrate_pages_batch+0x1c3/0xae0
migrate_pages_sync+0x98/0x240
migrate_pages+0x25c/0x520
compact_zone+0x29d/0x590
compact_zone_order+0xb6/0xf0
try_to_compact_pages+0xbe/0x220
__alloc_pages_direct_compact+0x96/0x1a0
__alloc_pages_slowpath+0x410/0x930
__alloc_pages_nodemask+0x3a9/0x3e0
do_huge_pmd_anonymous_page+0xd7/0x3e0
__handle_mm_fault+0x5e3/0x5f0
handle_mm_fault+0xf7/0x2e0
hmm_vma_fault.isra.0+0x4d/0xa0
walk_pmd_range.isra.0+0xa8/0x310
walk_pud_range+0x167/0x240
walk_pgd_range+0x55/0x100
__walk_page_range+0x87/0x90
walk_page_range+0xf6/0x160
hmm_range_fault+0x4f/0x90
amdgpu_hmm_range_get_pages+0x123/0x230 [amdgpu]
amdgpu_ttm_tt_get_user_pages+0xb1/0x150 [amdgpu]
init_user_pages+0xb1/0x2a0 [amdgpu]
amdgpu_amdkfd_gpuvm_alloc_memory_of_gpu+0x543/0x7d0 [amdgpu]
kfd_ioctl_alloc_memory_of_gpu+0x24c/0x4e0 [amdgpu]
kfd_ioctl+0x29d/0x500 [amdgpu]
(cherry picked from commit a29e067bd38946f752b0ef855f3dfff87e77bec7)
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: fa582c6f3684ac0098a9d02ddf0ed52a02b37127 Version: fa582c6f3684ac0098a9d02ddf0ed52a02b37127 Version: fa582c6f3684ac0098a9d02ddf0ed52a02b37127 Version: fa582c6f3684ac0098a9d02ddf0ed52a02b37127 Version: fa582c6f3684ac0098a9d02ddf0ed52a02b37127 Version: 09c5cdbc62d99fc6306a21b24b60eb11a3bd0963 Version: 4b29b8d7c20f54eec0ff266b4a3f419bd251ed83 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdkfd/kfd_svm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c1bde9d48e09933c361521720f77a8072083c83a",
"status": "affected",
"version": "fa582c6f3684ac0098a9d02ddf0ed52a02b37127",
"versionType": "git"
},
{
"lessThan": "145a56bd68f4bff098d59fbc7c263d20dfef4fc4",
"status": "affected",
"version": "fa582c6f3684ac0098a9d02ddf0ed52a02b37127",
"versionType": "git"
},
{
"lessThan": "e90ee15ce28c61f6d83a0511c3e02e2662478350",
"status": "affected",
"version": "fa582c6f3684ac0098a9d02ddf0ed52a02b37127",
"versionType": "git"
},
{
"lessThan": "a7eb0a25010a674c8fdfbece38353ef7be8c5834",
"status": "affected",
"version": "fa582c6f3684ac0098a9d02ddf0ed52a02b37127",
"versionType": "git"
},
{
"lessThan": "cf234231fcbc7d391e2135b9518613218cc5347f",
"status": "affected",
"version": "fa582c6f3684ac0098a9d02ddf0ed52a02b37127",
"versionType": "git"
},
{
"status": "affected",
"version": "09c5cdbc62d99fc6306a21b24b60eb11a3bd0963",
"versionType": "git"
},
{
"status": "affected",
"version": "4b29b8d7c20f54eec0ff266b4a3f419bd251ed83",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdkfd/kfd_svm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.148",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.101",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.148",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.101",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.39",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.7",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.15.49",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.18.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Don\u0027t call mmput from MMU notifier callback\n\nIf the process is exiting, the mmput inside mmu notifier callback from\ncompactd or fork or numa balancing could release the last reference\nof mm struct to call exit_mmap and free_pgtable, this triggers deadlock\nwith below backtrace.\n\nThe deadlock will leak kfd process as mmu notifier release is not called\nand cause VRAM leaking.\n\nThe fix is to take mm reference mmget_non_zero when adding prange to the\ndeferred list to pair with mmput in deferred list work.\n\nIf prange split and add into pchild list, the pchild work_item.mm is not\nused, so remove the mm parameter from svm_range_unmap_split and\nsvm_range_add_child.\n\nThe backtrace of hung task:\n\n INFO: task python:348105 blocked for more than 64512 seconds.\n Call Trace:\n __schedule+0x1c3/0x550\n schedule+0x46/0xb0\n rwsem_down_write_slowpath+0x24b/0x4c0\n unlink_anon_vmas+0xb1/0x1c0\n free_pgtables+0xa9/0x130\n exit_mmap+0xbc/0x1a0\n mmput+0x5a/0x140\n svm_range_cpu_invalidate_pagetables+0x2b/0x40 [amdgpu]\n mn_itree_invalidate+0x72/0xc0\n __mmu_notifier_invalidate_range_start+0x48/0x60\n try_to_unmap_one+0x10fa/0x1400\n rmap_walk_anon+0x196/0x460\n try_to_unmap+0xbb/0x210\n migrate_page_unmap+0x54d/0x7e0\n migrate_pages_batch+0x1c3/0xae0\n migrate_pages_sync+0x98/0x240\n migrate_pages+0x25c/0x520\n compact_zone+0x29d/0x590\n compact_zone_order+0xb6/0xf0\n try_to_compact_pages+0xbe/0x220\n __alloc_pages_direct_compact+0x96/0x1a0\n __alloc_pages_slowpath+0x410/0x930\n __alloc_pages_nodemask+0x3a9/0x3e0\n do_huge_pmd_anonymous_page+0xd7/0x3e0\n __handle_mm_fault+0x5e3/0x5f0\n handle_mm_fault+0xf7/0x2e0\n hmm_vma_fault.isra.0+0x4d/0xa0\n walk_pmd_range.isra.0+0xa8/0x310\n walk_pud_range+0x167/0x240\n walk_pgd_range+0x55/0x100\n __walk_page_range+0x87/0x90\n walk_page_range+0xf6/0x160\n hmm_range_fault+0x4f/0x90\n amdgpu_hmm_range_get_pages+0x123/0x230 [amdgpu]\n amdgpu_ttm_tt_get_user_pages+0xb1/0x150 [amdgpu]\n init_user_pages+0xb1/0x2a0 [amdgpu]\n amdgpu_amdkfd_gpuvm_alloc_memory_of_gpu+0x543/0x7d0 [amdgpu]\n kfd_ioctl_alloc_memory_of_gpu+0x24c/0x4e0 [amdgpu]\n kfd_ioctl+0x29d/0x500 [amdgpu]\n\n(cherry picked from commit a29e067bd38946f752b0ef855f3dfff87e77bec7)"
}
],
"providerMetadata": {
"dateUpdated": "2025-08-16T10:55:07.114Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c1bde9d48e09933c361521720f77a8072083c83a"
},
{
"url": "https://git.kernel.org/stable/c/145a56bd68f4bff098d59fbc7c263d20dfef4fc4"
},
{
"url": "https://git.kernel.org/stable/c/e90ee15ce28c61f6d83a0511c3e02e2662478350"
},
{
"url": "https://git.kernel.org/stable/c/a7eb0a25010a674c8fdfbece38353ef7be8c5834"
},
{
"url": "https://git.kernel.org/stable/c/cf234231fcbc7d391e2135b9518613218cc5347f"
}
],
"title": "drm/amdkfd: Don\u0027t call mmput from MMU notifier callback",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38520",
"datePublished": "2025-08-16T10:55:07.114Z",
"dateReserved": "2025-04-16T04:51:24.023Z",
"dateUpdated": "2025-08-16T10:55:07.114Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38591 (GCVE-0-2025-38591)
Vulnerability from cvelistv5
Published
2025-08-19 17:03
Modified
2025-09-29 05:54
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Reject narrower access to pointer ctx fields
The following BPF program, simplified from a syzkaller repro, causes a
kernel warning:
r0 = *(u8 *)(r1 + 169);
exit;
With pointer field sk being at offset 168 in __sk_buff. This access is
detected as a narrower read in bpf_skb_is_valid_access because it
doesn't match offsetof(struct __sk_buff, sk). It is therefore allowed
and later proceeds to bpf_convert_ctx_access. Note that for the
"is_narrower_load" case in the convert_ctx_accesses(), the insn->off
is aligned, so the cnt may not be 0 because it matches the
offsetof(struct __sk_buff, sk) in the bpf_convert_ctx_access. However,
the target_size stays 0 and the verifier errors with a kernel warning:
verifier bug: error during ctx access conversion(1)
This patch fixes that to return a proper "invalid bpf_context access
off=X size=Y" error on the load instruction.
The same issue affects multiple other fields in context structures that
allow narrow access. Some other non-affected fields (for sk_msg,
sk_lookup, and sockopt) were also changed to use bpf_ctx_range_ptr for
consistency.
Note this syzkaller crash was reported in the "Closes" link below, which
used to be about a different bug, fixed in
commit fce7bd8e385a ("bpf/verifier: Handle BPF_LOAD_ACQ instructions
in insn_def_regno()"). Because syzbot somehow confused the two bugs,
the new crash and repro didn't get reported to the mailing list.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/bpf/cgroup.c",
"net/core/filter.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "202900ceeef67458c964c2af6e1427c8e533ea7c",
"status": "affected",
"version": "f96da09473b52c09125cc9bf7d7d4576ae8229e0",
"versionType": "git"
},
{
"lessThan": "e09299225d5ba3916c91ef70565f7d2187e4cca0",
"status": "affected",
"version": "f96da09473b52c09125cc9bf7d7d4576ae8229e0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/bpf/cgroup.c",
"net/core/filter.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.13"
},
{
"lessThan": "4.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Reject narrower access to pointer ctx fields\n\nThe following BPF program, simplified from a syzkaller repro, causes a\nkernel warning:\n\n r0 = *(u8 *)(r1 + 169);\n exit;\n\nWith pointer field sk being at offset 168 in __sk_buff. This access is\ndetected as a narrower read in bpf_skb_is_valid_access because it\ndoesn\u0027t match offsetof(struct __sk_buff, sk). It is therefore allowed\nand later proceeds to bpf_convert_ctx_access. Note that for the\n\"is_narrower_load\" case in the convert_ctx_accesses(), the insn-\u003eoff\nis aligned, so the cnt may not be 0 because it matches the\noffsetof(struct __sk_buff, sk) in the bpf_convert_ctx_access. However,\nthe target_size stays 0 and the verifier errors with a kernel warning:\n\n verifier bug: error during ctx access conversion(1)\n\nThis patch fixes that to return a proper \"invalid bpf_context access\noff=X size=Y\" error on the load instruction.\n\nThe same issue affects multiple other fields in context structures that\nallow narrow access. Some other non-affected fields (for sk_msg,\nsk_lookup, and sockopt) were also changed to use bpf_ctx_range_ptr for\nconsistency.\n\nNote this syzkaller crash was reported in the \"Closes\" link below, which\nused to be about a different bug, fixed in\ncommit fce7bd8e385a (\"bpf/verifier: Handle BPF_LOAD_ACQ instructions\nin insn_def_regno()\"). Because syzbot somehow confused the two bugs,\nthe new crash and repro didn\u0027t get reported to the mailing list."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:54:24.048Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/202900ceeef67458c964c2af6e1427c8e533ea7c"
},
{
"url": "https://git.kernel.org/stable/c/e09299225d5ba3916c91ef70565f7d2187e4cca0"
}
],
"title": "bpf: Reject narrower access to pointer ctx fields",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38591",
"datePublished": "2025-08-19T17:03:12.508Z",
"dateReserved": "2025-04-16T04:51:24.026Z",
"dateUpdated": "2025-09-29T05:54:24.048Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38430 (GCVE-0-2025-38430)
Vulnerability from cvelistv5
Published
2025-07-25 14:16
Modified
2025-07-28 04:22
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
nfsd: nfsd4_spo_must_allow() must check this is a v4 compound request
If the request being processed is not a v4 compound request, then
examining the cstate can have undefined results.
This patch adds a check that the rpc procedure being executed
(rq_procinfo) is the NFSPROC4_COMPOUND procedure.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfsd/nfs4proc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bf78a2706ce975981eb5167f2d3b609eb5d24c19",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b1d0323a09a29f81572c7391e0d80d78724729c9",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "425efc6b3292a3c79bfee4a1661cf043dcd9cf2f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "64a723b0281ecaa59d31aad73ef8e408a84cb603",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e7e943ddd1c6731812357a28e7954ade3a7d8517",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7a75a956692aa64211a9e95781af1ec461642de4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2c54bd5a380ebf646fb9efbc4ae782ff3a83a5af",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1244f0b2c3cecd3f349a877006e67c9492b41807",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfsd/nfs4proc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.239",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.186",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.95",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.35",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.295",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.239",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.186",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.142",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.95",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: nfsd4_spo_must_allow() must check this is a v4 compound request\n\nIf the request being processed is not a v4 compound request, then\nexamining the cstate can have undefined results.\n\nThis patch adds a check that the rpc procedure being executed\n(rq_procinfo) is the NFSPROC4_COMPOUND procedure."
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T04:22:01.846Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bf78a2706ce975981eb5167f2d3b609eb5d24c19"
},
{
"url": "https://git.kernel.org/stable/c/b1d0323a09a29f81572c7391e0d80d78724729c9"
},
{
"url": "https://git.kernel.org/stable/c/425efc6b3292a3c79bfee4a1661cf043dcd9cf2f"
},
{
"url": "https://git.kernel.org/stable/c/64a723b0281ecaa59d31aad73ef8e408a84cb603"
},
{
"url": "https://git.kernel.org/stable/c/e7e943ddd1c6731812357a28e7954ade3a7d8517"
},
{
"url": "https://git.kernel.org/stable/c/7a75a956692aa64211a9e95781af1ec461642de4"
},
{
"url": "https://git.kernel.org/stable/c/2c54bd5a380ebf646fb9efbc4ae782ff3a83a5af"
},
{
"url": "https://git.kernel.org/stable/c/1244f0b2c3cecd3f349a877006e67c9492b41807"
}
],
"title": "nfsd: nfsd4_spo_must_allow() must check this is a v4 compound request",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38430",
"datePublished": "2025-07-25T14:16:49.443Z",
"dateReserved": "2025-04-16T04:51:24.015Z",
"dateUpdated": "2025-07-28T04:22:01.846Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38583 (GCVE-0-2025-38583)
Vulnerability from cvelistv5
Published
2025-08-19 17:03
Modified
2025-09-29 05:54
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
clk: xilinx: vcu: unregister pll_post only if registered correctly
If registration of pll_post is failed, it will be set to NULL or ERR,
unregistering same will fail with following call trace:
Unable to handle kernel NULL pointer dereference at virtual address 008
pc : clk_hw_unregister+0xc/0x20
lr : clk_hw_unregister_fixed_factor+0x18/0x30
sp : ffff800011923850
...
Call trace:
clk_hw_unregister+0xc/0x20
clk_hw_unregister_fixed_factor+0x18/0x30
xvcu_unregister_clock_provider+0xcc/0xf4 [xlnx_vcu]
xvcu_probe+0x2bc/0x53c [xlnx_vcu]
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 4472e1849db7f719bbf625890096e0269b5849fe Version: 4472e1849db7f719bbf625890096e0269b5849fe Version: 4472e1849db7f719bbf625890096e0269b5849fe Version: 4472e1849db7f719bbf625890096e0269b5849fe Version: 4472e1849db7f719bbf625890096e0269b5849fe Version: 4472e1849db7f719bbf625890096e0269b5849fe Version: 4472e1849db7f719bbf625890096e0269b5849fe |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/clk/xilinx/xlnx_vcu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7e903da71f8bec4beb7c06707900e1ed8db843ca",
"status": "affected",
"version": "4472e1849db7f719bbf625890096e0269b5849fe",
"versionType": "git"
},
{
"lessThan": "88bd875b7f9c3652c27d6e4bb7a23701b764f762",
"status": "affected",
"version": "4472e1849db7f719bbf625890096e0269b5849fe",
"versionType": "git"
},
{
"lessThan": "51990eecf22f446550befdfd1a9f54147eafd636",
"status": "affected",
"version": "4472e1849db7f719bbf625890096e0269b5849fe",
"versionType": "git"
},
{
"lessThan": "f1a1be99d5ae53d3b404415f1665eb59e8e02a8c",
"status": "affected",
"version": "4472e1849db7f719bbf625890096e0269b5849fe",
"versionType": "git"
},
{
"lessThan": "86124c5cfceb5ac04d2fddbf1b6f7147332d96a3",
"status": "affected",
"version": "4472e1849db7f719bbf625890096e0269b5849fe",
"versionType": "git"
},
{
"lessThan": "a72b1c2d3b53e088bfaeb593949ff6fbd2cbe8ed",
"status": "affected",
"version": "4472e1849db7f719bbf625890096e0269b5849fe",
"versionType": "git"
},
{
"lessThan": "3b0abc443ac22f7d4f61ddbbbbc5dbb06c87139d",
"status": "affected",
"version": "4472e1849db7f719bbf625890096e0269b5849fe",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/clk/xilinx/xlnx_vcu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.148",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.102",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.148",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.102",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.42",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.10",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: xilinx: vcu: unregister pll_post only if registered correctly\n\nIf registration of pll_post is failed, it will be set to NULL or ERR,\nunregistering same will fail with following call trace:\n\nUnable to handle kernel NULL pointer dereference at virtual address 008\npc : clk_hw_unregister+0xc/0x20\nlr : clk_hw_unregister_fixed_factor+0x18/0x30\nsp : ffff800011923850\n...\nCall trace:\n clk_hw_unregister+0xc/0x20\n clk_hw_unregister_fixed_factor+0x18/0x30\n xvcu_unregister_clock_provider+0xcc/0xf4 [xlnx_vcu]\n xvcu_probe+0x2bc/0x53c [xlnx_vcu]"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:54:14.851Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7e903da71f8bec4beb7c06707900e1ed8db843ca"
},
{
"url": "https://git.kernel.org/stable/c/88bd875b7f9c3652c27d6e4bb7a23701b764f762"
},
{
"url": "https://git.kernel.org/stable/c/51990eecf22f446550befdfd1a9f54147eafd636"
},
{
"url": "https://git.kernel.org/stable/c/f1a1be99d5ae53d3b404415f1665eb59e8e02a8c"
},
{
"url": "https://git.kernel.org/stable/c/86124c5cfceb5ac04d2fddbf1b6f7147332d96a3"
},
{
"url": "https://git.kernel.org/stable/c/a72b1c2d3b53e088bfaeb593949ff6fbd2cbe8ed"
},
{
"url": "https://git.kernel.org/stable/c/3b0abc443ac22f7d4f61ddbbbbc5dbb06c87139d"
}
],
"title": "clk: xilinx: vcu: unregister pll_post only if registered correctly",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38583",
"datePublished": "2025-08-19T17:03:05.340Z",
"dateReserved": "2025-04-16T04:51:24.026Z",
"dateUpdated": "2025-09-29T05:54:14.851Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38424 (GCVE-0-2025-38424)
Vulnerability from cvelistv5
Published
2025-07-25 14:16
Modified
2025-07-28 04:21
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
perf: Fix sample vs do_exit()
Baisheng Gao reported an ARM64 crash, which Mark decoded as being a
synchronous external abort -- most likely due to trying to access
MMIO in bad ways.
The crash further shows perf trying to do a user stack sample while in
exit_mmap()'s tlb_finish_mmu() -- i.e. while tearing down the address
space it is trying to access.
It turns out that we stop perf after we tear down the userspace mm; a
receipie for disaster, since perf likes to access userspace for
various reasons.
Flip this order by moving up where we stop perf in do_exit().
Additionally, harden PERF_SAMPLE_CALLCHAIN and PERF_SAMPLE_STACK_USER
to abort when the current task does not have an mm (exit_mm() makes
sure to set current->mm = NULL; before commencing with the actual
teardown). Such that CPU wide events don't trip on this same problem.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: c5ebcedb566ef17bda7b02686e0d658a7bb42ee7 Version: c5ebcedb566ef17bda7b02686e0d658a7bb42ee7 Version: c5ebcedb566ef17bda7b02686e0d658a7bb42ee7 Version: c5ebcedb566ef17bda7b02686e0d658a7bb42ee7 Version: c5ebcedb566ef17bda7b02686e0d658a7bb42ee7 Version: c5ebcedb566ef17bda7b02686e0d658a7bb42ee7 Version: c5ebcedb566ef17bda7b02686e0d658a7bb42ee7 Version: c5ebcedb566ef17bda7b02686e0d658a7bb42ee7 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/events/core.c",
"kernel/exit.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7b8f3c72175c6a63a95cf2e219f8b78e2baad34e",
"status": "affected",
"version": "c5ebcedb566ef17bda7b02686e0d658a7bb42ee7",
"versionType": "git"
},
{
"lessThan": "507c9a595bad3abd107c6a8857d7fd125d89f386",
"status": "affected",
"version": "c5ebcedb566ef17bda7b02686e0d658a7bb42ee7",
"versionType": "git"
},
{
"lessThan": "a9f6aab7910a0ef2895797f15c947f6d1053160f",
"status": "affected",
"version": "c5ebcedb566ef17bda7b02686e0d658a7bb42ee7",
"versionType": "git"
},
{
"lessThan": "975ffddfa2e19823c719459d2364fcaa17673964",
"status": "affected",
"version": "c5ebcedb566ef17bda7b02686e0d658a7bb42ee7",
"versionType": "git"
},
{
"lessThan": "2ee6044a693735396bb47eeaba1ac3ae26c1c99b",
"status": "affected",
"version": "c5ebcedb566ef17bda7b02686e0d658a7bb42ee7",
"versionType": "git"
},
{
"lessThan": "456019adaa2f5366b89c868dea9b483179bece54",
"status": "affected",
"version": "c5ebcedb566ef17bda7b02686e0d658a7bb42ee7",
"versionType": "git"
},
{
"lessThan": "7311970d07c4606362081250da95f2c7901fc0db",
"status": "affected",
"version": "c5ebcedb566ef17bda7b02686e0d658a7bb42ee7",
"versionType": "git"
},
{
"lessThan": "4f6fc782128355931527cefe3eb45338abd8ab39",
"status": "affected",
"version": "c5ebcedb566ef17bda7b02686e0d658a7bb42ee7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/events/core.c",
"kernel/exit.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.7"
},
{
"lessThan": "3.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.239",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.186",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.95",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.35",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.295",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.239",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.186",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.142",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.95",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.35",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.4",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "3.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: Fix sample vs do_exit()\n\nBaisheng Gao reported an ARM64 crash, which Mark decoded as being a\nsynchronous external abort -- most likely due to trying to access\nMMIO in bad ways.\n\nThe crash further shows perf trying to do a user stack sample while in\nexit_mmap()\u0027s tlb_finish_mmu() -- i.e. while tearing down the address\nspace it is trying to access.\n\nIt turns out that we stop perf after we tear down the userspace mm; a\nreceipie for disaster, since perf likes to access userspace for\nvarious reasons.\n\nFlip this order by moving up where we stop perf in do_exit().\n\nAdditionally, harden PERF_SAMPLE_CALLCHAIN and PERF_SAMPLE_STACK_USER\nto abort when the current task does not have an mm (exit_mm() makes\nsure to set current-\u003emm = NULL; before commencing with the actual\nteardown). Such that CPU wide events don\u0027t trip on this same problem."
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T04:21:47.788Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7b8f3c72175c6a63a95cf2e219f8b78e2baad34e"
},
{
"url": "https://git.kernel.org/stable/c/507c9a595bad3abd107c6a8857d7fd125d89f386"
},
{
"url": "https://git.kernel.org/stable/c/a9f6aab7910a0ef2895797f15c947f6d1053160f"
},
{
"url": "https://git.kernel.org/stable/c/975ffddfa2e19823c719459d2364fcaa17673964"
},
{
"url": "https://git.kernel.org/stable/c/2ee6044a693735396bb47eeaba1ac3ae26c1c99b"
},
{
"url": "https://git.kernel.org/stable/c/456019adaa2f5366b89c868dea9b483179bece54"
},
{
"url": "https://git.kernel.org/stable/c/7311970d07c4606362081250da95f2c7901fc0db"
},
{
"url": "https://git.kernel.org/stable/c/4f6fc782128355931527cefe3eb45338abd8ab39"
}
],
"title": "perf: Fix sample vs do_exit()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38424",
"datePublished": "2025-07-25T14:16:44.846Z",
"dateReserved": "2025-04-16T04:51:24.014Z",
"dateUpdated": "2025-07-28T04:21:47.788Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38604 (GCVE-0-2025-38604)
Vulnerability from cvelistv5
Published
2025-08-19 17:03
Modified
2025-09-29 05:54
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: rtl818x: Kill URBs before clearing tx status queue
In rtl8187_stop() move the call of usb_kill_anchored_urbs() before clearing
b_tx_status.queue. This change prevents callbacks from using already freed
skb due to anchor was not killed before freeing such skb.
BUG: kernel NULL pointer dereference, address: 0000000000000080
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: Oops: 0000 [#1] SMP NOPTI
CPU: 7 UID: 0 PID: 0 Comm: swapper/7 Not tainted 6.15.0 #8 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015
RIP: 0010:ieee80211_tx_status_irqsafe+0x21/0xc0 [mac80211]
Call Trace:
<IRQ>
rtl8187_tx_cb+0x116/0x150 [rtl8187]
__usb_hcd_giveback_urb+0x9d/0x120
usb_giveback_urb_bh+0xbb/0x140
process_one_work+0x19b/0x3c0
bh_worker+0x1a7/0x210
tasklet_action+0x10/0x30
handle_softirqs+0xf0/0x340
__irq_exit_rcu+0xcd/0xf0
common_interrupt+0x85/0xa0
</IRQ>
Tested on RTL8187BvE device.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: c1db52b9d27ee6e15a7136e67e4a21dc916cd07f Version: c1db52b9d27ee6e15a7136e67e4a21dc916cd07f Version: c1db52b9d27ee6e15a7136e67e4a21dc916cd07f Version: c1db52b9d27ee6e15a7136e67e4a21dc916cd07f Version: c1db52b9d27ee6e15a7136e67e4a21dc916cd07f Version: c1db52b9d27ee6e15a7136e67e4a21dc916cd07f Version: c1db52b9d27ee6e15a7136e67e4a21dc916cd07f Version: c1db52b9d27ee6e15a7136e67e4a21dc916cd07f Version: c1db52b9d27ee6e15a7136e67e4a21dc916cd07f |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e64732ebff9e24258e7326f07adbe2f2b990daf8",
"status": "affected",
"version": "c1db52b9d27ee6e15a7136e67e4a21dc916cd07f",
"versionType": "git"
},
{
"lessThan": "789415771422f4fb9f444044f86ecfaec55df1bd",
"status": "affected",
"version": "c1db52b9d27ee6e15a7136e67e4a21dc916cd07f",
"versionType": "git"
},
{
"lessThan": "c73c773b09e313278f9b960303a2809b8440bac6",
"status": "affected",
"version": "c1db52b9d27ee6e15a7136e67e4a21dc916cd07f",
"versionType": "git"
},
{
"lessThan": "8c767727f331fb9455b0f81daad832b5925688cb",
"status": "affected",
"version": "c1db52b9d27ee6e15a7136e67e4a21dc916cd07f",
"versionType": "git"
},
{
"lessThan": "14ca6952691fa8cc91e7644512e6ff24a595283f",
"status": "affected",
"version": "c1db52b9d27ee6e15a7136e67e4a21dc916cd07f",
"versionType": "git"
},
{
"lessThan": "7858a95566f4ebf59524666683d2dcdba3fca968",
"status": "affected",
"version": "c1db52b9d27ee6e15a7136e67e4a21dc916cd07f",
"versionType": "git"
},
{
"lessThan": "c51a45ad9070a6d296174fcbe5c466352836c12b",
"status": "affected",
"version": "c1db52b9d27ee6e15a7136e67e4a21dc916cd07f",
"versionType": "git"
},
{
"lessThan": "81cfe34d0630de4e23ae804dcc08fb6f861dc37d",
"status": "affected",
"version": "c1db52b9d27ee6e15a7136e67e4a21dc916cd07f",
"versionType": "git"
},
{
"lessThan": "16d8fd74dbfca0ea58645cd2fca13be10cae3cdd",
"status": "affected",
"version": "c1db52b9d27ee6e15a7136e67e4a21dc916cd07f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.29"
},
{
"lessThan": "2.6.29",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.148",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.102",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.148",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.102",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.42",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.10",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "2.6.29",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtl818x: Kill URBs before clearing tx status queue\n\nIn rtl8187_stop() move the call of usb_kill_anchored_urbs() before clearing\nb_tx_status.queue. This change prevents callbacks from using already freed\nskb due to anchor was not killed before freeing such skb.\n\n BUG: kernel NULL pointer dereference, address: 0000000000000080\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: Oops: 0000 [#1] SMP NOPTI\n CPU: 7 UID: 0 PID: 0 Comm: swapper/7 Not tainted 6.15.0 #8 PREEMPT(voluntary)\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015\n RIP: 0010:ieee80211_tx_status_irqsafe+0x21/0xc0 [mac80211]\n Call Trace:\n \u003cIRQ\u003e\n rtl8187_tx_cb+0x116/0x150 [rtl8187]\n __usb_hcd_giveback_urb+0x9d/0x120\n usb_giveback_urb_bh+0xbb/0x140\n process_one_work+0x19b/0x3c0\n bh_worker+0x1a7/0x210\n tasklet_action+0x10/0x30\n handle_softirqs+0xf0/0x340\n __irq_exit_rcu+0xcd/0xf0\n common_interrupt+0x85/0xa0\n \u003c/IRQ\u003e\n\nTested on RTL8187BvE device.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:54:38.215Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e64732ebff9e24258e7326f07adbe2f2b990daf8"
},
{
"url": "https://git.kernel.org/stable/c/789415771422f4fb9f444044f86ecfaec55df1bd"
},
{
"url": "https://git.kernel.org/stable/c/c73c773b09e313278f9b960303a2809b8440bac6"
},
{
"url": "https://git.kernel.org/stable/c/8c767727f331fb9455b0f81daad832b5925688cb"
},
{
"url": "https://git.kernel.org/stable/c/14ca6952691fa8cc91e7644512e6ff24a595283f"
},
{
"url": "https://git.kernel.org/stable/c/7858a95566f4ebf59524666683d2dcdba3fca968"
},
{
"url": "https://git.kernel.org/stable/c/c51a45ad9070a6d296174fcbe5c466352836c12b"
},
{
"url": "https://git.kernel.org/stable/c/81cfe34d0630de4e23ae804dcc08fb6f861dc37d"
},
{
"url": "https://git.kernel.org/stable/c/16d8fd74dbfca0ea58645cd2fca13be10cae3cdd"
}
],
"title": "wifi: rtl818x: Kill URBs before clearing tx status queue",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38604",
"datePublished": "2025-08-19T17:03:43.358Z",
"dateReserved": "2025-04-16T04:51:24.028Z",
"dateUpdated": "2025-09-29T05:54:38.215Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50185 (GCVE-0-2022-50185)
Vulnerability from cvelistv5
Published
2025-06-18 11:03
Modified
2025-06-18 11:03
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/radeon: fix potential buffer overflow in ni_set_mc_special_registers()
The last case label can write two buffers 'mc_reg_address[j]' and
'mc_data[j]' with 'j' offset equal to SMC_NISLANDS_MC_REGISTER_ARRAY_SIZE
since there are no checks for this value in both case labels after the
last 'j++'.
Instead of changing '>' to '>=' there, add the bounds check at the start
of the second 'case' (the first one already has it).
Also, remove redundant last checks for 'j' index bigger than array size.
The expression is always false. Moreover, before or after the patch
'table->last' can be equal to SMC_NISLANDS_MC_REGISTER_ARRAY_SIZE and it
seems it can be a valid value.
Detected using the static analysis tool - Svace.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 69e0b57a91adca2e3eb56ed4db39ab90f3ae1043 Version: 69e0b57a91adca2e3eb56ed4db39ab90f3ae1043 Version: 69e0b57a91adca2e3eb56ed4db39ab90f3ae1043 Version: 69e0b57a91adca2e3eb56ed4db39ab90f3ae1043 Version: 69e0b57a91adca2e3eb56ed4db39ab90f3ae1043 Version: 69e0b57a91adca2e3eb56ed4db39ab90f3ae1043 Version: 69e0b57a91adca2e3eb56ed4db39ab90f3ae1043 Version: 69e0b57a91adca2e3eb56ed4db39ab90f3ae1043 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/radeon/ni_dpm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ea73869df6ef386fc0feeb28ff66742ca835b18f",
"status": "affected",
"version": "69e0b57a91adca2e3eb56ed4db39ab90f3ae1043",
"versionType": "git"
},
{
"lessThan": "1f341053852be76f82610ce47a505d930512f05c",
"status": "affected",
"version": "69e0b57a91adca2e3eb56ed4db39ab90f3ae1043",
"versionType": "git"
},
{
"lessThan": "db1a9add3f90ff1c641974d5bb910c16b87af4ef",
"status": "affected",
"version": "69e0b57a91adca2e3eb56ed4db39ab90f3ae1043",
"versionType": "git"
},
{
"lessThan": "8508d6d23a247c29792ce2fc0df3f3404d6a6a80",
"status": "affected",
"version": "69e0b57a91adca2e3eb56ed4db39ab90f3ae1043",
"versionType": "git"
},
{
"lessThan": "deb603c5928e546609c0d5798e231d0205748943",
"status": "affected",
"version": "69e0b57a91adca2e3eb56ed4db39ab90f3ae1043",
"versionType": "git"
},
{
"lessThan": "782e413e38dffd37cc85b08b1ccb982adb4a93ce",
"status": "affected",
"version": "69e0b57a91adca2e3eb56ed4db39ab90f3ae1043",
"versionType": "git"
},
{
"lessThan": "9faff03617afeced1c4e5daa89e79b3906374342",
"status": "affected",
"version": "69e0b57a91adca2e3eb56ed4db39ab90f3ae1043",
"versionType": "git"
},
{
"lessThan": "136f614931a2bb73616b292cf542da3a18daefd5",
"status": "affected",
"version": "69e0b57a91adca2e3eb56ed4db39ab90f3ae1043",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/radeon/ni_dpm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.11"
},
{
"lessThan": "3.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.256",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.211",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.137",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.291",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.256",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.211",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.137",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.61",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.18",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.2",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0",
"versionStartIncluding": "3.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/radeon: fix potential buffer overflow in ni_set_mc_special_registers()\n\nThe last case label can write two buffers \u0027mc_reg_address[j]\u0027 and\n\u0027mc_data[j]\u0027 with \u0027j\u0027 offset equal to SMC_NISLANDS_MC_REGISTER_ARRAY_SIZE\nsince there are no checks for this value in both case labels after the\nlast \u0027j++\u0027.\n\nInstead of changing \u0027\u003e\u0027 to \u0027\u003e=\u0027 there, add the bounds check at the start\nof the second \u0027case\u0027 (the first one already has it).\n\nAlso, remove redundant last checks for \u0027j\u0027 index bigger than array size.\nThe expression is always false. Moreover, before or after the patch\n\u0027table-\u003elast\u0027 can be equal to SMC_NISLANDS_MC_REGISTER_ARRAY_SIZE and it\nseems it can be a valid value.\n\nDetected using the static analysis tool - Svace."
}
],
"providerMetadata": {
"dateUpdated": "2025-06-18T11:03:32.843Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ea73869df6ef386fc0feeb28ff66742ca835b18f"
},
{
"url": "https://git.kernel.org/stable/c/1f341053852be76f82610ce47a505d930512f05c"
},
{
"url": "https://git.kernel.org/stable/c/db1a9add3f90ff1c641974d5bb910c16b87af4ef"
},
{
"url": "https://git.kernel.org/stable/c/8508d6d23a247c29792ce2fc0df3f3404d6a6a80"
},
{
"url": "https://git.kernel.org/stable/c/deb603c5928e546609c0d5798e231d0205748943"
},
{
"url": "https://git.kernel.org/stable/c/782e413e38dffd37cc85b08b1ccb982adb4a93ce"
},
{
"url": "https://git.kernel.org/stable/c/9faff03617afeced1c4e5daa89e79b3906374342"
},
{
"url": "https://git.kernel.org/stable/c/136f614931a2bb73616b292cf542da3a18daefd5"
}
],
"title": "drm/radeon: fix potential buffer overflow in ni_set_mc_special_registers()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50185",
"datePublished": "2025-06-18T11:03:32.843Z",
"dateReserved": "2025-06-18T10:57:27.427Z",
"dateUpdated": "2025-06-18T11:03:32.843Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38352 (GCVE-0-2025-38352)
Vulnerability from cvelistv5
Published
2025-07-22 08:04
Modified
2025-09-05 03:55
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del()
If an exiting non-autoreaping task has already passed exit_notify() and
calls handle_posix_cpu_timers() from IRQ, it can be reaped by its parent
or debugger right after unlock_task_sighand().
If a concurrent posix_cpu_timer_del() runs at that moment, it won't be
able to detect timer->it.cpu.firing != 0: cpu_timer_task_rcu() and/or
lock_task_sighand() will fail.
Add the tsk->exit_state check into run_posix_cpu_timers() to fix this.
This fix is not needed if CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y, because
exit_task_work() is called before exit_notify(). But the check still
makes sense, task_work_add(&tsk->posix_cputimers_work.work) will fail
anyway in this case.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 0bdd2ed4138ec04e09b4f8165981efc99e439f55 Version: 0bdd2ed4138ec04e09b4f8165981efc99e439f55 Version: 0bdd2ed4138ec04e09b4f8165981efc99e439f55 Version: 0bdd2ed4138ec04e09b4f8165981efc99e439f55 Version: 0bdd2ed4138ec04e09b4f8165981efc99e439f55 Version: 0bdd2ed4138ec04e09b4f8165981efc99e439f55 Version: 0bdd2ed4138ec04e09b4f8165981efc99e439f55 Version: 0bdd2ed4138ec04e09b4f8165981efc99e439f55 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-38352",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-02T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2025-09-04",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-38352"
},
"type": "kev"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-367",
"description": "CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-05T03:55:31.046Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"timeline": [
{
"lang": "en",
"time": "2025-09-04T00:00:00+00:00",
"value": "CVE-2025-38352 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/time/posix-cpu-timers.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "78a4b8e3795b31dae58762bc091bb0f4f74a2200",
"status": "affected",
"version": "0bdd2ed4138ec04e09b4f8165981efc99e439f55",
"versionType": "git"
},
{
"lessThan": "c076635b3a42771ace7d276de8dc3bc76ee2ba1b",
"status": "affected",
"version": "0bdd2ed4138ec04e09b4f8165981efc99e439f55",
"versionType": "git"
},
{
"lessThan": "2f3daa04a9328220de46f0d5c919a6c0073a9f0b",
"status": "affected",
"version": "0bdd2ed4138ec04e09b4f8165981efc99e439f55",
"versionType": "git"
},
{
"lessThan": "764a7a5dfda23f69919441f2eac2a83e7db6e5bb",
"status": "affected",
"version": "0bdd2ed4138ec04e09b4f8165981efc99e439f55",
"versionType": "git"
},
{
"lessThan": "2c72fe18cc5f9f1750f5bc148cf1c94c29e106ff",
"status": "affected",
"version": "0bdd2ed4138ec04e09b4f8165981efc99e439f55",
"versionType": "git"
},
{
"lessThan": "c29d5318708e67ac13c1b6fc1007d179fb65b4d7",
"status": "affected",
"version": "0bdd2ed4138ec04e09b4f8165981efc99e439f55",
"versionType": "git"
},
{
"lessThan": "460188bc042a3f40f72d34b9f7fc6ee66b0b757b",
"status": "affected",
"version": "0bdd2ed4138ec04e09b4f8165981efc99e439f55",
"versionType": "git"
},
{
"lessThan": "f90fff1e152dedf52b932240ebbd670d83330eca",
"status": "affected",
"version": "0bdd2ed4138ec04e09b4f8165981efc99e439f55",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/time/posix-cpu-timers.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.36"
},
{
"lessThan": "2.6.36",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.239",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.186",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.295",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.239",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.186",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.142",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.94",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.34",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.3",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "2.6.36",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nposix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del()\n\nIf an exiting non-autoreaping task has already passed exit_notify() and\ncalls handle_posix_cpu_timers() from IRQ, it can be reaped by its parent\nor debugger right after unlock_task_sighand().\n\nIf a concurrent posix_cpu_timer_del() runs at that moment, it won\u0027t be\nable to detect timer-\u003eit.cpu.firing != 0: cpu_timer_task_rcu() and/or\nlock_task_sighand() will fail.\n\nAdd the tsk-\u003eexit_state check into run_posix_cpu_timers() to fix this.\n\nThis fix is not needed if CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y, because\nexit_task_work() is called before exit_notify(). But the check still\nmakes sense, task_work_add(\u0026tsk-\u003eposix_cputimers_work.work) will fail\nanyway in this case."
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T04:19:41.105Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/78a4b8e3795b31dae58762bc091bb0f4f74a2200"
},
{
"url": "https://git.kernel.org/stable/c/c076635b3a42771ace7d276de8dc3bc76ee2ba1b"
},
{
"url": "https://git.kernel.org/stable/c/2f3daa04a9328220de46f0d5c919a6c0073a9f0b"
},
{
"url": "https://git.kernel.org/stable/c/764a7a5dfda23f69919441f2eac2a83e7db6e5bb"
},
{
"url": "https://git.kernel.org/stable/c/2c72fe18cc5f9f1750f5bc148cf1c94c29e106ff"
},
{
"url": "https://git.kernel.org/stable/c/c29d5318708e67ac13c1b6fc1007d179fb65b4d7"
},
{
"url": "https://git.kernel.org/stable/c/460188bc042a3f40f72d34b9f7fc6ee66b0b757b"
},
{
"url": "https://git.kernel.org/stable/c/f90fff1e152dedf52b932240ebbd670d83330eca"
}
],
"title": "posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38352",
"datePublished": "2025-07-22T08:04:25.277Z",
"dateReserved": "2025-04-16T04:51:24.006Z",
"dateUpdated": "2025-09-05T03:55:31.046Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38560 (GCVE-0-2025-38560)
Vulnerability from cvelistv5
Published
2025-08-19 17:02
Modified
2025-09-29 05:53
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
x86/sev: Evict cache lines during SNP memory validation
An SNP cache coherency vulnerability requires a cache line eviction
mitigation when validating memory after a page state change to private.
The specific mitigation is to touch the first and last byte of each 4K
page that is being validated. There is no need to perform the mitigation
when performing a page state change to shared and rescinding validation.
CPUID bit Fn8000001F_EBX[31] defines the COHERENCY_SFW_NO CPUID bit
that, when set, indicates that the software mitigation for this
vulnerability is not needed.
Implement the mitigation and invoke it when validating memory (making it
private) and the COHERENCY_SFW_NO bit is not set, indicating the SNP
guest is vulnerable.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/boot/cpuflags.c",
"arch/x86/boot/startup/sev-shared.c",
"arch/x86/coco/sev/core.c",
"arch/x86/include/asm/cpufeatures.h",
"arch/x86/include/asm/sev.h",
"arch/x86/kernel/cpu/scattered.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1fec416c03d0a64cc21aa04ce4aa14254b017e6a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1fb873971e23c35c53823c62809a474a92bc3022",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "aed15fc08f15dbb15822b2a0b653f67e76aa0fdf",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a762a4c8d9e768b538b3cc60615361a8cf377de8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f92af52e6dbd8d066d77beba451e0230482dc45b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7b306dfa326f70114312b320d083b21fa9481e1e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/boot/cpuflags.c",
"arch/x86/boot/startup/sev-shared.c",
"arch/x86/coco/sev/core.c",
"arch/x86/include/asm/cpufeatures.h",
"arch/x86/include/asm/sev.h",
"arch/x86/kernel/cpu/scattered.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.148",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.102",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.148",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.102",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.42",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/sev: Evict cache lines during SNP memory validation\n\nAn SNP cache coherency vulnerability requires a cache line eviction\nmitigation when validating memory after a page state change to private.\nThe specific mitigation is to touch the first and last byte of each 4K\npage that is being validated. There is no need to perform the mitigation\nwhen performing a page state change to shared and rescinding validation.\n\nCPUID bit Fn8000001F_EBX[31] defines the COHERENCY_SFW_NO CPUID bit\nthat, when set, indicates that the software mitigation for this\nvulnerability is not needed.\n\nImplement the mitigation and invoke it when validating memory (making it\nprivate) and the COHERENCY_SFW_NO bit is not set, indicating the SNP\nguest is vulnerable."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:53:47.992Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1fec416c03d0a64cc21aa04ce4aa14254b017e6a"
},
{
"url": "https://git.kernel.org/stable/c/1fb873971e23c35c53823c62809a474a92bc3022"
},
{
"url": "https://git.kernel.org/stable/c/aed15fc08f15dbb15822b2a0b653f67e76aa0fdf"
},
{
"url": "https://git.kernel.org/stable/c/a762a4c8d9e768b538b3cc60615361a8cf377de8"
},
{
"url": "https://git.kernel.org/stable/c/f92af52e6dbd8d066d77beba451e0230482dc45b"
},
{
"url": "https://git.kernel.org/stable/c/7b306dfa326f70114312b320d083b21fa9481e1e"
}
],
"title": "x86/sev: Evict cache lines during SNP memory validation",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38560",
"datePublished": "2025-08-19T17:02:37.792Z",
"dateReserved": "2025-04-16T04:51:24.025Z",
"dateUpdated": "2025-09-29T05:53:47.992Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50080 (GCVE-0-2022-50080)
Vulnerability from cvelistv5
Published
2025-06-18 11:02
Modified
2025-06-18 11:02
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tee: add overflow check in register_shm_helper()
With special lengths supplied by user space, register_shm_helper() has
an integer overflow when calculating the number of pages covered by a
supplied user space memory region.
This causes internal_get_user_pages_fast() a helper function of
pin_user_pages_fast() to do a NULL pointer dereference:
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010
Modules linked in:
CPU: 1 PID: 173 Comm: optee_example_a Not tainted 5.19.0 #11
Hardware name: QEMU QEMU Virtual Machine, BIOS 0.0.0 02/06/2015
pc : internal_get_user_pages_fast+0x474/0xa80
Call trace:
internal_get_user_pages_fast+0x474/0xa80
pin_user_pages_fast+0x24/0x4c
register_shm_helper+0x194/0x330
tee_shm_register_user_buf+0x78/0x120
tee_ioctl+0xd0/0x11a0
__arm64_sys_ioctl+0xa8/0xec
invoke_syscall+0x48/0x114
Fix this by adding an an explicit call to access_ok() in
tee_shm_register_user_buf() to catch an invalid user space address
early.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 033ddf12bcf5326b93bd604f50a7474a434a35f9 Version: 033ddf12bcf5326b93bd604f50a7474a434a35f9 Version: 033ddf12bcf5326b93bd604f50a7474a434a35f9 Version: 033ddf12bcf5326b93bd604f50a7474a434a35f9 Version: 033ddf12bcf5326b93bd604f50a7474a434a35f9 Version: 033ddf12bcf5326b93bd604f50a7474a434a35f9 Version: 033ddf12bcf5326b93bd604f50a7474a434a35f9 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/tee/tee_shm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b37e0f17653c00b586cdbcdf0dbca475358ecffd",
"status": "affected",
"version": "033ddf12bcf5326b93bd604f50a7474a434a35f9",
"versionType": "git"
},
{
"lessThan": "965333345fe952cc7eebc8e3a565ffc709441af2",
"status": "affected",
"version": "033ddf12bcf5326b93bd604f50a7474a434a35f9",
"versionType": "git"
},
{
"lessThan": "578c349570d2a912401963783b36e0ec7a25c053",
"status": "affected",
"version": "033ddf12bcf5326b93bd604f50a7474a434a35f9",
"versionType": "git"
},
{
"lessThan": "c12f0e6126ad223806a365084e86370511654bf1",
"status": "affected",
"version": "033ddf12bcf5326b93bd604f50a7474a434a35f9",
"versionType": "git"
},
{
"lessThan": "2f8e79a1a6128214cb9b205a9869341af5dfb16b",
"status": "affected",
"version": "033ddf12bcf5326b93bd604f50a7474a434a35f9",
"versionType": "git"
},
{
"lessThan": "58c008d4d398f792ca67f35650610864725518fd",
"status": "affected",
"version": "033ddf12bcf5326b93bd604f50a7474a434a35f9",
"versionType": "git"
},
{
"lessThan": "573ae4f13f630d6660008f1974c0a8a29c30e18a",
"status": "affected",
"version": "033ddf12bcf5326b93bd604f50a7474a434a35f9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/tee/tee_shm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.16"
},
{
"lessThan": "4.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.256",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.211",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.137",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.62",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.256",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.211",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.137",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.62",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.19",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.3",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0",
"versionStartIncluding": "4.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntee: add overflow check in register_shm_helper()\n\nWith special lengths supplied by user space, register_shm_helper() has\nan integer overflow when calculating the number of pages covered by a\nsupplied user space memory region.\n\nThis causes internal_get_user_pages_fast() a helper function of\npin_user_pages_fast() to do a NULL pointer dereference:\n\n Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010\n Modules linked in:\n CPU: 1 PID: 173 Comm: optee_example_a Not tainted 5.19.0 #11\n Hardware name: QEMU QEMU Virtual Machine, BIOS 0.0.0 02/06/2015\n pc : internal_get_user_pages_fast+0x474/0xa80\n Call trace:\n internal_get_user_pages_fast+0x474/0xa80\n pin_user_pages_fast+0x24/0x4c\n register_shm_helper+0x194/0x330\n tee_shm_register_user_buf+0x78/0x120\n tee_ioctl+0xd0/0x11a0\n __arm64_sys_ioctl+0xa8/0xec\n invoke_syscall+0x48/0x114\n\nFix this by adding an an explicit call to access_ok() in\ntee_shm_register_user_buf() to catch an invalid user space address\nearly."
}
],
"providerMetadata": {
"dateUpdated": "2025-06-18T11:02:23.003Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b37e0f17653c00b586cdbcdf0dbca475358ecffd"
},
{
"url": "https://git.kernel.org/stable/c/965333345fe952cc7eebc8e3a565ffc709441af2"
},
{
"url": "https://git.kernel.org/stable/c/578c349570d2a912401963783b36e0ec7a25c053"
},
{
"url": "https://git.kernel.org/stable/c/c12f0e6126ad223806a365084e86370511654bf1"
},
{
"url": "https://git.kernel.org/stable/c/2f8e79a1a6128214cb9b205a9869341af5dfb16b"
},
{
"url": "https://git.kernel.org/stable/c/58c008d4d398f792ca67f35650610864725518fd"
},
{
"url": "https://git.kernel.org/stable/c/573ae4f13f630d6660008f1974c0a8a29c30e18a"
}
],
"title": "tee: add overflow check in register_shm_helper()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50080",
"datePublished": "2025-06-18T11:02:23.003Z",
"dateReserved": "2025-06-18T10:57:27.409Z",
"dateUpdated": "2025-06-18T11:02:23.003Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38445 (GCVE-0-2025-38445)
Vulnerability from cvelistv5
Published
2025-07-25 15:27
Modified
2025-07-28 04:22
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
md/raid1: Fix stack memory use after return in raid1_reshape
In the raid1_reshape function, newpool is
allocated on the stack and assigned to conf->r1bio_pool.
This results in conf->r1bio_pool.wait.head pointing
to a stack address.
Accessing this address later can lead to a kernel panic.
Example access path:
raid1_reshape()
{
// newpool is on the stack
mempool_t newpool, oldpool;
// initialize newpool.wait.head to stack address
mempool_init(&newpool, ...);
conf->r1bio_pool = newpool;
}
raid1_read_request() or raid1_write_request()
{
alloc_r1bio()
{
mempool_alloc()
{
// if pool->alloc fails
remove_element()
{
--pool->curr_nr;
}
}
}
}
mempool_free()
{
if (pool->curr_nr < pool->min_nr) {
// pool->wait.head is a stack address
// wake_up() will try to access this invalid address
// which leads to a kernel panic
return;
wake_up(&pool->wait);
}
}
Fix:
reinit conf->r1bio_pool.wait after assigning newpool.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: afeee514ce7f4cab605beedd03be71ebaf0c5fc8 Version: afeee514ce7f4cab605beedd03be71ebaf0c5fc8 Version: afeee514ce7f4cab605beedd03be71ebaf0c5fc8 Version: afeee514ce7f4cab605beedd03be71ebaf0c5fc8 Version: afeee514ce7f4cab605beedd03be71ebaf0c5fc8 Version: afeee514ce7f4cab605beedd03be71ebaf0c5fc8 Version: afeee514ce7f4cab605beedd03be71ebaf0c5fc8 Version: afeee514ce7f4cab605beedd03be71ebaf0c5fc8 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/raid1.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d8a6853d00fbaa810765c8ed2f452a5832273968",
"status": "affected",
"version": "afeee514ce7f4cab605beedd03be71ebaf0c5fc8",
"versionType": "git"
},
{
"lessThan": "12b00ec99624f8da8c325f2dd6e807df26df0025",
"status": "affected",
"version": "afeee514ce7f4cab605beedd03be71ebaf0c5fc8",
"versionType": "git"
},
{
"lessThan": "48da050b4f54ed639b66278d0ae6f4107b2c4e2d",
"status": "affected",
"version": "afeee514ce7f4cab605beedd03be71ebaf0c5fc8",
"versionType": "git"
},
{
"lessThan": "5f35e48b76655e45522df338876dfef88dafcc71",
"status": "affected",
"version": "afeee514ce7f4cab605beedd03be71ebaf0c5fc8",
"versionType": "git"
},
{
"lessThan": "df5894014a92ff0196dbc212a7764e97366fd2b7",
"status": "affected",
"version": "afeee514ce7f4cab605beedd03be71ebaf0c5fc8",
"versionType": "git"
},
{
"lessThan": "776e6186dc9ecbdb8a1b706e989166c8a99bbf64",
"status": "affected",
"version": "afeee514ce7f4cab605beedd03be71ebaf0c5fc8",
"versionType": "git"
},
{
"lessThan": "61fd5e93006cf82ec8ee5c115ab5cf4bbd104bdb",
"status": "affected",
"version": "afeee514ce7f4cab605beedd03be71ebaf0c5fc8",
"versionType": "git"
},
{
"lessThan": "d67ed2ccd2d1dcfda9292c0ea8697a9d0f2f0d98",
"status": "affected",
"version": "afeee514ce7f4cab605beedd03be71ebaf0c5fc8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/raid1.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.18"
},
{
"lessThan": "4.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.296",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.240",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.146",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.296",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.240",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.189",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.146",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.99",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.39",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.7",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "4.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/raid1: Fix stack memory use after return in raid1_reshape\n\nIn the raid1_reshape function, newpool is\nallocated on the stack and assigned to conf-\u003er1bio_pool.\nThis results in conf-\u003er1bio_pool.wait.head pointing\nto a stack address.\nAccessing this address later can lead to a kernel panic.\n\nExample access path:\n\nraid1_reshape()\n{\n\t// newpool is on the stack\n\tmempool_t newpool, oldpool;\n\t// initialize newpool.wait.head to stack address\n\tmempool_init(\u0026newpool, ...);\n\tconf-\u003er1bio_pool = newpool;\n}\n\nraid1_read_request() or raid1_write_request()\n{\n\talloc_r1bio()\n\t{\n\t\tmempool_alloc()\n\t\t{\n\t\t\t// if pool-\u003ealloc fails\n\t\t\tremove_element()\n\t\t\t{\n\t\t\t\t--pool-\u003ecurr_nr;\n\t\t\t}\n\t\t}\n\t}\n}\n\nmempool_free()\n{\n\tif (pool-\u003ecurr_nr \u003c pool-\u003emin_nr) {\n\t\t// pool-\u003ewait.head is a stack address\n\t\t// wake_up() will try to access this invalid address\n\t\t// which leads to a kernel panic\n\t\treturn;\n\t\twake_up(\u0026pool-\u003ewait);\n\t}\n}\n\nFix:\nreinit conf-\u003er1bio_pool.wait after assigning newpool."
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T04:22:28.949Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d8a6853d00fbaa810765c8ed2f452a5832273968"
},
{
"url": "https://git.kernel.org/stable/c/12b00ec99624f8da8c325f2dd6e807df26df0025"
},
{
"url": "https://git.kernel.org/stable/c/48da050b4f54ed639b66278d0ae6f4107b2c4e2d"
},
{
"url": "https://git.kernel.org/stable/c/5f35e48b76655e45522df338876dfef88dafcc71"
},
{
"url": "https://git.kernel.org/stable/c/df5894014a92ff0196dbc212a7764e97366fd2b7"
},
{
"url": "https://git.kernel.org/stable/c/776e6186dc9ecbdb8a1b706e989166c8a99bbf64"
},
{
"url": "https://git.kernel.org/stable/c/61fd5e93006cf82ec8ee5c115ab5cf4bbd104bdb"
},
{
"url": "https://git.kernel.org/stable/c/d67ed2ccd2d1dcfda9292c0ea8697a9d0f2f0d98"
}
],
"title": "md/raid1: Fix stack memory use after return in raid1_reshape",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38445",
"datePublished": "2025-07-25T15:27:28.035Z",
"dateReserved": "2025-04-16T04:51:24.017Z",
"dateUpdated": "2025-07-28T04:22:28.949Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50141 (GCVE-0-2022-50141)
Vulnerability from cvelistv5
Published
2025-06-18 11:03
Modified
2025-06-18 11:03
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mmc: sdhci-of-esdhc: Fix refcount leak in esdhc_signal_voltage_switch
of_find_matching_node() returns a node pointer with refcount
incremented, we should use of_node_put() on it when not need anymore.
Add missing of_node_put() to avoid refcount leak.
of_node_put() checks null pointer.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: ea35645a3c66a74af92d3bbb4eb131220fc3e58a Version: ea35645a3c66a74af92d3bbb4eb131220fc3e58a Version: ea35645a3c66a74af92d3bbb4eb131220fc3e58a Version: ea35645a3c66a74af92d3bbb4eb131220fc3e58a Version: ea35645a3c66a74af92d3bbb4eb131220fc3e58a Version: ea35645a3c66a74af92d3bbb4eb131220fc3e58a Version: ea35645a3c66a74af92d3bbb4eb131220fc3e58a Version: ea35645a3c66a74af92d3bbb4eb131220fc3e58a |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/mmc/host/sdhci-of-esdhc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a63d5d01e83b984b1b9c7ae8fc9c8c93697a3820",
"status": "affected",
"version": "ea35645a3c66a74af92d3bbb4eb131220fc3e58a",
"versionType": "git"
},
{
"lessThan": "547db1dd98d1815574ebea7358015a17199a93bc",
"status": "affected",
"version": "ea35645a3c66a74af92d3bbb4eb131220fc3e58a",
"versionType": "git"
},
{
"lessThan": "4c472a2c9ed6ea9d272268d7f484d4303c549f1a",
"status": "affected",
"version": "ea35645a3c66a74af92d3bbb4eb131220fc3e58a",
"versionType": "git"
},
{
"lessThan": "b305475df756256a186623f0991d05a816de881a",
"status": "affected",
"version": "ea35645a3c66a74af92d3bbb4eb131220fc3e58a",
"versionType": "git"
},
{
"lessThan": "352377cf74710bc3368dddf78f17210dfe456933",
"status": "affected",
"version": "ea35645a3c66a74af92d3bbb4eb131220fc3e58a",
"versionType": "git"
},
{
"lessThan": "b074f1e8060836baeb0ee91181f4194b9a0ee16a",
"status": "affected",
"version": "ea35645a3c66a74af92d3bbb4eb131220fc3e58a",
"versionType": "git"
},
{
"lessThan": "8b902840f6a3584f702bcb59834691b30f3d7c5a",
"status": "affected",
"version": "ea35645a3c66a74af92d3bbb4eb131220fc3e58a",
"versionType": "git"
},
{
"lessThan": "b5899a3e2f783a27b268e38d37f9b24c71bddf45",
"status": "affected",
"version": "ea35645a3c66a74af92d3bbb4eb131220fc3e58a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/mmc/host/sdhci-of-esdhc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.256",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.211",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.137",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.291",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.256",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.211",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.137",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.61",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.18",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.2",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: sdhci-of-esdhc: Fix refcount leak in esdhc_signal_voltage_switch\n\nof_find_matching_node() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when not need anymore.\nAdd missing of_node_put() to avoid refcount leak.\nof_node_put() checks null pointer."
}
],
"providerMetadata": {
"dateUpdated": "2025-06-18T11:03:03.704Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a63d5d01e83b984b1b9c7ae8fc9c8c93697a3820"
},
{
"url": "https://git.kernel.org/stable/c/547db1dd98d1815574ebea7358015a17199a93bc"
},
{
"url": "https://git.kernel.org/stable/c/4c472a2c9ed6ea9d272268d7f484d4303c549f1a"
},
{
"url": "https://git.kernel.org/stable/c/b305475df756256a186623f0991d05a816de881a"
},
{
"url": "https://git.kernel.org/stable/c/352377cf74710bc3368dddf78f17210dfe456933"
},
{
"url": "https://git.kernel.org/stable/c/b074f1e8060836baeb0ee91181f4194b9a0ee16a"
},
{
"url": "https://git.kernel.org/stable/c/8b902840f6a3584f702bcb59834691b30f3d7c5a"
},
{
"url": "https://git.kernel.org/stable/c/b5899a3e2f783a27b268e38d37f9b24c71bddf45"
}
],
"title": "mmc: sdhci-of-esdhc: Fix refcount leak in esdhc_signal_voltage_switch",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50141",
"datePublished": "2025-06-18T11:03:03.704Z",
"dateReserved": "2025-06-18T10:57:27.423Z",
"dateUpdated": "2025-06-18T11:03:03.704Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38535 (GCVE-0-2025-38535)
Vulnerability from cvelistv5
Published
2025-08-16 11:12
Modified
2025-08-28 14:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
phy: tegra: xusb: Fix unbalanced regulator disable in UTMI PHY mode
When transitioning from USB_ROLE_DEVICE to USB_ROLE_NONE, the code
assumed that the regulator should be disabled. However, if the regulator
is marked as always-on, regulator_is_enabled() continues to return true,
leading to an incorrect attempt to disable a regulator which is not
enabled.
This can result in warnings such as:
[ 250.155624] WARNING: CPU: 1 PID: 7326 at drivers/regulator/core.c:3004
_regulator_disable+0xe4/0x1a0
[ 250.155652] unbalanced disables for VIN_SYS_5V0
To fix this, we move the regulator control logic into
tegra186_xusb_padctl_id_override() function since it's directly related
to the ID override state. The regulator is now only disabled when the role
transitions from USB_ROLE_HOST to USB_ROLE_NONE, by checking the VBUS_ID
register. This ensures that regulator enable/disable operations are
properly balanced and only occur when actually transitioning to/from host
mode.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 49d46e3c7e597e8b00c6fc16e6fd7a92044f4371 Version: 49d46e3c7e597e8b00c6fc16e6fd7a92044f4371 Version: 49d46e3c7e597e8b00c6fc16e6fd7a92044f4371 Version: 49d46e3c7e597e8b00c6fc16e6fd7a92044f4371 Version: 49d46e3c7e597e8b00c6fc16e6fd7a92044f4371 Version: 49d46e3c7e597e8b00c6fc16e6fd7a92044f4371 Version: 49d46e3c7e597e8b00c6fc16e6fd7a92044f4371 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/phy/tegra/xusb-tegra186.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ceb645ac6ce052609ee5c8f819a80e8881789b04",
"status": "affected",
"version": "49d46e3c7e597e8b00c6fc16e6fd7a92044f4371",
"versionType": "git"
},
{
"lessThan": "cdcb0ffd6448f6be898956913a42bd08e59fb2ae",
"status": "affected",
"version": "49d46e3c7e597e8b00c6fc16e6fd7a92044f4371",
"versionType": "git"
},
{
"lessThan": "1bb85b5c2bd43b687c3d54eb6328917f90dd38fc",
"status": "affected",
"version": "49d46e3c7e597e8b00c6fc16e6fd7a92044f4371",
"versionType": "git"
},
{
"lessThan": "5367cdeb75cb6c687ca468450bceb2602ab239d8",
"status": "affected",
"version": "49d46e3c7e597e8b00c6fc16e6fd7a92044f4371",
"versionType": "git"
},
{
"lessThan": "ec7f98ff05f0649af0adeb4808c7ba23d6111ef9",
"status": "affected",
"version": "49d46e3c7e597e8b00c6fc16e6fd7a92044f4371",
"versionType": "git"
},
{
"lessThan": "eaa420339658615d26c1cc95cd6cf720b9aebfca",
"status": "affected",
"version": "49d46e3c7e597e8b00c6fc16e6fd7a92044f4371",
"versionType": "git"
},
{
"lessThan": "cefc1caee9dd06c69e2d807edc5949b329f52b22",
"status": "affected",
"version": "49d46e3c7e597e8b00c6fc16e6fd7a92044f4371",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/phy/tegra/xusb-tegra186.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.147",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.100",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.147",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.100",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.40",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.8",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nphy: tegra: xusb: Fix unbalanced regulator disable in UTMI PHY mode\n\nWhen transitioning from USB_ROLE_DEVICE to USB_ROLE_NONE, the code\nassumed that the regulator should be disabled. However, if the regulator\nis marked as always-on, regulator_is_enabled() continues to return true,\nleading to an incorrect attempt to disable a regulator which is not\nenabled.\n\nThis can result in warnings such as:\n\n[ 250.155624] WARNING: CPU: 1 PID: 7326 at drivers/regulator/core.c:3004\n_regulator_disable+0xe4/0x1a0\n[ 250.155652] unbalanced disables for VIN_SYS_5V0\n\nTo fix this, we move the regulator control logic into\ntegra186_xusb_padctl_id_override() function since it\u0027s directly related\nto the ID override state. The regulator is now only disabled when the role\ntransitions from USB_ROLE_HOST to USB_ROLE_NONE, by checking the VBUS_ID\nregister. This ensures that regulator enable/disable operations are\nproperly balanced and only occur when actually transitioning to/from host\nmode."
}
],
"providerMetadata": {
"dateUpdated": "2025-08-28T14:43:38.656Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ceb645ac6ce052609ee5c8f819a80e8881789b04"
},
{
"url": "https://git.kernel.org/stable/c/cdcb0ffd6448f6be898956913a42bd08e59fb2ae"
},
{
"url": "https://git.kernel.org/stable/c/1bb85b5c2bd43b687c3d54eb6328917f90dd38fc"
},
{
"url": "https://git.kernel.org/stable/c/5367cdeb75cb6c687ca468450bceb2602ab239d8"
},
{
"url": "https://git.kernel.org/stable/c/ec7f98ff05f0649af0adeb4808c7ba23d6111ef9"
},
{
"url": "https://git.kernel.org/stable/c/eaa420339658615d26c1cc95cd6cf720b9aebfca"
},
{
"url": "https://git.kernel.org/stable/c/cefc1caee9dd06c69e2d807edc5949b329f52b22"
}
],
"title": "phy: tegra: xusb: Fix unbalanced regulator disable in UTMI PHY mode",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38535",
"datePublished": "2025-08-16T11:12:27.873Z",
"dateReserved": "2025-04-16T04:51:24.024Z",
"dateUpdated": "2025-08-28T14:43:38.656Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38185 (GCVE-0-2025-38185)
Vulnerability from cvelistv5
Published
2025-07-04 13:37
Modified
2025-07-28 04:14
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
atm: atmtcp: Free invalid length skb in atmtcp_c_send().
syzbot reported the splat below. [0]
vcc_sendmsg() copies data passed from userspace to skb and passes
it to vcc->dev->ops->send().
atmtcp_c_send() accesses skb->data as struct atmtcp_hdr after
checking if skb->len is 0, but it's not enough.
Also, when skb->len == 0, skb and sk (vcc) were leaked because
dev_kfree_skb() is not called and sk_wmem_alloc adjustment is missing
to revert atm_account_tx() in vcc_sendmsg(), which is expected
to be done in atm_pop_raw().
Let's properly free skb with an invalid length in atmtcp_c_send().
[0]:
BUG: KMSAN: uninit-value in atmtcp_c_send+0x255/0xed0 drivers/atm/atmtcp.c:294
atmtcp_c_send+0x255/0xed0 drivers/atm/atmtcp.c:294
vcc_sendmsg+0xd7c/0xff0 net/atm/common.c:644
sock_sendmsg_nosec net/socket.c:712 [inline]
__sock_sendmsg+0x330/0x3d0 net/socket.c:727
____sys_sendmsg+0x7e0/0xd80 net/socket.c:2566
___sys_sendmsg+0x271/0x3b0 net/socket.c:2620
__sys_sendmsg net/socket.c:2652 [inline]
__do_sys_sendmsg net/socket.c:2657 [inline]
__se_sys_sendmsg net/socket.c:2655 [inline]
__x64_sys_sendmsg+0x211/0x3e0 net/socket.c:2655
x64_sys_call+0x32fb/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:47
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Uninit was created at:
slab_post_alloc_hook mm/slub.c:4154 [inline]
slab_alloc_node mm/slub.c:4197 [inline]
kmem_cache_alloc_node_noprof+0x818/0xf00 mm/slub.c:4249
kmalloc_reserve+0x13c/0x4b0 net/core/skbuff.c:579
__alloc_skb+0x347/0x7d0 net/core/skbuff.c:670
alloc_skb include/linux/skbuff.h:1336 [inline]
vcc_sendmsg+0xb40/0xff0 net/atm/common.c:628
sock_sendmsg_nosec net/socket.c:712 [inline]
__sock_sendmsg+0x330/0x3d0 net/socket.c:727
____sys_sendmsg+0x7e0/0xd80 net/socket.c:2566
___sys_sendmsg+0x271/0x3b0 net/socket.c:2620
__sys_sendmsg net/socket.c:2652 [inline]
__do_sys_sendmsg net/socket.c:2657 [inline]
__se_sys_sendmsg net/socket.c:2655 [inline]
__x64_sys_sendmsg+0x211/0x3e0 net/socket.c:2655
x64_sys_call+0x32fb/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:47
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
CPU: 1 UID: 0 PID: 5798 Comm: syz-executor192 Not tainted 6.16.0-rc1-syzkaller-00010-g2c4a1f3fe03e #0 PREEMPT(undef)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/atm/atmtcp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c19c0943424b412a84fdf178e6c71fe5480e4f0f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a4b0fd8c25a7583f8564af6cc910418fb8954e89",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1b0ad18704913c92a3ad53748fbc0f219a75b876",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ca00f0e6d733ecd9150716d1fd0138d26e674706",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3261c017a7c5d2815c6a388c5a3280d1fba0e8db",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e996507f59610e5752b8702537f13f551e7a2c96",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c9260c837de1d2b454960a4a2e44a81272fbcd22",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2f370ae1fb6317985f3497b1bb80d457508ca2f7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/atm/atmtcp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.239",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.186",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.95",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.35",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.295",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.239",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.186",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.142",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.95",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.35",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.4",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\natm: atmtcp: Free invalid length skb in atmtcp_c_send().\n\nsyzbot reported the splat below. [0]\n\nvcc_sendmsg() copies data passed from userspace to skb and passes\nit to vcc-\u003edev-\u003eops-\u003esend().\n\natmtcp_c_send() accesses skb-\u003edata as struct atmtcp_hdr after\nchecking if skb-\u003elen is 0, but it\u0027s not enough.\n\nAlso, when skb-\u003elen == 0, skb and sk (vcc) were leaked because\ndev_kfree_skb() is not called and sk_wmem_alloc adjustment is missing\nto revert atm_account_tx() in vcc_sendmsg(), which is expected\nto be done in atm_pop_raw().\n\nLet\u0027s properly free skb with an invalid length in atmtcp_c_send().\n\n[0]:\nBUG: KMSAN: uninit-value in atmtcp_c_send+0x255/0xed0 drivers/atm/atmtcp.c:294\n atmtcp_c_send+0x255/0xed0 drivers/atm/atmtcp.c:294\n vcc_sendmsg+0xd7c/0xff0 net/atm/common.c:644\n sock_sendmsg_nosec net/socket.c:712 [inline]\n __sock_sendmsg+0x330/0x3d0 net/socket.c:727\n ____sys_sendmsg+0x7e0/0xd80 net/socket.c:2566\n ___sys_sendmsg+0x271/0x3b0 net/socket.c:2620\n __sys_sendmsg net/socket.c:2652 [inline]\n __do_sys_sendmsg net/socket.c:2657 [inline]\n __se_sys_sendmsg net/socket.c:2655 [inline]\n __x64_sys_sendmsg+0x211/0x3e0 net/socket.c:2655\n x64_sys_call+0x32fb/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:47\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nUninit was created at:\n slab_post_alloc_hook mm/slub.c:4154 [inline]\n slab_alloc_node mm/slub.c:4197 [inline]\n kmem_cache_alloc_node_noprof+0x818/0xf00 mm/slub.c:4249\n kmalloc_reserve+0x13c/0x4b0 net/core/skbuff.c:579\n __alloc_skb+0x347/0x7d0 net/core/skbuff.c:670\n alloc_skb include/linux/skbuff.h:1336 [inline]\n vcc_sendmsg+0xb40/0xff0 net/atm/common.c:628\n sock_sendmsg_nosec net/socket.c:712 [inline]\n __sock_sendmsg+0x330/0x3d0 net/socket.c:727\n ____sys_sendmsg+0x7e0/0xd80 net/socket.c:2566\n ___sys_sendmsg+0x271/0x3b0 net/socket.c:2620\n __sys_sendmsg net/socket.c:2652 [inline]\n __do_sys_sendmsg net/socket.c:2657 [inline]\n __se_sys_sendmsg net/socket.c:2655 [inline]\n __x64_sys_sendmsg+0x211/0x3e0 net/socket.c:2655\n x64_sys_call+0x32fb/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:47\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nCPU: 1 UID: 0 PID: 5798 Comm: syz-executor192 Not tainted 6.16.0-rc1-syzkaller-00010-g2c4a1f3fe03e #0 PREEMPT(undef)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025"
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T04:14:29.461Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c19c0943424b412a84fdf178e6c71fe5480e4f0f"
},
{
"url": "https://git.kernel.org/stable/c/a4b0fd8c25a7583f8564af6cc910418fb8954e89"
},
{
"url": "https://git.kernel.org/stable/c/1b0ad18704913c92a3ad53748fbc0f219a75b876"
},
{
"url": "https://git.kernel.org/stable/c/ca00f0e6d733ecd9150716d1fd0138d26e674706"
},
{
"url": "https://git.kernel.org/stable/c/3261c017a7c5d2815c6a388c5a3280d1fba0e8db"
},
{
"url": "https://git.kernel.org/stable/c/e996507f59610e5752b8702537f13f551e7a2c96"
},
{
"url": "https://git.kernel.org/stable/c/c9260c837de1d2b454960a4a2e44a81272fbcd22"
},
{
"url": "https://git.kernel.org/stable/c/2f370ae1fb6317985f3497b1bb80d457508ca2f7"
}
],
"title": "atm: atmtcp: Free invalid length skb in atmtcp_c_send().",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38185",
"datePublished": "2025-07-04T13:37:11.885Z",
"dateReserved": "2025-04-16T04:51:23.992Z",
"dateUpdated": "2025-07-28T04:14:29.461Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-37890 (GCVE-0-2025-37890)
Vulnerability from cvelistv5
Published
2025-05-16 13:01
Modified
2025-06-04 12:57
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc
As described in Gerrard's report [1], we have a UAF case when an hfsc class
has a netem child qdisc. The crux of the issue is that hfsc is assuming
that checking for cl->qdisc->q.qlen == 0 guarantees that it hasn't inserted
the class in the vttree or eltree (which is not true for the netem
duplicate case).
This patch checks the n_active class variable to make sure that the code
won't insert the class in the vttree or eltree twice, catering for the
reentrant case.
[1] https://lore.kernel.org/netdev/CAHcdcOm+03OD2j6R0=YHKqmy=VgJ8xEOKuP6c7mSgnp-TEJJbw@mail.gmail.com/
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea Version: 37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea Version: 37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea Version: 37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea Version: 37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea Version: 37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea Version: 37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea Version: 37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/sch_hfsc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "273bbcfa53541cde38b2003ad88a59b770306421",
"status": "affected",
"version": "37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea",
"versionType": "git"
},
{
"lessThan": "e0cf8ee23e1915431f262a7b2dee0c7a7d699af0",
"status": "affected",
"version": "37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea",
"versionType": "git"
},
{
"lessThan": "e3e949a39a91d1f829a4890e7dfe9417ac72e4d0",
"status": "affected",
"version": "37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea",
"versionType": "git"
},
{
"lessThan": "8df7d37d626430035b413b97cee18396b3450bef",
"status": "affected",
"version": "37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea",
"versionType": "git"
},
{
"lessThan": "6082a87af4c52f58150d40dec1716011d871ac21",
"status": "affected",
"version": "37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea",
"versionType": "git"
},
{
"lessThan": "2e7093c7a8aba5d4f8809f271488e5babe75e202",
"status": "affected",
"version": "37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea",
"versionType": "git"
},
{
"lessThan": "ac39fd4a757584d78ed062d4f6fd913f83bd98b5",
"status": "affected",
"version": "37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea",
"versionType": "git"
},
{
"lessThan": "141d34391abbb315d68556b7c67ad97885407547",
"status": "affected",
"version": "37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/sch_hfsc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.0"
},
{
"lessThan": "5.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.294",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.238",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.182",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.138",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.90",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.28",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.294",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.238",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.182",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.138",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.90",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.28",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.6",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc\n\nAs described in Gerrard\u0027s report [1], we have a UAF case when an hfsc class\nhas a netem child qdisc. The crux of the issue is that hfsc is assuming\nthat checking for cl-\u003eqdisc-\u003eq.qlen == 0 guarantees that it hasn\u0027t inserted\nthe class in the vttree or eltree (which is not true for the netem\nduplicate case).\n\nThis patch checks the n_active class variable to make sure that the code\nwon\u0027t insert the class in the vttree or eltree twice, catering for the\nreentrant case.\n\n[1] https://lore.kernel.org/netdev/CAHcdcOm+03OD2j6R0=YHKqmy=VgJ8xEOKuP6c7mSgnp-TEJJbw@mail.gmail.com/"
}
],
"providerMetadata": {
"dateUpdated": "2025-06-04T12:57:24.484Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/273bbcfa53541cde38b2003ad88a59b770306421"
},
{
"url": "https://git.kernel.org/stable/c/e0cf8ee23e1915431f262a7b2dee0c7a7d699af0"
},
{
"url": "https://git.kernel.org/stable/c/e3e949a39a91d1f829a4890e7dfe9417ac72e4d0"
},
{
"url": "https://git.kernel.org/stable/c/8df7d37d626430035b413b97cee18396b3450bef"
},
{
"url": "https://git.kernel.org/stable/c/6082a87af4c52f58150d40dec1716011d871ac21"
},
{
"url": "https://git.kernel.org/stable/c/2e7093c7a8aba5d4f8809f271488e5babe75e202"
},
{
"url": "https://git.kernel.org/stable/c/ac39fd4a757584d78ed062d4f6fd913f83bd98b5"
},
{
"url": "https://git.kernel.org/stable/c/141d34391abbb315d68556b7c67ad97885407547"
}
],
"title": "net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-37890",
"datePublished": "2025-05-16T13:01:12.798Z",
"dateReserved": "2025-04-16T04:51:23.963Z",
"dateUpdated": "2025-06-04T12:57:24.484Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38555 (GCVE-0-2025-38555)
Vulnerability from cvelistv5
Published
2025-08-19 17:02
Modified
2025-09-29 05:53
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget : fix use-after-free in composite_dev_cleanup()
1. In func configfs_composite_bind() -> composite_os_desc_req_prepare():
if kmalloc fails, the pointer cdev->os_desc_req will be freed but not
set to NULL. Then it will return a failure to the upper-level function.
2. in func configfs_composite_bind() -> composite_dev_cleanup():
it will checks whether cdev->os_desc_req is NULL. If it is not NULL, it
will attempt to use it.This will lead to a use-after-free issue.
BUG: KASAN: use-after-free in composite_dev_cleanup+0xf4/0x2c0
Read of size 8 at addr 0000004827837a00 by task init/1
CPU: 10 PID: 1 Comm: init Tainted: G O 5.10.97-oh #1
kasan_report+0x188/0x1cc
__asan_load8+0xb4/0xbc
composite_dev_cleanup+0xf4/0x2c0
configfs_composite_bind+0x210/0x7ac
udc_bind_to_driver+0xb4/0x1ec
usb_gadget_probe_driver+0xec/0x21c
gadget_dev_desc_UDC_store+0x264/0x27c
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 37a3a533429ef9b3cc9f15a656c19623f0e88df7 Version: 37a3a533429ef9b3cc9f15a656c19623f0e88df7 Version: 37a3a533429ef9b3cc9f15a656c19623f0e88df7 Version: 37a3a533429ef9b3cc9f15a656c19623f0e88df7 Version: 37a3a533429ef9b3cc9f15a656c19623f0e88df7 Version: 37a3a533429ef9b3cc9f15a656c19623f0e88df7 Version: 37a3a533429ef9b3cc9f15a656c19623f0e88df7 Version: 37a3a533429ef9b3cc9f15a656c19623f0e88df7 Version: 37a3a533429ef9b3cc9f15a656c19623f0e88df7 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/composite.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "dba96dfa5a0f685b959dd28a52ac8dab0b805204",
"status": "affected",
"version": "37a3a533429ef9b3cc9f15a656c19623f0e88df7",
"versionType": "git"
},
{
"lessThan": "2db29235e900a084a656dea7e0939b0abb7bb897",
"status": "affected",
"version": "37a3a533429ef9b3cc9f15a656c19623f0e88df7",
"versionType": "git"
},
{
"lessThan": "8afb22aa063f706f3343707cdfb8cda4d021dd33",
"status": "affected",
"version": "37a3a533429ef9b3cc9f15a656c19623f0e88df7",
"versionType": "git"
},
{
"lessThan": "e624bf26127645a2f7821e73fdf6dc64bad07835",
"status": "affected",
"version": "37a3a533429ef9b3cc9f15a656c19623f0e88df7",
"versionType": "git"
},
{
"lessThan": "aada327a9f8028c573636fa60c0abc80fb8135c9",
"status": "affected",
"version": "37a3a533429ef9b3cc9f15a656c19623f0e88df7",
"versionType": "git"
},
{
"lessThan": "5f06ee9f9a3665d43133f125c17e5258a13f3963",
"status": "affected",
"version": "37a3a533429ef9b3cc9f15a656c19623f0e88df7",
"versionType": "git"
},
{
"lessThan": "bd3c4ef60baf7f65c963f3e12d9d7b2b091e20ba",
"status": "affected",
"version": "37a3a533429ef9b3cc9f15a656c19623f0e88df7",
"versionType": "git"
},
{
"lessThan": "e1be1f380c82a69f80c68c96a7cfe8759fb30355",
"status": "affected",
"version": "37a3a533429ef9b3cc9f15a656c19623f0e88df7",
"versionType": "git"
},
{
"lessThan": "151c0aa896c47a4459e07fee7d4843f44c1bb18e",
"status": "affected",
"version": "37a3a533429ef9b3cc9f15a656c19623f0e88df7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/composite.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.16"
},
{
"lessThan": "3.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.148",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.102",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.148",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.102",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.42",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.10",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "3.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget : fix use-after-free in composite_dev_cleanup()\n\n1. In func configfs_composite_bind() -\u003e composite_os_desc_req_prepare():\nif kmalloc fails, the pointer cdev-\u003eos_desc_req will be freed but not\nset to NULL. Then it will return a failure to the upper-level function.\n2. in func configfs_composite_bind() -\u003e composite_dev_cleanup():\nit will checks whether cdev-\u003eos_desc_req is NULL. If it is not NULL, it\nwill attempt to use it.This will lead to a use-after-free issue.\n\nBUG: KASAN: use-after-free in composite_dev_cleanup+0xf4/0x2c0\nRead of size 8 at addr 0000004827837a00 by task init/1\n\nCPU: 10 PID: 1 Comm: init Tainted: G O 5.10.97-oh #1\n kasan_report+0x188/0x1cc\n __asan_load8+0xb4/0xbc\n composite_dev_cleanup+0xf4/0x2c0\n configfs_composite_bind+0x210/0x7ac\n udc_bind_to_driver+0xb4/0x1ec\n usb_gadget_probe_driver+0xec/0x21c\n gadget_dev_desc_UDC_store+0x264/0x27c"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:53:42.268Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/dba96dfa5a0f685b959dd28a52ac8dab0b805204"
},
{
"url": "https://git.kernel.org/stable/c/2db29235e900a084a656dea7e0939b0abb7bb897"
},
{
"url": "https://git.kernel.org/stable/c/8afb22aa063f706f3343707cdfb8cda4d021dd33"
},
{
"url": "https://git.kernel.org/stable/c/e624bf26127645a2f7821e73fdf6dc64bad07835"
},
{
"url": "https://git.kernel.org/stable/c/aada327a9f8028c573636fa60c0abc80fb8135c9"
},
{
"url": "https://git.kernel.org/stable/c/5f06ee9f9a3665d43133f125c17e5258a13f3963"
},
{
"url": "https://git.kernel.org/stable/c/bd3c4ef60baf7f65c963f3e12d9d7b2b091e20ba"
},
{
"url": "https://git.kernel.org/stable/c/e1be1f380c82a69f80c68c96a7cfe8759fb30355"
},
{
"url": "https://git.kernel.org/stable/c/151c0aa896c47a4459e07fee7d4843f44c1bb18e"
}
],
"title": "usb: gadget : fix use-after-free in composite_dev_cleanup()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38555",
"datePublished": "2025-08-19T17:02:34.110Z",
"dateReserved": "2025-04-16T04:51:24.025Z",
"dateUpdated": "2025-09-29T05:53:42.268Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49975 (GCVE-0-2022-49975)
Vulnerability from cvelistv5
Published
2025-06-18 11:00
Modified
2025-06-18 11:00
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Don't redirect packets with invalid pkt_len
Syzbot found an issue [1]: fq_codel_drop() try to drop a flow whitout any
skbs, that is, the flow->head is null.
The root cause, as the [2] says, is because that bpf_prog_test_run_skb()
run a bpf prog which redirects empty skbs.
So we should determine whether the length of the packet modified by bpf
prog or others like bpf_prog_test is valid before forwarding it directly.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/linux/skbuff.h",
"net/bpf/test_run.c",
"net/core/dev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8b68e53d56697a59b5c53893b53f508bbdf272a0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6204bf78b2a903b96ba43afff6abc0b04d6e0462",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a75987714bd2d8e59840667a28e15c1fa5c47554",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "72f2dc8993f10262092745a88cb2dd0fef094f23",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "fd1894224407c484f652ad456e1ce423e89bb3eb",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/linux/skbuff.h",
"net/bpf/test_run.c",
"net/core/dev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.212",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.141",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.65",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.212",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.141",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.65",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Don\u0027t redirect packets with invalid pkt_len\n\nSyzbot found an issue [1]: fq_codel_drop() try to drop a flow whitout any\nskbs, that is, the flow-\u003ehead is null.\nThe root cause, as the [2] says, is because that bpf_prog_test_run_skb()\nrun a bpf prog which redirects empty skbs.\nSo we should determine whether the length of the packet modified by bpf\nprog or others like bpf_prog_test is valid before forwarding it directly."
}
],
"providerMetadata": {
"dateUpdated": "2025-06-18T11:00:38.157Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8b68e53d56697a59b5c53893b53f508bbdf272a0"
},
{
"url": "https://git.kernel.org/stable/c/6204bf78b2a903b96ba43afff6abc0b04d6e0462"
},
{
"url": "https://git.kernel.org/stable/c/a75987714bd2d8e59840667a28e15c1fa5c47554"
},
{
"url": "https://git.kernel.org/stable/c/72f2dc8993f10262092745a88cb2dd0fef094f23"
},
{
"url": "https://git.kernel.org/stable/c/fd1894224407c484f652ad456e1ce423e89bb3eb"
}
],
"title": "bpf: Don\u0027t redirect packets with invalid pkt_len",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49975",
"datePublished": "2025-06-18T11:00:38.157Z",
"dateReserved": "2025-06-18T10:57:27.385Z",
"dateUpdated": "2025-06-18T11:00:38.157Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38472 (GCVE-0-2025-38472)
Vulnerability from cvelistv5
Published
2025-07-28 11:21
Modified
2025-07-28 11:21
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_conntrack: fix crash due to removal of uninitialised entry
A crash in conntrack was reported while trying to unlink the conntrack
entry from the hash bucket list:
[exception RIP: __nf_ct_delete_from_lists+172]
[..]
#7 [ff539b5a2b043aa0] nf_ct_delete at ffffffffc124d421 [nf_conntrack]
#8 [ff539b5a2b043ad0] nf_ct_gc_expired at ffffffffc124d999 [nf_conntrack]
#9 [ff539b5a2b043ae0] __nf_conntrack_find_get at ffffffffc124efbc [nf_conntrack]
[..]
The nf_conn struct is marked as allocated from slab but appears to be in
a partially initialised state:
ct hlist pointer is garbage; looks like the ct hash value
(hence crash).
ct->status is equal to IPS_CONFIRMED|IPS_DYING, which is expected
ct->timeout is 30000 (=30s), which is unexpected.
Everything else looks like normal udp conntrack entry. If we ignore
ct->status and pretend its 0, the entry matches those that are newly
allocated but not yet inserted into the hash:
- ct hlist pointers are overloaded and store/cache the raw tuple hash
- ct->timeout matches the relative time expected for a new udp flow
rather than the absolute 'jiffies' value.
If it were not for the presence of IPS_CONFIRMED,
__nf_conntrack_find_get() would have skipped the entry.
Theory is that we did hit following race:
cpu x cpu y cpu z
found entry E found entry E
E is expired <preemption>
nf_ct_delete()
return E to rcu slab
init_conntrack
E is re-inited,
ct->status set to 0
reply tuplehash hnnode.pprev
stores hash value.
cpu y found E right before it was deleted on cpu x.
E is now re-inited on cpu z. cpu y was preempted before
checking for expiry and/or confirm bit.
->refcnt set to 1
E now owned by skb
->timeout set to 30000
If cpu y were to resume now, it would observe E as
expired but would skip E due to missing CONFIRMED bit.
nf_conntrack_confirm gets called
sets: ct->status |= CONFIRMED
This is wrong: E is not yet added
to hashtable.
cpu y resumes, it observes E as expired but CONFIRMED:
<resumes>
nf_ct_expired()
-> yes (ct->timeout is 30s)
confirmed bit set.
cpu y will try to delete E from the hashtable:
nf_ct_delete() -> set DYING bit
__nf_ct_delete_from_lists
Even this scenario doesn't guarantee a crash:
cpu z still holds the table bucket lock(s) so y blocks:
wait for spinlock held by z
CONFIRMED is set but there is no
guarantee ct will be added to hash:
"chaintoolong" or "clash resolution"
logic both skip the insert step.
reply hnnode.pprev still stores the
hash value.
unlocks spinlock
return NF_DROP
<unblocks, then
crashes on hlist_nulls_del_rcu pprev>
In case CPU z does insert the entry into the hashtable, cpu y will unlink
E again right away but no crash occurs.
Without 'cpu y' race, 'garbage' hlist is of no consequence:
ct refcnt remains at 1, eventually skb will be free'd and E gets
destroyed via: nf_conntrack_put -> nf_conntrack_destroy -> nf_ct_destroy.
To resolve this, move the IPS_CONFIRMED assignment after the table
insertion but before the unlock.
Pablo points out that the confirm-bit-store could be reordered to happen
before hlist add resp. the timeout fixup, so switch to set_bit and
before_atomic memory barrier to prevent this.
It doesn't matter if other CPUs can observe a newly inserted entry right
before the CONFIRMED bit was set:
Such event cannot be distinguished from above "E is the old incarnation"
case: the entry will be skipped.
Also change nf_ct_should_gc() to first check the confirmed bit.
The gc sequence is:
1. Check if entry has expired, if not skip to next entry
2. Obtain a reference to the expired entry.
3. Call nf_ct_should_gc() to double-check step 1.
nf_ct_should_gc() is thus called only for entries that already failed an
expiry check. After this patch, once the confirmed bit check pas
---truncated---
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1397af5bfd7d32b0cf2adb70a78c9a9e8f11d912 Version: 1397af5bfd7d32b0cf2adb70a78c9a9e8f11d912 Version: 1397af5bfd7d32b0cf2adb70a78c9a9e8f11d912 Version: 1397af5bfd7d32b0cf2adb70a78c9a9e8f11d912 Version: 1397af5bfd7d32b0cf2adb70a78c9a9e8f11d912 Version: 594cea2c09f7cd440d1ee1c4547d5bc6a646b0e4 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/netfilter/nf_conntrack.h",
"net/netfilter/nf_conntrack_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a47ef874189d47f934d0809ae738886307c0ea22",
"status": "affected",
"version": "1397af5bfd7d32b0cf2adb70a78c9a9e8f11d912",
"versionType": "git"
},
{
"lessThan": "76179961c423cd698080b5e4d5583cf7f4fcdde9",
"status": "affected",
"version": "1397af5bfd7d32b0cf2adb70a78c9a9e8f11d912",
"versionType": "git"
},
{
"lessThan": "fc38c249c622ff5e3011b8845fd49dbfd9289afc",
"status": "affected",
"version": "1397af5bfd7d32b0cf2adb70a78c9a9e8f11d912",
"versionType": "git"
},
{
"lessThan": "938ce0e8422d3793fe30df2ed0e37f6bc0598379",
"status": "affected",
"version": "1397af5bfd7d32b0cf2adb70a78c9a9e8f11d912",
"versionType": "git"
},
{
"lessThan": "2d72afb340657f03f7261e9243b44457a9228ac7",
"status": "affected",
"version": "1397af5bfd7d32b0cf2adb70a78c9a9e8f11d912",
"versionType": "git"
},
{
"status": "affected",
"version": "594cea2c09f7cd440d1ee1c4547d5bc6a646b0e4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/netfilter/nf_conntrack.h",
"net/netfilter/nf_conntrack_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.147",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.100",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.147",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.100",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.40",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.8",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.18.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conntrack: fix crash due to removal of uninitialised entry\n\nA crash in conntrack was reported while trying to unlink the conntrack\nentry from the hash bucket list:\n [exception RIP: __nf_ct_delete_from_lists+172]\n [..]\n #7 [ff539b5a2b043aa0] nf_ct_delete at ffffffffc124d421 [nf_conntrack]\n #8 [ff539b5a2b043ad0] nf_ct_gc_expired at ffffffffc124d999 [nf_conntrack]\n #9 [ff539b5a2b043ae0] __nf_conntrack_find_get at ffffffffc124efbc [nf_conntrack]\n [..]\n\nThe nf_conn struct is marked as allocated from slab but appears to be in\na partially initialised state:\n\n ct hlist pointer is garbage; looks like the ct hash value\n (hence crash).\n ct-\u003estatus is equal to IPS_CONFIRMED|IPS_DYING, which is expected\n ct-\u003etimeout is 30000 (=30s), which is unexpected.\n\nEverything else looks like normal udp conntrack entry. If we ignore\nct-\u003estatus and pretend its 0, the entry matches those that are newly\nallocated but not yet inserted into the hash:\n - ct hlist pointers are overloaded and store/cache the raw tuple hash\n - ct-\u003etimeout matches the relative time expected for a new udp flow\n rather than the absolute \u0027jiffies\u0027 value.\n\nIf it were not for the presence of IPS_CONFIRMED,\n__nf_conntrack_find_get() would have skipped the entry.\n\nTheory is that we did hit following race:\n\ncpu x \t\t\tcpu y\t\t\tcpu z\n found entry E\t\tfound entry E\n E is expired\t\t\u003cpreemption\u003e\n nf_ct_delete()\n return E to rcu slab\n\t\t\t\t\tinit_conntrack\n\t\t\t\t\tE is re-inited,\n\t\t\t\t\tct-\u003estatus set to 0\n\t\t\t\t\treply tuplehash hnnode.pprev\n\t\t\t\t\tstores hash value.\n\ncpu y found E right before it was deleted on cpu x.\nE is now re-inited on cpu z. cpu y was preempted before\nchecking for expiry and/or confirm bit.\n\n\t\t\t\t\t-\u003erefcnt set to 1\n\t\t\t\t\tE now owned by skb\n\t\t\t\t\t-\u003etimeout set to 30000\n\nIf cpu y were to resume now, it would observe E as\nexpired but would skip E due to missing CONFIRMED bit.\n\n\t\t\t\t\tnf_conntrack_confirm gets called\n\t\t\t\t\tsets: ct-\u003estatus |= CONFIRMED\n\t\t\t\t\tThis is wrong: E is not yet added\n\t\t\t\t\tto hashtable.\n\ncpu y resumes, it observes E as expired but CONFIRMED:\n\t\t\t\u003cresumes\u003e\n\t\t\tnf_ct_expired()\n\t\t\t -\u003e yes (ct-\u003etimeout is 30s)\n\t\t\tconfirmed bit set.\n\ncpu y will try to delete E from the hashtable:\n\t\t\tnf_ct_delete() -\u003e set DYING bit\n\t\t\t__nf_ct_delete_from_lists\n\nEven this scenario doesn\u0027t guarantee a crash:\ncpu z still holds the table bucket lock(s) so y blocks:\n\n\t\t\twait for spinlock held by z\n\n\t\t\t\t\tCONFIRMED is set but there is no\n\t\t\t\t\tguarantee ct will be added to hash:\n\t\t\t\t\t\"chaintoolong\" or \"clash resolution\"\n\t\t\t\t\tlogic both skip the insert step.\n\t\t\t\t\treply hnnode.pprev still stores the\n\t\t\t\t\thash value.\n\n\t\t\t\t\tunlocks spinlock\n\t\t\t\t\treturn NF_DROP\n\t\t\t\u003cunblocks, then\n\t\t\t crashes on hlist_nulls_del_rcu pprev\u003e\n\nIn case CPU z does insert the entry into the hashtable, cpu y will unlink\nE again right away but no crash occurs.\n\nWithout \u0027cpu y\u0027 race, \u0027garbage\u0027 hlist is of no consequence:\nct refcnt remains at 1, eventually skb will be free\u0027d and E gets\ndestroyed via: nf_conntrack_put -\u003e nf_conntrack_destroy -\u003e nf_ct_destroy.\n\nTo resolve this, move the IPS_CONFIRMED assignment after the table\ninsertion but before the unlock.\n\nPablo points out that the confirm-bit-store could be reordered to happen\nbefore hlist add resp. the timeout fixup, so switch to set_bit and\nbefore_atomic memory barrier to prevent this.\n\nIt doesn\u0027t matter if other CPUs can observe a newly inserted entry right\nbefore the CONFIRMED bit was set:\n\nSuch event cannot be distinguished from above \"E is the old incarnation\"\ncase: the entry will be skipped.\n\nAlso change nf_ct_should_gc() to first check the confirmed bit.\n\nThe gc sequence is:\n 1. Check if entry has expired, if not skip to next entry\n 2. Obtain a reference to the expired entry.\n 3. Call nf_ct_should_gc() to double-check step 1.\n\nnf_ct_should_gc() is thus called only for entries that already failed an\nexpiry check. After this patch, once the confirmed bit check pas\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T11:21:33.977Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a47ef874189d47f934d0809ae738886307c0ea22"
},
{
"url": "https://git.kernel.org/stable/c/76179961c423cd698080b5e4d5583cf7f4fcdde9"
},
{
"url": "https://git.kernel.org/stable/c/fc38c249c622ff5e3011b8845fd49dbfd9289afc"
},
{
"url": "https://git.kernel.org/stable/c/938ce0e8422d3793fe30df2ed0e37f6bc0598379"
},
{
"url": "https://git.kernel.org/stable/c/2d72afb340657f03f7261e9243b44457a9228ac7"
}
],
"title": "netfilter: nf_conntrack: fix crash due to removal of uninitialised entry",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38472",
"datePublished": "2025-07-28T11:21:33.977Z",
"dateReserved": "2025-04-16T04:51:24.021Z",
"dateUpdated": "2025-07-28T11:21:33.977Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38553 (GCVE-0-2025-38553)
Vulnerability from cvelistv5
Published
2025-08-19 06:06
Modified
2025-09-29 05:53
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: Restrict conditions for adding duplicating netems to qdisc tree
netem_enqueue's duplication prevention logic breaks when a netem
resides in a qdisc tree with other netems - this can lead to a
soft lockup and OOM loop in netem_dequeue, as seen in [1].
Ensure that a duplicating netem cannot exist in a tree with other
netems.
Previous approaches suggested in discussions in chronological order:
1) Track duplication status or ttl in the sk_buff struct. Considered
too specific a use case to extend such a struct, though this would
be a resilient fix and address other previous and potential future
DOS bugs like the one described in loopy fun [2].
2) Restrict netem_enqueue recursion depth like in act_mirred with a
per cpu variable. However, netem_dequeue can call enqueue on its
child, and the depth restriction could be bypassed if the child is a
netem.
3) Use the same approach as in 2, but add metadata in netem_skb_cb
to handle the netem_dequeue case and track a packet's involvement
in duplication. This is an overly complex approach, and Jamal
notes that the skb cb can be overwritten to circumvent this
safeguard.
4) Prevent the addition of a netem to a qdisc tree if its ancestral
path contains a netem. However, filters and actions can cause a
packet to change paths when re-enqueued to the root from netem
duplication, leading us to the current solution: prevent a
duplicating netem from inhabiting the same tree as other netems.
[1] https://lore.kernel.org/netdev/8DuRWwfqjoRDLDmBMlIfbrsZg9Gx50DHJc1ilxsEBNe2D6NMoigR_eIRIG0LOjMc3r10nUUZtArXx4oZBIdUfZQrwjcQhdinnMis_0G7VEk=@willsroot.io/
[2] https://lwn.net/Articles/719297/
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 0afb51e72855971dba83b3c6b70c547c2d1161fd Version: 0afb51e72855971dba83b3c6b70c547c2d1161fd Version: 0afb51e72855971dba83b3c6b70c547c2d1161fd Version: 0afb51e72855971dba83b3c6b70c547c2d1161fd Version: 0afb51e72855971dba83b3c6b70c547c2d1161fd Version: 0afb51e72855971dba83b3c6b70c547c2d1161fd Version: 0afb51e72855971dba83b3c6b70c547c2d1161fd Version: 0afb51e72855971dba83b3c6b70c547c2d1161fd Version: 0afb51e72855971dba83b3c6b70c547c2d1161fd |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/sch_netem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ad340a4b4adb855b18b3666f26ad65c8968e2deb",
"status": "affected",
"version": "0afb51e72855971dba83b3c6b70c547c2d1161fd",
"versionType": "git"
},
{
"lessThan": "f088b6ebe8797a3f948d2cae47f34bfb45cc6522",
"status": "affected",
"version": "0afb51e72855971dba83b3c6b70c547c2d1161fd",
"versionType": "git"
},
{
"lessThan": "cab2809944989889f88a1a8b5cff1c78460c72cb",
"status": "affected",
"version": "0afb51e72855971dba83b3c6b70c547c2d1161fd",
"versionType": "git"
},
{
"lessThan": "325f5ec67cc0a77f2d0d453445b9857f1cd06c76",
"status": "affected",
"version": "0afb51e72855971dba83b3c6b70c547c2d1161fd",
"versionType": "git"
},
{
"lessThan": "103c4e27ec9f5fe53022e46e976abf52c7221baf",
"status": "affected",
"version": "0afb51e72855971dba83b3c6b70c547c2d1161fd",
"versionType": "git"
},
{
"lessThan": "795cb393e38977aa991e70a9363da0ee734b2114",
"status": "affected",
"version": "0afb51e72855971dba83b3c6b70c547c2d1161fd",
"versionType": "git"
},
{
"lessThan": "250f8796006c0f2bc638ce545f601d49ae8d528b",
"status": "affected",
"version": "0afb51e72855971dba83b3c6b70c547c2d1161fd",
"versionType": "git"
},
{
"lessThan": "09317dfb681ac5a96fc69bea0c54441cf91b8270",
"status": "affected",
"version": "0afb51e72855971dba83b3c6b70c547c2d1161fd",
"versionType": "git"
},
{
"lessThan": "ec8e0e3d7adef940cdf9475e2352c0680189d14e",
"status": "affected",
"version": "0afb51e72855971dba83b3c6b70c547c2d1161fd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/sch_netem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.148",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.102",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.148",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.102",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.42",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.10",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: Restrict conditions for adding duplicating netems to qdisc tree\n\nnetem_enqueue\u0027s duplication prevention logic breaks when a netem\nresides in a qdisc tree with other netems - this can lead to a\nsoft lockup and OOM loop in netem_dequeue, as seen in [1].\nEnsure that a duplicating netem cannot exist in a tree with other\nnetems.\n\nPrevious approaches suggested in discussions in chronological order:\n\n1) Track duplication status or ttl in the sk_buff struct. Considered\ntoo specific a use case to extend such a struct, though this would\nbe a resilient fix and address other previous and potential future\nDOS bugs like the one described in loopy fun [2].\n\n2) Restrict netem_enqueue recursion depth like in act_mirred with a\nper cpu variable. However, netem_dequeue can call enqueue on its\nchild, and the depth restriction could be bypassed if the child is a\nnetem.\n\n3) Use the same approach as in 2, but add metadata in netem_skb_cb\nto handle the netem_dequeue case and track a packet\u0027s involvement\nin duplication. This is an overly complex approach, and Jamal\nnotes that the skb cb can be overwritten to circumvent this\nsafeguard.\n\n4) Prevent the addition of a netem to a qdisc tree if its ancestral\npath contains a netem. However, filters and actions can cause a\npacket to change paths when re-enqueued to the root from netem\nduplication, leading us to the current solution: prevent a\nduplicating netem from inhabiting the same tree as other netems.\n\n[1] https://lore.kernel.org/netdev/8DuRWwfqjoRDLDmBMlIfbrsZg9Gx50DHJc1ilxsEBNe2D6NMoigR_eIRIG0LOjMc3r10nUUZtArXx4oZBIdUfZQrwjcQhdinnMis_0G7VEk=@willsroot.io/\n[2] https://lwn.net/Articles/719297/"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:53:39.976Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ad340a4b4adb855b18b3666f26ad65c8968e2deb"
},
{
"url": "https://git.kernel.org/stable/c/f088b6ebe8797a3f948d2cae47f34bfb45cc6522"
},
{
"url": "https://git.kernel.org/stable/c/cab2809944989889f88a1a8b5cff1c78460c72cb"
},
{
"url": "https://git.kernel.org/stable/c/325f5ec67cc0a77f2d0d453445b9857f1cd06c76"
},
{
"url": "https://git.kernel.org/stable/c/103c4e27ec9f5fe53022e46e976abf52c7221baf"
},
{
"url": "https://git.kernel.org/stable/c/795cb393e38977aa991e70a9363da0ee734b2114"
},
{
"url": "https://git.kernel.org/stable/c/250f8796006c0f2bc638ce545f601d49ae8d528b"
},
{
"url": "https://git.kernel.org/stable/c/09317dfb681ac5a96fc69bea0c54441cf91b8270"
},
{
"url": "https://git.kernel.org/stable/c/ec8e0e3d7adef940cdf9475e2352c0680189d14e"
}
],
"title": "net/sched: Restrict conditions for adding duplicating netems to qdisc tree",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38553",
"datePublished": "2025-08-19T06:06:53.204Z",
"dateReserved": "2025-04-16T04:51:24.025Z",
"dateUpdated": "2025-09-29T05:53:39.976Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50116 (GCVE-0-2022-50116)
Vulnerability from cvelistv5
Published
2025-06-18 11:02
Modified
2025-06-18 11:02
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tty: n_gsm: fix deadlock and link starvation in outgoing data path
The current implementation queues up new control and user packets as needed
and processes this queue down to the ldisc in the same code path.
That means that the upper and the lower layer are hard coupled in the code.
Due to this deadlocks can happen as seen below while transmitting data,
especially during ldisc congestion. Furthermore, the data channels starve
the control channel on high transmission load on the ldisc.
Introduce an additional control channel data queue to prevent timeouts and
link hangups during ldisc congestion. This is being processed before the
user channel data queue in gsm_data_kick(), i.e. with the highest priority.
Put the queue to ldisc data path into a workqueue and trigger it whenever
new data has been put into the transmission queue. Change
gsm_dlci_data_sweep() accordingly to fill up the transmission queue until
TX_THRESH_HI. This solves the locking issue, keeps latency low and provides
good performance on high data load.
Note that now all packets from a DLCI are removed from the internal queue
if the associated DLCI was closed. This ensures that no data is sent by the
introduced write task to an already closed DLCI.
BUG: spinlock recursion on CPU#0, test_v24_loop/124
lock: serial8250_ports+0x3a8/0x7500, .magic: dead4ead, .owner: test_v24_loop/124, .owner_cpu: 0
CPU: 0 PID: 124 Comm: test_v24_loop Tainted: G O 5.18.0-rc2 #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:
<IRQ>
dump_stack_lvl+0x34/0x44
do_raw_spin_lock+0x76/0xa0
_raw_spin_lock_irqsave+0x72/0x80
uart_write_room+0x3b/0xc0
gsm_data_kick+0x14b/0x240 [n_gsm]
gsmld_write_wakeup+0x35/0x70 [n_gsm]
tty_wakeup+0x53/0x60
tty_port_default_wakeup+0x1b/0x30
serial8250_tx_chars+0x12f/0x220
serial8250_handle_irq.part.0+0xfe/0x150
serial8250_default_handle_irq+0x48/0x80
serial8250_interrupt+0x56/0xa0
__handle_irq_event_percpu+0x78/0x1f0
handle_irq_event+0x34/0x70
handle_fasteoi_irq+0x90/0x1e0
__common_interrupt+0x69/0x100
common_interrupt+0x48/0xc0
asm_common_interrupt+0x1e/0x40
RIP: 0010:__do_softirq+0x83/0x34e
Code: 2a 0a ff 0f b7 ed c7 44 24 10 0a 00 00 00 48 c7 c7 51 2a 64 82 e8 2d
e2 d5 ff 65 66 c7 05 83 af 1e 7e 00 00 fb b8 ff ff ff ff <49> c7 c2 40 61
80 82 0f bc c5 41 89 c4 41 83 c4 01 0f 84 e6 00 00
RSP: 0018:ffffc90000003f98 EFLAGS: 00000286
RAX: 00000000ffffffff RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff82642a51 RDI: ffffffff825bb5e7
RBP: 0000000000000200 R08: 00000008de3271a8 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000030 R14: 0000000000000000 R15: 0000000000000000
? __do_softirq+0x73/0x34e
irq_exit_rcu+0xb5/0x100
common_interrupt+0xa4/0xc0
</IRQ>
<TASK>
asm_common_interrupt+0x1e/0x40
RIP: 0010:_raw_spin_unlock_irqrestore+0x2e/0x50
Code: 00 55 48 89 fd 48 83 c7 18 53 48 89 f3 48 8b 74 24 10 e8 85 28 36 ff
48 89 ef e8 cd 58 36 ff 80 e7 02 74 01 fb bf 01 00 00 00 <e8> 3d 97 33 ff
65 8b 05 96 23 2b 7e 85 c0 74 03 5b 5d c3 0f 1f 44
RSP: 0018:ffffc9000020fd08 EFLAGS: 00000202
RAX: 0000000000000000 RBX: 0000000000000246 RCX: 0000000000000000
RDX: 0000000000000004 RSI: ffffffff8257fd74 RDI: 0000000000000001
RBP: ffff8880057de3a0 R08: 00000008de233000 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000100 R14: 0000000000000202 R15: ffff8880057df0b8
? _raw_spin_unlock_irqrestore+0x23/0x50
gsmtty_write+0x65/0x80 [n_gsm]
n_tty_write+0x33f/0x530
? swake_up_all+0xe0/0xe0
file_tty_write.constprop.0+0x1b1/0x320
? n_tty_flush_buffer+0xb0/0xb0
new_sync_write+0x10c/0x190
vfs_write+0x282/0x310
ksys_write+0x68/0xe0
do_syscall_64+0x3b/0x90
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f3e5e35c15c
Code: 8b 7c 24 08 89 c5 e8 c5 ff ff ff 89 ef 89 44 24
---truncated---
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/tty/n_gsm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c165698c9919b000bdbe73859d3bb7b33bdb9223",
"status": "affected",
"version": "e1eaea46bb4020b38a141b84f88565d4603f8dd0",
"versionType": "git"
},
{
"lessThan": "7962a4b900099cf90e02859bb297f2c618d8d940",
"status": "affected",
"version": "e1eaea46bb4020b38a141b84f88565d4603f8dd0",
"versionType": "git"
},
{
"lessThan": "0af021678d5d30c31f5a6b631f404ead3575212a",
"status": "affected",
"version": "e1eaea46bb4020b38a141b84f88565d4603f8dd0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/tty/n_gsm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.35"
},
{
"lessThan": "2.6.35",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.18",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.2",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0",
"versionStartIncluding": "2.6.35",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: n_gsm: fix deadlock and link starvation in outgoing data path\n\nThe current implementation queues up new control and user packets as needed\nand processes this queue down to the ldisc in the same code path.\nThat means that the upper and the lower layer are hard coupled in the code.\nDue to this deadlocks can happen as seen below while transmitting data,\nespecially during ldisc congestion. Furthermore, the data channels starve\nthe control channel on high transmission load on the ldisc.\n\nIntroduce an additional control channel data queue to prevent timeouts and\nlink hangups during ldisc congestion. This is being processed before the\nuser channel data queue in gsm_data_kick(), i.e. with the highest priority.\nPut the queue to ldisc data path into a workqueue and trigger it whenever\nnew data has been put into the transmission queue. Change\ngsm_dlci_data_sweep() accordingly to fill up the transmission queue until\nTX_THRESH_HI. This solves the locking issue, keeps latency low and provides\ngood performance on high data load.\nNote that now all packets from a DLCI are removed from the internal queue\nif the associated DLCI was closed. This ensures that no data is sent by the\nintroduced write task to an already closed DLCI.\n\nBUG: spinlock recursion on CPU#0, test_v24_loop/124\n lock: serial8250_ports+0x3a8/0x7500, .magic: dead4ead, .owner: test_v24_loop/124, .owner_cpu: 0\nCPU: 0 PID: 124 Comm: test_v24_loop Tainted: G O 5.18.0-rc2 #3\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nCall Trace:\n \u003cIRQ\u003e\n dump_stack_lvl+0x34/0x44\n do_raw_spin_lock+0x76/0xa0\n _raw_spin_lock_irqsave+0x72/0x80\n uart_write_room+0x3b/0xc0\n gsm_data_kick+0x14b/0x240 [n_gsm]\n gsmld_write_wakeup+0x35/0x70 [n_gsm]\n tty_wakeup+0x53/0x60\n tty_port_default_wakeup+0x1b/0x30\n serial8250_tx_chars+0x12f/0x220\n serial8250_handle_irq.part.0+0xfe/0x150\n serial8250_default_handle_irq+0x48/0x80\n serial8250_interrupt+0x56/0xa0\n __handle_irq_event_percpu+0x78/0x1f0\n handle_irq_event+0x34/0x70\n handle_fasteoi_irq+0x90/0x1e0\n __common_interrupt+0x69/0x100\n common_interrupt+0x48/0xc0\n asm_common_interrupt+0x1e/0x40\nRIP: 0010:__do_softirq+0x83/0x34e\nCode: 2a 0a ff 0f b7 ed c7 44 24 10 0a 00 00 00 48 c7 c7 51 2a 64 82 e8 2d\ne2 d5 ff 65 66 c7 05 83 af 1e 7e 00 00 fb b8 ff ff ff ff \u003c49\u003e c7 c2 40 61\n80 82 0f bc c5 41 89 c4 41 83 c4 01 0f 84 e6 00 00\nRSP: 0018:ffffc90000003f98 EFLAGS: 00000286\nRAX: 00000000ffffffff RBX: 0000000000000000 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: ffffffff82642a51 RDI: ffffffff825bb5e7\nRBP: 0000000000000200 R08: 00000008de3271a8 R09: 0000000000000000\nR10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000\nR13: 0000000000000030 R14: 0000000000000000 R15: 0000000000000000\n ? __do_softirq+0x73/0x34e\n irq_exit_rcu+0xb5/0x100\n common_interrupt+0xa4/0xc0\n \u003c/IRQ\u003e\n \u003cTASK\u003e\n asm_common_interrupt+0x1e/0x40\nRIP: 0010:_raw_spin_unlock_irqrestore+0x2e/0x50\nCode: 00 55 48 89 fd 48 83 c7 18 53 48 89 f3 48 8b 74 24 10 e8 85 28 36 ff\n48 89 ef e8 cd 58 36 ff 80 e7 02 74 01 fb bf 01 00 00 00 \u003ce8\u003e 3d 97 33 ff\n65 8b 05 96 23 2b 7e 85 c0 74 03 5b 5d c3 0f 1f 44\nRSP: 0018:ffffc9000020fd08 EFLAGS: 00000202\nRAX: 0000000000000000 RBX: 0000000000000246 RCX: 0000000000000000\nRDX: 0000000000000004 RSI: ffffffff8257fd74 RDI: 0000000000000001\nRBP: ffff8880057de3a0 R08: 00000008de233000 R09: 0000000000000000\nR10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000\nR13: 0000000000000100 R14: 0000000000000202 R15: ffff8880057df0b8\n ? _raw_spin_unlock_irqrestore+0x23/0x50\n gsmtty_write+0x65/0x80 [n_gsm]\n n_tty_write+0x33f/0x530\n ? swake_up_all+0xe0/0xe0\n file_tty_write.constprop.0+0x1b1/0x320\n ? n_tty_flush_buffer+0xb0/0xb0\n new_sync_write+0x10c/0x190\n vfs_write+0x282/0x310\n ksys_write+0x68/0xe0\n do_syscall_64+0x3b/0x90\n entry_SYSCALL_64_after_hwframe+0x44/0xae\nRIP: 0033:0x7f3e5e35c15c\nCode: 8b 7c 24 08 89 c5 e8 c5 ff ff ff 89 ef 89 44 24\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-06-18T11:02:47.361Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c165698c9919b000bdbe73859d3bb7b33bdb9223"
},
{
"url": "https://git.kernel.org/stable/c/7962a4b900099cf90e02859bb297f2c618d8d940"
},
{
"url": "https://git.kernel.org/stable/c/0af021678d5d30c31f5a6b631f404ead3575212a"
}
],
"title": "tty: n_gsm: fix deadlock and link starvation in outgoing data path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50116",
"datePublished": "2025-06-18T11:02:47.361Z",
"dateReserved": "2025-06-18T10:57:27.415Z",
"dateUpdated": "2025-06-18T11:02:47.361Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21701 (GCVE-0-2025-21701)
Vulnerability from cvelistv5
Published
2025-02-13 15:05
Modified
2025-09-02 19:16
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: avoid race between device unregistration and ethnl ops
The following trace can be seen if a device is being unregistered while
its number of channels are being modified.
DEBUG_LOCKS_WARN_ON(lock->magic != lock)
WARNING: CPU: 3 PID: 3754 at kernel/locking/mutex.c:564 __mutex_lock+0xc8a/0x1120
CPU: 3 UID: 0 PID: 3754 Comm: ethtool Not tainted 6.13.0-rc6+ #771
RIP: 0010:__mutex_lock+0xc8a/0x1120
Call Trace:
<TASK>
ethtool_check_max_channel+0x1ea/0x880
ethnl_set_channels+0x3c3/0xb10
ethnl_default_set_doit+0x306/0x650
genl_family_rcv_msg_doit+0x1e3/0x2c0
genl_rcv_msg+0x432/0x6f0
netlink_rcv_skb+0x13d/0x3b0
genl_rcv+0x28/0x40
netlink_unicast+0x42e/0x720
netlink_sendmsg+0x765/0xc20
__sys_sendto+0x3ac/0x420
__x64_sys_sendto+0xe0/0x1c0
do_syscall_64+0x95/0x180
entry_SYSCALL_64_after_hwframe+0x76/0x7e
This is because unregister_netdevice_many_notify might run before the
rtnl lock section of ethnl operations, eg. set_channels in the above
example. In this example the rss lock would be destroyed by the device
unregistration path before being used again, but in general running
ethnl operations while dismantle has started is not a good idea.
Fix this by denying any operation on devices being unregistered. A check
was already there in ethnl_ops_begin, but not wide enough.
Note that the same issue cannot be seen on the ioctl version
(__dev_ethtool) because the device reference is retrieved from within
the rtnl lock section there. Once dismantle started, the net device is
unlisted and no reference will be found.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: cfd719f04267108f5f5bf802b9d7de69e99a99f9 Version: dde91ccfa25fd58f64c397d91b81a4b393100ffa Version: dde91ccfa25fd58f64c397d91b81a4b393100ffa Version: dde91ccfa25fd58f64c397d91b81a4b393100ffa Version: dde91ccfa25fd58f64c397d91b81a4b393100ffa Version: dde91ccfa25fd58f64c397d91b81a4b393100ffa Version: 7c26da3be1e9843a15b5318f90db8a564479d2ac |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-21701",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-02T19:15:24.731894Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-362",
"description": "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-02T19:16:21.196Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ethtool/netlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "26bc6076798aa4dc83a07d0a386f9e57c94e8517",
"status": "affected",
"version": "cfd719f04267108f5f5bf802b9d7de69e99a99f9",
"versionType": "git"
},
{
"lessThan": "b1cb37a31a482df3dd35a6ac166282dac47664f4",
"status": "affected",
"version": "dde91ccfa25fd58f64c397d91b81a4b393100ffa",
"versionType": "git"
},
{
"lessThan": "2f29127e94ae9fdc7497331003d6860e9551cdf3",
"status": "affected",
"version": "dde91ccfa25fd58f64c397d91b81a4b393100ffa",
"versionType": "git"
},
{
"lessThan": "b382ab9b885cbb665e0e70a727f101c981b4edf3",
"status": "affected",
"version": "dde91ccfa25fd58f64c397d91b81a4b393100ffa",
"versionType": "git"
},
{
"lessThan": "4dc880245f9b529fa8f476b5553c799d2848b47b",
"status": "affected",
"version": "dde91ccfa25fd58f64c397d91b81a4b393100ffa",
"versionType": "git"
},
{
"lessThan": "12e070eb6964b341b41677fd260af5a305316a1f",
"status": "affected",
"version": "dde91ccfa25fd58f64c397d91b81a4b393100ffa",
"versionType": "git"
},
{
"status": "affected",
"version": "7c26da3be1e9843a15b5318f90db8a564479d2ac",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ethtool/netlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.76",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "5.15.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.76",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.13",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.2",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.10.87",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: avoid race between device unregistration and ethnl ops\n\nThe following trace can be seen if a device is being unregistered while\nits number of channels are being modified.\n\n DEBUG_LOCKS_WARN_ON(lock-\u003emagic != lock)\n WARNING: CPU: 3 PID: 3754 at kernel/locking/mutex.c:564 __mutex_lock+0xc8a/0x1120\n CPU: 3 UID: 0 PID: 3754 Comm: ethtool Not tainted 6.13.0-rc6+ #771\n RIP: 0010:__mutex_lock+0xc8a/0x1120\n Call Trace:\n \u003cTASK\u003e\n ethtool_check_max_channel+0x1ea/0x880\n ethnl_set_channels+0x3c3/0xb10\n ethnl_default_set_doit+0x306/0x650\n genl_family_rcv_msg_doit+0x1e3/0x2c0\n genl_rcv_msg+0x432/0x6f0\n netlink_rcv_skb+0x13d/0x3b0\n genl_rcv+0x28/0x40\n netlink_unicast+0x42e/0x720\n netlink_sendmsg+0x765/0xc20\n __sys_sendto+0x3ac/0x420\n __x64_sys_sendto+0xe0/0x1c0\n do_syscall_64+0x95/0x180\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nThis is because unregister_netdevice_many_notify might run before the\nrtnl lock section of ethnl operations, eg. set_channels in the above\nexample. In this example the rss lock would be destroyed by the device\nunregistration path before being used again, but in general running\nethnl operations while dismantle has started is not a good idea.\n\nFix this by denying any operation on devices being unregistered. A check\nwas already there in ethnl_ops_begin, but not wide enough.\n\nNote that the same issue cannot be seen on the ioctl version\n(__dev_ethtool) because the device reference is retrieved from within\nthe rtnl lock section there. Once dismantle started, the net device is\nunlisted and no reference will be found."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T13:06:18.444Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/26bc6076798aa4dc83a07d0a386f9e57c94e8517"
},
{
"url": "https://git.kernel.org/stable/c/b1cb37a31a482df3dd35a6ac166282dac47664f4"
},
{
"url": "https://git.kernel.org/stable/c/2f29127e94ae9fdc7497331003d6860e9551cdf3"
},
{
"url": "https://git.kernel.org/stable/c/b382ab9b885cbb665e0e70a727f101c981b4edf3"
},
{
"url": "https://git.kernel.org/stable/c/4dc880245f9b529fa8f476b5553c799d2848b47b"
},
{
"url": "https://git.kernel.org/stable/c/12e070eb6964b341b41677fd260af5a305316a1f"
}
],
"title": "net: avoid race between device unregistration and ethnl ops",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21701",
"datePublished": "2025-02-13T15:05:46.483Z",
"dateReserved": "2024-12-29T08:45:45.748Z",
"dateUpdated": "2025-09-02T19:16:21.196Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-49996 (GCVE-0-2024-49996)
Vulnerability from cvelistv5
Published
2024-10-21 18:02
Modified
2025-05-04 09:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
cifs: Fix buffer overflow when parsing NFS reparse points
ReparseDataLength is sum of the InodeType size and DataBuffer size.
So to get DataBuffer size it is needed to subtract InodeType's size from
ReparseDataLength.
Function cifs_strndup_from_utf16() is currentlly accessing buf->DataBuffer
at position after the end of the buffer because it does not subtract
InodeType size from the length. Fix this problem and correctly subtract
variable len.
Member InodeType is present only when reparse buffer is large enough. Check
for ReparseDataLength before accessing InodeType to prevent another invalid
memory access.
Major and minor rdev values are present also only when reparse buffer is
large enough. Check for reparse buffer size before calling reparse_mkdev().
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: d5ecebc4900df7f6e8dff0717574668885110553 Version: d5ecebc4900df7f6e8dff0717574668885110553 Version: d5ecebc4900df7f6e8dff0717574668885110553 Version: d5ecebc4900df7f6e8dff0717574668885110553 Version: d5ecebc4900df7f6e8dff0717574668885110553 Version: d5ecebc4900df7f6e8dff0717574668885110553 Version: d5ecebc4900df7f6e8dff0717574668885110553 Version: d5ecebc4900df7f6e8dff0717574668885110553 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-49996",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-22T13:30:36.265660Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-22T13:38:41.853Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/client/reparse.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7b222d6cb87077faf56a687a72af1951cf78c8a9",
"status": "affected",
"version": "d5ecebc4900df7f6e8dff0717574668885110553",
"versionType": "git"
},
{
"lessThan": "73b078e3314d4854fd8286f3ba65c860ddd3a3dd",
"status": "affected",
"version": "d5ecebc4900df7f6e8dff0717574668885110553",
"versionType": "git"
},
{
"lessThan": "01cdddde39b065074fd48f07027757783cbf5b7d",
"status": "affected",
"version": "d5ecebc4900df7f6e8dff0717574668885110553",
"versionType": "git"
},
{
"lessThan": "ec79e6170bcae8a6036a4b6960f5e7e59a785601",
"status": "affected",
"version": "d5ecebc4900df7f6e8dff0717574668885110553",
"versionType": "git"
},
{
"lessThan": "c6db81c550cea0c73bd72ef55f579991e0e4ba07",
"status": "affected",
"version": "d5ecebc4900df7f6e8dff0717574668885110553",
"versionType": "git"
},
{
"lessThan": "803b3a39cb096d8718c0aebc03fd19f11c7dc919",
"status": "affected",
"version": "d5ecebc4900df7f6e8dff0717574668885110553",
"versionType": "git"
},
{
"lessThan": "c173d47b69f07cd7ca08efb4e458adbd4725d8e9",
"status": "affected",
"version": "d5ecebc4900df7f6e8dff0717574668885110553",
"versionType": "git"
},
{
"lessThan": "e2a8910af01653c1c268984855629d71fb81f404",
"status": "affected",
"version": "d5ecebc4900df7f6e8dff0717574668885110553",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/client/reparse.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.3"
},
{
"lessThan": "5.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.287",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.231",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.174",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.10.*",
"status": "unaffected",
"version": "6.10.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"version": "6.11.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.12",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.287",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.231",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.174",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.120",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.55",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10.14",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11.3",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12",
"versionStartIncluding": "5.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: Fix buffer overflow when parsing NFS reparse points\n\nReparseDataLength is sum of the InodeType size and DataBuffer size.\nSo to get DataBuffer size it is needed to subtract InodeType\u0027s size from\nReparseDataLength.\n\nFunction cifs_strndup_from_utf16() is currentlly accessing buf-\u003eDataBuffer\nat position after the end of the buffer because it does not subtract\nInodeType size from the length. Fix this problem and correctly subtract\nvariable len.\n\nMember InodeType is present only when reparse buffer is large enough. Check\nfor ReparseDataLength before accessing InodeType to prevent another invalid\nmemory access.\n\nMajor and minor rdev values are present also only when reparse buffer is\nlarge enough. Check for reparse buffer size before calling reparse_mkdev()."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:43:17.347Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7b222d6cb87077faf56a687a72af1951cf78c8a9"
},
{
"url": "https://git.kernel.org/stable/c/73b078e3314d4854fd8286f3ba65c860ddd3a3dd"
},
{
"url": "https://git.kernel.org/stable/c/01cdddde39b065074fd48f07027757783cbf5b7d"
},
{
"url": "https://git.kernel.org/stable/c/ec79e6170bcae8a6036a4b6960f5e7e59a785601"
},
{
"url": "https://git.kernel.org/stable/c/c6db81c550cea0c73bd72ef55f579991e0e4ba07"
},
{
"url": "https://git.kernel.org/stable/c/803b3a39cb096d8718c0aebc03fd19f11c7dc919"
},
{
"url": "https://git.kernel.org/stable/c/c173d47b69f07cd7ca08efb4e458adbd4725d8e9"
},
{
"url": "https://git.kernel.org/stable/c/e2a8910af01653c1c268984855629d71fb81f404"
}
],
"title": "cifs: Fix buffer overflow when parsing NFS reparse points",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-49996",
"datePublished": "2024-10-21T18:02:37.046Z",
"dateReserved": "2024-10-21T12:17:06.056Z",
"dateUpdated": "2025-05-04T09:43:17.347Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38529 (GCVE-0-2025-38529)
Vulnerability from cvelistv5
Published
2025-08-16 11:12
Modified
2025-08-28 14:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
comedi: aio_iiro_16: Fix bit shift out of bounds
When checking for a supported IRQ number, the following test is used:
if ((1 << it->options[1]) & 0xdcfc) {
However, `it->options[i]` is an unchecked `int` value from userspace, so
the shift amount could be negative or out of bounds. Fix the test by
requiring `it->options[1]` to be within bounds before proceeding with
the original test. Valid `it->options[1]` values that select the IRQ
will be in the range [1,15]. The value 0 explicitly disables the use of
interrupts.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: ad7a370c8be47247f68f7187cc82f4f25a347116 Version: ad7a370c8be47247f68f7187cc82f4f25a347116 Version: ad7a370c8be47247f68f7187cc82f4f25a347116 Version: ad7a370c8be47247f68f7187cc82f4f25a347116 Version: ad7a370c8be47247f68f7187cc82f4f25a347116 Version: ad7a370c8be47247f68f7187cc82f4f25a347116 Version: ad7a370c8be47247f68f7187cc82f4f25a347116 Version: ad7a370c8be47247f68f7187cc82f4f25a347116 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/comedi/drivers/aio_iiro_16.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a88692245c315bf8e225f205297a6f4b13d6856a",
"status": "affected",
"version": "ad7a370c8be47247f68f7187cc82f4f25a347116",
"versionType": "git"
},
{
"lessThan": "5ac7c60439236fb691b8c7987390e2327bbf18fa",
"status": "affected",
"version": "ad7a370c8be47247f68f7187cc82f4f25a347116",
"versionType": "git"
},
{
"lessThan": "c593215385f0c0163015cca4512ed3ff42875d19",
"status": "affected",
"version": "ad7a370c8be47247f68f7187cc82f4f25a347116",
"versionType": "git"
},
{
"lessThan": "ff30dd3f15f443d2a0085b12ec2cc95d44f35fa7",
"status": "affected",
"version": "ad7a370c8be47247f68f7187cc82f4f25a347116",
"versionType": "git"
},
{
"lessThan": "955e8835855fed8e87f7d8c8075564a1746c1b4c",
"status": "affected",
"version": "ad7a370c8be47247f68f7187cc82f4f25a347116",
"versionType": "git"
},
{
"lessThan": "e0f3c0867d7d231c70984f05c97752caacd0daba",
"status": "affected",
"version": "ad7a370c8be47247f68f7187cc82f4f25a347116",
"versionType": "git"
},
{
"lessThan": "43ddd82e6a91913cea1c078e782afd8de60c3a53",
"status": "affected",
"version": "ad7a370c8be47247f68f7187cc82f4f25a347116",
"versionType": "git"
},
{
"lessThan": "66acb1586737a22dd7b78abc63213b1bcaa100e4",
"status": "affected",
"version": "ad7a370c8be47247f68f7187cc82f4f25a347116",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/comedi/drivers/aio_iiro_16.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.0"
},
{
"lessThan": "4.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.147",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.100",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.147",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.100",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.40",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.8",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: aio_iiro_16: Fix bit shift out of bounds\n\nWhen checking for a supported IRQ number, the following test is used:\n\n\tif ((1 \u003c\u003c it-\u003eoptions[1]) \u0026 0xdcfc) {\n\nHowever, `it-\u003eoptions[i]` is an unchecked `int` value from userspace, so\nthe shift amount could be negative or out of bounds. Fix the test by\nrequiring `it-\u003eoptions[1]` to be within bounds before proceeding with\nthe original test. Valid `it-\u003eoptions[1]` values that select the IRQ\nwill be in the range [1,15]. The value 0 explicitly disables the use of\ninterrupts."
}
],
"providerMetadata": {
"dateUpdated": "2025-08-28T14:43:36.193Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a88692245c315bf8e225f205297a6f4b13d6856a"
},
{
"url": "https://git.kernel.org/stable/c/5ac7c60439236fb691b8c7987390e2327bbf18fa"
},
{
"url": "https://git.kernel.org/stable/c/c593215385f0c0163015cca4512ed3ff42875d19"
},
{
"url": "https://git.kernel.org/stable/c/ff30dd3f15f443d2a0085b12ec2cc95d44f35fa7"
},
{
"url": "https://git.kernel.org/stable/c/955e8835855fed8e87f7d8c8075564a1746c1b4c"
},
{
"url": "https://git.kernel.org/stable/c/e0f3c0867d7d231c70984f05c97752caacd0daba"
},
{
"url": "https://git.kernel.org/stable/c/43ddd82e6a91913cea1c078e782afd8de60c3a53"
},
{
"url": "https://git.kernel.org/stable/c/66acb1586737a22dd7b78abc63213b1bcaa100e4"
}
],
"title": "comedi: aio_iiro_16: Fix bit shift out of bounds",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38529",
"datePublished": "2025-08-16T11:12:22.447Z",
"dateReserved": "2025-04-16T04:51:24.023Z",
"dateUpdated": "2025-08-28T14:43:36.193Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38602 (GCVE-0-2025-38602)
Vulnerability from cvelistv5
Published
2025-08-19 17:03
Modified
2025-09-29 05:54
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
iwlwifi: Add missing check for alloc_ordered_workqueue
Add check for the return value of alloc_ordered_workqueue since it may
return NULL pointer.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: b481de9ca074528fe8c429604e2777db8b89806a Version: b481de9ca074528fe8c429604e2777db8b89806a Version: b481de9ca074528fe8c429604e2777db8b89806a Version: b481de9ca074528fe8c429604e2777db8b89806a Version: b481de9ca074528fe8c429604e2777db8b89806a Version: b481de9ca074528fe8c429604e2777db8b89806a Version: b481de9ca074528fe8c429604e2777db8b89806a Version: b481de9ca074528fe8c429604e2777db8b89806a Version: b481de9ca074528fe8c429604e2777db8b89806a |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/intel/iwlwifi/dvm/main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c80832d445653baba5ac80cd2c2637c437ac881b",
"status": "affected",
"version": "b481de9ca074528fe8c429604e2777db8b89806a",
"versionType": "git"
},
{
"lessThan": "b398120fbe0acfef60b16f6a0f69902d385d7728",
"status": "affected",
"version": "b481de9ca074528fe8c429604e2777db8b89806a",
"versionType": "git"
},
{
"lessThan": "2e9f85ee3b46453a2f250a57d3a9f10c70c71202",
"status": "affected",
"version": "b481de9ca074528fe8c429604e2777db8b89806a",
"versionType": "git"
},
{
"lessThan": "6663c52608d8d8727bf1911e6d9218069ba1c85e",
"status": "affected",
"version": "b481de9ca074528fe8c429604e2777db8b89806a",
"versionType": "git"
},
{
"lessThan": "ca980f1911a7144d451d1c31298ab8507c6bd88f",
"status": "affected",
"version": "b481de9ca074528fe8c429604e2777db8b89806a",
"versionType": "git"
},
{
"lessThan": "7dd6350307af6521b6240b295c93b7eec4daebe6",
"status": "affected",
"version": "b481de9ca074528fe8c429604e2777db8b89806a",
"versionType": "git"
},
{
"lessThan": "c0e43c3f6c0a79381b468574c241065998412b7c",
"status": "affected",
"version": "b481de9ca074528fe8c429604e2777db8b89806a",
"versionType": "git"
},
{
"lessThan": "70a1b527eaea9430b1bd87de59f3b9f6bd225701",
"status": "affected",
"version": "b481de9ca074528fe8c429604e2777db8b89806a",
"versionType": "git"
},
{
"lessThan": "90a0d9f339960448a3acc1437a46730f975efd6a",
"status": "affected",
"version": "b481de9ca074528fe8c429604e2777db8b89806a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/intel/iwlwifi/dvm/main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.24"
},
{
"lessThan": "2.6.24",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.148",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.102",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.148",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.102",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.42",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.10",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "2.6.24",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niwlwifi: Add missing check for alloc_ordered_workqueue\n\nAdd check for the return value of alloc_ordered_workqueue since it may\nreturn NULL pointer."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:54:37.082Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c80832d445653baba5ac80cd2c2637c437ac881b"
},
{
"url": "https://git.kernel.org/stable/c/b398120fbe0acfef60b16f6a0f69902d385d7728"
},
{
"url": "https://git.kernel.org/stable/c/2e9f85ee3b46453a2f250a57d3a9f10c70c71202"
},
{
"url": "https://git.kernel.org/stable/c/6663c52608d8d8727bf1911e6d9218069ba1c85e"
},
{
"url": "https://git.kernel.org/stable/c/ca980f1911a7144d451d1c31298ab8507c6bd88f"
},
{
"url": "https://git.kernel.org/stable/c/7dd6350307af6521b6240b295c93b7eec4daebe6"
},
{
"url": "https://git.kernel.org/stable/c/c0e43c3f6c0a79381b468574c241065998412b7c"
},
{
"url": "https://git.kernel.org/stable/c/70a1b527eaea9430b1bd87de59f3b9f6bd225701"
},
{
"url": "https://git.kernel.org/stable/c/90a0d9f339960448a3acc1437a46730f975efd6a"
}
],
"title": "iwlwifi: Add missing check for alloc_ordered_workqueue",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38602",
"datePublished": "2025-08-19T17:03:41.604Z",
"dateReserved": "2025-04-16T04:51:24.028Z",
"dateUpdated": "2025-09-29T05:54:37.082Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38001 (GCVE-0-2025-38001)
Vulnerability from cvelistv5
Published
2025-06-06 13:41
Modified
2025-07-28 04:11
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net_sched: hfsc: Address reentrant enqueue adding class to eltree twice
Savino says:
"We are writing to report that this recent patch
(141d34391abbb315d68556b7c67ad97885407547) [1]
can be bypassed, and a UAF can still occur when HFSC is utilized with
NETEM.
The patch only checks the cl->cl_nactive field to determine whether
it is the first insertion or not [2], but this field is only
incremented by init_vf [3].
By using HFSC_RSC (which uses init_ed) [4], it is possible to bypass the
check and insert the class twice in the eltree.
Under normal conditions, this would lead to an infinite loop in
hfsc_dequeue for the reasons we already explained in this report [5].
However, if TBF is added as root qdisc and it is configured with a
very low rate,
it can be utilized to prevent packets from being dequeued.
This behavior can be exploited to perform subsequent insertions in the
HFSC eltree and cause a UAF."
To fix both the UAF and the infinite loop, with netem as an hfsc child,
check explicitly in hfsc_enqueue whether the class is already in the eltree
whenever the HFSC_RSC flag is set.
[1] https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=141d34391abbb315d68556b7c67ad97885407547
[2] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L1572
[3] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L677
[4] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L1574
[5] https://lore.kernel.org/netdev/8DuRWwfqjoRDLDmBMlIfbrsZg9Gx50DHJc1ilxsEBNe2D6NMoigR_eIRIG0LOjMc3r10nUUZtArXx4oZBIdUfZQrwjcQhdinnMis_0G7VEk=@willsroot.io/T/#u
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea Version: 37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea Version: 37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea Version: 37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea Version: 37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea Version: 37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea Version: 37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea Version: 37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea Version: 37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-07-13T18:31:30.486Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://syst3mfailure.io/rbtree-family-drama/"
}
],
"title": "CVE Program Container",
"x_generator": {
"engine": "ADPogram 0.0.1"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/sch_hfsc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e5bee633cc276410337d54b99f77fbc1ad8801e5",
"status": "affected",
"version": "37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea",
"versionType": "git"
},
{
"lessThan": "6672e6c00810056acaac019fe26cdc26fee8a66c",
"status": "affected",
"version": "37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea",
"versionType": "git"
},
{
"lessThan": "2c928b3a0b04a431ffcd6c8b7d88a267124a3a28",
"status": "affected",
"version": "37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea",
"versionType": "git"
},
{
"lessThan": "a0ec22fa20b252edbe070a9de8501eef63c17ef5",
"status": "affected",
"version": "37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea",
"versionType": "git"
},
{
"lessThan": "295f7c579b07b5b7cf2dffe485f71cc2f27647cb",
"status": "affected",
"version": "37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea",
"versionType": "git"
},
{
"lessThan": "2f2190ce4ca972051cac6a8d7937448f8cb9673c",
"status": "affected",
"version": "37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea",
"versionType": "git"
},
{
"lessThan": "4e38eaaabfb7fffbb371a51150203e19eee5d70e",
"status": "affected",
"version": "37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea",
"versionType": "git"
},
{
"lessThan": "39ed887b1dd2d6b720f87e86692ac3006cc111c8",
"status": "affected",
"version": "37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea",
"versionType": "git"
},
{
"lessThan": "ac9fe7dd8e730a103ae4481147395cc73492d786",
"status": "affected",
"version": "37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/sch_hfsc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.0"
},
{
"lessThan": "5.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.294",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.238",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.185",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.141",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.32",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.294",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.238",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.185",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.141",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.93",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.32",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.10",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.1",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: hfsc: Address reentrant enqueue adding class to eltree twice\n\nSavino says:\n \"We are writing to report that this recent patch\n (141d34391abbb315d68556b7c67ad97885407547) [1]\n can be bypassed, and a UAF can still occur when HFSC is utilized with\n NETEM.\n\n The patch only checks the cl-\u003ecl_nactive field to determine whether\n it is the first insertion or not [2], but this field is only\n incremented by init_vf [3].\n\n By using HFSC_RSC (which uses init_ed) [4], it is possible to bypass the\n check and insert the class twice in the eltree.\n Under normal conditions, this would lead to an infinite loop in\n hfsc_dequeue for the reasons we already explained in this report [5].\n\n However, if TBF is added as root qdisc and it is configured with a\n very low rate,\n it can be utilized to prevent packets from being dequeued.\n This behavior can be exploited to perform subsequent insertions in the\n HFSC eltree and cause a UAF.\"\n\nTo fix both the UAF and the infinite loop, with netem as an hfsc child,\ncheck explicitly in hfsc_enqueue whether the class is already in the eltree\nwhenever the HFSC_RSC flag is set.\n\n[1] https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=141d34391abbb315d68556b7c67ad97885407547\n[2] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L1572\n[3] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L677\n[4] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L1574\n[5] https://lore.kernel.org/netdev/8DuRWwfqjoRDLDmBMlIfbrsZg9Gx50DHJc1ilxsEBNe2D6NMoigR_eIRIG0LOjMc3r10nUUZtArXx4oZBIdUfZQrwjcQhdinnMis_0G7VEk=@willsroot.io/T/#u"
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T04:11:54.147Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e5bee633cc276410337d54b99f77fbc1ad8801e5"
},
{
"url": "https://git.kernel.org/stable/c/6672e6c00810056acaac019fe26cdc26fee8a66c"
},
{
"url": "https://git.kernel.org/stable/c/2c928b3a0b04a431ffcd6c8b7d88a267124a3a28"
},
{
"url": "https://git.kernel.org/stable/c/a0ec22fa20b252edbe070a9de8501eef63c17ef5"
},
{
"url": "https://git.kernel.org/stable/c/295f7c579b07b5b7cf2dffe485f71cc2f27647cb"
},
{
"url": "https://git.kernel.org/stable/c/2f2190ce4ca972051cac6a8d7937448f8cb9673c"
},
{
"url": "https://git.kernel.org/stable/c/4e38eaaabfb7fffbb371a51150203e19eee5d70e"
},
{
"url": "https://git.kernel.org/stable/c/39ed887b1dd2d6b720f87e86692ac3006cc111c8"
},
{
"url": "https://git.kernel.org/stable/c/ac9fe7dd8e730a103ae4481147395cc73492d786"
}
],
"title": "net_sched: hfsc: Address reentrant enqueue adding class to eltree twice",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38001",
"datePublished": "2025-06-06T13:41:45.462Z",
"dateReserved": "2025-04-16T04:51:23.976Z",
"dateUpdated": "2025-07-28T04:11:54.147Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38617 (GCVE-0-2025-38617)
Vulnerability from cvelistv5
Published
2025-08-22 13:01
Modified
2025-09-29 05:54
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/packet: fix a race in packet_set_ring() and packet_notifier()
When packet_set_ring() releases po->bind_lock, another thread can
run packet_notifier() and process an NETDEV_UP event.
This race and the fix are both similar to that of commit 15fe076edea7
("net/packet: fix a race in packet_bind() and packet_notifier()").
There too the packet_notifier NETDEV_UP event managed to run while a
po->bind_lock critical section had to be temporarily released. And
the fix was similarly to temporarily set po->num to zero to keep
the socket unhooked until the lock is retaken.
The po->bind_lock in packet_set_ring and packet_notifier precede the
introduction of git history.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/packet/af_packet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "18f13f2a83eb81be349a9757ba2141ff1da9ad73",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7da733f117533e9b2ebbd530a22ae4028713955c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ba2257034755ae773722f15f4c3ad1dcdad15ca9",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7de07705007c7e34995a5599aaab1d23e762d7ca",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "88caf46db8239e6471413d28aabaa6b8bd552805",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f2e8fcfd2b1bc754920108b7f2cd75082c5a18df",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e50ccfaca9e3c671cae917dcb994831a859cf588",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f1791fd7b845bea0ce9674fcf2febee7bc87a893",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "01d3c8417b9c1b884a8a981a3b886da556512f36",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/packet/af_packet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.148",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.102",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.148",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.102",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.42",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.10",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/packet: fix a race in packet_set_ring() and packet_notifier()\n\nWhen packet_set_ring() releases po-\u003ebind_lock, another thread can\nrun packet_notifier() and process an NETDEV_UP event.\n\nThis race and the fix are both similar to that of commit 15fe076edea7\n(\"net/packet: fix a race in packet_bind() and packet_notifier()\").\n\nThere too the packet_notifier NETDEV_UP event managed to run while a\npo-\u003ebind_lock critical section had to be temporarily released. And\nthe fix was similarly to temporarily set po-\u003enum to zero to keep\nthe socket unhooked until the lock is retaken.\n\nThe po-\u003ebind_lock in packet_set_ring and packet_notifier precede the\nintroduction of git history."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:54:52.280Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/18f13f2a83eb81be349a9757ba2141ff1da9ad73"
},
{
"url": "https://git.kernel.org/stable/c/7da733f117533e9b2ebbd530a22ae4028713955c"
},
{
"url": "https://git.kernel.org/stable/c/ba2257034755ae773722f15f4c3ad1dcdad15ca9"
},
{
"url": "https://git.kernel.org/stable/c/7de07705007c7e34995a5599aaab1d23e762d7ca"
},
{
"url": "https://git.kernel.org/stable/c/88caf46db8239e6471413d28aabaa6b8bd552805"
},
{
"url": "https://git.kernel.org/stable/c/f2e8fcfd2b1bc754920108b7f2cd75082c5a18df"
},
{
"url": "https://git.kernel.org/stable/c/e50ccfaca9e3c671cae917dcb994831a859cf588"
},
{
"url": "https://git.kernel.org/stable/c/f1791fd7b845bea0ce9674fcf2febee7bc87a893"
},
{
"url": "https://git.kernel.org/stable/c/01d3c8417b9c1b884a8a981a3b886da556512f36"
}
],
"title": "net/packet: fix a race in packet_set_ring() and packet_notifier()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38617",
"datePublished": "2025-08-22T13:01:23.963Z",
"dateReserved": "2025-04-16T04:51:24.029Z",
"dateUpdated": "2025-09-29T05:54:52.280Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50191 (GCVE-0-2022-50191)
Vulnerability from cvelistv5
Published
2025-06-18 11:03
Modified
2025-06-18 11:03
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
regulator: of: Fix refcount leak bug in of_get_regulation_constraints()
We should call the of_node_put() for the reference returned by
of_get_child_by_name() which has increased the refcount.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 40e20d68bb3fb1ce2704c886d597918988d3321d Version: 40e20d68bb3fb1ce2704c886d597918988d3321d Version: 40e20d68bb3fb1ce2704c886d597918988d3321d Version: 40e20d68bb3fb1ce2704c886d597918988d3321d Version: 40e20d68bb3fb1ce2704c886d597918988d3321d Version: 40e20d68bb3fb1ce2704c886d597918988d3321d Version: 40e20d68bb3fb1ce2704c886d597918988d3321d Version: 40e20d68bb3fb1ce2704c886d597918988d3321d |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/regulator/of_regulator.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a23098cc32860272dc6c3200ff20c34c65b7b694",
"status": "affected",
"version": "40e20d68bb3fb1ce2704c886d597918988d3321d",
"versionType": "git"
},
{
"lessThan": "b9ca8585c766616563cf3c062c6878f61f83cf00",
"status": "affected",
"version": "40e20d68bb3fb1ce2704c886d597918988d3321d",
"versionType": "git"
},
{
"lessThan": "35f9e861d9b9434903a8ede37a3561f78985826d",
"status": "affected",
"version": "40e20d68bb3fb1ce2704c886d597918988d3321d",
"versionType": "git"
},
{
"lessThan": "332e555dca074c4eb2084898021c3676423814c3",
"status": "affected",
"version": "40e20d68bb3fb1ce2704c886d597918988d3321d",
"versionType": "git"
},
{
"lessThan": "c9df8ff290097aabd5c9200f7f729b0813d37b19",
"status": "affected",
"version": "40e20d68bb3fb1ce2704c886d597918988d3321d",
"versionType": "git"
},
{
"lessThan": "11ecb4f8735b0230d54a82c18b21ea778b695d61",
"status": "affected",
"version": "40e20d68bb3fb1ce2704c886d597918988d3321d",
"versionType": "git"
},
{
"lessThan": "fc7b19f547bc9e622060a0a9a39da2330aa21c53",
"status": "affected",
"version": "40e20d68bb3fb1ce2704c886d597918988d3321d",
"versionType": "git"
},
{
"lessThan": "66efb665cd5ad69b27dca8571bf89fc6b9c628a4",
"status": "affected",
"version": "40e20d68bb3fb1ce2704c886d597918988d3321d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/regulator/of_regulator.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.19"
},
{
"lessThan": "3.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.256",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.211",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.137",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.291",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.256",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.211",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.137",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.61",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.18",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.2",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0",
"versionStartIncluding": "3.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nregulator: of: Fix refcount leak bug in of_get_regulation_constraints()\n\nWe should call the of_node_put() for the reference returned by\nof_get_child_by_name() which has increased the refcount."
}
],
"providerMetadata": {
"dateUpdated": "2025-06-18T11:03:36.928Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a23098cc32860272dc6c3200ff20c34c65b7b694"
},
{
"url": "https://git.kernel.org/stable/c/b9ca8585c766616563cf3c062c6878f61f83cf00"
},
{
"url": "https://git.kernel.org/stable/c/35f9e861d9b9434903a8ede37a3561f78985826d"
},
{
"url": "https://git.kernel.org/stable/c/332e555dca074c4eb2084898021c3676423814c3"
},
{
"url": "https://git.kernel.org/stable/c/c9df8ff290097aabd5c9200f7f729b0813d37b19"
},
{
"url": "https://git.kernel.org/stable/c/11ecb4f8735b0230d54a82c18b21ea778b695d61"
},
{
"url": "https://git.kernel.org/stable/c/fc7b19f547bc9e622060a0a9a39da2330aa21c53"
},
{
"url": "https://git.kernel.org/stable/c/66efb665cd5ad69b27dca8571bf89fc6b9c628a4"
}
],
"title": "regulator: of: Fix refcount leak bug in of_get_regulation_constraints()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50191",
"datePublished": "2025-06-18T11:03:36.928Z",
"dateReserved": "2025-06-18T10:57:27.427Z",
"dateUpdated": "2025-06-18T11:03:36.928Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-46733 (GCVE-0-2024-46733)
Vulnerability from cvelistv5
Published
2024-09-18 06:32
Modified
2025-05-04 09:32
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix qgroup reserve leaks in cow_file_range
In the buffered write path, the dirty page owns the qgroup reserve until
it creates an ordered_extent.
Therefore, any errors that occur before the ordered_extent is created
must free that reservation, or else the space is leaked. The fstest
generic/475 exercises various IO error paths, and is able to trigger
errors in cow_file_range where we fail to get to allocating the ordered
extent. Note that because we *do* clear delalloc, we are likely to
remove the inode from the delalloc list, so the inodes/pages to not have
invalidate/launder called on them in the commit abort path.
This results in failures at the unmount stage of the test that look like:
BTRFS: error (device dm-8 state EA) in cleanup_transaction:2018: errno=-5 IO failure
BTRFS: error (device dm-8 state EA) in btrfs_replace_file_extents:2416: errno=-5 IO failure
BTRFS warning (device dm-8 state EA): qgroup 0/5 has unreleased space, type 0 rsv 28672
------------[ cut here ]------------
WARNING: CPU: 3 PID: 22588 at fs/btrfs/disk-io.c:4333 close_ctree+0x222/0x4d0 [btrfs]
Modules linked in: btrfs blake2b_generic libcrc32c xor zstd_compress raid6_pq
CPU: 3 PID: 22588 Comm: umount Kdump: loaded Tainted: G W 6.10.0-rc7-gab56fde445b8 #21
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014
RIP: 0010:close_ctree+0x222/0x4d0 [btrfs]
RSP: 0018:ffffb4465283be00 EFLAGS: 00010202
RAX: 0000000000000001 RBX: ffffa1a1818e1000 RCX: 0000000000000001
RDX: 0000000000000000 RSI: ffffb4465283bbe0 RDI: ffffa1a19374fcb8
RBP: ffffa1a1818e13c0 R08: 0000000100028b16 R09: 0000000000000000
R10: 0000000000000003 R11: 0000000000000003 R12: ffffa1a18ad7972c
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS: 00007f9168312b80(0000) GS:ffffa1a4afcc0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f91683c9140 CR3: 000000010acaa000 CR4: 00000000000006f0
Call Trace:
<TASK>
? close_ctree+0x222/0x4d0 [btrfs]
? __warn.cold+0x8e/0xea
? close_ctree+0x222/0x4d0 [btrfs]
? report_bug+0xff/0x140
? handle_bug+0x3b/0x70
? exc_invalid_op+0x17/0x70
? asm_exc_invalid_op+0x1a/0x20
? close_ctree+0x222/0x4d0 [btrfs]
generic_shutdown_super+0x70/0x160
kill_anon_super+0x11/0x40
btrfs_kill_super+0x11/0x20 [btrfs]
deactivate_locked_super+0x2e/0xa0
cleanup_mnt+0xb5/0x150
task_work_run+0x57/0x80
syscall_exit_to_user_mode+0x121/0x130
do_syscall_64+0xab/0x1a0
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f916847a887
---[ end trace 0000000000000000 ]---
BTRFS error (device dm-8 state EA): qgroup reserved space leaked
Cases 2 and 3 in the out_reserve path both pertain to this type of leak
and must free the reserved qgroup data. Because it is already an error
path, I opted not to handle the possible errors in
btrfs_free_qgroup_data.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-46733",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-29T14:53:35.751159Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-29T14:53:50.933Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "159f0f61b283ea71e827dd0c18c5dce197de1fa2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "84464db2ec2a55b9313d5f264da196a37ec80994",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e42ef22bc10f0309c0c65d8d6ca8b4127a674b7f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "30479f31d44d47ed00ae0c7453d9b253537005b2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.135",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.88",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.10.*",
"status": "unaffected",
"version": "6.10.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.11",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.135",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.88",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix qgroup reserve leaks in cow_file_range\n\nIn the buffered write path, the dirty page owns the qgroup reserve until\nit creates an ordered_extent.\n\nTherefore, any errors that occur before the ordered_extent is created\nmust free that reservation, or else the space is leaked. The fstest\ngeneric/475 exercises various IO error paths, and is able to trigger\nerrors in cow_file_range where we fail to get to allocating the ordered\nextent. Note that because we *do* clear delalloc, we are likely to\nremove the inode from the delalloc list, so the inodes/pages to not have\ninvalidate/launder called on them in the commit abort path.\n\nThis results in failures at the unmount stage of the test that look like:\n\n BTRFS: error (device dm-8 state EA) in cleanup_transaction:2018: errno=-5 IO failure\n BTRFS: error (device dm-8 state EA) in btrfs_replace_file_extents:2416: errno=-5 IO failure\n BTRFS warning (device dm-8 state EA): qgroup 0/5 has unreleased space, type 0 rsv 28672\n ------------[ cut here ]------------\n WARNING: CPU: 3 PID: 22588 at fs/btrfs/disk-io.c:4333 close_ctree+0x222/0x4d0 [btrfs]\n Modules linked in: btrfs blake2b_generic libcrc32c xor zstd_compress raid6_pq\n CPU: 3 PID: 22588 Comm: umount Kdump: loaded Tainted: G W 6.10.0-rc7-gab56fde445b8 #21\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014\n RIP: 0010:close_ctree+0x222/0x4d0 [btrfs]\n RSP: 0018:ffffb4465283be00 EFLAGS: 00010202\n RAX: 0000000000000001 RBX: ffffa1a1818e1000 RCX: 0000000000000001\n RDX: 0000000000000000 RSI: ffffb4465283bbe0 RDI: ffffa1a19374fcb8\n RBP: ffffa1a1818e13c0 R08: 0000000100028b16 R09: 0000000000000000\n R10: 0000000000000003 R11: 0000000000000003 R12: ffffa1a18ad7972c\n R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n FS: 00007f9168312b80(0000) GS:ffffa1a4afcc0000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007f91683c9140 CR3: 000000010acaa000 CR4: 00000000000006f0\n Call Trace:\n \u003cTASK\u003e\n ? close_ctree+0x222/0x4d0 [btrfs]\n ? __warn.cold+0x8e/0xea\n ? close_ctree+0x222/0x4d0 [btrfs]\n ? report_bug+0xff/0x140\n ? handle_bug+0x3b/0x70\n ? exc_invalid_op+0x17/0x70\n ? asm_exc_invalid_op+0x1a/0x20\n ? close_ctree+0x222/0x4d0 [btrfs]\n generic_shutdown_super+0x70/0x160\n kill_anon_super+0x11/0x40\n btrfs_kill_super+0x11/0x20 [btrfs]\n deactivate_locked_super+0x2e/0xa0\n cleanup_mnt+0xb5/0x150\n task_work_run+0x57/0x80\n syscall_exit_to_user_mode+0x121/0x130\n do_syscall_64+0xab/0x1a0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n RIP: 0033:0x7f916847a887\n ---[ end trace 0000000000000000 ]---\n BTRFS error (device dm-8 state EA): qgroup reserved space leaked\n\nCases 2 and 3 in the out_reserve path both pertain to this type of leak\nand must free the reserved qgroup data. Because it is already an error\npath, I opted not to handle the possible errors in\nbtrfs_free_qgroup_data."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:32:59.327Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/159f0f61b283ea71e827dd0c18c5dce197de1fa2"
},
{
"url": "https://git.kernel.org/stable/c/84464db2ec2a55b9313d5f264da196a37ec80994"
},
{
"url": "https://git.kernel.org/stable/c/e42ef22bc10f0309c0c65d8d6ca8b4127a674b7f"
},
{
"url": "https://git.kernel.org/stable/c/30479f31d44d47ed00ae0c7453d9b253537005b2"
}
],
"title": "btrfs: fix qgroup reserve leaks in cow_file_range",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-46733",
"datePublished": "2024-09-18T06:32:27.453Z",
"dateReserved": "2024-09-11T15:12:18.257Z",
"dateUpdated": "2025-05-04T09:32:59.327Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38386 (GCVE-0-2025-38386)
Vulnerability from cvelistv5
Published
2025-07-25 12:53
Modified
2025-07-28 04:20
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ACPICA: Refuse to evaluate a method if arguments are missing
As reported in [1], a platform firmware update that increased the number
of method parameters and forgot to update a least one of its callers,
caused ACPICA to crash due to use-after-free.
Since this a result of a clear AML issue that arguably cannot be fixed
up by the interpreter (it cannot produce missing data out of thin air),
address it by making ACPICA refuse to evaluate a method if the caller
attempts to pass fewer arguments than expected to it.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/acpi/acpica/dsmethod.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b49d224d1830c46e20adce2a239c454cdab426f1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2219e49857ffd6aea1b1ca5214d3270f84623a16",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ab1e8491c19eb2ea0fda81ef28e841c7cb6399f5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4305d936abde795c2ef6ba916de8f00a50f64d2d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d547779e72cea9865b732cd45393c4cd02b3598e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "18ff4ed6a33a7e3f2097710eacc96bea7696e803",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c9e4da550ae196132b990bd77ed3d8f2d9747f87",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6fcab2791543924d438e7fa49276d0998b0a069f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/acpi/acpica/dsmethod.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.296",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.240",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.187",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.144",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.97",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.37",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.296",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.240",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.187",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.144",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.97",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPICA: Refuse to evaluate a method if arguments are missing\n\nAs reported in [1], a platform firmware update that increased the number\nof method parameters and forgot to update a least one of its callers,\ncaused ACPICA to crash due to use-after-free.\n\nSince this a result of a clear AML issue that arguably cannot be fixed\nup by the interpreter (it cannot produce missing data out of thin air),\naddress it by making ACPICA refuse to evaluate a method if the caller\nattempts to pass fewer arguments than expected to it."
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T04:20:47.364Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b49d224d1830c46e20adce2a239c454cdab426f1"
},
{
"url": "https://git.kernel.org/stable/c/2219e49857ffd6aea1b1ca5214d3270f84623a16"
},
{
"url": "https://git.kernel.org/stable/c/ab1e8491c19eb2ea0fda81ef28e841c7cb6399f5"
},
{
"url": "https://git.kernel.org/stable/c/4305d936abde795c2ef6ba916de8f00a50f64d2d"
},
{
"url": "https://git.kernel.org/stable/c/d547779e72cea9865b732cd45393c4cd02b3598e"
},
{
"url": "https://git.kernel.org/stable/c/18ff4ed6a33a7e3f2097710eacc96bea7696e803"
},
{
"url": "https://git.kernel.org/stable/c/c9e4da550ae196132b990bd77ed3d8f2d9747f87"
},
{
"url": "https://git.kernel.org/stable/c/6fcab2791543924d438e7fa49276d0998b0a069f"
}
],
"title": "ACPICA: Refuse to evaluate a method if arguments are missing",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38386",
"datePublished": "2025-07-25T12:53:27.229Z",
"dateReserved": "2025-04-16T04:51:24.010Z",
"dateUpdated": "2025-07-28T04:20:47.364Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-47706 (GCVE-0-2024-47706)
Vulnerability from cvelistv5
Published
2024-10-21 11:53
Modified
2025-05-04 09:37
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
block, bfq: fix possible UAF for bfqq->bic with merge chain
1) initial state, three tasks:
Process 1 Process 2 Process 3
(BIC1) (BIC2) (BIC3)
| Λ | Λ | Λ
| | | | | |
V | V | V |
bfqq1 bfqq2 bfqq3
process ref: 1 1 1
2) bfqq1 merged to bfqq2:
Process 1 Process 2 Process 3
(BIC1) (BIC2) (BIC3)
| | | Λ
\--------------\| | |
V V |
bfqq1--------->bfqq2 bfqq3
process ref: 0 2 1
3) bfqq2 merged to bfqq3:
Process 1 Process 2 Process 3
(BIC1) (BIC2) (BIC3)
here -> Λ | |
\--------------\ \-------------\|
V V
bfqq1--------->bfqq2---------->bfqq3
process ref: 0 1 3
In this case, IO from Process 1 will get bfqq2 from BIC1 first, and then
get bfqq3 through merge chain, and finially handle IO by bfqq3.
Howerver, current code will think bfqq2 is owned by BIC1, like initial
state, and set bfqq2->bic to BIC1.
bfq_insert_request
-> by Process 1
bfqq = bfq_init_rq(rq)
bfqq = bfq_get_bfqq_handle_split
bfqq = bic_to_bfqq
-> get bfqq2 from BIC1
bfqq->ref++
rq->elv.priv[0] = bic
rq->elv.priv[1] = bfqq
if (bfqq_process_refs(bfqq) == 1)
bfqq->bic = bic
-> record BIC1 to bfqq2
__bfq_insert_request
new_bfqq = bfq_setup_cooperator
-> get bfqq3 from bfqq2->new_bfqq
bfqq_request_freed(bfqq)
new_bfqq->ref++
rq->elv.priv[1] = new_bfqq
-> handle IO by bfqq3
Fix the problem by checking bfqq is from merge chain fist. And this
might fix a following problem reported by our syzkaller(unreproducible):
==================================================================
BUG: KASAN: slab-use-after-free in bfq_do_early_stable_merge block/bfq-iosched.c:5692 [inline]
BUG: KASAN: slab-use-after-free in bfq_do_or_sched_stable_merge block/bfq-iosched.c:5805 [inline]
BUG: KASAN: slab-use-after-free in bfq_get_queue+0x25b0/0x2610 block/bfq-iosched.c:5889
Write of size 1 at addr ffff888123839eb8 by task kworker/0:1H/18595
CPU: 0 PID: 18595 Comm: kworker/0:1H Tainted: G L 6.6.0-07439-gba2303cacfda #6
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
Workqueue: kblockd blk_mq_requeue_work
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x91/0xf0 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:364 [inline]
print_report+0x10d/0x610 mm/kasan/report.c:475
kasan_report+0x8e/0xc0 mm/kasan/report.c:588
bfq_do_early_stable_merge block/bfq-iosched.c:5692 [inline]
bfq_do_or_sched_stable_merge block/bfq-iosched.c:5805 [inline]
bfq_get_queue+0x25b0/0x2610 block/bfq-iosched.c:5889
bfq_get_bfqq_handle_split+0x169/0x5d0 block/bfq-iosched.c:6757
bfq_init_rq block/bfq-iosched.c:6876 [inline]
bfq_insert_request block/bfq-iosched.c:6254 [inline]
bfq_insert_requests+0x1112/0x5cf0 block/bfq-iosched.c:6304
blk_mq_insert_request+0x290/0x8d0 block/blk-mq.c:2593
blk_mq_requeue_work+0x6bc/0xa70 block/blk-mq.c:1502
process_one_work kernel/workqueue.c:2627 [inline]
process_scheduled_works+0x432/0x13f0 kernel/workqueue.c:2700
worker_thread+0x6f2/0x1160 kernel/workqueue.c:2781
kthread+0x33c/0x440 kernel/kthread.c:388
ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:305
</TASK>
Allocated by task 20776:
kasan_save_stack+0x20/0x40 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
__kasan_slab_alloc+0x87/0x90 mm/kasan/common.c:328
kasan_slab_alloc include/linux/kasan.h:188 [inline]
slab_post_alloc_hook mm/slab.h:763 [inline]
slab_alloc_node mm/slub.c:3458 [inline]
kmem_cache_alloc_node+0x1a4/0x6f0 mm/slub.c:3503
ioc_create_icq block/blk-ioc.c:370 [inline]
---truncated---
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 36eca894832351feed9072d0f97eb06fc9482ca4 Version: 36eca894832351feed9072d0f97eb06fc9482ca4 Version: 36eca894832351feed9072d0f97eb06fc9482ca4 Version: 36eca894832351feed9072d0f97eb06fc9482ca4 Version: 36eca894832351feed9072d0f97eb06fc9482ca4 Version: 36eca894832351feed9072d0f97eb06fc9482ca4 Version: 36eca894832351feed9072d0f97eb06fc9482ca4 Version: 36eca894832351feed9072d0f97eb06fc9482ca4 Version: 36eca894832351feed9072d0f97eb06fc9482ca4 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47706",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-21T13:03:53.838190Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-21T13:04:19.673Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"block/bfq-iosched.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a9bdd5b36887d2bacb8bc777fd18317c99fc2587",
"status": "affected",
"version": "36eca894832351feed9072d0f97eb06fc9482ca4",
"versionType": "git"
},
{
"lessThan": "bc2140534b2aae752e4f7cb4489642dbb5ec4777",
"status": "affected",
"version": "36eca894832351feed9072d0f97eb06fc9482ca4",
"versionType": "git"
},
{
"lessThan": "e1277ae780cca4e69ef5468d4582dfd48f0b8320",
"status": "affected",
"version": "36eca894832351feed9072d0f97eb06fc9482ca4",
"versionType": "git"
},
{
"lessThan": "8aa9de02a4be2e7006e636816ce19b0d667ceaa3",
"status": "affected",
"version": "36eca894832351feed9072d0f97eb06fc9482ca4",
"versionType": "git"
},
{
"lessThan": "ddbdaad123254fb53e32480cb74a486a6868b1e0",
"status": "affected",
"version": "36eca894832351feed9072d0f97eb06fc9482ca4",
"versionType": "git"
},
{
"lessThan": "7faed2896d78e48ec96229e73b30b0af6c00a9aa",
"status": "affected",
"version": "36eca894832351feed9072d0f97eb06fc9482ca4",
"versionType": "git"
},
{
"lessThan": "880692ee233ba63808182705b3333403413b58f5",
"status": "affected",
"version": "36eca894832351feed9072d0f97eb06fc9482ca4",
"versionType": "git"
},
{
"lessThan": "6d130db286ad0ea392c96ebb2551acf0d7308048",
"status": "affected",
"version": "36eca894832351feed9072d0f97eb06fc9482ca4",
"versionType": "git"
},
{
"lessThan": "18ad4df091dd5d067d2faa8fce1180b79f7041a7",
"status": "affected",
"version": "36eca894832351feed9072d0f97eb06fc9482ca4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"block/bfq-iosched.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.323",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.285",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.227",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.10.*",
"status": "unaffected",
"version": "6.10.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"version": "6.11.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.12",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.323",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.285",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.227",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.168",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.113",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.54",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10.13",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11.2",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock, bfq: fix possible UAF for bfqq-\u003ebic with merge chain\n\n1) initial state, three tasks:\n\n\t\tProcess 1 Process 2\tProcess 3\n\t\t (BIC1) (BIC2)\t\t (BIC3)\n\t\t | \u039b | \u039b\t\t | \u039b\n\t\t | | | |\t\t | |\n\t\t V | V |\t\t V |\n\t\t bfqq1 bfqq2\t\t bfqq3\nprocess ref:\t 1\t\t 1\t\t 1\n\n2) bfqq1 merged to bfqq2:\n\n\t\tProcess 1 Process 2\tProcess 3\n\t\t (BIC1) (BIC2)\t\t (BIC3)\n\t\t | |\t\t | \u039b\n\t\t \\--------------\\|\t\t | |\n\t\t V\t\t V |\n\t\t bfqq1---------\u003ebfqq2\t\t bfqq3\nprocess ref:\t 0\t\t 2\t\t 1\n\n3) bfqq2 merged to bfqq3:\n\n\t\tProcess 1 Process 2\tProcess 3\n\t\t (BIC1) (BIC2)\t\t (BIC3)\n\t here -\u003e \u039b |\t\t |\n\t\t \\--------------\\ \\-------------\\|\n\t\t V\t\t V\n\t\t bfqq1---------\u003ebfqq2----------\u003ebfqq3\nprocess ref:\t 0\t\t 1\t\t 3\n\nIn this case, IO from Process 1 will get bfqq2 from BIC1 first, and then\nget bfqq3 through merge chain, and finially handle IO by bfqq3.\nHowerver, current code will think bfqq2 is owned by BIC1, like initial\nstate, and set bfqq2-\u003ebic to BIC1.\n\nbfq_insert_request\n-\u003e by Process 1\n bfqq = bfq_init_rq(rq)\n bfqq = bfq_get_bfqq_handle_split\n bfqq = bic_to_bfqq\n -\u003e get bfqq2 from BIC1\n bfqq-\u003eref++\n rq-\u003eelv.priv[0] = bic\n rq-\u003eelv.priv[1] = bfqq\n if (bfqq_process_refs(bfqq) == 1)\n bfqq-\u003ebic = bic\n -\u003e record BIC1 to bfqq2\n\n __bfq_insert_request\n new_bfqq = bfq_setup_cooperator\n -\u003e get bfqq3 from bfqq2-\u003enew_bfqq\n bfqq_request_freed(bfqq)\n new_bfqq-\u003eref++\n rq-\u003eelv.priv[1] = new_bfqq\n -\u003e handle IO by bfqq3\n\nFix the problem by checking bfqq is from merge chain fist. And this\nmight fix a following problem reported by our syzkaller(unreproducible):\n\n==================================================================\nBUG: KASAN: slab-use-after-free in bfq_do_early_stable_merge block/bfq-iosched.c:5692 [inline]\nBUG: KASAN: slab-use-after-free in bfq_do_or_sched_stable_merge block/bfq-iosched.c:5805 [inline]\nBUG: KASAN: slab-use-after-free in bfq_get_queue+0x25b0/0x2610 block/bfq-iosched.c:5889\nWrite of size 1 at addr ffff888123839eb8 by task kworker/0:1H/18595\n\nCPU: 0 PID: 18595 Comm: kworker/0:1H Tainted: G L 6.6.0-07439-gba2303cacfda #6\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\nWorkqueue: kblockd blk_mq_requeue_work\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x91/0xf0 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:364 [inline]\n print_report+0x10d/0x610 mm/kasan/report.c:475\n kasan_report+0x8e/0xc0 mm/kasan/report.c:588\n bfq_do_early_stable_merge block/bfq-iosched.c:5692 [inline]\n bfq_do_or_sched_stable_merge block/bfq-iosched.c:5805 [inline]\n bfq_get_queue+0x25b0/0x2610 block/bfq-iosched.c:5889\n bfq_get_bfqq_handle_split+0x169/0x5d0 block/bfq-iosched.c:6757\n bfq_init_rq block/bfq-iosched.c:6876 [inline]\n bfq_insert_request block/bfq-iosched.c:6254 [inline]\n bfq_insert_requests+0x1112/0x5cf0 block/bfq-iosched.c:6304\n blk_mq_insert_request+0x290/0x8d0 block/blk-mq.c:2593\n blk_mq_requeue_work+0x6bc/0xa70 block/blk-mq.c:1502\n process_one_work kernel/workqueue.c:2627 [inline]\n process_scheduled_works+0x432/0x13f0 kernel/workqueue.c:2700\n worker_thread+0x6f2/0x1160 kernel/workqueue.c:2781\n kthread+0x33c/0x440 kernel/kthread.c:388\n ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:305\n \u003c/TASK\u003e\n\nAllocated by task 20776:\n kasan_save_stack+0x20/0x40 mm/kasan/common.c:45\n kasan_set_track+0x25/0x30 mm/kasan/common.c:52\n __kasan_slab_alloc+0x87/0x90 mm/kasan/common.c:328\n kasan_slab_alloc include/linux/kasan.h:188 [inline]\n slab_post_alloc_hook mm/slab.h:763 [inline]\n slab_alloc_node mm/slub.c:3458 [inline]\n kmem_cache_alloc_node+0x1a4/0x6f0 mm/slub.c:3503\n ioc_create_icq block/blk-ioc.c:370 [inline]\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:37:55.250Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a9bdd5b36887d2bacb8bc777fd18317c99fc2587"
},
{
"url": "https://git.kernel.org/stable/c/bc2140534b2aae752e4f7cb4489642dbb5ec4777"
},
{
"url": "https://git.kernel.org/stable/c/e1277ae780cca4e69ef5468d4582dfd48f0b8320"
},
{
"url": "https://git.kernel.org/stable/c/8aa9de02a4be2e7006e636816ce19b0d667ceaa3"
},
{
"url": "https://git.kernel.org/stable/c/ddbdaad123254fb53e32480cb74a486a6868b1e0"
},
{
"url": "https://git.kernel.org/stable/c/7faed2896d78e48ec96229e73b30b0af6c00a9aa"
},
{
"url": "https://git.kernel.org/stable/c/880692ee233ba63808182705b3333403413b58f5"
},
{
"url": "https://git.kernel.org/stable/c/6d130db286ad0ea392c96ebb2551acf0d7308048"
},
{
"url": "https://git.kernel.org/stable/c/18ad4df091dd5d067d2faa8fce1180b79f7041a7"
}
],
"title": "block, bfq: fix possible UAF for bfqq-\u003ebic with merge chain",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-47706",
"datePublished": "2024-10-21T11:53:40.759Z",
"dateReserved": "2024-09-30T16:00:12.946Z",
"dateUpdated": "2025-05-04T09:37:55.250Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38556 (GCVE-0-2025-38556)
Vulnerability from cvelistv5
Published
2025-08-19 17:02
Modified
2025-09-29 05:53
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
HID: core: Harden s32ton() against conversion to 0 bits
Testing by the syzbot fuzzer showed that the HID core gets a
shift-out-of-bounds exception when it tries to convert a 32-bit
quantity to a 0-bit quantity. Ideally this should never occur, but
there are buggy devices and some might have a report field with size
set to zero; we shouldn't reject the report or the device just because
of that.
Instead, harden the s32ton() routine so that it returns a reasonable
result instead of crashing when it is called with the number of bits
set to 0 -- the same as what snto32() does.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d3b504146c111548ab60b6ef7aad00bfb1db05a2",
"status": "affected",
"version": "dde5845a529ff753364a6d1aea61180946270bfa",
"versionType": "git"
},
{
"lessThan": "8b4a94b1510f6a46ec48494b52ee8f67eb4fc836",
"status": "affected",
"version": "dde5845a529ff753364a6d1aea61180946270bfa",
"versionType": "git"
},
{
"lessThan": "865ad8469fa24de1559f247d9426ab01e5ce3a56",
"status": "affected",
"version": "dde5845a529ff753364a6d1aea61180946270bfa",
"versionType": "git"
},
{
"lessThan": "a6b87bfc2ab5bccb7ad953693c85d9062aef3fdd",
"status": "affected",
"version": "dde5845a529ff753364a6d1aea61180946270bfa",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.20"
},
{
"lessThan": "2.6.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.10",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "2.6.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: core: Harden s32ton() against conversion to 0 bits\n\nTesting by the syzbot fuzzer showed that the HID core gets a\nshift-out-of-bounds exception when it tries to convert a 32-bit\nquantity to a 0-bit quantity. Ideally this should never occur, but\nthere are buggy devices and some might have a report field with size\nset to zero; we shouldn\u0027t reject the report or the device just because\nof that.\n\nInstead, harden the s32ton() routine so that it returns a reasonable\nresult instead of crashing when it is called with the number of bits\nset to 0 -- the same as what snto32() does."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:53:43.421Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d3b504146c111548ab60b6ef7aad00bfb1db05a2"
},
{
"url": "https://git.kernel.org/stable/c/8b4a94b1510f6a46ec48494b52ee8f67eb4fc836"
},
{
"url": "https://git.kernel.org/stable/c/865ad8469fa24de1559f247d9426ab01e5ce3a56"
},
{
"url": "https://git.kernel.org/stable/c/a6b87bfc2ab5bccb7ad953693c85d9062aef3fdd"
}
],
"title": "HID: core: Harden s32ton() against conversion to 0 bits",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38556",
"datePublished": "2025-08-19T17:02:34.929Z",
"dateReserved": "2025-04-16T04:51:24.025Z",
"dateUpdated": "2025-09-29T05:53:43.421Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38612 (GCVE-0-2025-38612)
Vulnerability from cvelistv5
Published
2025-08-19 17:03
Modified
2025-09-29 05:54
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
staging: fbtft: fix potential memory leak in fbtft_framebuffer_alloc()
In the error paths after fb_info structure is successfully allocated,
the memory allocated in fb_deferred_io_init() for info->pagerefs is not
freed. Fix that by adding the cleanup function on the error path.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: c296d5f9957c03994a699d6739c27d4581a9f6c7 Version: c296d5f9957c03994a699d6739c27d4581a9f6c7 Version: c296d5f9957c03994a699d6739c27d4581a9f6c7 Version: c296d5f9957c03994a699d6739c27d4581a9f6c7 Version: c296d5f9957c03994a699d6739c27d4581a9f6c7 Version: c296d5f9957c03994a699d6739c27d4581a9f6c7 Version: c296d5f9957c03994a699d6739c27d4581a9f6c7 Version: c296d5f9957c03994a699d6739c27d4581a9f6c7 Version: c296d5f9957c03994a699d6739c27d4581a9f6c7 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/staging/fbtft/fbtft-core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "83ea0c7b8d12c67f6c4703d6c458627a7fc45fc0",
"status": "affected",
"version": "c296d5f9957c03994a699d6739c27d4581a9f6c7",
"versionType": "git"
},
{
"lessThan": "c3b1c45c48117ed4d8797ee89d1155f16b72d490",
"status": "affected",
"version": "c296d5f9957c03994a699d6739c27d4581a9f6c7",
"versionType": "git"
},
{
"lessThan": "3290f62f23fae05f2ec34085eb86dfb3648ef91f",
"status": "affected",
"version": "c296d5f9957c03994a699d6739c27d4581a9f6c7",
"versionType": "git"
},
{
"lessThan": "6f9e2cf9e9c1a891a683329af35bb33ed9d38b5f",
"status": "affected",
"version": "c296d5f9957c03994a699d6739c27d4581a9f6c7",
"versionType": "git"
},
{
"lessThan": "b31cf6f7716a5d3e4461763f32d812acdaec6e74",
"status": "affected",
"version": "c296d5f9957c03994a699d6739c27d4581a9f6c7",
"versionType": "git"
},
{
"lessThan": "a3177955f8da3c826a18b75e54881e2e9a9c96f1",
"status": "affected",
"version": "c296d5f9957c03994a699d6739c27d4581a9f6c7",
"versionType": "git"
},
{
"lessThan": "6771f121ae87490ddc19eabb7450383af9e01b6d",
"status": "affected",
"version": "c296d5f9957c03994a699d6739c27d4581a9f6c7",
"versionType": "git"
},
{
"lessThan": "47b3d6e8921bbb7b65c2dab8eaa8864901848c1c",
"status": "affected",
"version": "c296d5f9957c03994a699d6739c27d4581a9f6c7",
"versionType": "git"
},
{
"lessThan": "eb2cb7dab60f9be0b435ac4a674255429a36d72c",
"status": "affected",
"version": "c296d5f9957c03994a699d6739c27d4581a9f6c7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/staging/fbtft/fbtft-core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.0"
},
{
"lessThan": "4.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.148",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.102",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.148",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.102",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.42",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.10",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: fbtft: fix potential memory leak in fbtft_framebuffer_alloc()\n\nIn the error paths after fb_info structure is successfully allocated,\nthe memory allocated in fb_deferred_io_init() for info-\u003epagerefs is not\nfreed. Fix that by adding the cleanup function on the error path."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:54:46.364Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/83ea0c7b8d12c67f6c4703d6c458627a7fc45fc0"
},
{
"url": "https://git.kernel.org/stable/c/c3b1c45c48117ed4d8797ee89d1155f16b72d490"
},
{
"url": "https://git.kernel.org/stable/c/3290f62f23fae05f2ec34085eb86dfb3648ef91f"
},
{
"url": "https://git.kernel.org/stable/c/6f9e2cf9e9c1a891a683329af35bb33ed9d38b5f"
},
{
"url": "https://git.kernel.org/stable/c/b31cf6f7716a5d3e4461763f32d812acdaec6e74"
},
{
"url": "https://git.kernel.org/stable/c/a3177955f8da3c826a18b75e54881e2e9a9c96f1"
},
{
"url": "https://git.kernel.org/stable/c/6771f121ae87490ddc19eabb7450383af9e01b6d"
},
{
"url": "https://git.kernel.org/stable/c/47b3d6e8921bbb7b65c2dab8eaa8864901848c1c"
},
{
"url": "https://git.kernel.org/stable/c/eb2cb7dab60f9be0b435ac4a674255429a36d72c"
}
],
"title": "staging: fbtft: fix potential memory leak in fbtft_framebuffer_alloc()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38612",
"datePublished": "2025-08-19T17:03:54.797Z",
"dateReserved": "2025-04-16T04:51:24.029Z",
"dateUpdated": "2025-09-29T05:54:46.364Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38587 (GCVE-0-2025-38587)
Vulnerability from cvelistv5
Published
2025-08-19 17:03
Modified
2025-09-29 05:54
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv6: fix possible infinite loop in fib6_info_uses_dev()
fib6_info_uses_dev() seems to rely on RCU without an explicit
protection.
Like the prior fix in rt6_nlmsg_size(),
we need to make sure fib6_del_route() or fib6_add_rt2node()
have not removed the anchor from the list, or we risk an infinite loop.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: d0ec61c9f3583b76aebdbb271f5c0d3fcccd48b2 Version: 52da02521ede55fb86546c3fffd9377b3261b91f Version: 34a949e7a0869dfa31a40416d2a56973fae1807b Version: d9ccb18f83ea2bb654289b6ecf014fd267cc988b Version: d9ccb18f83ea2bb654289b6ecf014fd267cc988b Version: d9ccb18f83ea2bb654289b6ecf014fd267cc988b Version: 11edcd026012ac18acee0f1514db3ed1b160fc6f |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/route.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bc85e62394f008fa848c4ba02c936c735a3e8ef5",
"status": "affected",
"version": "d0ec61c9f3583b76aebdbb271f5c0d3fcccd48b2",
"versionType": "git"
},
{
"lessThan": "9cb6de8ee144a94ae7a40bdb32560329ab7276f0",
"status": "affected",
"version": "52da02521ede55fb86546c3fffd9377b3261b91f",
"versionType": "git"
},
{
"lessThan": "db65739d406c72776fbdbbc334be827ef05880d2",
"status": "affected",
"version": "34a949e7a0869dfa31a40416d2a56973fae1807b",
"versionType": "git"
},
{
"lessThan": "16d21816c0918f8058b5fc14cbe8595d62046e2d",
"status": "affected",
"version": "d9ccb18f83ea2bb654289b6ecf014fd267cc988b",
"versionType": "git"
},
{
"lessThan": "e09be457b71b983a085312ff9e981f51e4ed3211",
"status": "affected",
"version": "d9ccb18f83ea2bb654289b6ecf014fd267cc988b",
"versionType": "git"
},
{
"lessThan": "f8d8ce1b515a0a6af72b30502670a406cfb75073",
"status": "affected",
"version": "d9ccb18f83ea2bb654289b6ecf014fd267cc988b",
"versionType": "git"
},
{
"status": "affected",
"version": "11edcd026012ac18acee0f1514db3ed1b160fc6f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/route.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.13"
},
{
"lessThan": "6.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.148",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.102",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.148",
"versionStartIncluding": "6.1.128",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.102",
"versionStartIncluding": "6.6.75",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.42",
"versionStartIncluding": "6.12.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.10",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.11.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: fix possible infinite loop in fib6_info_uses_dev()\n\nfib6_info_uses_dev() seems to rely on RCU without an explicit\nprotection.\n\nLike the prior fix in rt6_nlmsg_size(),\nwe need to make sure fib6_del_route() or fib6_add_rt2node()\nhave not removed the anchor from the list, or we risk an infinite loop."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:54:19.423Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bc85e62394f008fa848c4ba02c936c735a3e8ef5"
},
{
"url": "https://git.kernel.org/stable/c/9cb6de8ee144a94ae7a40bdb32560329ab7276f0"
},
{
"url": "https://git.kernel.org/stable/c/db65739d406c72776fbdbbc334be827ef05880d2"
},
{
"url": "https://git.kernel.org/stable/c/16d21816c0918f8058b5fc14cbe8595d62046e2d"
},
{
"url": "https://git.kernel.org/stable/c/e09be457b71b983a085312ff9e981f51e4ed3211"
},
{
"url": "https://git.kernel.org/stable/c/f8d8ce1b515a0a6af72b30502670a406cfb75073"
}
],
"title": "ipv6: fix possible infinite loop in fib6_info_uses_dev()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38587",
"datePublished": "2025-08-19T17:03:08.924Z",
"dateReserved": "2025-04-16T04:51:24.026Z",
"dateUpdated": "2025-09-29T05:54:19.423Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38646 (GCVE-0-2025-38646)
Vulnerability from cvelistv5
Published
2025-08-22 16:00
Modified
2025-09-29 05:55
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: rtw89: avoid NULL dereference when RX problematic packet on unsupported 6 GHz band
With a quite rare chance, RX report might be problematic to make SW think
a packet is received on 6 GHz band even if the chip does not support 6 GHz
band actually. Since SW won't initialize stuffs for unsupported bands, NULL
dereference will happen then in the sequence, rtw89_vif_rx_stats_iter() ->
rtw89_core_cancel_6ghz_probe_tx(). So, add a check to avoid it.
The following is a crash log for this case.
BUG: kernel NULL pointer dereference, address: 0000000000000032
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP NOPTI
CPU: 1 PID: 1907 Comm: irq/131-rtw89_p Tainted: G U 6.6.56-05896-g89f5fb0eb30b #1 (HASH:1400 4)
Hardware name: Google Telith/Telith, BIOS Google_Telith.15217.747.0 11/12/2024
RIP: 0010:rtw89_vif_rx_stats_iter+0xd2/0x310 [rtw89_core]
Code: 4c 89 7d c8 48 89 55 c0 49 8d 44 24 02 48 89 45 b8 45 31 ff eb 11
41 c6 45 3a 01 41 b7 01 4d 8b 6d 00 4d 39 f5 74 42 8b 43 10 <41> 33 45
32 0f b7 4b 14 66 41 33 4d 36 0f b7 c9 09 c1 74 d8 4d 85
RSP: 0018:ffff9f3080138ca0 EFLAGS: 00010246
RAX: 00000000b8bf5770 RBX: ffff91b5e8c639c0 RCX: 0000000000000011
RDX: ffff91b582de1be8 RSI: 0000000000000000 RDI: ffff91b5e8c639e6
RBP: ffff9f3080138d00 R08: 0000000000000000 R09: 0000000000000000
R10: ffff91b59de70000 R11: ffffffffc069be50 R12: ffff91b5e8c639e4
R13: 0000000000000000 R14: ffff91b5828020b8 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff91b8efa40000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000032 CR3: 00000002bf838000 CR4: 0000000000750ee0
PKRU: 55555554
Call Trace:
<IRQ>
? __die_body+0x68/0xb0
? page_fault_oops+0x379/0x3e0
? exc_page_fault+0x4f/0xa0
? asm_exc_page_fault+0x22/0x30
? __pfx_rtw89_vif_rx_stats_iter+0x10/0x10 [rtw89_core (HASH:1400 5)]
? rtw89_vif_rx_stats_iter+0xd2/0x310 [rtw89_core (HASH:1400 5)]
__iterate_interfaces+0x59/0x110 [mac80211 (HASH:1400 6)]
? __pfx_rtw89_vif_rx_stats_iter+0x10/0x10 [rtw89_core (HASH:1400 5)]
? __pfx_rtw89_vif_rx_stats_iter+0x10/0x10 [rtw89_core (HASH:1400 5)]
ieee80211_iterate_active_interfaces_atomic+0x36/0x50 [mac80211 (HASH:1400 6)]
rtw89_core_rx_to_mac80211+0xfd/0x1b0 [rtw89_core (HASH:1400 5)]
rtw89_core_rx+0x43a/0x980 [rtw89_core (HASH:1400 5)]
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/realtek/rtw89/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "892b29eab44b1803d2cad8e50f1bc2144ef478cb",
"status": "affected",
"version": "c6aa9a9c47252ac7b07ed6d10459027e2f2a2de0",
"versionType": "git"
},
{
"lessThan": "77a7a48f87d673a68664bebf044214821decbfda",
"status": "affected",
"version": "c6aa9a9c47252ac7b07ed6d10459027e2f2a2de0",
"versionType": "git"
},
{
"lessThan": "f3527ac15a00916e68ecb495b74dbe6a6c62a06f",
"status": "affected",
"version": "c6aa9a9c47252ac7b07ed6d10459027e2f2a2de0",
"versionType": "git"
},
{
"lessThan": "4b525630729082f026e7030eafccf89e3add7eae",
"status": "affected",
"version": "c6aa9a9c47252ac7b07ed6d10459027e2f2a2de0",
"versionType": "git"
},
{
"lessThan": "7e04f01bb94fe61c73cc59f0495c3b6c16a83231",
"status": "affected",
"version": "c6aa9a9c47252ac7b07ed6d10459027e2f2a2de0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/realtek/rtw89/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.102",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.102",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.42",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.10",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw89: avoid NULL dereference when RX problematic packet on unsupported 6 GHz band\n\nWith a quite rare chance, RX report might be problematic to make SW think\na packet is received on 6 GHz band even if the chip does not support 6 GHz\nband actually. Since SW won\u0027t initialize stuffs for unsupported bands, NULL\ndereference will happen then in the sequence, rtw89_vif_rx_stats_iter() -\u003e\nrtw89_core_cancel_6ghz_probe_tx(). So, add a check to avoid it.\n\nThe following is a crash log for this case.\n\n BUG: kernel NULL pointer dereference, address: 0000000000000032\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: 0000 [#1] PREEMPT SMP NOPTI\n CPU: 1 PID: 1907 Comm: irq/131-rtw89_p Tainted: G U 6.6.56-05896-g89f5fb0eb30b #1 (HASH:1400 4)\n Hardware name: Google Telith/Telith, BIOS Google_Telith.15217.747.0 11/12/2024\n RIP: 0010:rtw89_vif_rx_stats_iter+0xd2/0x310 [rtw89_core]\n Code: 4c 89 7d c8 48 89 55 c0 49 8d 44 24 02 48 89 45 b8 45 31 ff eb 11\n 41 c6 45 3a 01 41 b7 01 4d 8b 6d 00 4d 39 f5 74 42 8b 43 10 \u003c41\u003e 33 45\n 32 0f b7 4b 14 66 41 33 4d 36 0f b7 c9 09 c1 74 d8 4d 85\n RSP: 0018:ffff9f3080138ca0 EFLAGS: 00010246\n RAX: 00000000b8bf5770 RBX: ffff91b5e8c639c0 RCX: 0000000000000011\n RDX: ffff91b582de1be8 RSI: 0000000000000000 RDI: ffff91b5e8c639e6\n RBP: ffff9f3080138d00 R08: 0000000000000000 R09: 0000000000000000\n R10: ffff91b59de70000 R11: ffffffffc069be50 R12: ffff91b5e8c639e4\n R13: 0000000000000000 R14: ffff91b5828020b8 R15: 0000000000000000\n FS: 0000000000000000(0000) GS:ffff91b8efa40000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000032 CR3: 00000002bf838000 CR4: 0000000000750ee0\n PKRU: 55555554\n Call Trace:\n \u003cIRQ\u003e\n ? __die_body+0x68/0xb0\n ? page_fault_oops+0x379/0x3e0\n ? exc_page_fault+0x4f/0xa0\n ? asm_exc_page_fault+0x22/0x30\n ? __pfx_rtw89_vif_rx_stats_iter+0x10/0x10 [rtw89_core (HASH:1400 5)]\n ? rtw89_vif_rx_stats_iter+0xd2/0x310 [rtw89_core (HASH:1400 5)]\n __iterate_interfaces+0x59/0x110 [mac80211 (HASH:1400 6)]\n ? __pfx_rtw89_vif_rx_stats_iter+0x10/0x10 [rtw89_core (HASH:1400 5)]\n ? __pfx_rtw89_vif_rx_stats_iter+0x10/0x10 [rtw89_core (HASH:1400 5)]\n ieee80211_iterate_active_interfaces_atomic+0x36/0x50 [mac80211 (HASH:1400 6)]\n rtw89_core_rx_to_mac80211+0xfd/0x1b0 [rtw89_core (HASH:1400 5)]\n rtw89_core_rx+0x43a/0x980 [rtw89_core (HASH:1400 5)]"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:55:26.395Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/892b29eab44b1803d2cad8e50f1bc2144ef478cb"
},
{
"url": "https://git.kernel.org/stable/c/77a7a48f87d673a68664bebf044214821decbfda"
},
{
"url": "https://git.kernel.org/stable/c/f3527ac15a00916e68ecb495b74dbe6a6c62a06f"
},
{
"url": "https://git.kernel.org/stable/c/4b525630729082f026e7030eafccf89e3add7eae"
},
{
"url": "https://git.kernel.org/stable/c/7e04f01bb94fe61c73cc59f0495c3b6c16a83231"
}
],
"title": "wifi: rtw89: avoid NULL dereference when RX problematic packet on unsupported 6 GHz band",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38646",
"datePublished": "2025-08-22T16:00:51.397Z",
"dateReserved": "2025-04-16T04:51:24.030Z",
"dateUpdated": "2025-09-29T05:55:26.395Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38006 (GCVE-0-2025-38006)
Vulnerability from cvelistv5
Published
2025-06-18 09:28
Modified
2025-06-18 09:28
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: mctp: Don't access ifa_index when missing
In mctp_dump_addrinfo, ifa_index can be used to filter interfaces, but
only when the struct ifaddrmsg is provided. Otherwise it will be
comparing to uninitialised memory - reproducible in the syzkaller case from
dhcpd, or busybox "ip addr show".
The kernel MCTP implementation has always filtered by ifa_index, so
existing userspace programs expecting to dump MCTP addresses must
already be passing a valid ifa_index value (either 0 or a real index).
BUG: KMSAN: uninit-value in mctp_dump_addrinfo+0x208/0xac0 net/mctp/device.c:128
mctp_dump_addrinfo+0x208/0xac0 net/mctp/device.c:128
rtnl_dump_all+0x3ec/0x5b0 net/core/rtnetlink.c:4380
rtnl_dumpit+0xd5/0x2f0 net/core/rtnetlink.c:6824
netlink_dump+0x97b/0x1690 net/netlink/af_netlink.c:2309
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mctp/device.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "acab78ae12c7fefb4f3bfe22e00770a5faa42724",
"status": "affected",
"version": "583be982d93479ea3d85091b0fd0b01201ede87d",
"versionType": "git"
},
{
"lessThan": "d4d1561d17eb72908e4489c0900d96e0484fac20",
"status": "affected",
"version": "583be982d93479ea3d85091b0fd0b01201ede87d",
"versionType": "git"
},
{
"lessThan": "24fa213dffa470166ec014f979f36c6ff44afb45",
"status": "affected",
"version": "583be982d93479ea3d85091b0fd0b01201ede87d",
"versionType": "git"
},
{
"lessThan": "f11cf946c0a92c560a890d68e4775723353599e1",
"status": "affected",
"version": "583be982d93479ea3d85091b0fd0b01201ede87d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/mctp/device.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.92",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.92",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.30",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.8",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mctp: Don\u0027t access ifa_index when missing\n\nIn mctp_dump_addrinfo, ifa_index can be used to filter interfaces, but\nonly when the struct ifaddrmsg is provided. Otherwise it will be\ncomparing to uninitialised memory - reproducible in the syzkaller case from\ndhcpd, or busybox \"ip addr show\".\n\nThe kernel MCTP implementation has always filtered by ifa_index, so\nexisting userspace programs expecting to dump MCTP addresses must\nalready be passing a valid ifa_index value (either 0 or a real index).\n\nBUG: KMSAN: uninit-value in mctp_dump_addrinfo+0x208/0xac0 net/mctp/device.c:128\n mctp_dump_addrinfo+0x208/0xac0 net/mctp/device.c:128\n rtnl_dump_all+0x3ec/0x5b0 net/core/rtnetlink.c:4380\n rtnl_dumpit+0xd5/0x2f0 net/core/rtnetlink.c:6824\n netlink_dump+0x97b/0x1690 net/netlink/af_netlink.c:2309"
}
],
"providerMetadata": {
"dateUpdated": "2025-06-18T09:28:17.773Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/acab78ae12c7fefb4f3bfe22e00770a5faa42724"
},
{
"url": "https://git.kernel.org/stable/c/d4d1561d17eb72908e4489c0900d96e0484fac20"
},
{
"url": "https://git.kernel.org/stable/c/24fa213dffa470166ec014f979f36c6ff44afb45"
},
{
"url": "https://git.kernel.org/stable/c/f11cf946c0a92c560a890d68e4775723353599e1"
}
],
"title": "net: mctp: Don\u0027t access ifa_index when missing",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38006",
"datePublished": "2025-06-18T09:28:17.773Z",
"dateReserved": "2025-04-16T04:51:23.977Z",
"dateUpdated": "2025-06-18T09:28:17.773Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…