Vulnerability-Lookup

Vendor	Product	Description
Ubuntu	Ubuntu	Ubuntu 16.04 ESM
Ubuntu	Ubuntu	Ubuntu 20.04 ESM
Ubuntu	Ubuntu	Ubuntu 24.04 LTS
Ubuntu	Ubuntu	Ubuntu 25.04
Ubuntu	Ubuntu	Ubuntu 18.04 ESM
Ubuntu	Ubuntu	Ubuntu 14.04 ESM
Ubuntu	Ubuntu	Ubuntu 22.04 LTS

CVE-2025-21946 (GCVE-0-2025-21946)

Vulnerability from cvelistv5 – Published: 2025-04-01 15:41 – Updated: 2026-01-11 16:29

Title

ksmbd: fix out-of-bounds in parse_sec_desc()

Summary

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix out-of-bounds in parse_sec_desc() If osidoffset, gsidoffset and dacloffset could be greater than smb_ntsd struct size. If it is smaller, It could cause slab-out-of-bounds. And when validating sid, It need to check it included subauth array size.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/f4ee19528664777af…
	https://git.kernel.org/stable/c/c1569dbbe2d43041b…
	https://git.kernel.org/stable/c/159d059cbcb0e6d0e…
	https://git.kernel.org/stable/c/6a9831180d0b23b5c…
	https://git.kernel.org/stable/c/d6e13e19063db24f9…

Impacted products

Vendor

Product

Version

Linux

Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < f4ee19528664777af8b842f8f001be98345aa973 (git)
Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < c1569dbbe2d43041be9f3fef7ca08bec3b66ad1b (git)
Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 159d059cbcb0e6d0e7a7b34af3862ba09a6b22d1 (git)
Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 6a9831180d0b23b5c97e2bd841aefc8f82900172 (git)
Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < d6e13e19063db24f94b690159d0633aaf72a0f03 (git)

Linux

Affected: 5.15
Unaffected: 0 , < 5.15 (semver)
Unaffected: 6.1.160 , ≤ 6.1.* (semver)
Unaffected: 6.6.83 , ≤ 6.6.* (semver)
Unaffected: 6.12.19 , ≤ 6.12.* (semver)
Unaffected: 6.13.7 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/server/smbacl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f4ee19528664777af8b842f8f001be98345aa973",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            },
            {
              "lessThan": "c1569dbbe2d43041be9f3fef7ca08bec3b66ad1b",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            },
            {
              "lessThan": "159d059cbcb0e6d0e7a7b34af3862ba09a6b22d1",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            },
            {
              "lessThan": "6a9831180d0b23b5c97e2bd841aefc8f82900172",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            },
            {
              "lessThan": "d6e13e19063db24f94b690159d0633aaf72a0f03",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/server/smbacl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.15"
            },
            {
              "lessThan": "5.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.160",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.83",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.19",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.160",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.83",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.19",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.7",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix out-of-bounds in parse_sec_desc()\n\nIf osidoffset, gsidoffset and dacloffset could be greater than smb_ntsd\nstruct size. If it is smaller, It could cause slab-out-of-bounds.\nAnd when validating sid, It need to check it included subauth array size."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-11T16:29:10.705Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f4ee19528664777af8b842f8f001be98345aa973"
        },
        {
          "url": "https://git.kernel.org/stable/c/c1569dbbe2d43041be9f3fef7ca08bec3b66ad1b"
        },
        {
          "url": "https://git.kernel.org/stable/c/159d059cbcb0e6d0e7a7b34af3862ba09a6b22d1"
        },
        {
          "url": "https://git.kernel.org/stable/c/6a9831180d0b23b5c97e2bd841aefc8f82900172"
        },
        {
          "url": "https://git.kernel.org/stable/c/d6e13e19063db24f94b690159d0633aaf72a0f03"
        }
      ],
      "title": "ksmbd: fix out-of-bounds in parse_sec_desc()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21946",
    "datePublished": "2025-04-01T15:41:08.955Z",
    "dateReserved": "2024-12-29T08:45:45.790Z",
    "dateUpdated": "2026-01-11T16:29:10.705Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-37889 (GCVE-0-2025-37889)

Vulnerability from cvelistv5 – Published: 2025-05-09 06:45 – Updated: 2025-11-03 19:57

Title

ASoC: ops: Consistently treat platform_max as control value

Summary

In the Linux kernel, the following vulnerability has been resolved: ASoC: ops: Consistently treat platform_max as control value This reverts commit 9bdd10d57a88 ("ASoC: ops: Shift tested values in snd_soc_put_volsw() by +min"), and makes some additional related updates. There are two ways the platform_max could be interpreted; the maximum register value, or the maximum value the control can be set to. The patch moved from treating the value as a control value to a register one. When the patch was applied it was technically correct as snd_soc_limit_volume() also used the register interpretation. However, even then most of the other usages treated platform_max as a control value, and snd_soc_limit_volume() has since been updated to also do so in commit fb9ad24485087 ("ASoC: ops: add correct range check for limiting volume"). That patch however, missed updating snd_soc_put_volsw() back to the control interpretation, and fixing snd_soc_info_volsw_range(). The control interpretation makes more sense as limiting is typically done from the machine driver, so it is appropriate to use the customer facing representation rather than the internal codec representation. Update all the code to consistently use this interpretation of platform_max. Finally, also add some comments to the soc_mixer_control struct to hopefully avoid further patches switching between the two approaches.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/c402f184a053c8e7c…
	https://git.kernel.org/stable/c/694110bc2407a61f0…
	https://git.kernel.org/stable/c/544055329560d4b64…
	https://git.kernel.org/stable/c/a46a9371f8b9a0eef…
	https://git.kernel.org/stable/c/296c8295ae34045da…
	https://git.kernel.org/stable/c/0eba2a7e858907a74…

Impacted products

Vendor

Product

Version

Linux

Affected: c11fc224e58e7972ffd05b8f25e9b1d6a0b8d562 , < c402f184a053c8e7ca325e50f04bbbc1e4fee019 (git)
Affected: a50562146d6c7650029a115c96ef9aaa7648c344 , < 694110bc2407a61f02a770cbb5f39b51e4ec77c6 (git)
Affected: 395e52b7a1ad01e1b51adb09854a0aa5347428de , < 544055329560d4b64fe204fc6be325ebc24c72ca (git)
Affected: fb9ad24485087e0f00d84bee7a5914640b2b9024 , < a46a9371f8b9a0eeff53a21e11ed3b65f52d9cf6 (git)
Affected: fb9ad24485087e0f00d84bee7a5914640b2b9024 , < 296c8295ae34045da0214882628d49c1c060dd8a (git)
Affected: fb9ad24485087e0f00d84bee7a5914640b2b9024 , < 0eba2a7e858907a746ba69cd002eb9eb4dbd7bf3 (git)

Linux

Affected: 6.7
Unaffected: 0 , < 6.7 (semver)
Unaffected: 5.15.180 , ≤ 5.15.* (semver)
Unaffected: 6.1.132 , ≤ 6.1.* (semver)
Unaffected: 6.6.84 , ≤ 6.6.* (semver)
Unaffected: 6.12.20 , ≤ 6.12.* (semver)
Unaffected: 6.13.8 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:57:00.804Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/sound/soc.h",
            "sound/soc/soc-ops.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c402f184a053c8e7ca325e50f04bbbc1e4fee019",
              "status": "affected",
              "version": "c11fc224e58e7972ffd05b8f25e9b1d6a0b8d562",
              "versionType": "git"
            },
            {
              "lessThan": "694110bc2407a61f02a770cbb5f39b51e4ec77c6",
              "status": "affected",
              "version": "a50562146d6c7650029a115c96ef9aaa7648c344",
              "versionType": "git"
            },
            {
              "lessThan": "544055329560d4b64fe204fc6be325ebc24c72ca",
              "status": "affected",
              "version": "395e52b7a1ad01e1b51adb09854a0aa5347428de",
              "versionType": "git"
            },
            {
              "lessThan": "a46a9371f8b9a0eeff53a21e11ed3b65f52d9cf6",
              "status": "affected",
              "version": "fb9ad24485087e0f00d84bee7a5914640b2b9024",
              "versionType": "git"
            },
            {
              "lessThan": "296c8295ae34045da0214882628d49c1c060dd8a",
              "status": "affected",
              "version": "fb9ad24485087e0f00d84bee7a5914640b2b9024",
              "versionType": "git"
            },
            {
              "lessThan": "0eba2a7e858907a746ba69cd002eb9eb4dbd7bf3",
              "status": "affected",
              "version": "fb9ad24485087e0f00d84bee7a5914640b2b9024",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/sound/soc.h",
            "sound/soc/soc-ops.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.7"
            },
            {
              "lessThan": "6.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.180",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.132",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.84",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.20",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.180",
                  "versionStartIncluding": "5.15.148",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.132",
                  "versionStartIncluding": "6.1.74",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.84",
                  "versionStartIncluding": "6.6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.20",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.8",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: ops: Consistently treat platform_max as control value\n\nThis reverts commit 9bdd10d57a88 (\"ASoC: ops: Shift tested values in\nsnd_soc_put_volsw() by +min\"), and makes some additional related\nupdates.\n\nThere are two ways the platform_max could be interpreted; the maximum\nregister value, or the maximum value the control can be set to. The\npatch moved from treating the value as a control value to a register\none. When the patch was applied it was technically correct as\nsnd_soc_limit_volume() also used the register interpretation. However,\neven then most of the other usages treated platform_max as a\ncontrol value, and snd_soc_limit_volume() has since been updated to\nalso do so in commit fb9ad24485087 (\"ASoC: ops: add correct range\ncheck for limiting volume\"). That patch however, missed updating\nsnd_soc_put_volsw() back to the control interpretation, and fixing\nsnd_soc_info_volsw_range(). The control interpretation makes more\nsense as limiting is typically done from the machine driver, so it is\nappropriate to use the customer facing representation rather than the\ninternal codec representation. Update all the code to consistently use\nthis interpretation of platform_max.\n\nFinally, also add some comments to the soc_mixer_control struct to\nhopefully avoid further patches switching between the two approaches."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-10T14:09:43.898Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c402f184a053c8e7ca325e50f04bbbc1e4fee019"
        },
        {
          "url": "https://git.kernel.org/stable/c/694110bc2407a61f02a770cbb5f39b51e4ec77c6"
        },
        {
          "url": "https://git.kernel.org/stable/c/544055329560d4b64fe204fc6be325ebc24c72ca"
        },
        {
          "url": "https://git.kernel.org/stable/c/a46a9371f8b9a0eeff53a21e11ed3b65f52d9cf6"
        },
        {
          "url": "https://git.kernel.org/stable/c/296c8295ae34045da0214882628d49c1c060dd8a"
        },
        {
          "url": "https://git.kernel.org/stable/c/0eba2a7e858907a746ba69cd002eb9eb4dbd7bf3"
        }
      ],
      "title": "ASoC: ops: Consistently treat platform_max as control value",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37889",
    "datePublished": "2025-05-09T06:45:50.868Z",
    "dateReserved": "2025-04-16T04:51:23.963Z",
    "dateUpdated": "2025-11-03T19:57:00.804Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-22010 (GCVE-0-2025-22010)

Vulnerability from cvelistv5 – Published: 2025-04-08 08:18 – Updated: 2025-11-03 19:40

Title

RDMA/hns: Fix soft lockup during bt pages loop

Summary

In the Linux kernel, the following vulnerability has been resolved: RDMA/hns: Fix soft lockup during bt pages loop Driver runs a for-loop when allocating bt pages and mapping them with buffer pages. When a large buffer (e.g. MR over 100GB) is being allocated, it may require a considerable loop count. This will lead to soft lockup: watchdog: BUG: soft lockup - CPU#27 stuck for 22s! ... Call trace: hem_list_alloc_mid_bt+0x124/0x394 [hns_roce_hw_v2] hns_roce_hem_list_request+0xf8/0x160 [hns_roce_hw_v2] hns_roce_mtr_create+0x2e4/0x360 [hns_roce_hw_v2] alloc_mr_pbl+0xd4/0x17c [hns_roce_hw_v2] hns_roce_reg_user_mr+0xf8/0x190 [hns_roce_hw_v2] ib_uverbs_reg_mr+0x118/0x290 watchdog: BUG: soft lockup - CPU#35 stuck for 23s! ... Call trace: hns_roce_hem_list_find_mtt+0x7c/0xb0 [hns_roce_hw_v2] mtr_map_bufs+0xc4/0x204 [hns_roce_hw_v2] hns_roce_mtr_create+0x31c/0x3c4 [hns_roce_hw_v2] alloc_mr_pbl+0xb0/0x160 [hns_roce_hw_v2] hns_roce_reg_user_mr+0x108/0x1c0 [hns_roce_hw_v2] ib_uverbs_reg_mr+0x120/0x2bc Add a cond_resched() to fix soft lockup during these loops. In order not to affect the allocation performance of normal-size buffer, set the loop count of a 100GB MR as the threshold to call cond_resched().

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/461eb4ddede266df8…
	https://git.kernel.org/stable/c/efe544462fc0b4997…
	https://git.kernel.org/stable/c/4104b0023ff66b5df…
	https://git.kernel.org/stable/c/975355faba56c0751…
	https://git.kernel.org/stable/c/13a52f6c9ff99f7d8…
	https://git.kernel.org/stable/c/9ab20fec7a1ce3057…
	https://git.kernel.org/stable/c/25655580136de59ec…

Impacted products

Vendor

Product

Version

Linux

Affected: 38389eaa4db192648916464b60f6086d6bbaa6de , < 461eb4ddede266df8f181f578732bb01742c3fd6 (git)
Affected: 38389eaa4db192648916464b60f6086d6bbaa6de , < efe544462fc0b499725364f90bd0f8bbf16f861a (git)
Affected: 38389eaa4db192648916464b60f6086d6bbaa6de , < 4104b0023ff66b5df900d23dbf38310893deca79 (git)
Affected: 38389eaa4db192648916464b60f6086d6bbaa6de , < 975355faba56c0751292ed15a90c3e2c7dc0aad6 (git)
Affected: 38389eaa4db192648916464b60f6086d6bbaa6de , < 13a52f6c9ff99f7d88f81da535cb4e85eade662b (git)
Affected: 38389eaa4db192648916464b60f6086d6bbaa6de , < 9ab20fec7a1ce3057ad86afd27bfd08420b7cd11 (git)
Affected: 38389eaa4db192648916464b60f6086d6bbaa6de , < 25655580136de59ec89f09089dd28008ea440fc9 (git)

Linux

Affected: 5.3
Unaffected: 0 , < 5.3 (semver)
Unaffected: 5.10.236 , ≤ 5.10.* (semver)
Unaffected: 5.15.180 , ≤ 5.15.* (semver)
Unaffected: 6.1.132 , ≤ 6.1.* (semver)
Unaffected: 6.6.85 , ≤ 6.6.* (semver)
Unaffected: 6.12.21 , ≤ 6.12.* (semver)
Unaffected: 6.13.9 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:40:55.912Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/hw/hns/hns_roce_hem.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "461eb4ddede266df8f181f578732bb01742c3fd6",
              "status": "affected",
              "version": "38389eaa4db192648916464b60f6086d6bbaa6de",
              "versionType": "git"
            },
            {
              "lessThan": "efe544462fc0b499725364f90bd0f8bbf16f861a",
              "status": "affected",
              "version": "38389eaa4db192648916464b60f6086d6bbaa6de",
              "versionType": "git"
            },
            {
              "lessThan": "4104b0023ff66b5df900d23dbf38310893deca79",
              "status": "affected",
              "version": "38389eaa4db192648916464b60f6086d6bbaa6de",
              "versionType": "git"
            },
            {
              "lessThan": "975355faba56c0751292ed15a90c3e2c7dc0aad6",
              "status": "affected",
              "version": "38389eaa4db192648916464b60f6086d6bbaa6de",
              "versionType": "git"
            },
            {
              "lessThan": "13a52f6c9ff99f7d88f81da535cb4e85eade662b",
              "status": "affected",
              "version": "38389eaa4db192648916464b60f6086d6bbaa6de",
              "versionType": "git"
            },
            {
              "lessThan": "9ab20fec7a1ce3057ad86afd27bfd08420b7cd11",
              "status": "affected",
              "version": "38389eaa4db192648916464b60f6086d6bbaa6de",
              "versionType": "git"
            },
            {
              "lessThan": "25655580136de59ec89f09089dd28008ea440fc9",
              "status": "affected",
              "version": "38389eaa4db192648916464b60f6086d6bbaa6de",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/hw/hns/hns_roce_hem.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.3"
            },
            {
              "lessThan": "5.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.236",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.180",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.132",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.85",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.21",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.236",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.180",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.132",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.85",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.21",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.9",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/hns: Fix soft lockup during bt pages loop\n\nDriver runs a for-loop when allocating bt pages and mapping them with\nbuffer pages. When a large buffer (e.g. MR over 100GB) is being allocated,\nit may require a considerable loop count. This will lead to soft lockup:\n\n        watchdog: BUG: soft lockup - CPU#27 stuck for 22s!\n        ...\n        Call trace:\n         hem_list_alloc_mid_bt+0x124/0x394 [hns_roce_hw_v2]\n         hns_roce_hem_list_request+0xf8/0x160 [hns_roce_hw_v2]\n         hns_roce_mtr_create+0x2e4/0x360 [hns_roce_hw_v2]\n         alloc_mr_pbl+0xd4/0x17c [hns_roce_hw_v2]\n         hns_roce_reg_user_mr+0xf8/0x190 [hns_roce_hw_v2]\n         ib_uverbs_reg_mr+0x118/0x290\n\n        watchdog: BUG: soft lockup - CPU#35 stuck for 23s!\n        ...\n        Call trace:\n         hns_roce_hem_list_find_mtt+0x7c/0xb0 [hns_roce_hw_v2]\n         mtr_map_bufs+0xc4/0x204 [hns_roce_hw_v2]\n         hns_roce_mtr_create+0x31c/0x3c4 [hns_roce_hw_v2]\n         alloc_mr_pbl+0xb0/0x160 [hns_roce_hw_v2]\n         hns_roce_reg_user_mr+0x108/0x1c0 [hns_roce_hw_v2]\n         ib_uverbs_reg_mr+0x120/0x2bc\n\nAdd a cond_resched() to fix soft lockup during these loops. In order not\nto affect the allocation performance of normal-size buffer, set the loop\ncount of a 100GB MR as the threshold to call cond_resched()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:27:32.747Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/461eb4ddede266df8f181f578732bb01742c3fd6"
        },
        {
          "url": "https://git.kernel.org/stable/c/efe544462fc0b499725364f90bd0f8bbf16f861a"
        },
        {
          "url": "https://git.kernel.org/stable/c/4104b0023ff66b5df900d23dbf38310893deca79"
        },
        {
          "url": "https://git.kernel.org/stable/c/975355faba56c0751292ed15a90c3e2c7dc0aad6"
        },
        {
          "url": "https://git.kernel.org/stable/c/13a52f6c9ff99f7d88f81da535cb4e85eade662b"
        },
        {
          "url": "https://git.kernel.org/stable/c/9ab20fec7a1ce3057ad86afd27bfd08420b7cd11"
        },
        {
          "url": "https://git.kernel.org/stable/c/25655580136de59ec89f09089dd28008ea440fc9"
        }
      ],
      "title": "RDMA/hns: Fix soft lockup during bt pages loop",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-22010",
    "datePublished": "2025-04-08T08:18:00.430Z",
    "dateReserved": "2024-12-29T08:45:45.804Z",
    "dateUpdated": "2025-11-03T19:40:55.912Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38227 (GCVE-0-2025-38227)

Vulnerability from cvelistv5 – Published: 2025-07-04 13:37 – Updated: 2025-11-03 17:35

Title

media: vidtv: Terminating the subsequent process of initialization failure

Summary

In the Linux kernel, the following vulnerability has been resolved: media: vidtv: Terminating the subsequent process of initialization failure syzbot reported a slab-use-after-free Read in vidtv_mux_init. [1] After PSI initialization fails, the si member is accessed again, resulting in this uaf. After si initialization fails, the subsequent process needs to be exited. [1] BUG: KASAN: slab-use-after-free in vidtv_mux_pid_ctx_init drivers/media/test-drivers/vidtv/vidtv_mux.c:78 [inline] BUG: KASAN: slab-use-after-free in vidtv_mux_init+0xac2/0xbe0 drivers/media/test-drivers/vidtv/vidtv_mux.c:524 Read of size 8 at addr ffff88802fa42acc by task syz.2.37/6059 CPU: 0 UID: 0 PID: 6059 Comm: syz.2.37 Not tainted 6.14.0-rc5-syzkaller #0 Hardware name: Google Compute Engine, BIOS Google 02/12/2025 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:408 [inline] print_report+0xc3/0x670 mm/kasan/report.c:521 kasan_report+0xd9/0x110 mm/kasan/report.c:634 vidtv_mux_pid_ctx_init drivers/media/test-drivers/vidtv/vidtv_mux.c:78 vidtv_mux_init+0xac2/0xbe0 drivers/media/test-drivers/vidtv/vidtv_mux.c:524 vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194 vidtv_start_feed drivers/media/test-drivers/vidtv/vidtv_bridge.c:239 dmx_section_feed_start_filtering drivers/media/dvb-core/dvb_demux.c:973 dvb_dmxdev_feed_start drivers/media/dvb-core/dmxdev.c:508 [inline] dvb_dmxdev_feed_restart.isra.0 drivers/media/dvb-core/dmxdev.c:537 dvb_dmxdev_filter_stop+0x2b4/0x3a0 drivers/media/dvb-core/dmxdev.c:564 dvb_dmxdev_filter_free drivers/media/dvb-core/dmxdev.c:840 [inline] dvb_demux_release+0x92/0x550 drivers/media/dvb-core/dmxdev.c:1246 __fput+0x3ff/0xb70 fs/file_table.c:464 task_work_run+0x14e/0x250 kernel/task_work.c:227 exit_task_work include/linux/task_work.h:40 [inline] do_exit+0xad8/0x2d70 kernel/exit.c:938 do_group_exit+0xd3/0x2a0 kernel/exit.c:1087 __do_sys_exit_group kernel/exit.c:1098 [inline] __se_sys_exit_group kernel/exit.c:1096 [inline] __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1096 x64_sys_call+0x151f/0x1720 arch/x86/include/generated/asm/syscalls_64.h:232 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f871d58d169 Code: Unable to access opcode bytes at 0x7f871d58d13f. RSP: 002b:00007fff4b19a788 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f871d58d169 RDX: 0000000000000064 RSI: 0000000000000000 RDI: 0000000000000000 RBP: 00007fff4b19a7ec R08: 0000000b4b19a87f R09: 00000000000927c0 R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000003 R13: 00000000000927c0 R14: 000000000001d553 R15: 00007fff4b19a840 </TASK> Allocated by task 6059: kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394 kmalloc_noprof include/linux/slab.h:901 [inline] kzalloc_noprof include/linux/slab.h:1037 [inline] vidtv_psi_pat_table_init drivers/media/test-drivers/vidtv/vidtv_psi.c:970 vidtv_channel_si_init drivers/media/test-drivers/vidtv/vidtv_channel.c:423 vidtv_mux_init drivers/media/test-drivers/vidtv/vidtv_mux.c:519 vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194 vidtv_start_feed drivers/media/test-drivers/vidtv/vidtv_bridge.c:239 dmx_section_feed_start_filtering drivers/media/dvb-core/dvb_demux.c:973 dvb_dmxdev_feed_start drivers/media/dvb-core/dmxdev.c:508 [inline] dvb_dmxdev_feed_restart.isra.0 drivers/media/dvb-core/dmxdev.c:537 dvb_dmxdev_filter_stop+0x2b4/0x3a0 drivers/media/dvb-core/dmxdev.c:564 dvb_dmxdev_filter_free drivers/media/dvb-core/dmxdev.c:840 [inline] dvb_demux_release+0x92/0x550 drivers/media/dvb-core/dmxdev.c:1246 __fput+0x3ff/0xb70 fs/file_tabl ---truncated---

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/e1d72ff111eceea6b…
	https://git.kernel.org/stable/c/7e62be1f3b241bc9f…
	https://git.kernel.org/stable/c/685c18bc5a36f823e…
	https://git.kernel.org/stable/c/9824e1732a163e005…
	https://git.kernel.org/stable/c/72541cae73d0809a6…
	https://git.kernel.org/stable/c/f8c2483be6e8bb6c2…
	https://git.kernel.org/stable/c/1d5f88f0534803268…

Impacted products

Vendor

Product

Version

Linux

Affected: 3be8037960bccd13052cfdeba8805ad785041d70 , < e1d72ff111eceea6b28dccb7ca4e8f4900b11729 (git)
Affected: 3be8037960bccd13052cfdeba8805ad785041d70 , < 7e62be1f3b241bc9faee547864bb39332955509b (git)
Affected: 3be8037960bccd13052cfdeba8805ad785041d70 , < 685c18bc5a36f823ee725e85aac1303ef5f535ba (git)
Affected: 3be8037960bccd13052cfdeba8805ad785041d70 , < 9824e1732a163e005aa84e12ec439493ebd4f097 (git)
Affected: 3be8037960bccd13052cfdeba8805ad785041d70 , < 72541cae73d0809a6416bfcd2ee6473046a0013a (git)
Affected: 3be8037960bccd13052cfdeba8805ad785041d70 , < f8c2483be6e8bb6c2148315b4a924c65bb442b5e (git)
Affected: 3be8037960bccd13052cfdeba8805ad785041d70 , < 1d5f88f053480326873115092bc116b7d14916ba (git)

Linux

Affected: 5.10
Unaffected: 0 , < 5.10 (semver)
Unaffected: 5.10.239 , ≤ 5.10.* (semver)
Unaffected: 5.15.186 , ≤ 5.15.* (semver)
Unaffected: 6.1.142 , ≤ 6.1.* (semver)
Unaffected: 6.6.95 , ≤ 6.6.* (semver)
Unaffected: 6.12.35 , ≤ 6.12.* (semver)
Unaffected: 6.15.4 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:35:44.869Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/test-drivers/vidtv/vidtv_channel.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e1d72ff111eceea6b28dccb7ca4e8f4900b11729",
              "status": "affected",
              "version": "3be8037960bccd13052cfdeba8805ad785041d70",
              "versionType": "git"
            },
            {
              "lessThan": "7e62be1f3b241bc9faee547864bb39332955509b",
              "status": "affected",
              "version": "3be8037960bccd13052cfdeba8805ad785041d70",
              "versionType": "git"
            },
            {
              "lessThan": "685c18bc5a36f823ee725e85aac1303ef5f535ba",
              "status": "affected",
              "version": "3be8037960bccd13052cfdeba8805ad785041d70",
              "versionType": "git"
            },
            {
              "lessThan": "9824e1732a163e005aa84e12ec439493ebd4f097",
              "status": "affected",
              "version": "3be8037960bccd13052cfdeba8805ad785041d70",
              "versionType": "git"
            },
            {
              "lessThan": "72541cae73d0809a6416bfcd2ee6473046a0013a",
              "status": "affected",
              "version": "3be8037960bccd13052cfdeba8805ad785041d70",
              "versionType": "git"
            },
            {
              "lessThan": "f8c2483be6e8bb6c2148315b4a924c65bb442b5e",
              "status": "affected",
              "version": "3be8037960bccd13052cfdeba8805ad785041d70",
              "versionType": "git"
            },
            {
              "lessThan": "1d5f88f053480326873115092bc116b7d14916ba",
              "status": "affected",
              "version": "3be8037960bccd13052cfdeba8805ad785041d70",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/test-drivers/vidtv/vidtv_channel.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.10"
            },
            {
              "lessThan": "5.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.95",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.35",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.95",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.35",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.4",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: vidtv: Terminating the subsequent process of initialization failure\n\nsyzbot reported a slab-use-after-free Read in vidtv_mux_init. [1]\n\nAfter PSI initialization fails, the si member is accessed again, resulting\nin this uaf.\n\nAfter si initialization fails, the subsequent process needs to be exited.\n\n[1]\nBUG: KASAN: slab-use-after-free in vidtv_mux_pid_ctx_init drivers/media/test-drivers/vidtv/vidtv_mux.c:78 [inline]\nBUG: KASAN: slab-use-after-free in vidtv_mux_init+0xac2/0xbe0 drivers/media/test-drivers/vidtv/vidtv_mux.c:524\nRead of size 8 at addr ffff88802fa42acc by task syz.2.37/6059\n\nCPU: 0 UID: 0 PID: 6059 Comm: syz.2.37 Not tainted 6.14.0-rc5-syzkaller #0\nHardware name: Google Compute Engine, BIOS Google 02/12/2025\nCall Trace:\n\u003cTASK\u003e\n__dump_stack lib/dump_stack.c:94 [inline]\ndump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120\nprint_address_description mm/kasan/report.c:408 [inline]\nprint_report+0xc3/0x670 mm/kasan/report.c:521\nkasan_report+0xd9/0x110 mm/kasan/report.c:634\nvidtv_mux_pid_ctx_init drivers/media/test-drivers/vidtv/vidtv_mux.c:78\nvidtv_mux_init+0xac2/0xbe0 drivers/media/test-drivers/vidtv/vidtv_mux.c:524\nvidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194\nvidtv_start_feed drivers/media/test-drivers/vidtv/vidtv_bridge.c:239\ndmx_section_feed_start_filtering drivers/media/dvb-core/dvb_demux.c:973\ndvb_dmxdev_feed_start drivers/media/dvb-core/dmxdev.c:508 [inline]\ndvb_dmxdev_feed_restart.isra.0 drivers/media/dvb-core/dmxdev.c:537\ndvb_dmxdev_filter_stop+0x2b4/0x3a0 drivers/media/dvb-core/dmxdev.c:564\ndvb_dmxdev_filter_free drivers/media/dvb-core/dmxdev.c:840 [inline]\ndvb_demux_release+0x92/0x550 drivers/media/dvb-core/dmxdev.c:1246\n__fput+0x3ff/0xb70 fs/file_table.c:464\ntask_work_run+0x14e/0x250 kernel/task_work.c:227\nexit_task_work include/linux/task_work.h:40 [inline]\ndo_exit+0xad8/0x2d70 kernel/exit.c:938\ndo_group_exit+0xd3/0x2a0 kernel/exit.c:1087\n__do_sys_exit_group kernel/exit.c:1098 [inline]\n__se_sys_exit_group kernel/exit.c:1096 [inline]\n__x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1096\nx64_sys_call+0x151f/0x1720 arch/x86/include/generated/asm/syscalls_64.h:232\ndo_syscall_x64 arch/x86/entry/common.c:52 [inline]\ndo_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83\nentry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f871d58d169\nCode: Unable to access opcode bytes at 0x7f871d58d13f.\nRSP: 002b:00007fff4b19a788 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f871d58d169\nRDX: 0000000000000064 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 00007fff4b19a7ec R08: 0000000b4b19a87f R09: 00000000000927c0\nR10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000003\nR13: 00000000000927c0 R14: 000000000001d553 R15: 00007fff4b19a840\n \u003c/TASK\u003e\n\nAllocated by task 6059:\n kasan_save_stack+0x33/0x60 mm/kasan/common.c:47\n kasan_save_track+0x14/0x30 mm/kasan/common.c:68\n poison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394\n kmalloc_noprof include/linux/slab.h:901 [inline]\n kzalloc_noprof include/linux/slab.h:1037 [inline]\n vidtv_psi_pat_table_init drivers/media/test-drivers/vidtv/vidtv_psi.c:970\n vidtv_channel_si_init drivers/media/test-drivers/vidtv/vidtv_channel.c:423\n vidtv_mux_init drivers/media/test-drivers/vidtv/vidtv_mux.c:519\n vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194\n vidtv_start_feed drivers/media/test-drivers/vidtv/vidtv_bridge.c:239\n dmx_section_feed_start_filtering drivers/media/dvb-core/dvb_demux.c:973\n dvb_dmxdev_feed_start drivers/media/dvb-core/dmxdev.c:508 [inline]\n dvb_dmxdev_feed_restart.isra.0 drivers/media/dvb-core/dmxdev.c:537\n dvb_dmxdev_filter_stop+0x2b4/0x3a0 drivers/media/dvb-core/dmxdev.c:564\n dvb_dmxdev_filter_free drivers/media/dvb-core/dmxdev.c:840 [inline]\n dvb_demux_release+0x92/0x550 drivers/media/dvb-core/dmxdev.c:1246\n __fput+0x3ff/0xb70 fs/file_tabl\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:15:40.974Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e1d72ff111eceea6b28dccb7ca4e8f4900b11729"
        },
        {
          "url": "https://git.kernel.org/stable/c/7e62be1f3b241bc9faee547864bb39332955509b"
        },
        {
          "url": "https://git.kernel.org/stable/c/685c18bc5a36f823ee725e85aac1303ef5f535ba"
        },
        {
          "url": "https://git.kernel.org/stable/c/9824e1732a163e005aa84e12ec439493ebd4f097"
        },
        {
          "url": "https://git.kernel.org/stable/c/72541cae73d0809a6416bfcd2ee6473046a0013a"
        },
        {
          "url": "https://git.kernel.org/stable/c/f8c2483be6e8bb6c2148315b4a924c65bb442b5e"
        },
        {
          "url": "https://git.kernel.org/stable/c/1d5f88f053480326873115092bc116b7d14916ba"
        }
      ],
      "title": "media: vidtv: Terminating the subsequent process of initialization failure",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38227",
    "datePublished": "2025-07-04T13:37:41.922Z",
    "dateReserved": "2025-04-16T04:51:23.995Z",
    "dateUpdated": "2025-11-03T17:35:44.869Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-22015 (GCVE-0-2025-22015)

Vulnerability from cvelistv5 – Published: 2025-04-08 08:18 – Updated: 2025-11-03 19:41

Title

mm/migrate: fix shmem xarray update during migration

Summary

In the Linux kernel, the following vulnerability has been resolved: mm/migrate: fix shmem xarray update during migration A shmem folio can be either in page cache or in swap cache, but not at the same time. Namely, once it is in swap cache, folio->mapping should be NULL, and the folio is no longer in a shmem mapping. In __folio_migrate_mapping(), to determine the number of xarray entries to update, folio_test_swapbacked() is used, but that conflates shmem in page cache case and shmem in swap cache case. It leads to xarray multi-index entry corruption, since it turns a sibling entry to a normal entry during xas_store() (see [1] for a userspace reproduction). Fix it by only using folio_test_swapcache() to determine whether xarray is storing swap cache entries or not to choose the right number of xarray entries to update. [1] https://lore.kernel.org/linux-mm/Z8idPCkaJW1IChjT@casper.infradead.org/ Note: In __split_huge_page(), folio_test_anon() && folio_test_swapcache() is used to get swap_cache address space, but that ignores the shmem folio in swap cache case. It could lead to NULL pointer dereferencing when a in-swap-cache shmem folio is split at __xa_store(), since !folio_test_anon() is true and folio->mapping is NULL. But fortunately, its caller split_huge_page_to_list_to_order() bails out early with EBUSY when folio->mapping is NULL. So no need to take care of it here.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/49100c0b070e900f8…
	https://git.kernel.org/stable/c/29124ae980e2860f0…
	https://git.kernel.org/stable/c/c057ee03f751d6cec…
	https://git.kernel.org/stable/c/75cfb92eb63298d71…
	https://git.kernel.org/stable/c/60cf233b585cdf1f3…

Impacted products

Vendor

Product

Version

Linux

Affected: be72d197b2281e2ee3f28017fc9be1ab17e26d16 , < 49100c0b070e900f87c8fac3be9b9ef8a30fa673 (git)
Affected: 07550b1461d4d0499165e7d6f7718cfd0e440427 , < 29124ae980e2860f0eec7355949d3d3292ee81da (git)
Affected: fc346d0a70a13d52fe1c4bc49516d83a42cd7c4c , < c057ee03f751d6cecf7ee64f52f6545d94082aaa (git)
Affected: fc346d0a70a13d52fe1c4bc49516d83a42cd7c4c , < 75cfb92eb63298d717b6b0118f91ba12c4fcfeb5 (git)
Affected: fc346d0a70a13d52fe1c4bc49516d83a42cd7c4c , < 60cf233b585cdf1f3c5e52d1225606b86acd08b0 (git)

Linux

Affected: 6.7
Unaffected: 0 , < 6.7 (semver)
Unaffected: 6.1.132 , ≤ 6.1.* (semver)
Unaffected: 6.6.85 , ≤ 6.6.* (semver)
Unaffected: 6.12.21 , ≤ 6.12.* (semver)
Unaffected: 6.13.9 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:41:00.297Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "mm/migrate.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "49100c0b070e900f87c8fac3be9b9ef8a30fa673",
              "status": "affected",
              "version": "be72d197b2281e2ee3f28017fc9be1ab17e26d16",
              "versionType": "git"
            },
            {
              "lessThan": "29124ae980e2860f0eec7355949d3d3292ee81da",
              "status": "affected",
              "version": "07550b1461d4d0499165e7d6f7718cfd0e440427",
              "versionType": "git"
            },
            {
              "lessThan": "c057ee03f751d6cecf7ee64f52f6545d94082aaa",
              "status": "affected",
              "version": "fc346d0a70a13d52fe1c4bc49516d83a42cd7c4c",
              "versionType": "git"
            },
            {
              "lessThan": "75cfb92eb63298d717b6b0118f91ba12c4fcfeb5",
              "status": "affected",
              "version": "fc346d0a70a13d52fe1c4bc49516d83a42cd7c4c",
              "versionType": "git"
            },
            {
              "lessThan": "60cf233b585cdf1f3c5e52d1225606b86acd08b0",
              "status": "affected",
              "version": "fc346d0a70a13d52fe1c4bc49516d83a42cd7c4c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "mm/migrate.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.7"
            },
            {
              "lessThan": "6.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.132",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.85",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.21",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.132",
                  "versionStartIncluding": "6.1.71",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.85",
                  "versionStartIncluding": "6.6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.21",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.9",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/migrate: fix shmem xarray update during migration\n\nA shmem folio can be either in page cache or in swap cache, but not at the\nsame time.  Namely, once it is in swap cache, folio-\u003emapping should be\nNULL, and the folio is no longer in a shmem mapping.\n\nIn __folio_migrate_mapping(), to determine the number of xarray entries to\nupdate, folio_test_swapbacked() is used, but that conflates shmem in page\ncache case and shmem in swap cache case.  It leads to xarray multi-index\nentry corruption, since it turns a sibling entry to a normal entry during\nxas_store() (see [1] for a userspace reproduction).  Fix it by only using\nfolio_test_swapcache() to determine whether xarray is storing swap cache\nentries or not to choose the right number of xarray entries to update.\n\n[1] https://lore.kernel.org/linux-mm/Z8idPCkaJW1IChjT@casper.infradead.org/\n\nNote:\nIn __split_huge_page(), folio_test_anon() \u0026\u0026 folio_test_swapcache() is\nused to get swap_cache address space, but that ignores the shmem folio in\nswap cache case.  It could lead to NULL pointer dereferencing when a\nin-swap-cache shmem folio is split at __xa_store(), since\n!folio_test_anon() is true and folio-\u003emapping is NULL.  But fortunately,\nits caller split_huge_page_to_list_to_order() bails out early with EBUSY\nwhen folio-\u003emapping is NULL.  So no need to take care of it here."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:27:44.695Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/49100c0b070e900f87c8fac3be9b9ef8a30fa673"
        },
        {
          "url": "https://git.kernel.org/stable/c/29124ae980e2860f0eec7355949d3d3292ee81da"
        },
        {
          "url": "https://git.kernel.org/stable/c/c057ee03f751d6cecf7ee64f52f6545d94082aaa"
        },
        {
          "url": "https://git.kernel.org/stable/c/75cfb92eb63298d717b6b0118f91ba12c4fcfeb5"
        },
        {
          "url": "https://git.kernel.org/stable/c/60cf233b585cdf1f3c5e52d1225606b86acd08b0"
        }
      ],
      "title": "mm/migrate: fix shmem xarray update during migration",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-22015",
    "datePublished": "2025-04-08T08:18:05.287Z",
    "dateReserved": "2024-12-29T08:45:45.806Z",
    "dateUpdated": "2025-11-03T19:41:00.297Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38055 (GCVE-0-2025-38055)

Vulnerability from cvelistv5 – Published: 2025-06-18 09:33 – Updated: 2025-06-18 09:33

Title

perf/x86/intel: Fix segfault with PEBS-via-PT with sample_freq

Summary

In the Linux kernel, the following vulnerability has been resolved: perf/x86/intel: Fix segfault with PEBS-via-PT with sample_freq Currently, using PEBS-via-PT with a sample frequency instead of a sample period, causes a segfault. For example: BUG: kernel NULL pointer dereference, address: 0000000000000195 <NMI> ? __die_body.cold+0x19/0x27 ? page_fault_oops+0xca/0x290 ? exc_page_fault+0x7e/0x1b0 ? asm_exc_page_fault+0x26/0x30 ? intel_pmu_pebs_event_update_no_drain+0x40/0x60 ? intel_pmu_pebs_event_update_no_drain+0x32/0x60 intel_pmu_drain_pebs_icl+0x333/0x350 handle_pmi_common+0x272/0x3c0 intel_pmu_handle_irq+0x10a/0x2e0 perf_event_nmi_handler+0x2a/0x50 That happens because intel_pmu_pebs_event_update_no_drain() assumes all the pebs_enabled bits represent counter indexes, which is not always the case. In this particular case, bits 60 and 61 are set for PEBS-via-PT purposes. The behaviour of PEBS-via-PT with sample frequency is questionable because although a PMI is generated (PEBS_PMI_AFTER_EACH_RECORD), the period is not adjusted anyway. Putting that aside, fix intel_pmu_pebs_event_update_no_drain() by passing the mask of counter bits instead of 'size'. Note, prior to the Fixes commit, 'size' would be limited to the maximum counter index, so the issue was not hit.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/ca51db23166767a84…
	https://git.kernel.org/stable/c/0b1874a5b1173fbcb…
	https://git.kernel.org/stable/c/99bcd91fabada0dbb…

Impacted products

Vendor

Product

Version

Linux

Affected: 722e42e45c2f1c6d1adec7813651dba5139f52f4 , < ca51db23166767a8445deb8331c9b8d5205d9287 (git)
Affected: 722e42e45c2f1c6d1adec7813651dba5139f52f4 , < 0b1874a5b1173fbcb2185ab828f4c33d067e551e (git)
Affected: 722e42e45c2f1c6d1adec7813651dba5139f52f4 , < 99bcd91fabada0dbb1d5f0de44532d8008db93c6 (git)
Affected: a9d6d466bcf0621a872e1052bc40e4c6f0541b8d (git)

Linux

Affected: 6.11
Unaffected: 0 , < 6.11 (semver)
Unaffected: 6.12.31 , ≤ 6.12.* (semver)
Unaffected: 6.14.9 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/events/intel/ds.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ca51db23166767a8445deb8331c9b8d5205d9287",
              "status": "affected",
              "version": "722e42e45c2f1c6d1adec7813651dba5139f52f4",
              "versionType": "git"
            },
            {
              "lessThan": "0b1874a5b1173fbcb2185ab828f4c33d067e551e",
              "status": "affected",
              "version": "722e42e45c2f1c6d1adec7813651dba5139f52f4",
              "versionType": "git"
            },
            {
              "lessThan": "99bcd91fabada0dbb1d5f0de44532d8008db93c6",
              "status": "affected",
              "version": "722e42e45c2f1c6d1adec7813651dba5139f52f4",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "a9d6d466bcf0621a872e1052bc40e4c6f0541b8d",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/events/intel/ds.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.11"
            },
            {
              "lessThan": "6.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.31",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.31",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.9",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.10.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/x86/intel: Fix segfault with PEBS-via-PT with sample_freq\n\nCurrently, using PEBS-via-PT with a sample frequency instead of a sample\nperiod, causes a segfault.  For example:\n\n    BUG: kernel NULL pointer dereference, address: 0000000000000195\n    \u003cNMI\u003e\n    ? __die_body.cold+0x19/0x27\n    ? page_fault_oops+0xca/0x290\n    ? exc_page_fault+0x7e/0x1b0\n    ? asm_exc_page_fault+0x26/0x30\n    ? intel_pmu_pebs_event_update_no_drain+0x40/0x60\n    ? intel_pmu_pebs_event_update_no_drain+0x32/0x60\n    intel_pmu_drain_pebs_icl+0x333/0x350\n    handle_pmi_common+0x272/0x3c0\n    intel_pmu_handle_irq+0x10a/0x2e0\n    perf_event_nmi_handler+0x2a/0x50\n\nThat happens because intel_pmu_pebs_event_update_no_drain() assumes all the\npebs_enabled bits represent counter indexes, which is not always the case.\nIn this particular case, bits 60 and 61 are set for PEBS-via-PT purposes.\n\nThe behaviour of PEBS-via-PT with sample frequency is questionable because\nalthough a PMI is generated (PEBS_PMI_AFTER_EACH_RECORD), the period is not\nadjusted anyway.\n\nPutting that aside, fix intel_pmu_pebs_event_update_no_drain() by passing\nthe mask of counter bits instead of \u0027size\u0027.  Note, prior to the Fixes\ncommit, \u0027size\u0027 would be limited to the maximum counter index, so the issue\nwas not hit."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-18T09:33:35.556Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ca51db23166767a8445deb8331c9b8d5205d9287"
        },
        {
          "url": "https://git.kernel.org/stable/c/0b1874a5b1173fbcb2185ab828f4c33d067e551e"
        },
        {
          "url": "https://git.kernel.org/stable/c/99bcd91fabada0dbb1d5f0de44532d8008db93c6"
        }
      ],
      "title": "perf/x86/intel: Fix segfault with PEBS-via-PT with sample_freq",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38055",
    "datePublished": "2025-06-18T09:33:35.556Z",
    "dateReserved": "2025-04-16T04:51:23.979Z",
    "dateUpdated": "2025-06-18T09:33:35.556Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38073 (GCVE-0-2025-38073)

Vulnerability from cvelistv5 – Published: 2025-06-18 09:33 – Updated: 2026-01-02 15:39

This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:39:20.766Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "rejectedReasons": [
        {
          "lang": "en",
          "value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority."
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38073",
    "datePublished": "2025-06-18T09:33:49.393Z",
    "dateRejected": "2026-01-02T15:39:20.766Z",
    "dateReserved": "2025-04-16T04:51:23.980Z",
    "dateUpdated": "2026-01-02T15:39:20.766Z",
    "state": "REJECTED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38090 (GCVE-0-2025-38090)

Vulnerability from cvelistv5 – Published: 2025-06-30 07:29 – Updated: 2025-11-03 17:33

Title

drivers/rapidio/rio_cm.c: prevent possible heap overwrite

Summary

In the Linux kernel, the following vulnerability has been resolved: drivers/rapidio/rio_cm.c: prevent possible heap overwrite In riocm_cdev_ioctl(RIO_CM_CHAN_SEND) -> cm_chan_msg_send() -> riocm_ch_send() cm_chan_msg_send() checks that userspace didn't send too much data but riocm_ch_send() failed to check that userspace sent sufficient data. The result is that riocm_ch_send() can write to fields in the rio_ch_chan_hdr which were outside the bounds of the space which cm_chan_msg_send() allocated. Address this by teaching riocm_ch_send() to check that the entire rio_ch_chan_hdr was copied in from userspace.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/a8b5ea2e302aa5cd0…
	https://git.kernel.org/stable/c/c03ddc183249f03fc…
	https://git.kernel.org/stable/c/58f664614f8c3d614…
	https://git.kernel.org/stable/c/ecf5ee280b702270a…
	https://git.kernel.org/stable/c/1921781ec4a8824bd…
	https://git.kernel.org/stable/c/1cce6ac47f4a2ac17…
	https://git.kernel.org/stable/c/6d5c6711a55c35ce0…
	https://git.kernel.org/stable/c/50695153d7ddde3b1…

Impacted products

Vendor

Product

Version

Linux

Affected: b6e8d4aa1110306378af0f3472a6b85a1f039a16 , < a8b5ea2e302aa5cd00fc7addd8df53c9bde7b5f6 (git)
Affected: b6e8d4aa1110306378af0f3472a6b85a1f039a16 , < c03ddc183249f03fc7e057e02cae6f89144d0123 (git)
Affected: b6e8d4aa1110306378af0f3472a6b85a1f039a16 , < 58f664614f8c3d6142ab81ae551e466dc6e092e8 (git)
Affected: b6e8d4aa1110306378af0f3472a6b85a1f039a16 , < ecf5ee280b702270afb02f61b299d3dfe3ec7730 (git)
Affected: b6e8d4aa1110306378af0f3472a6b85a1f039a16 , < 1921781ec4a8824bd0c520bf9363e28a880d14ec (git)
Affected: b6e8d4aa1110306378af0f3472a6b85a1f039a16 , < 1cce6ac47f4a2ac1766b8a188dc8c8f6d8df2a53 (git)
Affected: b6e8d4aa1110306378af0f3472a6b85a1f039a16 , < 6d5c6711a55c35ce09b90705546050408d9d4b61 (git)
Affected: b6e8d4aa1110306378af0f3472a6b85a1f039a16 , < 50695153d7ddde3b1696dbf0085be0033bf3ddb3 (git)

Linux

Affected: 4.8
Unaffected: 0 , < 4.8 (semver)
Unaffected: 5.4.295 , ≤ 5.4.* (semver)
Unaffected: 5.10.239 , ≤ 5.10.* (semver)
Unaffected: 5.15.186 , ≤ 5.15.* (semver)
Unaffected: 6.1.142 , ≤ 6.1.* (semver)
Unaffected: 6.6.95 , ≤ 6.6.* (semver)
Unaffected: 6.12.35 , ≤ 6.12.* (semver)
Unaffected: 6.15.4 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:33:59.041Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/rapidio/rio_cm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a8b5ea2e302aa5cd00fc7addd8df53c9bde7b5f6",
              "status": "affected",
              "version": "b6e8d4aa1110306378af0f3472a6b85a1f039a16",
              "versionType": "git"
            },
            {
              "lessThan": "c03ddc183249f03fc7e057e02cae6f89144d0123",
              "status": "affected",
              "version": "b6e8d4aa1110306378af0f3472a6b85a1f039a16",
              "versionType": "git"
            },
            {
              "lessThan": "58f664614f8c3d6142ab81ae551e466dc6e092e8",
              "status": "affected",
              "version": "b6e8d4aa1110306378af0f3472a6b85a1f039a16",
              "versionType": "git"
            },
            {
              "lessThan": "ecf5ee280b702270afb02f61b299d3dfe3ec7730",
              "status": "affected",
              "version": "b6e8d4aa1110306378af0f3472a6b85a1f039a16",
              "versionType": "git"
            },
            {
              "lessThan": "1921781ec4a8824bd0c520bf9363e28a880d14ec",
              "status": "affected",
              "version": "b6e8d4aa1110306378af0f3472a6b85a1f039a16",
              "versionType": "git"
            },
            {
              "lessThan": "1cce6ac47f4a2ac1766b8a188dc8c8f6d8df2a53",
              "status": "affected",
              "version": "b6e8d4aa1110306378af0f3472a6b85a1f039a16",
              "versionType": "git"
            },
            {
              "lessThan": "6d5c6711a55c35ce09b90705546050408d9d4b61",
              "status": "affected",
              "version": "b6e8d4aa1110306378af0f3472a6b85a1f039a16",
              "versionType": "git"
            },
            {
              "lessThan": "50695153d7ddde3b1696dbf0085be0033bf3ddb3",
              "status": "affected",
              "version": "b6e8d4aa1110306378af0f3472a6b85a1f039a16",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/rapidio/rio_cm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.8"
            },
            {
              "lessThan": "4.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.295",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.95",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.35",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.295",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.95",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.35",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.4",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers/rapidio/rio_cm.c: prevent possible heap overwrite\n\nIn\n\nriocm_cdev_ioctl(RIO_CM_CHAN_SEND)\n   -\u003e cm_chan_msg_send()\n      -\u003e riocm_ch_send()\n\ncm_chan_msg_send() checks that userspace didn\u0027t send too much data but\nriocm_ch_send() failed to check that userspace sent sufficient data.  The\nresult is that riocm_ch_send() can write to fields in the rio_ch_chan_hdr\nwhich were outside the bounds of the space which cm_chan_msg_send()\nallocated.\n\nAddress this by teaching riocm_ch_send() to check that the entire\nrio_ch_chan_hdr was copied in from userspace."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:12:06.031Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a8b5ea2e302aa5cd00fc7addd8df53c9bde7b5f6"
        },
        {
          "url": "https://git.kernel.org/stable/c/c03ddc183249f03fc7e057e02cae6f89144d0123"
        },
        {
          "url": "https://git.kernel.org/stable/c/58f664614f8c3d6142ab81ae551e466dc6e092e8"
        },
        {
          "url": "https://git.kernel.org/stable/c/ecf5ee280b702270afb02f61b299d3dfe3ec7730"
        },
        {
          "url": "https://git.kernel.org/stable/c/1921781ec4a8824bd0c520bf9363e28a880d14ec"
        },
        {
          "url": "https://git.kernel.org/stable/c/1cce6ac47f4a2ac1766b8a188dc8c8f6d8df2a53"
        },
        {
          "url": "https://git.kernel.org/stable/c/6d5c6711a55c35ce09b90705546050408d9d4b61"
        },
        {
          "url": "https://git.kernel.org/stable/c/50695153d7ddde3b1696dbf0085be0033bf3ddb3"
        }
      ],
      "title": "drivers/rapidio/rio_cm.c: prevent possible heap overwrite",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38090",
    "datePublished": "2025-06-30T07:29:45.565Z",
    "dateReserved": "2025-04-16T04:51:23.982Z",
    "dateUpdated": "2025-11-03T17:33:59.041Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38129 (GCVE-0-2025-38129)

Vulnerability from cvelistv5 – Published: 2025-07-03 08:35 – Updated: 2026-01-19 12:18

Title

page_pool: Fix use-after-free in page_pool_recycle_in_ring

Summary

In the Linux kernel, the following vulnerability has been resolved: page_pool: Fix use-after-free in page_pool_recycle_in_ring syzbot reported a uaf in page_pool_recycle_in_ring: BUG: KASAN: slab-use-after-free in lock_release+0x151/0xa30 kernel/locking/lockdep.c:5862 Read of size 8 at addr ffff8880286045a0 by task syz.0.284/6943 CPU: 0 UID: 0 PID: 6943 Comm: syz.0.284 Not tainted 6.13.0-rc3-syzkaller-gdfa94ce54f41 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x169/0x550 mm/kasan/report.c:489 kasan_report+0x143/0x180 mm/kasan/report.c:602 lock_release+0x151/0xa30 kernel/locking/lockdep.c:5862 __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:165 [inline] _raw_spin_unlock_bh+0x1b/0x40 kernel/locking/spinlock.c:210 spin_unlock_bh include/linux/spinlock.h:396 [inline] ptr_ring_produce_bh include/linux/ptr_ring.h:164 [inline] page_pool_recycle_in_ring net/core/page_pool.c:707 [inline] page_pool_put_unrefed_netmem+0x748/0xb00 net/core/page_pool.c:826 page_pool_put_netmem include/net/page_pool/helpers.h:323 [inline] page_pool_put_full_netmem include/net/page_pool/helpers.h:353 [inline] napi_pp_put_page+0x149/0x2b0 net/core/skbuff.c:1036 skb_pp_recycle net/core/skbuff.c:1047 [inline] skb_free_head net/core/skbuff.c:1094 [inline] skb_release_data+0x6c4/0x8a0 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x1c9/0x380 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1263 [inline] __skb_queue_purge_reason include/linux/skbuff.h:3343 [inline] root cause is: page_pool_recycle_in_ring ptr_ring_produce spin_lock(&r->producer_lock); WRITE_ONCE(r->queue[r->producer++], ptr) //recycle last page to pool page_pool_release page_pool_scrub page_pool_empty_ring ptr_ring_consume page_pool_return_page //release all page __page_pool_destroy free_percpu(pool->recycle_stats); free(pool) //free spin_unlock(&r->producer_lock); //pool->ring uaf read recycle_stat_inc(pool, ring); page_pool can be free while page pool recycle the last page in ring. Add producer-lock barrier to page_pool_release to prevent the page pool from being free before all pages have been recycled. recycle_stat_inc() is empty when CONFIG_PAGE_POOL_STATS is not enabled, which will trigger Wempty-body build warning. Add definition for pool stat macro to fix warning.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/d69f28ef7cdafdcf3…
	https://git.kernel.org/stable/c/1a8c0b61d4cb55c54…
	https://git.kernel.org/stable/c/4914c0a166540e534…
	https://git.kernel.org/stable/c/e869a85acc2e60dc5…
	https://git.kernel.org/stable/c/4ab8c0f8905c9c4d0…
	https://git.kernel.org/stable/c/271683bb2cf32e512…

Impacted products

Vendor

Product

Version

Linux

Affected: ff7d6b27f894f1469dc51ccb828b7363ccd9799f , < d69f28ef7cdafdcf37ee310f38b1399e7d05f9a8 (git)
Affected: ff7d6b27f894f1469dc51ccb828b7363ccd9799f , < 1a8c0b61d4cb55c5440583ec9e7f86a730369e32 (git)
Affected: ff7d6b27f894f1469dc51ccb828b7363ccd9799f , < 4914c0a166540e534a0c1d43affd329d95fb56fd (git)
Affected: ff7d6b27f894f1469dc51ccb828b7363ccd9799f , < e869a85acc2e60dc554579b910826a4919d8cd98 (git)
Affected: ff7d6b27f894f1469dc51ccb828b7363ccd9799f , < 4ab8c0f8905c9c4d05e7f437e65a9a365573ff02 (git)
Affected: ff7d6b27f894f1469dc51ccb828b7363ccd9799f , < 271683bb2cf32e5126c592b5d5e6a756fa374fd9 (git)

Linux

Affected: 4.18
Unaffected: 0 , < 4.18 (semver)
Unaffected: 5.15.198 , ≤ 5.15.* (semver)
Unaffected: 6.1.160 , ≤ 6.1.* (semver)
Unaffected: 6.6.120 , ≤ 6.6.* (semver)
Unaffected: 6.12.34 , ≤ 6.12.* (semver)
Unaffected: 6.15.3 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/core/page_pool.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d69f28ef7cdafdcf37ee310f38b1399e7d05f9a8",
              "status": "affected",
              "version": "ff7d6b27f894f1469dc51ccb828b7363ccd9799f",
              "versionType": "git"
            },
            {
              "lessThan": "1a8c0b61d4cb55c5440583ec9e7f86a730369e32",
              "status": "affected",
              "version": "ff7d6b27f894f1469dc51ccb828b7363ccd9799f",
              "versionType": "git"
            },
            {
              "lessThan": "4914c0a166540e534a0c1d43affd329d95fb56fd",
              "status": "affected",
              "version": "ff7d6b27f894f1469dc51ccb828b7363ccd9799f",
              "versionType": "git"
            },
            {
              "lessThan": "e869a85acc2e60dc554579b910826a4919d8cd98",
              "status": "affected",
              "version": "ff7d6b27f894f1469dc51ccb828b7363ccd9799f",
              "versionType": "git"
            },
            {
              "lessThan": "4ab8c0f8905c9c4d05e7f437e65a9a365573ff02",
              "status": "affected",
              "version": "ff7d6b27f894f1469dc51ccb828b7363ccd9799f",
              "versionType": "git"
            },
            {
              "lessThan": "271683bb2cf32e5126c592b5d5e6a756fa374fd9",
              "status": "affected",
              "version": "ff7d6b27f894f1469dc51ccb828b7363ccd9799f",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/core/page_pool.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.18"
            },
            {
              "lessThan": "4.18",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.198",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.160",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.198",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.160",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.120",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npage_pool: Fix use-after-free in page_pool_recycle_in_ring\n\nsyzbot reported a uaf in page_pool_recycle_in_ring:\n\nBUG: KASAN: slab-use-after-free in lock_release+0x151/0xa30 kernel/locking/lockdep.c:5862\nRead of size 8 at addr ffff8880286045a0 by task syz.0.284/6943\n\nCPU: 0 UID: 0 PID: 6943 Comm: syz.0.284 Not tainted 6.13.0-rc3-syzkaller-gdfa94ce54f41 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:489\n kasan_report+0x143/0x180 mm/kasan/report.c:602\n lock_release+0x151/0xa30 kernel/locking/lockdep.c:5862\n __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:165 [inline]\n _raw_spin_unlock_bh+0x1b/0x40 kernel/locking/spinlock.c:210\n spin_unlock_bh include/linux/spinlock.h:396 [inline]\n ptr_ring_produce_bh include/linux/ptr_ring.h:164 [inline]\n page_pool_recycle_in_ring net/core/page_pool.c:707 [inline]\n page_pool_put_unrefed_netmem+0x748/0xb00 net/core/page_pool.c:826\n page_pool_put_netmem include/net/page_pool/helpers.h:323 [inline]\n page_pool_put_full_netmem include/net/page_pool/helpers.h:353 [inline]\n napi_pp_put_page+0x149/0x2b0 net/core/skbuff.c:1036\n skb_pp_recycle net/core/skbuff.c:1047 [inline]\n skb_free_head net/core/skbuff.c:1094 [inline]\n skb_release_data+0x6c4/0x8a0 net/core/skbuff.c:1125\n skb_release_all net/core/skbuff.c:1190 [inline]\n __kfree_skb net/core/skbuff.c:1204 [inline]\n sk_skb_reason_drop+0x1c9/0x380 net/core/skbuff.c:1242\n kfree_skb_reason include/linux/skbuff.h:1263 [inline]\n __skb_queue_purge_reason include/linux/skbuff.h:3343 [inline]\n\nroot cause is:\n\npage_pool_recycle_in_ring\n  ptr_ring_produce\n    spin_lock(\u0026r-\u003eproducer_lock);\n    WRITE_ONCE(r-\u003equeue[r-\u003eproducer++], ptr)\n      //recycle last page to pool\n\t\t\t\tpage_pool_release\n\t\t\t\t  page_pool_scrub\n\t\t\t\t    page_pool_empty_ring\n\t\t\t\t      ptr_ring_consume\n\t\t\t\t      page_pool_return_page  //release all page\n\t\t\t\t  __page_pool_destroy\n\t\t\t\t     free_percpu(pool-\u003erecycle_stats);\n\t\t\t\t     free(pool) //free\n\n     spin_unlock(\u0026r-\u003eproducer_lock); //pool-\u003ering uaf read\n  recycle_stat_inc(pool, ring);\n\npage_pool can be free while page pool recycle the last page in ring.\nAdd producer-lock barrier to page_pool_release to prevent the page\npool from being free before all pages have been recycled.\n\nrecycle_stat_inc() is empty when CONFIG_PAGE_POOL_STATS is not\nenabled, which will trigger Wempty-body build warning. Add definition\nfor pool stat macro to fix warning."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-19T12:18:00.706Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d69f28ef7cdafdcf37ee310f38b1399e7d05f9a8"
        },
        {
          "url": "https://git.kernel.org/stable/c/1a8c0b61d4cb55c5440583ec9e7f86a730369e32"
        },
        {
          "url": "https://git.kernel.org/stable/c/4914c0a166540e534a0c1d43affd329d95fb56fd"
        },
        {
          "url": "https://git.kernel.org/stable/c/e869a85acc2e60dc554579b910826a4919d8cd98"
        },
        {
          "url": "https://git.kernel.org/stable/c/4ab8c0f8905c9c4d05e7f437e65a9a365573ff02"
        },
        {
          "url": "https://git.kernel.org/stable/c/271683bb2cf32e5126c592b5d5e6a756fa374fd9"
        }
      ],
      "title": "page_pool: Fix use-after-free in page_pool_recycle_in_ring",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38129",
    "datePublished": "2025-07-03T08:35:33.728Z",
    "dateReserved": "2025-04-16T04:51:23.987Z",
    "dateUpdated": "2026-01-19T12:18:00.706Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38412 (GCVE-0-2025-38412)

Vulnerability from cvelistv5 – Published: 2025-07-25 13:20 – Updated: 2025-11-03 17:37

Title

platform/x86: dell-wmi-sysman: Fix WMI data block retrieval in sysfs callbacks

Summary

In the Linux kernel, the following vulnerability has been resolved: platform/x86: dell-wmi-sysman: Fix WMI data block retrieval in sysfs callbacks After retrieving WMI data blocks in sysfs callbacks, check for the validity of them before dereferencing their content.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/92c2d914b5337431d…
	https://git.kernel.org/stable/c/68e9963583d11963c…
	https://git.kernel.org/stable/c/0deb3eb78ebf225cb…
	https://git.kernel.org/stable/c/5df3b870bc389a176…
	https://git.kernel.org/stable/c/aaf847dcb4114fe8b…
	https://git.kernel.org/stable/c/eb617dd25ca176f3f…

Impacted products

Vendor

Product

Version

Linux

Affected: e8a60aa7404bfef37705da5607c97737073ac38d , < 92c2d914b5337431d885597a79a3a3d9d55e80b7 (git)
Affected: e8a60aa7404bfef37705da5607c97737073ac38d , < 68e9963583d11963ceca5d276e9c44684509f759 (git)
Affected: e8a60aa7404bfef37705da5607c97737073ac38d , < 0deb3eb78ebf225cb41aa9b2b2150f46cbfd359e (git)
Affected: e8a60aa7404bfef37705da5607c97737073ac38d , < 5df3b870bc389a1767c72448a3ce1c576ef4deab (git)
Affected: e8a60aa7404bfef37705da5607c97737073ac38d , < aaf847dcb4114fe8b25d4c1c790bedcb6088cb3d (git)
Affected: e8a60aa7404bfef37705da5607c97737073ac38d , < eb617dd25ca176f3fee24f873f0fd60010773d67 (git)

Linux

Affected: 5.11
Unaffected: 0 , < 5.11 (semver)
Unaffected: 5.15.187 , ≤ 5.15.* (semver)
Unaffected: 6.1.144 , ≤ 6.1.* (semver)
Unaffected: 6.6.97 , ≤ 6.6.* (semver)
Unaffected: 6.12.37 , ≤ 6.12.* (semver)
Unaffected: 6.15.6 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:37:44.050Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/platform/x86/dell/dell-wmi-sysman/dell-wmi-sysman.h",
            "drivers/platform/x86/dell/dell-wmi-sysman/enum-attributes.c",
            "drivers/platform/x86/dell/dell-wmi-sysman/int-attributes.c",
            "drivers/platform/x86/dell/dell-wmi-sysman/passobj-attributes.c",
            "drivers/platform/x86/dell/dell-wmi-sysman/string-attributes.c",
            "drivers/platform/x86/dell/dell-wmi-sysman/sysman.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "92c2d914b5337431d885597a79a3a3d9d55e80b7",
              "status": "affected",
              "version": "e8a60aa7404bfef37705da5607c97737073ac38d",
              "versionType": "git"
            },
            {
              "lessThan": "68e9963583d11963ceca5d276e9c44684509f759",
              "status": "affected",
              "version": "e8a60aa7404bfef37705da5607c97737073ac38d",
              "versionType": "git"
            },
            {
              "lessThan": "0deb3eb78ebf225cb41aa9b2b2150f46cbfd359e",
              "status": "affected",
              "version": "e8a60aa7404bfef37705da5607c97737073ac38d",
              "versionType": "git"
            },
            {
              "lessThan": "5df3b870bc389a1767c72448a3ce1c576ef4deab",
              "status": "affected",
              "version": "e8a60aa7404bfef37705da5607c97737073ac38d",
              "versionType": "git"
            },
            {
              "lessThan": "aaf847dcb4114fe8b25d4c1c790bedcb6088cb3d",
              "status": "affected",
              "version": "e8a60aa7404bfef37705da5607c97737073ac38d",
              "versionType": "git"
            },
            {
              "lessThan": "eb617dd25ca176f3fee24f873f0fd60010773d67",
              "status": "affected",
              "version": "e8a60aa7404bfef37705da5607c97737073ac38d",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/platform/x86/dell/dell-wmi-sysman/dell-wmi-sysman.h",
            "drivers/platform/x86/dell/dell-wmi-sysman/enum-attributes.c",
            "drivers/platform/x86/dell/dell-wmi-sysman/int-attributes.c",
            "drivers/platform/x86/dell/dell-wmi-sysman/passobj-attributes.c",
            "drivers/platform/x86/dell/dell-wmi-sysman/string-attributes.c",
            "drivers/platform/x86/dell/dell-wmi-sysman/sysman.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.11"
            },
            {
              "lessThan": "5.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.187",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.144",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.97",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.37",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.187",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.144",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.97",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.37",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.6",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: dell-wmi-sysman: Fix WMI data block retrieval in sysfs callbacks\n\nAfter retrieving WMI data blocks in sysfs callbacks, check for the\nvalidity of them before dereferencing their content."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:21:25.343Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/92c2d914b5337431d885597a79a3a3d9d55e80b7"
        },
        {
          "url": "https://git.kernel.org/stable/c/68e9963583d11963ceca5d276e9c44684509f759"
        },
        {
          "url": "https://git.kernel.org/stable/c/0deb3eb78ebf225cb41aa9b2b2150f46cbfd359e"
        },
        {
          "url": "https://git.kernel.org/stable/c/5df3b870bc389a1767c72448a3ce1c576ef4deab"
        },
        {
          "url": "https://git.kernel.org/stable/c/aaf847dcb4114fe8b25d4c1c790bedcb6088cb3d"
        },
        {
          "url": "https://git.kernel.org/stable/c/eb617dd25ca176f3fee24f873f0fd60010773d67"
        }
      ],
      "title": "platform/x86: dell-wmi-sysman: Fix WMI data block retrieval in sysfs callbacks",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38412",
    "datePublished": "2025-07-25T13:20:16.688Z",
    "dateReserved": "2025-04-16T04:51:24.013Z",
    "dateUpdated": "2025-11-03T17:37:44.050Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38377 (GCVE-0-2025-38377)

Vulnerability from cvelistv5 – Published: 2025-07-25 12:53 – Updated: 2025-11-03 17:37

Title

rose: fix dangling neighbour pointers in rose_rt_device_down()

Summary

In the Linux kernel, the following vulnerability has been resolved: rose: fix dangling neighbour pointers in rose_rt_device_down() There are two bugs in rose_rt_device_down() that can cause use-after-free: 1. The loop bound `t->count` is modified within the loop, which can cause the loop to terminate early and miss some entries. 2. When removing an entry from the neighbour array, the subsequent entries are moved up to fill the gap, but the loop index `i` is still incremented, causing the next entry to be skipped. For example, if a node has three neighbours (A, A, B) with count=3 and A is being removed, the second A is not checked. i=0: (A, A, B) -> (A, B) with count=2 ^ checked i=1: (A, B) -> (A, B) with count=2 ^ checked (B, not A!) i=2: (doesn't occur because i < count is false) This leaves the second A in the array with count=2, but the rose_neigh structure has been freed. Code that accesses these entries assumes that the first `count` entries are valid pointers, causing a use-after-free when it accesses the dangling pointer. Fix both issues by iterating over the array in reverse order with a fixed loop bound. This ensures that all entries are examined and that the removal of an entry doesn't affect subsequent iterations.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/94e0918e39039c47d…
	https://git.kernel.org/stable/c/fe62a35fb1f77f494…
	https://git.kernel.org/stable/c/2b952dbb32fef8357…
	https://git.kernel.org/stable/c/b6b232e16e08c6dc1…
	https://git.kernel.org/stable/c/7a1841c9609377e98…
	https://git.kernel.org/stable/c/446ac00b86be16708…
	https://git.kernel.org/stable/c/2c6c82ee074bfcfd1…
	https://git.kernel.org/stable/c/34a500caf48c47d51…

Impacted products

Vendor

Product

Version

Linux

Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 94e0918e39039c47ddceb609500817f7266be756 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < fe62a35fb1f77f494ed534fc69a9043dc5a30ce1 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 2b952dbb32fef835756f07ff0cd77efbb836dfea (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < b6b232e16e08c6dc120672b4753392df0d28c1b4 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 7a1841c9609377e989ec41c16551309ce79c39e4 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 446ac00b86be1670838e513b643933d78837d8db (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 2c6c82ee074bfcfd1bc978ec45bfea37703d840a (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 34a500caf48c47d5171f4aa1f237da39b07c6157 (git)

Linux

Affected: 2.6.12
Unaffected: 0 , < 2.6.12 (semver)
Unaffected: 5.4.296 , ≤ 5.4.* (semver)
Unaffected: 5.10.240 , ≤ 5.10.* (semver)
Unaffected: 5.15.187 , ≤ 5.15.* (semver)
Unaffected: 6.1.144 , ≤ 6.1.* (semver)
Unaffected: 6.6.97 , ≤ 6.6.* (semver)
Unaffected: 6.12.37 , ≤ 6.12.* (semver)
Unaffected: 6.15.6 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:37:14.330Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/rose/rose_route.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "94e0918e39039c47ddceb609500817f7266be756",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "fe62a35fb1f77f494ed534fc69a9043dc5a30ce1",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "2b952dbb32fef835756f07ff0cd77efbb836dfea",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "b6b232e16e08c6dc120672b4753392df0d28c1b4",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "7a1841c9609377e989ec41c16551309ce79c39e4",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "446ac00b86be1670838e513b643933d78837d8db",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "2c6c82ee074bfcfd1bc978ec45bfea37703d840a",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "34a500caf48c47d5171f4aa1f237da39b07c6157",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/rose/rose_route.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.296",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.240",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.187",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.144",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.97",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.37",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.296",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.240",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.187",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.144",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.97",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.37",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.6",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrose: fix dangling neighbour pointers in rose_rt_device_down()\n\nThere are two bugs in rose_rt_device_down() that can cause\nuse-after-free:\n\n1. The loop bound `t-\u003ecount` is modified within the loop, which can\n   cause the loop to terminate early and miss some entries.\n\n2. When removing an entry from the neighbour array, the subsequent entries\n   are moved up to fill the gap, but the loop index `i` is still\n   incremented, causing the next entry to be skipped.\n\nFor example, if a node has three neighbours (A, A, B) with count=3 and A\nis being removed, the second A is not checked.\n\n    i=0: (A, A, B) -\u003e (A, B) with count=2\n          ^ checked\n    i=1: (A, B)    -\u003e (A, B) with count=2\n             ^ checked (B, not A!)\n    i=2: (doesn\u0027t occur because i \u003c count is false)\n\nThis leaves the second A in the array with count=2, but the rose_neigh\nstructure has been freed. Code that accesses these entries assumes that\nthe first `count` entries are valid pointers, causing a use-after-free\nwhen it accesses the dangling pointer.\n\nFix both issues by iterating over the array in reverse order with a fixed\nloop bound. This ensures that all entries are examined and that the removal\nof an entry doesn\u0027t affect subsequent iterations."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:20:23.944Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/94e0918e39039c47ddceb609500817f7266be756"
        },
        {
          "url": "https://git.kernel.org/stable/c/fe62a35fb1f77f494ed534fc69a9043dc5a30ce1"
        },
        {
          "url": "https://git.kernel.org/stable/c/2b952dbb32fef835756f07ff0cd77efbb836dfea"
        },
        {
          "url": "https://git.kernel.org/stable/c/b6b232e16e08c6dc120672b4753392df0d28c1b4"
        },
        {
          "url": "https://git.kernel.org/stable/c/7a1841c9609377e989ec41c16551309ce79c39e4"
        },
        {
          "url": "https://git.kernel.org/stable/c/446ac00b86be1670838e513b643933d78837d8db"
        },
        {
          "url": "https://git.kernel.org/stable/c/2c6c82ee074bfcfd1bc978ec45bfea37703d840a"
        },
        {
          "url": "https://git.kernel.org/stable/c/34a500caf48c47d5171f4aa1f237da39b07c6157"
        }
      ],
      "title": "rose: fix dangling neighbour pointers in rose_rt_device_down()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38377",
    "datePublished": "2025-07-25T12:53:19.141Z",
    "dateReserved": "2025-04-16T04:51:24.010Z",
    "dateUpdated": "2025-11-03T17:37:14.330Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38287 (GCVE-0-2025-38287)

Vulnerability from cvelistv5 – Published: 2025-07-10 07:42 – Updated: 2025-07-28 04:17

Title

IB/cm: Drop lockdep assert and WARN when freeing old msg

Summary

In the Linux kernel, the following vulnerability has been resolved: IB/cm: Drop lockdep assert and WARN when freeing old msg The send completion handler can run after cm_id has advanced to another message. The cm_id lock is not needed in this case, but a recent change re-used cm_free_priv_msg(), which asserts that the lock is held and WARNs if the cm_id's currently outstanding msg is different than the one being freed.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/fc096a0cd2017cb0a…
	https://git.kernel.org/stable/c/7590649ee7af381a9…

Impacted products

Vendor

Product

Version

Linux

Affected: 1e5159219076ddb2e44338c667c83fd1bd43dfef , < fc096a0cd2017cb0aa1e7fb83131410af9283910 (git)
Affected: 1e5159219076ddb2e44338c667c83fd1bd43dfef , < 7590649ee7af381a9d1153143026dec124c5798e (git)

Linux

Affected: 6.13
Unaffected: 0 , < 6.13 (semver)
Unaffected: 6.15.3 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/core/cm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "fc096a0cd2017cb0aa1e7fb83131410af9283910",
              "status": "affected",
              "version": "1e5159219076ddb2e44338c667c83fd1bd43dfef",
              "versionType": "git"
            },
            {
              "lessThan": "7590649ee7af381a9d1153143026dec124c5798e",
              "status": "affected",
              "version": "1e5159219076ddb2e44338c667c83fd1bd43dfef",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/core/cm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.13"
            },
            {
              "lessThan": "6.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/cm: Drop lockdep assert and WARN when freeing old msg\n\nThe send completion handler can run after cm_id has advanced to another\nmessage.  The cm_id lock is not needed in this case, but a recent change\nre-used cm_free_priv_msg(), which asserts that the lock is held and\nWARNs if the cm_id\u0027s currently outstanding msg is different than the one\nbeing freed."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:17:30.531Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/fc096a0cd2017cb0aa1e7fb83131410af9283910"
        },
        {
          "url": "https://git.kernel.org/stable/c/7590649ee7af381a9d1153143026dec124c5798e"
        }
      ],
      "title": "IB/cm: Drop lockdep assert and WARN when freeing old msg",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38287",
    "datePublished": "2025-07-10T07:42:04.056Z",
    "dateReserved": "2025-04-16T04:51:24.000Z",
    "dateUpdated": "2025-07-28T04:17:30.531Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38109 (GCVE-0-2025-38109)

Vulnerability from cvelistv5 – Published: 2025-07-03 08:35 – Updated: 2025-07-28 04:12

Title

net/mlx5: Fix ECVF vports unload on shutdown flow

Summary

In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix ECVF vports unload on shutdown flow Fix shutdown flow UAF when a virtual function is created on the embedded chip (ECVF) of a BlueField device. In such case the vport acl ingress table is not properly destroyed. ECVF functionality is independent of ecpf_vport_exists capability and thus functions mlx5_eswitch_(enable|disable)_pf_vf_vports() should not test it when enabling/disabling ECVF vports. kernel log: [] refcount_t: underflow; use-after-free. [] WARNING: CPU: 3 PID: 1 at lib/refcount.c:28 refcount_warn_saturate+0x124/0x220 ---------------- [] Call trace: [] refcount_warn_saturate+0x124/0x220 [] tree_put_node+0x164/0x1e0 [mlx5_core] [] mlx5_destroy_flow_table+0x98/0x2c0 [mlx5_core] [] esw_acl_ingress_table_destroy+0x28/0x40 [mlx5_core] [] esw_acl_ingress_lgcy_cleanup+0x80/0xf4 [mlx5_core] [] esw_legacy_vport_acl_cleanup+0x44/0x60 [mlx5_core] [] esw_vport_cleanup+0x64/0x90 [mlx5_core] [] mlx5_esw_vport_disable+0xc0/0x1d0 [mlx5_core] [] mlx5_eswitch_unload_ec_vf_vports+0xcc/0x150 [mlx5_core] [] mlx5_eswitch_disable_sriov+0x198/0x2a0 [mlx5_core] [] mlx5_device_disable_sriov+0xb8/0x1e0 [mlx5_core] [] mlx5_sriov_detach+0x40/0x50 [mlx5_core] [] mlx5_unload+0x40/0xc4 [mlx5_core] [] mlx5_unload_one_devl_locked+0x6c/0xe4 [mlx5_core] [] mlx5_unload_one+0x3c/0x60 [mlx5_core] [] shutdown+0x7c/0xa4 [mlx5_core] [] pci_device_shutdown+0x3c/0xa0 [] device_shutdown+0x170/0x340 [] __do_sys_reboot+0x1f4/0x2a0 [] __arm64_sys_reboot+0x2c/0x40 [] invoke_syscall+0x78/0x100 [] el0_svc_common.constprop.0+0x54/0x184 [] do_el0_svc+0x30/0xac [] el0_svc+0x48/0x160 [] el0t_64_sync_handler+0xa4/0x12c [] el0t_64_sync+0x1a4/0x1a8 [] --[ end trace 9c4601d68c70030e ]---

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/5953ae44dfe5dbad3…
	https://git.kernel.org/stable/c/da15ca0553325acf6…
	https://git.kernel.org/stable/c/24db585d369f949f6…
	https://git.kernel.org/stable/c/687560d8a9a2d6548…

Impacted products

Vendor

Product

Version

Linux

Affected: a7719b29a82199b90ebbf355d3332e0fbfbf6045 , < 5953ae44dfe5dbad374318875be834c3b7b71ee6 (git)
Affected: a7719b29a82199b90ebbf355d3332e0fbfbf6045 , < da15ca0553325acf68039015f2f4db750c8e2b96 (git)
Affected: a7719b29a82199b90ebbf355d3332e0fbfbf6045 , < 24db585d369f949f698e03d7d8017e5ae19d0497 (git)
Affected: a7719b29a82199b90ebbf355d3332e0fbfbf6045 , < 687560d8a9a2d654829ad0da1ec24242f1de711d (git)

Linux

Affected: 6.5
Unaffected: 0 , < 6.5 (semver)
Unaffected: 6.6.94 , ≤ 6.6.* (semver)
Unaffected: 6.12.34 , ≤ 6.12.* (semver)
Unaffected: 6.15.3 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/mellanox/mlx5/core/eswitch.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5953ae44dfe5dbad374318875be834c3b7b71ee6",
              "status": "affected",
              "version": "a7719b29a82199b90ebbf355d3332e0fbfbf6045",
              "versionType": "git"
            },
            {
              "lessThan": "da15ca0553325acf68039015f2f4db750c8e2b96",
              "status": "affected",
              "version": "a7719b29a82199b90ebbf355d3332e0fbfbf6045",
              "versionType": "git"
            },
            {
              "lessThan": "24db585d369f949f698e03d7d8017e5ae19d0497",
              "status": "affected",
              "version": "a7719b29a82199b90ebbf355d3332e0fbfbf6045",
              "versionType": "git"
            },
            {
              "lessThan": "687560d8a9a2d654829ad0da1ec24242f1de711d",
              "status": "affected",
              "version": "a7719b29a82199b90ebbf355d3332e0fbfbf6045",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/mellanox/mlx5/core/eswitch.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.5"
            },
            {
              "lessThan": "6.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.94",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Fix ECVF vports unload on shutdown flow\n\nFix shutdown flow UAF when a virtual function is created on the embedded\nchip (ECVF) of a BlueField device. In such case the vport acl ingress\ntable is not properly destroyed.\n\nECVF functionality is independent of ecpf_vport_exists capability and\nthus functions mlx5_eswitch_(enable|disable)_pf_vf_vports() should not\ntest it when enabling/disabling ECVF vports.\n\nkernel log:\n[] refcount_t: underflow; use-after-free.\n[] WARNING: CPU: 3 PID: 1 at lib/refcount.c:28\n   refcount_warn_saturate+0x124/0x220\n----------------\n[] Call trace:\n[] refcount_warn_saturate+0x124/0x220\n[] tree_put_node+0x164/0x1e0 [mlx5_core]\n[] mlx5_destroy_flow_table+0x98/0x2c0 [mlx5_core]\n[] esw_acl_ingress_table_destroy+0x28/0x40 [mlx5_core]\n[] esw_acl_ingress_lgcy_cleanup+0x80/0xf4 [mlx5_core]\n[] esw_legacy_vport_acl_cleanup+0x44/0x60 [mlx5_core]\n[] esw_vport_cleanup+0x64/0x90 [mlx5_core]\n[] mlx5_esw_vport_disable+0xc0/0x1d0 [mlx5_core]\n[] mlx5_eswitch_unload_ec_vf_vports+0xcc/0x150 [mlx5_core]\n[] mlx5_eswitch_disable_sriov+0x198/0x2a0 [mlx5_core]\n[] mlx5_device_disable_sriov+0xb8/0x1e0 [mlx5_core]\n[] mlx5_sriov_detach+0x40/0x50 [mlx5_core]\n[] mlx5_unload+0x40/0xc4 [mlx5_core]\n[] mlx5_unload_one_devl_locked+0x6c/0xe4 [mlx5_core]\n[] mlx5_unload_one+0x3c/0x60 [mlx5_core]\n[] shutdown+0x7c/0xa4 [mlx5_core]\n[] pci_device_shutdown+0x3c/0xa0\n[] device_shutdown+0x170/0x340\n[] __do_sys_reboot+0x1f4/0x2a0\n[] __arm64_sys_reboot+0x2c/0x40\n[] invoke_syscall+0x78/0x100\n[] el0_svc_common.constprop.0+0x54/0x184\n[] do_el0_svc+0x30/0xac\n[] el0_svc+0x48/0x160\n[] el0t_64_sync_handler+0xa4/0x12c\n[] el0t_64_sync+0x1a4/0x1a8\n[] --[ end trace 9c4601d68c70030e ]---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:12:25.395Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/5953ae44dfe5dbad374318875be834c3b7b71ee6"
        },
        {
          "url": "https://git.kernel.org/stable/c/da15ca0553325acf68039015f2f4db750c8e2b96"
        },
        {
          "url": "https://git.kernel.org/stable/c/24db585d369f949f698e03d7d8017e5ae19d0497"
        },
        {
          "url": "https://git.kernel.org/stable/c/687560d8a9a2d654829ad0da1ec24242f1de711d"
        }
      ],
      "title": "net/mlx5: Fix ECVF vports unload on shutdown flow",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38109",
    "datePublished": "2025-07-03T08:35:19.240Z",
    "dateReserved": "2025-04-16T04:51:23.985Z",
    "dateUpdated": "2025-07-28T04:12:25.395Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38683 (GCVE-0-2025-38683)

Vulnerability from cvelistv5 – Published: 2025-09-04 15:32 – Updated: 2025-11-03 17:41

Title

hv_netvsc: Fix panic during namespace deletion with VF

Summary

In the Linux kernel, the following vulnerability has been resolved: hv_netvsc: Fix panic during namespace deletion with VF The existing code move the VF NIC to new namespace when NETDEV_REGISTER is received on netvsc NIC. During deletion of the namespace, default_device_exit_batch() >> default_device_exit_net() is called. When netvsc NIC is moved back and registered to the default namespace, it automatically brings VF NIC back to the default namespace. This will cause the default_device_exit_net() >> for_each_netdev_safe loop unable to detect the list end, and hit NULL ptr: [ 231.449420] mana 7870:00:00.0 enP30832s1: Moved VF to namespace with: eth0 [ 231.449656] BUG: kernel NULL pointer dereference, address: 0000000000000010 [ 231.450246] #PF: supervisor read access in kernel mode [ 231.450579] #PF: error_code(0x0000) - not-present page [ 231.450916] PGD 17b8a8067 P4D 0 [ 231.451163] Oops: Oops: 0000 [#1] SMP NOPTI [ 231.451450] CPU: 82 UID: 0 PID: 1394 Comm: kworker/u768:1 Not tainted 6.16.0-rc4+ #3 VOLUNTARY [ 231.452042] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 11/21/2024 [ 231.452692] Workqueue: netns cleanup_net [ 231.452947] RIP: 0010:default_device_exit_batch+0x16c/0x3f0 [ 231.453326] Code: c0 0c f5 b3 e8 d5 db fe ff 48 85 c0 74 15 48 c7 c2 f8 fd ca b2 be 10 00 00 00 48 8d 7d c0 e8 7b 77 25 00 49 8b 86 28 01 00 00 <48> 8b 50 10 4c 8b 2a 4c 8d 62 f0 49 83 ed 10 4c 39 e0 0f 84 d6 00 [ 231.454294] RSP: 0018:ff75fc7c9bf9fd00 EFLAGS: 00010246 [ 231.454610] RAX: 0000000000000000 RBX: 0000000000000002 RCX: 61c8864680b583eb [ 231.455094] RDX: ff1fa9f71462d800 RSI: ff75fc7c9bf9fd38 RDI: 0000000030766564 [ 231.455686] RBP: ff75fc7c9bf9fd78 R08: 0000000000000000 R09: 0000000000000000 [ 231.456126] R10: 0000000000000001 R11: 0000000000000004 R12: ff1fa9f70088e340 [ 231.456621] R13: ff1fa9f70088e340 R14: ffffffffb3f50c20 R15: ff1fa9f7103e6340 [ 231.457161] FS: 0000000000000000(0000) GS:ff1faa6783a08000(0000) knlGS:0000000000000000 [ 231.457707] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 231.458031] CR2: 0000000000000010 CR3: 0000000179ab2006 CR4: 0000000000b73ef0 [ 231.458434] Call Trace: [ 231.458600] <TASK> [ 231.458777] ops_undo_list+0x100/0x220 [ 231.459015] cleanup_net+0x1b8/0x300 [ 231.459285] process_one_work+0x184/0x340 To fix it, move the ns change to a workqueue, and take rtnl_lock to avoid changing the netdev list when default_device_exit_net() is using it.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/3ca41ab55d23a0aa7…
	https://git.kernel.org/stable/c/3467c4ebb334658c6…
	https://git.kernel.org/stable/c/4eff1e57a8ef98d70…
	https://git.kernel.org/stable/c/2a70cbd1aef8b8be3…
	https://git.kernel.org/stable/c/d036104947176d030…
	https://git.kernel.org/stable/c/5276896e6923ebe8c…
	https://git.kernel.org/stable/c/4293f6c5ccf735b26…
	https://git.kernel.org/stable/c/33caa208dba6fa639…

Impacted products

Vendor

Product

Version

Linux

Affected: 3eb6aa870057da9f1304db660f68b9c2eb7e856d , < 3ca41ab55d23a0aa71661a5a56a8f06c11db90dc (git)
Affected: b7a396f76ada277d049558db648389456458af65 , < 3467c4ebb334658c6fcf3eabb64a6e8b2135e010 (git)
Affected: 4faa6e3e66b3251eb4bf5761d2f3f0f14095aaca , < 4eff1e57a8ef98d70451b94e8437e458b27dd234 (git)
Affected: 62c85b9a0dd7471a362170323e1211ad98ff7b4b , < 2a70cbd1aef8b8be39992ab7b776ce1390091774 (git)
Affected: 4c262801ea60c518b5bebc22a09f5b78b3147da2 , < d036104947176d030bec64792d54e1b4f4c7f318 (git)
Affected: 4c262801ea60c518b5bebc22a09f5b78b3147da2 , < 5276896e6923ebe8c68573779d784aaf7d987cce (git)
Affected: 4c262801ea60c518b5bebc22a09f5b78b3147da2 , < 4293f6c5ccf735b26afeb6825def14d830e0367b (git)
Affected: 4c262801ea60c518b5bebc22a09f5b78b3147da2 , < 33caa208dba6fa639e8a92fd0c8320b652e5550c (git)
Affected: 7abd221a55a61b6b2bf0e80f850bfc0ae75c7e01 (git)
Affected: 31a38a908c98aebc7a1104dab5f1ba199f234b7b (git)
Affected: 04d748d4bd2d86739b159563f257e3dc5492c88d (git)

Linux

Affected: 6.12
Unaffected: 0 , < 6.12 (semver)
Unaffected: 5.10.241 , ≤ 5.10.* (semver)
Unaffected: 5.15.190 , ≤ 5.15.* (semver)
Unaffected: 6.1.149 , ≤ 6.1.* (semver)
Unaffected: 6.6.103 , ≤ 6.6.* (semver)
Unaffected: 6.12.43 , ≤ 6.12.* (semver)
Unaffected: 6.15.11 , ≤ 6.15.* (semver)
Unaffected: 6.16.2 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:41:09.549Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/hyperv/hyperv_net.h",
            "drivers/net/hyperv/netvsc_drv.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3ca41ab55d23a0aa71661a5a56a8f06c11db90dc",
              "status": "affected",
              "version": "3eb6aa870057da9f1304db660f68b9c2eb7e856d",
              "versionType": "git"
            },
            {
              "lessThan": "3467c4ebb334658c6fcf3eabb64a6e8b2135e010",
              "status": "affected",
              "version": "b7a396f76ada277d049558db648389456458af65",
              "versionType": "git"
            },
            {
              "lessThan": "4eff1e57a8ef98d70451b94e8437e458b27dd234",
              "status": "affected",
              "version": "4faa6e3e66b3251eb4bf5761d2f3f0f14095aaca",
              "versionType": "git"
            },
            {
              "lessThan": "2a70cbd1aef8b8be39992ab7b776ce1390091774",
              "status": "affected",
              "version": "62c85b9a0dd7471a362170323e1211ad98ff7b4b",
              "versionType": "git"
            },
            {
              "lessThan": "d036104947176d030bec64792d54e1b4f4c7f318",
              "status": "affected",
              "version": "4c262801ea60c518b5bebc22a09f5b78b3147da2",
              "versionType": "git"
            },
            {
              "lessThan": "5276896e6923ebe8c68573779d784aaf7d987cce",
              "status": "affected",
              "version": "4c262801ea60c518b5bebc22a09f5b78b3147da2",
              "versionType": "git"
            },
            {
              "lessThan": "4293f6c5ccf735b26afeb6825def14d830e0367b",
              "status": "affected",
              "version": "4c262801ea60c518b5bebc22a09f5b78b3147da2",
              "versionType": "git"
            },
            {
              "lessThan": "33caa208dba6fa639e8a92fd0c8320b652e5550c",
              "status": "affected",
              "version": "4c262801ea60c518b5bebc22a09f5b78b3147da2",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "7abd221a55a61b6b2bf0e80f850bfc0ae75c7e01",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "31a38a908c98aebc7a1104dab5f1ba199f234b7b",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "04d748d4bd2d86739b159563f257e3dc5492c88d",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/hyperv/hyperv_net.h",
            "drivers/net/hyperv/netvsc_drv.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.12"
            },
            {
              "lessThan": "6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.241",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.149",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.103",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.43",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.241",
                  "versionStartIncluding": "5.10.229",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "5.15.170",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.149",
                  "versionStartIncluding": "6.1.115",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.103",
                  "versionStartIncluding": "6.6.59",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.43",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.11",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.2",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.19.323",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.4.285",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.11.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhv_netvsc: Fix panic during namespace deletion with VF\n\nThe existing code move the VF NIC to new namespace when NETDEV_REGISTER is\nreceived on netvsc NIC. During deletion of the namespace,\ndefault_device_exit_batch() \u003e\u003e default_device_exit_net() is called. When\nnetvsc NIC is moved back and registered to the default namespace, it\nautomatically brings VF NIC back to the default namespace. This will cause\nthe default_device_exit_net() \u003e\u003e for_each_netdev_safe loop unable to detect\nthe list end, and hit NULL ptr:\n\n[  231.449420] mana 7870:00:00.0 enP30832s1: Moved VF to namespace with: eth0\n[  231.449656] BUG: kernel NULL pointer dereference, address: 0000000000000010\n[  231.450246] #PF: supervisor read access in kernel mode\n[  231.450579] #PF: error_code(0x0000) - not-present page\n[  231.450916] PGD 17b8a8067 P4D 0\n[  231.451163] Oops: Oops: 0000 [#1] SMP NOPTI\n[  231.451450] CPU: 82 UID: 0 PID: 1394 Comm: kworker/u768:1 Not tainted 6.16.0-rc4+ #3 VOLUNTARY\n[  231.452042] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 11/21/2024\n[  231.452692] Workqueue: netns cleanup_net\n[  231.452947] RIP: 0010:default_device_exit_batch+0x16c/0x3f0\n[  231.453326] Code: c0 0c f5 b3 e8 d5 db fe ff 48 85 c0 74 15 48 c7 c2 f8 fd ca b2 be 10 00 00 00 48 8d 7d c0 e8 7b 77 25 00 49 8b 86 28 01 00 00 \u003c48\u003e 8b 50 10 4c 8b 2a 4c 8d 62 f0 49 83 ed 10 4c 39 e0 0f 84 d6 00\n[  231.454294] RSP: 0018:ff75fc7c9bf9fd00 EFLAGS: 00010246\n[  231.454610] RAX: 0000000000000000 RBX: 0000000000000002 RCX: 61c8864680b583eb\n[  231.455094] RDX: ff1fa9f71462d800 RSI: ff75fc7c9bf9fd38 RDI: 0000000030766564\n[  231.455686] RBP: ff75fc7c9bf9fd78 R08: 0000000000000000 R09: 0000000000000000\n[  231.456126] R10: 0000000000000001 R11: 0000000000000004 R12: ff1fa9f70088e340\n[  231.456621] R13: ff1fa9f70088e340 R14: ffffffffb3f50c20 R15: ff1fa9f7103e6340\n[  231.457161] FS:  0000000000000000(0000) GS:ff1faa6783a08000(0000) knlGS:0000000000000000\n[  231.457707] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  231.458031] CR2: 0000000000000010 CR3: 0000000179ab2006 CR4: 0000000000b73ef0\n[  231.458434] Call Trace:\n[  231.458600]  \u003cTASK\u003e\n[  231.458777]  ops_undo_list+0x100/0x220\n[  231.459015]  cleanup_net+0x1b8/0x300\n[  231.459285]  process_one_work+0x184/0x340\n\nTo fix it, move the ns change to a workqueue, and take rtnl_lock to avoid\nchanging the netdev list when default_device_exit_net() is using it."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-29T05:55:54.951Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3ca41ab55d23a0aa71661a5a56a8f06c11db90dc"
        },
        {
          "url": "https://git.kernel.org/stable/c/3467c4ebb334658c6fcf3eabb64a6e8b2135e010"
        },
        {
          "url": "https://git.kernel.org/stable/c/4eff1e57a8ef98d70451b94e8437e458b27dd234"
        },
        {
          "url": "https://git.kernel.org/stable/c/2a70cbd1aef8b8be39992ab7b776ce1390091774"
        },
        {
          "url": "https://git.kernel.org/stable/c/d036104947176d030bec64792d54e1b4f4c7f318"
        },
        {
          "url": "https://git.kernel.org/stable/c/5276896e6923ebe8c68573779d784aaf7d987cce"
        },
        {
          "url": "https://git.kernel.org/stable/c/4293f6c5ccf735b26afeb6825def14d830e0367b"
        },
        {
          "url": "https://git.kernel.org/stable/c/33caa208dba6fa639e8a92fd0c8320b652e5550c"
        }
      ],
      "title": "hv_netvsc: Fix panic during namespace deletion with VF",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38683",
    "datePublished": "2025-09-04T15:32:38.215Z",
    "dateReserved": "2025-04-16T04:51:24.032Z",
    "dateUpdated": "2025-11-03T17:41:09.549Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38300 (GCVE-0-2025-38300)

Vulnerability from cvelistv5 – Published: 2025-07-10 07:42 – Updated: 2025-11-03 17:36

Title

crypto: sun8i-ce-cipher - fix error handling in sun8i_ce_cipher_prepare()

Summary

In the Linux kernel, the following vulnerability has been resolved: crypto: sun8i-ce-cipher - fix error handling in sun8i_ce_cipher_prepare() Fix two DMA cleanup issues on the error path in sun8i_ce_cipher_prepare(): 1] If dma_map_sg() fails for areq->dst, the device driver would try to free DMA memory it has not allocated in the first place. To fix this, on the "theend_sgs" error path, call dma unmap only if the corresponding dma map was successful. 2] If the dma_map_single() call for the IV fails, the device driver would try to free an invalid DMA memory address on the "theend_iv" path: ------------[ cut here ]------------ DMA-API: sun8i-ce 1904000.crypto: device driver tries to free an invalid DMA memory address WARNING: CPU: 2 PID: 69 at kernel/dma/debug.c:968 check_unmap+0x123c/0x1b90 Modules linked in: skcipher_example(O+) CPU: 2 UID: 0 PID: 69 Comm: 1904000.crypto- Tainted: G O 6.15.0-rc3+ #24 PREEMPT Tainted: [O]=OOT_MODULE Hardware name: OrangePi Zero2 (DT) pc : check_unmap+0x123c/0x1b90 lr : check_unmap+0x123c/0x1b90 ... Call trace: check_unmap+0x123c/0x1b90 (P) debug_dma_unmap_page+0xac/0xc0 dma_unmap_page_attrs+0x1f4/0x5fc sun8i_ce_cipher_do_one+0x1bd4/0x1f40 crypto_pump_work+0x334/0x6e0 kthread_worker_fn+0x21c/0x438 kthread+0x374/0x664 ret_from_fork+0x10/0x20 ---[ end trace 0000000000000000 ]--- To fix this, check for !dma_mapping_error() before calling dma_unmap_single() on the "theend_iv" path.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/a0ac3f85b2e3ef529…
	https://git.kernel.org/stable/c/c62b79c1c51303dbc…
	https://git.kernel.org/stable/c/19d267d9fad00d94a…
	https://git.kernel.org/stable/c/4051250e5db489f8a…
	https://git.kernel.org/stable/c/f31adc3e356f7350d…

Impacted products

Vendor

Product

Version

Linux

Affected: 06f751b613296cc34b86fc83fccaf30d646eb8bc , < a0ac3f85b2e3ef529e852f252a70311f9029d5e6 (git)
Affected: 06f751b613296cc34b86fc83fccaf30d646eb8bc , < c62b79c1c51303dbcb6edfa4de0ee176f4934c52 (git)
Affected: 06f751b613296cc34b86fc83fccaf30d646eb8bc , < 19d267d9fad00d94ad8477899e38ed7c11f33fb6 (git)
Affected: 06f751b613296cc34b86fc83fccaf30d646eb8bc , < 4051250e5db489f8ad65fc337e2677b9b568ac72 (git)
Affected: 06f751b613296cc34b86fc83fccaf30d646eb8bc , < f31adc3e356f7350d4a4d68c98d3f60f2f6e26b3 (git)

Linux

Affected: 5.5
Unaffected: 0 , < 5.5 (semver)
Unaffected: 6.1.142 , ≤ 6.1.* (semver)
Unaffected: 6.6.94 , ≤ 6.6.* (semver)
Unaffected: 6.12.34 , ≤ 6.12.* (semver)
Unaffected: 6.15.3 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:36:20.735Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/crypto/allwinner/sun8i-ce/sun8i-ce-cipher.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a0ac3f85b2e3ef529e852f252a70311f9029d5e6",
              "status": "affected",
              "version": "06f751b613296cc34b86fc83fccaf30d646eb8bc",
              "versionType": "git"
            },
            {
              "lessThan": "c62b79c1c51303dbcb6edfa4de0ee176f4934c52",
              "status": "affected",
              "version": "06f751b613296cc34b86fc83fccaf30d646eb8bc",
              "versionType": "git"
            },
            {
              "lessThan": "19d267d9fad00d94ad8477899e38ed7c11f33fb6",
              "status": "affected",
              "version": "06f751b613296cc34b86fc83fccaf30d646eb8bc",
              "versionType": "git"
            },
            {
              "lessThan": "4051250e5db489f8ad65fc337e2677b9b568ac72",
              "status": "affected",
              "version": "06f751b613296cc34b86fc83fccaf30d646eb8bc",
              "versionType": "git"
            },
            {
              "lessThan": "f31adc3e356f7350d4a4d68c98d3f60f2f6e26b3",
              "status": "affected",
              "version": "06f751b613296cc34b86fc83fccaf30d646eb8bc",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/crypto/allwinner/sun8i-ce/sun8i-ce-cipher.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.5"
            },
            {
              "lessThan": "5.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.94",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: sun8i-ce-cipher - fix error handling in sun8i_ce_cipher_prepare()\n\nFix two DMA cleanup issues on the error path in sun8i_ce_cipher_prepare():\n\n1] If dma_map_sg() fails for areq-\u003edst, the device driver would try to free\n   DMA memory it has not allocated in the first place. To fix this, on the\n   \"theend_sgs\" error path, call dma unmap only if the corresponding dma\n   map was successful.\n\n2] If the dma_map_single() call for the IV fails, the device driver would\n   try to free an invalid DMA memory address on the \"theend_iv\" path:\n   ------------[ cut here ]------------\n   DMA-API: sun8i-ce 1904000.crypto: device driver tries to free an invalid DMA memory address\n   WARNING: CPU: 2 PID: 69 at kernel/dma/debug.c:968 check_unmap+0x123c/0x1b90\n   Modules linked in: skcipher_example(O+)\n   CPU: 2 UID: 0 PID: 69 Comm: 1904000.crypto- Tainted: G           O        6.15.0-rc3+ #24 PREEMPT\n   Tainted: [O]=OOT_MODULE\n   Hardware name: OrangePi Zero2 (DT)\n   pc : check_unmap+0x123c/0x1b90\n   lr : check_unmap+0x123c/0x1b90\n   ...\n   Call trace:\n    check_unmap+0x123c/0x1b90 (P)\n    debug_dma_unmap_page+0xac/0xc0\n    dma_unmap_page_attrs+0x1f4/0x5fc\n    sun8i_ce_cipher_do_one+0x1bd4/0x1f40\n    crypto_pump_work+0x334/0x6e0\n    kthread_worker_fn+0x21c/0x438\n    kthread+0x374/0x664\n    ret_from_fork+0x10/0x20\n   ---[ end trace 0000000000000000 ]---\n\nTo fix this, check for !dma_mapping_error() before calling\ndma_unmap_single() on the \"theend_iv\" path."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:17:54.404Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a0ac3f85b2e3ef529e852f252a70311f9029d5e6"
        },
        {
          "url": "https://git.kernel.org/stable/c/c62b79c1c51303dbcb6edfa4de0ee176f4934c52"
        },
        {
          "url": "https://git.kernel.org/stable/c/19d267d9fad00d94ad8477899e38ed7c11f33fb6"
        },
        {
          "url": "https://git.kernel.org/stable/c/4051250e5db489f8ad65fc337e2677b9b568ac72"
        },
        {
          "url": "https://git.kernel.org/stable/c/f31adc3e356f7350d4a4d68c98d3f60f2f6e26b3"
        }
      ],
      "title": "crypto: sun8i-ce-cipher - fix error handling in sun8i_ce_cipher_prepare()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38300",
    "datePublished": "2025-07-10T07:42:12.826Z",
    "dateReserved": "2025-04-16T04:51:24.002Z",
    "dateUpdated": "2025-11-03T17:36:20.735Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38295 (GCVE-0-2025-38295)

Vulnerability from cvelistv5 – Published: 2025-07-10 07:42 – Updated: 2025-07-28 04:17

Title

perf/amlogic: Replace smp_processor_id() with raw_smp_processor_id() in meson_ddr_pmu_create()

Summary

In the Linux kernel, the following vulnerability has been resolved: perf/amlogic: Replace smp_processor_id() with raw_smp_processor_id() in meson_ddr_pmu_create() The Amlogic DDR PMU driver meson_ddr_pmu_create() function incorrectly uses smp_processor_id(), which assumes disabled preemption. This leads to kernel warnings during module loading because meson_ddr_pmu_create() can be called in a preemptible context. Following kernel warning and stack trace: [ 31.745138] [ T2289] BUG: using smp_processor_id() in preemptible [00000000] code: (udev-worker)/2289 [ 31.745154] [ T2289] caller is debug_smp_processor_id+0x28/0x38 [ 31.745172] [ T2289] CPU: 4 UID: 0 PID: 2289 Comm: (udev-worker) Tainted: GW 6.14.0-0-MANJARO-ARM #1 59519addcbca6ba8de735e151fd7b9e97aac7ff0 [ 31.745181] [ T2289] Tainted: [W]=WARN [ 31.745183] [ T2289] Hardware name: Hardkernel ODROID-N2Plus (DT) [ 31.745188] [ T2289] Call trace: [ 31.745191] [ T2289] show_stack+0x28/0x40 (C) [ 31.745199] [ T2289] dump_stack_lvl+0x4c/0x198 [ 31.745205] [ T2289] dump_stack+0x20/0x50 [ 31.745209] [ T2289] check_preemption_disabled+0xec/0xf0 [ 31.745213] [ T2289] debug_smp_processor_id+0x28/0x38 [ 31.745216] [ T2289] meson_ddr_pmu_create+0x200/0x560 [meson_ddr_pmu_g12 8095101c49676ad138d9961e3eddaee10acca7bd] [ 31.745237] [ T2289] g12_ddr_pmu_probe+0x20/0x38 [meson_ddr_pmu_g12 8095101c49676ad138d9961e3eddaee10acca7bd] [ 31.745246] [ T2289] platform_probe+0x98/0xe0 [ 31.745254] [ T2289] really_probe+0x144/0x3f8 [ 31.745258] [ T2289] __driver_probe_device+0xb8/0x180 [ 31.745261] [ T2289] driver_probe_device+0x54/0x268 [ 31.745264] [ T2289] __driver_attach+0x11c/0x288 [ 31.745267] [ T2289] bus_for_each_dev+0xfc/0x160 [ 31.745274] [ T2289] driver_attach+0x34/0x50 [ 31.745277] [ T2289] bus_add_driver+0x160/0x2b0 [ 31.745281] [ T2289] driver_register+0x78/0x120 [ 31.745285] [ T2289] __platform_driver_register+0x30/0x48 [ 31.745288] [ T2289] init_module+0x30/0xfe0 [meson_ddr_pmu_g12 8095101c49676ad138d9961e3eddaee10acca7bd] [ 31.745298] [ T2289] do_one_initcall+0x11c/0x438 [ 31.745303] [ T2289] do_init_module+0x68/0x228 [ 31.745311] [ T2289] load_module+0x118c/0x13a8 [ 31.745315] [ T2289] __arm64_sys_finit_module+0x274/0x390 [ 31.745320] [ T2289] invoke_syscall+0x74/0x108 [ 31.745326] [ T2289] el0_svc_common+0x90/0xf8 [ 31.745330] [ T2289] do_el0_svc+0x2c/0x48 [ 31.745333] [ T2289] el0_svc+0x60/0x150 [ 31.745337] [ T2289] el0t_64_sync_handler+0x80/0x118 [ 31.745341] [ T2289] el0t_64_sync+0x1b8/0x1c0 Changes replaces smp_processor_id() with raw_smp_processor_id() to ensure safe CPU ID retrieval in preemptible contexts.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/77511c2d2d1cbce8d…
	https://git.kernel.org/stable/c/b038ffbd49e41f992…
	https://git.kernel.org/stable/c/6f5f53048d3b761d6…
	https://git.kernel.org/stable/c/097469a2b0f12b91b…

Impacted products

Vendor

Product

Version

Linux

Affected: 2016e2113d35ba06866961a39e9a9c822f2ffabd , < 77511c2d2d1cbce8d9b4f50849843dd469d14173 (git)
Affected: 2016e2113d35ba06866961a39e9a9c822f2ffabd , < b038ffbd49e41f99228dbb0c66d6dd7b20292884 (git)
Affected: 2016e2113d35ba06866961a39e9a9c822f2ffabd , < 6f5f53048d3b761d694430632d3a03977273e987 (git)
Affected: 2016e2113d35ba06866961a39e9a9c822f2ffabd , < 097469a2b0f12b91b4f27b9e9e4f2c46484cde30 (git)

Linux

Affected: 6.2
Unaffected: 0 , < 6.2 (semver)
Unaffected: 6.6.94 , ≤ 6.6.* (semver)
Unaffected: 6.12.34 , ≤ 6.12.* (semver)
Unaffected: 6.15.3 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/perf/amlogic/meson_ddr_pmu_core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "77511c2d2d1cbce8d9b4f50849843dd469d14173",
              "status": "affected",
              "version": "2016e2113d35ba06866961a39e9a9c822f2ffabd",
              "versionType": "git"
            },
            {
              "lessThan": "b038ffbd49e41f99228dbb0c66d6dd7b20292884",
              "status": "affected",
              "version": "2016e2113d35ba06866961a39e9a9c822f2ffabd",
              "versionType": "git"
            },
            {
              "lessThan": "6f5f53048d3b761d694430632d3a03977273e987",
              "status": "affected",
              "version": "2016e2113d35ba06866961a39e9a9c822f2ffabd",
              "versionType": "git"
            },
            {
              "lessThan": "097469a2b0f12b91b4f27b9e9e4f2c46484cde30",
              "status": "affected",
              "version": "2016e2113d35ba06866961a39e9a9c822f2ffabd",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/perf/amlogic/meson_ddr_pmu_core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.2"
            },
            {
              "lessThan": "6.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.94",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/amlogic: Replace smp_processor_id() with raw_smp_processor_id() in meson_ddr_pmu_create()\n\nThe Amlogic DDR PMU driver meson_ddr_pmu_create() function incorrectly uses\nsmp_processor_id(), which assumes disabled preemption. This leads to kernel\nwarnings during module loading because meson_ddr_pmu_create() can be called\nin a preemptible context.\n\nFollowing kernel warning and stack trace:\n[   31.745138] [   T2289] BUG: using smp_processor_id() in preemptible [00000000] code: (udev-worker)/2289\n[   31.745154] [   T2289] caller is debug_smp_processor_id+0x28/0x38\n[   31.745172] [   T2289] CPU: 4 UID: 0 PID: 2289 Comm: (udev-worker) Tainted: GW 6.14.0-0-MANJARO-ARM #1 59519addcbca6ba8de735e151fd7b9e97aac7ff0\n[   31.745181] [   T2289] Tainted: [W]=WARN\n[   31.745183] [   T2289] Hardware name: Hardkernel ODROID-N2Plus (DT)\n[   31.745188] [   T2289] Call trace:\n[   31.745191] [   T2289]  show_stack+0x28/0x40 (C)\n[   31.745199] [   T2289]  dump_stack_lvl+0x4c/0x198\n[   31.745205] [   T2289]  dump_stack+0x20/0x50\n[   31.745209] [   T2289]  check_preemption_disabled+0xec/0xf0\n[   31.745213] [   T2289]  debug_smp_processor_id+0x28/0x38\n[   31.745216] [   T2289]  meson_ddr_pmu_create+0x200/0x560 [meson_ddr_pmu_g12 8095101c49676ad138d9961e3eddaee10acca7bd]\n[   31.745237] [   T2289]  g12_ddr_pmu_probe+0x20/0x38 [meson_ddr_pmu_g12 8095101c49676ad138d9961e3eddaee10acca7bd]\n[   31.745246] [   T2289]  platform_probe+0x98/0xe0\n[   31.745254] [   T2289]  really_probe+0x144/0x3f8\n[   31.745258] [   T2289]  __driver_probe_device+0xb8/0x180\n[   31.745261] [   T2289]  driver_probe_device+0x54/0x268\n[   31.745264] [   T2289]  __driver_attach+0x11c/0x288\n[   31.745267] [   T2289]  bus_for_each_dev+0xfc/0x160\n[   31.745274] [   T2289]  driver_attach+0x34/0x50\n[   31.745277] [   T2289]  bus_add_driver+0x160/0x2b0\n[   31.745281] [   T2289]  driver_register+0x78/0x120\n[   31.745285] [   T2289]  __platform_driver_register+0x30/0x48\n[   31.745288] [   T2289]  init_module+0x30/0xfe0 [meson_ddr_pmu_g12 8095101c49676ad138d9961e3eddaee10acca7bd]\n[   31.745298] [   T2289]  do_one_initcall+0x11c/0x438\n[   31.745303] [   T2289]  do_init_module+0x68/0x228\n[   31.745311] [   T2289]  load_module+0x118c/0x13a8\n[   31.745315] [   T2289]  __arm64_sys_finit_module+0x274/0x390\n[   31.745320] [   T2289]  invoke_syscall+0x74/0x108\n[   31.745326] [   T2289]  el0_svc_common+0x90/0xf8\n[   31.745330] [   T2289]  do_el0_svc+0x2c/0x48\n[   31.745333] [   T2289]  el0_svc+0x60/0x150\n[   31.745337] [   T2289]  el0t_64_sync_handler+0x80/0x118\n[   31.745341] [   T2289]  el0t_64_sync+0x1b8/0x1c0\n\nChanges replaces smp_processor_id() with raw_smp_processor_id() to\nensure safe CPU ID retrieval in preemptible contexts."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:17:47.042Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/77511c2d2d1cbce8d9b4f50849843dd469d14173"
        },
        {
          "url": "https://git.kernel.org/stable/c/b038ffbd49e41f99228dbb0c66d6dd7b20292884"
        },
        {
          "url": "https://git.kernel.org/stable/c/6f5f53048d3b761d694430632d3a03977273e987"
        },
        {
          "url": "https://git.kernel.org/stable/c/097469a2b0f12b91b4f27b9e9e4f2c46484cde30"
        }
      ],
      "title": "perf/amlogic: Replace smp_processor_id() with raw_smp_processor_id() in meson_ddr_pmu_create()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38295",
    "datePublished": "2025-07-10T07:42:09.521Z",
    "dateReserved": "2025-04-16T04:51:24.001Z",
    "dateUpdated": "2025-07-28T04:17:47.042Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38037 (GCVE-0-2025-38037)

Vulnerability from cvelistv5 – Published: 2025-06-18 09:33 – Updated: 2025-11-03 17:33

Title

vxlan: Annotate FDB data races

Summary

In the Linux kernel, the following vulnerability has been resolved: vxlan: Annotate FDB data races The 'used' and 'updated' fields in the FDB entry structure can be accessed concurrently by multiple threads, leading to reports such as [1]. Can be reproduced using [2]. Suppress these reports by annotating these accesses using READ_ONCE() / WRITE_ONCE(). [1] BUG: KCSAN: data-race in vxlan_xmit / vxlan_xmit write to 0xffff942604d263a8 of 8 bytes by task 286 on cpu 0: vxlan_xmit+0xb29/0x2380 dev_hard_start_xmit+0x84/0x2f0 __dev_queue_xmit+0x45a/0x1650 packet_xmit+0x100/0x150 packet_sendmsg+0x2114/0x2ac0 __sys_sendto+0x318/0x330 __x64_sys_sendto+0x76/0x90 x64_sys_call+0x14e8/0x1c00 do_syscall_64+0x9e/0x1a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f read to 0xffff942604d263a8 of 8 bytes by task 287 on cpu 2: vxlan_xmit+0xadf/0x2380 dev_hard_start_xmit+0x84/0x2f0 __dev_queue_xmit+0x45a/0x1650 packet_xmit+0x100/0x150 packet_sendmsg+0x2114/0x2ac0 __sys_sendto+0x318/0x330 __x64_sys_sendto+0x76/0x90 x64_sys_call+0x14e8/0x1c00 do_syscall_64+0x9e/0x1a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f value changed: 0x00000000fffbac6e -> 0x00000000fffbac6f Reported by Kernel Concurrency Sanitizer on: CPU: 2 UID: 0 PID: 287 Comm: mausezahn Not tainted 6.13.0-rc7-01544-gb4b270f11a02 #5 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014 [2] #!/bin/bash set +H echo whitelist > /sys/kernel/debug/kcsan echo !vxlan_xmit > /sys/kernel/debug/kcsan ip link add name vx0 up type vxlan id 10010 dstport 4789 local 192.0.2.1 bridge fdb add 00:11:22:33:44:55 dev vx0 self static dst 198.51.100.1 taskset -c 0 mausezahn vx0 -a own -b 00:11:22:33:44:55 -c 0 -q & taskset -c 2 mausezahn vx0 -a own -b 00:11:22:33:44:55 -c 0 -q &

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/02a33b1035a307453…
	https://git.kernel.org/stable/c/87d076987a9ba106c…
	https://git.kernel.org/stable/c/e033da39fc6abbdda…
	https://git.kernel.org/stable/c/784b78295a3a58bf0…
	https://git.kernel.org/stable/c/13cba3f837903f718…
	https://git.kernel.org/stable/c/a6644aeb8ddf196de…
	https://git.kernel.org/stable/c/4eceb7eae6ea7c950…
	https://git.kernel.org/stable/c/f6205f8215f12a965…

Impacted products

Vendor

Product

Version

Linux

Affected: d342894c5d2f8c7df194c793ec4059656e09ca31 , < 02a33b1035a307453a1da6ce0a1bf3676be287d7 (git)
Affected: d342894c5d2f8c7df194c793ec4059656e09ca31 , < 87d076987a9ba106c83412fcd113656f71af05a1 (git)
Affected: d342894c5d2f8c7df194c793ec4059656e09ca31 , < e033da39fc6abbddab6c29624acef80757f273fa (git)
Affected: d342894c5d2f8c7df194c793ec4059656e09ca31 , < 784b78295a3a58bf052339dd669e6e03710220d3 (git)
Affected: d342894c5d2f8c7df194c793ec4059656e09ca31 , < 13cba3f837903f7184d6e9b6137d5165ffe82a8f (git)
Affected: d342894c5d2f8c7df194c793ec4059656e09ca31 , < a6644aeb8ddf196dec5f8e782293c36f065df4d7 (git)
Affected: d342894c5d2f8c7df194c793ec4059656e09ca31 , < 4eceb7eae6ea7c950384c34e6dbbe872c981935f (git)
Affected: d342894c5d2f8c7df194c793ec4059656e09ca31 , < f6205f8215f12a96518ac9469ff76294ae7bd612 (git)

Linux

Affected: 3.7
Unaffected: 0 , < 3.7 (semver)
Unaffected: 5.4.294 , ≤ 5.4.* (semver)
Unaffected: 5.10.238 , ≤ 5.10.* (semver)
Unaffected: 5.15.185 , ≤ 5.15.* (semver)
Unaffected: 6.1.141 , ≤ 6.1.* (semver)
Unaffected: 6.6.93 , ≤ 6.6.* (semver)
Unaffected: 6.12.31 , ≤ 6.12.* (semver)
Unaffected: 6.14.9 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:33:16.449Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/vxlan/vxlan_core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "02a33b1035a307453a1da6ce0a1bf3676be287d7",
              "status": "affected",
              "version": "d342894c5d2f8c7df194c793ec4059656e09ca31",
              "versionType": "git"
            },
            {
              "lessThan": "87d076987a9ba106c83412fcd113656f71af05a1",
              "status": "affected",
              "version": "d342894c5d2f8c7df194c793ec4059656e09ca31",
              "versionType": "git"
            },
            {
              "lessThan": "e033da39fc6abbddab6c29624acef80757f273fa",
              "status": "affected",
              "version": "d342894c5d2f8c7df194c793ec4059656e09ca31",
              "versionType": "git"
            },
            {
              "lessThan": "784b78295a3a58bf052339dd669e6e03710220d3",
              "status": "affected",
              "version": "d342894c5d2f8c7df194c793ec4059656e09ca31",
              "versionType": "git"
            },
            {
              "lessThan": "13cba3f837903f7184d6e9b6137d5165ffe82a8f",
              "status": "affected",
              "version": "d342894c5d2f8c7df194c793ec4059656e09ca31",
              "versionType": "git"
            },
            {
              "lessThan": "a6644aeb8ddf196dec5f8e782293c36f065df4d7",
              "status": "affected",
              "version": "d342894c5d2f8c7df194c793ec4059656e09ca31",
              "versionType": "git"
            },
            {
              "lessThan": "4eceb7eae6ea7c950384c34e6dbbe872c981935f",
              "status": "affected",
              "version": "d342894c5d2f8c7df194c793ec4059656e09ca31",
              "versionType": "git"
            },
            {
              "lessThan": "f6205f8215f12a96518ac9469ff76294ae7bd612",
              "status": "affected",
              "version": "d342894c5d2f8c7df194c793ec4059656e09ca31",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/vxlan/vxlan_core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.7"
            },
            {
              "lessThan": "3.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.294",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.238",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.185",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.141",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.93",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.31",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.294",
                  "versionStartIncluding": "3.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.238",
                  "versionStartIncluding": "3.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.185",
                  "versionStartIncluding": "3.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.141",
                  "versionStartIncluding": "3.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.93",
                  "versionStartIncluding": "3.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.31",
                  "versionStartIncluding": "3.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.9",
                  "versionStartIncluding": "3.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "3.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvxlan: Annotate FDB data races\n\nThe \u0027used\u0027 and \u0027updated\u0027 fields in the FDB entry structure can be\naccessed concurrently by multiple threads, leading to reports such as\n[1]. Can be reproduced using [2].\n\nSuppress these reports by annotating these accesses using\nREAD_ONCE() / WRITE_ONCE().\n\n[1]\nBUG: KCSAN: data-race in vxlan_xmit / vxlan_xmit\n\nwrite to 0xffff942604d263a8 of 8 bytes by task 286 on cpu 0:\n vxlan_xmit+0xb29/0x2380\n dev_hard_start_xmit+0x84/0x2f0\n __dev_queue_xmit+0x45a/0x1650\n packet_xmit+0x100/0x150\n packet_sendmsg+0x2114/0x2ac0\n __sys_sendto+0x318/0x330\n __x64_sys_sendto+0x76/0x90\n x64_sys_call+0x14e8/0x1c00\n do_syscall_64+0x9e/0x1a0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nread to 0xffff942604d263a8 of 8 bytes by task 287 on cpu 2:\n vxlan_xmit+0xadf/0x2380\n dev_hard_start_xmit+0x84/0x2f0\n __dev_queue_xmit+0x45a/0x1650\n packet_xmit+0x100/0x150\n packet_sendmsg+0x2114/0x2ac0\n __sys_sendto+0x318/0x330\n __x64_sys_sendto+0x76/0x90\n x64_sys_call+0x14e8/0x1c00\n do_syscall_64+0x9e/0x1a0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nvalue changed: 0x00000000fffbac6e -\u003e 0x00000000fffbac6f\n\nReported by Kernel Concurrency Sanitizer on:\nCPU: 2 UID: 0 PID: 287 Comm: mausezahn Not tainted 6.13.0-rc7-01544-gb4b270f11a02 #5\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014\n\n[2]\n #!/bin/bash\n\n set +H\n echo whitelist \u003e /sys/kernel/debug/kcsan\n echo !vxlan_xmit \u003e /sys/kernel/debug/kcsan\n\n ip link add name vx0 up type vxlan id 10010 dstport 4789 local 192.0.2.1\n bridge fdb add 00:11:22:33:44:55 dev vx0 self static dst 198.51.100.1\n taskset -c 0 mausezahn vx0 -a own -b 00:11:22:33:44:55 -c 0 -q \u0026\n taskset -c 2 mausezahn vx0 -a own -b 00:11:22:33:44:55 -c 0 -q \u0026"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-15T15:43:54.094Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/02a33b1035a307453a1da6ce0a1bf3676be287d7"
        },
        {
          "url": "https://git.kernel.org/stable/c/87d076987a9ba106c83412fcd113656f71af05a1"
        },
        {
          "url": "https://git.kernel.org/stable/c/e033da39fc6abbddab6c29624acef80757f273fa"
        },
        {
          "url": "https://git.kernel.org/stable/c/784b78295a3a58bf052339dd669e6e03710220d3"
        },
        {
          "url": "https://git.kernel.org/stable/c/13cba3f837903f7184d6e9b6137d5165ffe82a8f"
        },
        {
          "url": "https://git.kernel.org/stable/c/a6644aeb8ddf196dec5f8e782293c36f065df4d7"
        },
        {
          "url": "https://git.kernel.org/stable/c/4eceb7eae6ea7c950384c34e6dbbe872c981935f"
        },
        {
          "url": "https://git.kernel.org/stable/c/f6205f8215f12a96518ac9469ff76294ae7bd612"
        }
      ],
      "title": "vxlan: Annotate FDB data races",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38037",
    "datePublished": "2025-06-18T09:33:23.551Z",
    "dateReserved": "2025-04-16T04:51:23.978Z",
    "dateUpdated": "2025-11-03T17:33:16.449Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38439 (GCVE-0-2025-38439)

Vulnerability from cvelistv5 – Published: 2025-07-25 15:27 – Updated: 2025-11-03 17:38

Title

bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT

Summary

In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT When transmitting an XDP_REDIRECT packet, call dma_unmap_len_set() with the proper length instead of 0. This bug triggers this warning on a system with IOMMU enabled: WARNING: CPU: 36 PID: 0 at drivers/iommu/dma-iommu.c:842 __iommu_dma_unmap+0x159/0x170 RIP: 0010:__iommu_dma_unmap+0x159/0x170 Code: a8 00 00 00 00 48 c7 45 b0 00 00 00 00 48 c7 45 c8 00 00 00 00 48 c7 45 a0 ff ff ff ff 4c 89 45 b8 4c 89 45 c0 e9 77 ff ff ff <0f> 0b e9 60 ff ff ff e8 8b bf 6a 00 66 66 2e 0f 1f 84 00 00 00 00 RSP: 0018:ff22d31181150c88 EFLAGS: 00010206 RAX: 0000000000002000 RBX: 00000000e13a0000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ff22d31181150cf0 R08: ff22d31181150ca8 R09: 0000000000000000 R10: 0000000000000000 R11: ff22d311d36c9d80 R12: 0000000000001000 R13: ff13544d10645010 R14: ff22d31181150c90 R15: ff13544d0b2bac00 FS: 0000000000000000(0000) GS:ff13550908a00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00005be909dacff8 CR3: 0008000173408003 CR4: 0000000000f71ef0 PKRU: 55555554 Call Trace: <IRQ> ? show_regs+0x6d/0x80 ? __warn+0x89/0x160 ? __iommu_dma_unmap+0x159/0x170 ? report_bug+0x17e/0x1b0 ? handle_bug+0x46/0x90 ? exc_invalid_op+0x18/0x80 ? asm_exc_invalid_op+0x1b/0x20 ? __iommu_dma_unmap+0x159/0x170 ? __iommu_dma_unmap+0xb3/0x170 iommu_dma_unmap_page+0x4f/0x100 dma_unmap_page_attrs+0x52/0x220 ? srso_alias_return_thunk+0x5/0xfbef5 ? xdp_return_frame+0x2e/0xd0 bnxt_tx_int_xdp+0xdf/0x440 [bnxt_en] __bnxt_poll_work_done+0x81/0x1e0 [bnxt_en] bnxt_poll+0xd3/0x1e0 [bnxt_en]

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/e260f4d49370c85a4…
	https://git.kernel.org/stable/c/16ae306602163fcb7…
	https://git.kernel.org/stable/c/8d672a1a6bfc81fef…
	https://git.kernel.org/stable/c/f9eaf6d036075dc82…
	https://git.kernel.org/stable/c/5909679a82cd74cf0…
	https://git.kernel.org/stable/c/f154e41e1d9d15ab2…
	https://git.kernel.org/stable/c/50dad9909715094e7…
	https://git.kernel.org/stable/c/3cdf199d4755d4779…

Impacted products

Vendor

Product

Version

Linux

Affected: f18c2b77b2e4eec2313d519ba125bd6a069513cf , < e260f4d49370c85a4701d43c6d16b8c39f8b605f (git)
Affected: f18c2b77b2e4eec2313d519ba125bd6a069513cf , < 16ae306602163fcb7ae83f2701b542e43c100cee (git)
Affected: f18c2b77b2e4eec2313d519ba125bd6a069513cf , < 8d672a1a6bfc81fef9151925c9c0481f4acf4bec (git)
Affected: f18c2b77b2e4eec2313d519ba125bd6a069513cf , < f9eaf6d036075dc820520e1194692c0619b7297b (git)
Affected: f18c2b77b2e4eec2313d519ba125bd6a069513cf , < 5909679a82cd74cf0343d9e3ddf4b6931aa7e613 (git)
Affected: f18c2b77b2e4eec2313d519ba125bd6a069513cf , < f154e41e1d9d15ab21300ba7bbf0ebb5cb3b9c2a (git)
Affected: f18c2b77b2e4eec2313d519ba125bd6a069513cf , < 50dad9909715094e7d9ca25e9e0412b875987519 (git)
Affected: f18c2b77b2e4eec2313d519ba125bd6a069513cf , < 3cdf199d4755d477972ee87110b2aebc88b3cfad (git)

Linux

Affected: 5.3
Unaffected: 0 , < 5.3 (semver)
Unaffected: 5.4.296 , ≤ 5.4.* (semver)
Unaffected: 5.10.240 , ≤ 5.10.* (semver)
Unaffected: 5.15.189 , ≤ 5.15.* (semver)
Unaffected: 6.1.146 , ≤ 6.1.* (semver)
Unaffected: 6.6.99 , ≤ 6.6.* (semver)
Unaffected: 6.12.39 , ≤ 6.12.* (semver)
Unaffected: 6.15.7 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:38:02.718Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e260f4d49370c85a4701d43c6d16b8c39f8b605f",
              "status": "affected",
              "version": "f18c2b77b2e4eec2313d519ba125bd6a069513cf",
              "versionType": "git"
            },
            {
              "lessThan": "16ae306602163fcb7ae83f2701b542e43c100cee",
              "status": "affected",
              "version": "f18c2b77b2e4eec2313d519ba125bd6a069513cf",
              "versionType": "git"
            },
            {
              "lessThan": "8d672a1a6bfc81fef9151925c9c0481f4acf4bec",
              "status": "affected",
              "version": "f18c2b77b2e4eec2313d519ba125bd6a069513cf",
              "versionType": "git"
            },
            {
              "lessThan": "f9eaf6d036075dc820520e1194692c0619b7297b",
              "status": "affected",
              "version": "f18c2b77b2e4eec2313d519ba125bd6a069513cf",
              "versionType": "git"
            },
            {
              "lessThan": "5909679a82cd74cf0343d9e3ddf4b6931aa7e613",
              "status": "affected",
              "version": "f18c2b77b2e4eec2313d519ba125bd6a069513cf",
              "versionType": "git"
            },
            {
              "lessThan": "f154e41e1d9d15ab21300ba7bbf0ebb5cb3b9c2a",
              "status": "affected",
              "version": "f18c2b77b2e4eec2313d519ba125bd6a069513cf",
              "versionType": "git"
            },
            {
              "lessThan": "50dad9909715094e7d9ca25e9e0412b875987519",
              "status": "affected",
              "version": "f18c2b77b2e4eec2313d519ba125bd6a069513cf",
              "versionType": "git"
            },
            {
              "lessThan": "3cdf199d4755d477972ee87110b2aebc88b3cfad",
              "status": "affected",
              "version": "f18c2b77b2e4eec2313d519ba125bd6a069513cf",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.3"
            },
            {
              "lessThan": "5.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.296",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.240",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.189",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.146",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.99",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.39",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.296",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.240",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.189",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.146",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.99",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.39",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.7",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt_en: Set DMA unmap len correctly for XDP_REDIRECT\n\nWhen transmitting an XDP_REDIRECT packet, call dma_unmap_len_set()\nwith the proper length instead of 0.  This bug triggers this warning\non a system with IOMMU enabled:\n\nWARNING: CPU: 36 PID: 0 at drivers/iommu/dma-iommu.c:842 __iommu_dma_unmap+0x159/0x170\nRIP: 0010:__iommu_dma_unmap+0x159/0x170\nCode: a8 00 00 00 00 48 c7 45 b0 00 00 00 00 48 c7 45 c8 00 00 00 00 48 c7 45 a0 ff ff ff ff 4c 89 45\nb8 4c 89 45 c0 e9 77 ff ff ff \u003c0f\u003e 0b e9 60 ff ff ff e8 8b bf 6a 00 66 66 2e 0f 1f 84 00 00 00 00\nRSP: 0018:ff22d31181150c88 EFLAGS: 00010206\nRAX: 0000000000002000 RBX: 00000000e13a0000 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: ff22d31181150cf0 R08: ff22d31181150ca8 R09: 0000000000000000\nR10: 0000000000000000 R11: ff22d311d36c9d80 R12: 0000000000001000\nR13: ff13544d10645010 R14: ff22d31181150c90 R15: ff13544d0b2bac00\nFS: 0000000000000000(0000) GS:ff13550908a00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00005be909dacff8 CR3: 0008000173408003 CR4: 0000000000f71ef0\nPKRU: 55555554\nCall Trace:\n\u003cIRQ\u003e\n? show_regs+0x6d/0x80\n? __warn+0x89/0x160\n? __iommu_dma_unmap+0x159/0x170\n? report_bug+0x17e/0x1b0\n? handle_bug+0x46/0x90\n? exc_invalid_op+0x18/0x80\n? asm_exc_invalid_op+0x1b/0x20\n? __iommu_dma_unmap+0x159/0x170\n? __iommu_dma_unmap+0xb3/0x170\niommu_dma_unmap_page+0x4f/0x100\ndma_unmap_page_attrs+0x52/0x220\n? srso_alias_return_thunk+0x5/0xfbef5\n? xdp_return_frame+0x2e/0xd0\nbnxt_tx_int_xdp+0xdf/0x440 [bnxt_en]\n__bnxt_poll_work_done+0x81/0x1e0 [bnxt_en]\nbnxt_poll+0xd3/0x1e0 [bnxt_en]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:22:14.626Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e260f4d49370c85a4701d43c6d16b8c39f8b605f"
        },
        {
          "url": "https://git.kernel.org/stable/c/16ae306602163fcb7ae83f2701b542e43c100cee"
        },
        {
          "url": "https://git.kernel.org/stable/c/8d672a1a6bfc81fef9151925c9c0481f4acf4bec"
        },
        {
          "url": "https://git.kernel.org/stable/c/f9eaf6d036075dc820520e1194692c0619b7297b"
        },
        {
          "url": "https://git.kernel.org/stable/c/5909679a82cd74cf0343d9e3ddf4b6931aa7e613"
        },
        {
          "url": "https://git.kernel.org/stable/c/f154e41e1d9d15ab21300ba7bbf0ebb5cb3b9c2a"
        },
        {
          "url": "https://git.kernel.org/stable/c/50dad9909715094e7d9ca25e9e0412b875987519"
        },
        {
          "url": "https://git.kernel.org/stable/c/3cdf199d4755d477972ee87110b2aebc88b3cfad"
        }
      ],
      "title": "bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38439",
    "datePublished": "2025-07-25T15:27:18.640Z",
    "dateReserved": "2025-04-16T04:51:24.016Z",
    "dateUpdated": "2025-11-03T17:38:02.718Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21919 (GCVE-0-2025-21919)

Vulnerability from cvelistv5 – Published: 2025-04-01 15:40 – Updated: 2025-11-03 19:39

Title

sched/fair: Fix potential memory corruption in child_cfs_rq_on_list

Summary

In the Linux kernel, the following vulnerability has been resolved: sched/fair: Fix potential memory corruption in child_cfs_rq_on_list child_cfs_rq_on_list attempts to convert a 'prev' pointer to a cfs_rq. This 'prev' pointer can originate from struct rq's leaf_cfs_rq_list, making the conversion invalid and potentially leading to memory corruption. Depending on the relative positions of leaf_cfs_rq_list and the task group (tg) pointer within the struct, this can cause a memory fault or access garbage data. The issue arises in list_add_leaf_cfs_rq, where both cfs_rq->leaf_cfs_rq_list and rq->leaf_cfs_rq_list are added to the same leaf list. Also, rq->tmp_alone_branch can be set to rq->leaf_cfs_rq_list. This adds a check `if (prev == &rq->leaf_cfs_rq_list)` after the main conditional in child_cfs_rq_on_list. This ensures that the container_of operation will convert a correct cfs_rq struct. This check is sufficient because only cfs_rqs on the same CPU are added to the list, so verifying the 'prev' pointer against the current rq's list head is enough. Fixes a potential memory corruption issue that due to current struct layout might not be manifesting as a crash but could lead to unpredictable behavior when the layout changes.

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-787 - Out-of-bounds Write

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/5cb300dcdd27e6a35…
	https://git.kernel.org/stable/c/000c9ee43928f2ce6…
	https://git.kernel.org/stable/c/9cc7f0018609f75a3…
	https://git.kernel.org/stable/c/b5741e4b9ef356761…
	https://git.kernel.org/stable/c/e1dd09df30ba86716…
	https://git.kernel.org/stable/c/3b4035ddbfc8e4521…

Impacted products

Vendor

Product

Version

Linux

Affected: fdaba61ef8a268d4136d0a113d153f7a89eb9984 , < 5cb300dcdd27e6a351ac02541e0231261c775852 (git)
Affected: fdaba61ef8a268d4136d0a113d153f7a89eb9984 , < 000c9ee43928f2ce68a156dd40bab7616256f4dd (git)
Affected: fdaba61ef8a268d4136d0a113d153f7a89eb9984 , < 9cc7f0018609f75a349e42e3aebc3b0e905ba775 (git)
Affected: fdaba61ef8a268d4136d0a113d153f7a89eb9984 , < b5741e4b9ef3567613b2351384f91d3f16e59986 (git)
Affected: fdaba61ef8a268d4136d0a113d153f7a89eb9984 , < e1dd09df30ba86716cb2ffab97dc35195c01eb8f (git)
Affected: fdaba61ef8a268d4136d0a113d153f7a89eb9984 , < 3b4035ddbfc8e4521f85569998a7569668cccf51 (git)

Linux

Affected: 5.13
Unaffected: 0 , < 5.13 (semver)
Unaffected: 5.15.179 , ≤ 5.15.* (semver)
Unaffected: 6.1.131 , ≤ 6.1.* (semver)
Unaffected: 6.6.83 , ≤ 6.6.* (semver)
Unaffected: 6.12.19 , ≤ 6.12.* (semver)
Unaffected: 6.13.7 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21919",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:23:59.713530Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-787",
                "description": "CWE-787 Out-of-bounds Write",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T19:26:33.844Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:39:11.086Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/sched/fair.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5cb300dcdd27e6a351ac02541e0231261c775852",
              "status": "affected",
              "version": "fdaba61ef8a268d4136d0a113d153f7a89eb9984",
              "versionType": "git"
            },
            {
              "lessThan": "000c9ee43928f2ce68a156dd40bab7616256f4dd",
              "status": "affected",
              "version": "fdaba61ef8a268d4136d0a113d153f7a89eb9984",
              "versionType": "git"
            },
            {
              "lessThan": "9cc7f0018609f75a349e42e3aebc3b0e905ba775",
              "status": "affected",
              "version": "fdaba61ef8a268d4136d0a113d153f7a89eb9984",
              "versionType": "git"
            },
            {
              "lessThan": "b5741e4b9ef3567613b2351384f91d3f16e59986",
              "status": "affected",
              "version": "fdaba61ef8a268d4136d0a113d153f7a89eb9984",
              "versionType": "git"
            },
            {
              "lessThan": "e1dd09df30ba86716cb2ffab97dc35195c01eb8f",
              "status": "affected",
              "version": "fdaba61ef8a268d4136d0a113d153f7a89eb9984",
              "versionType": "git"
            },
            {
              "lessThan": "3b4035ddbfc8e4521f85569998a7569668cccf51",
              "status": "affected",
              "version": "fdaba61ef8a268d4136d0a113d153f7a89eb9984",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/sched/fair.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.13"
            },
            {
              "lessThan": "5.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.131",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.83",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.19",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.131",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.83",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.19",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.7",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/fair: Fix potential memory corruption in child_cfs_rq_on_list\n\nchild_cfs_rq_on_list attempts to convert a \u0027prev\u0027 pointer to a cfs_rq.\nThis \u0027prev\u0027 pointer can originate from struct rq\u0027s leaf_cfs_rq_list,\nmaking the conversion invalid and potentially leading to memory\ncorruption. Depending on the relative positions of leaf_cfs_rq_list and\nthe task group (tg) pointer within the struct, this can cause a memory\nfault or access garbage data.\n\nThe issue arises in list_add_leaf_cfs_rq, where both\ncfs_rq-\u003eleaf_cfs_rq_list and rq-\u003eleaf_cfs_rq_list are added to the same\nleaf list. Also, rq-\u003etmp_alone_branch can be set to rq-\u003eleaf_cfs_rq_list.\n\nThis adds a check `if (prev == \u0026rq-\u003eleaf_cfs_rq_list)` after the main\nconditional in child_cfs_rq_on_list. This ensures that the container_of\noperation will convert a correct cfs_rq struct.\n\nThis check is sufficient because only cfs_rqs on the same CPU are added\nto the list, so verifying the \u0027prev\u0027 pointer against the current rq\u0027s list\nhead is enough.\n\nFixes a potential memory corruption issue that due to current struct\nlayout might not be manifesting as a crash but could lead to unpredictable\nbehavior when the layout changes."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:24:33.615Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/5cb300dcdd27e6a351ac02541e0231261c775852"
        },
        {
          "url": "https://git.kernel.org/stable/c/000c9ee43928f2ce68a156dd40bab7616256f4dd"
        },
        {
          "url": "https://git.kernel.org/stable/c/9cc7f0018609f75a349e42e3aebc3b0e905ba775"
        },
        {
          "url": "https://git.kernel.org/stable/c/b5741e4b9ef3567613b2351384f91d3f16e59986"
        },
        {
          "url": "https://git.kernel.org/stable/c/e1dd09df30ba86716cb2ffab97dc35195c01eb8f"
        },
        {
          "url": "https://git.kernel.org/stable/c/3b4035ddbfc8e4521f85569998a7569668cccf51"
        }
      ],
      "title": "sched/fair: Fix potential memory corruption in child_cfs_rq_on_list",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21919",
    "datePublished": "2025-04-01T15:40:54.075Z",
    "dateReserved": "2024-12-29T08:45:45.787Z",
    "dateUpdated": "2025-11-03T19:39:11.086Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21926 (GCVE-0-2025-21926)

Vulnerability from cvelistv5 – Published: 2025-04-01 15:40 – Updated: 2025-11-03 19:39

Title

net: gso: fix ownership in __udp_gso_segment

Summary

In the Linux kernel, the following vulnerability has been resolved: net: gso: fix ownership in __udp_gso_segment In __udp_gso_segment the skb destructor is removed before segmenting the skb but the socket reference is kept as-is. This is an issue if the original skb is later orphaned as we can hit the following bug: kernel BUG at ./include/linux/skbuff.h:3312! (skb_orphan) RIP: 0010:ip_rcv_core+0x8b2/0xca0 Call Trace: ip_rcv+0xab/0x6e0 __netif_receive_skb_one_core+0x168/0x1b0 process_backlog+0x384/0x1100 __napi_poll.constprop.0+0xa1/0x370 net_rx_action+0x925/0xe50 The above can happen following a sequence of events when using OpenVSwitch, when an OVS_ACTION_ATTR_USERSPACE action precedes an OVS_ACTION_ATTR_OUTPUT action: 1. OVS_ACTION_ATTR_USERSPACE is handled (in do_execute_actions): the skb goes through queue_gso_packets and then __udp_gso_segment, where its destructor is removed. 2. The segments' data are copied and sent to userspace. 3. OVS_ACTION_ATTR_OUTPUT is handled (in do_execute_actions) and the same original skb is sent to its path. 4. If it later hits skb_orphan, we hit the bug. Fix this by also removing the reference to the socket in __udp_gso_segment.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/9f28205ddb76e86ca…
	https://git.kernel.org/stable/c/a2d1cca955ed34873…
	https://git.kernel.org/stable/c/455217ac9db0cf934…
	https://git.kernel.org/stable/c/e8db70537878e1bb3…
	https://git.kernel.org/stable/c/01a83237644d6822b…
	https://git.kernel.org/stable/c/084819b0d8b1bd433…
	https://git.kernel.org/stable/c/c32da44cc9298eaa6…
	https://git.kernel.org/stable/c/ee01b2f2d7d001078…

Impacted products

Vendor

Product

Version

Linux

Affected: ad405857b174ed31a97982bb129c320d03321cf5 , < 9f28205ddb76e86cac418332e952241d85fed0dc (git)
Affected: ad405857b174ed31a97982bb129c320d03321cf5 , < a2d1cca955ed34873e524cc2e6e885450d262f05 (git)
Affected: ad405857b174ed31a97982bb129c320d03321cf5 , < 455217ac9db0cf9349b3933664355e907bb1a569 (git)
Affected: ad405857b174ed31a97982bb129c320d03321cf5 , < e8db70537878e1bb3fd83e5abcc6feefc0587828 (git)
Affected: ad405857b174ed31a97982bb129c320d03321cf5 , < 01a83237644d6822bc7df2c5564fc81b0df84358 (git)
Affected: ad405857b174ed31a97982bb129c320d03321cf5 , < 084819b0d8b1bd433b90142371eb9450d657f8ca (git)
Affected: ad405857b174ed31a97982bb129c320d03321cf5 , < c32da44cc9298eaa6109e3fc2c2b4e07cc4bf11b (git)
Affected: ad405857b174ed31a97982bb129c320d03321cf5 , < ee01b2f2d7d0010787c2343463965bbc283a497f (git)

Linux

Affected: 4.18
Unaffected: 0 , < 4.18 (semver)
Unaffected: 5.4.291 , ≤ 5.4.* (semver)
Unaffected: 5.10.235 , ≤ 5.10.* (semver)
Unaffected: 5.15.179 , ≤ 5.15.* (semver)
Unaffected: 6.1.131 , ≤ 6.1.* (semver)
Unaffected: 6.6.83 , ≤ 6.6.* (semver)
Unaffected: 6.12.19 , ≤ 6.12.* (semver)
Unaffected: 6.13.7 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:39:23.706Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/ipv4/udp_offload.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "9f28205ddb76e86cac418332e952241d85fed0dc",
              "status": "affected",
              "version": "ad405857b174ed31a97982bb129c320d03321cf5",
              "versionType": "git"
            },
            {
              "lessThan": "a2d1cca955ed34873e524cc2e6e885450d262f05",
              "status": "affected",
              "version": "ad405857b174ed31a97982bb129c320d03321cf5",
              "versionType": "git"
            },
            {
              "lessThan": "455217ac9db0cf9349b3933664355e907bb1a569",
              "status": "affected",
              "version": "ad405857b174ed31a97982bb129c320d03321cf5",
              "versionType": "git"
            },
            {
              "lessThan": "e8db70537878e1bb3fd83e5abcc6feefc0587828",
              "status": "affected",
              "version": "ad405857b174ed31a97982bb129c320d03321cf5",
              "versionType": "git"
            },
            {
              "lessThan": "01a83237644d6822bc7df2c5564fc81b0df84358",
              "status": "affected",
              "version": "ad405857b174ed31a97982bb129c320d03321cf5",
              "versionType": "git"
            },
            {
              "lessThan": "084819b0d8b1bd433b90142371eb9450d657f8ca",
              "status": "affected",
              "version": "ad405857b174ed31a97982bb129c320d03321cf5",
              "versionType": "git"
            },
            {
              "lessThan": "c32da44cc9298eaa6109e3fc2c2b4e07cc4bf11b",
              "status": "affected",
              "version": "ad405857b174ed31a97982bb129c320d03321cf5",
              "versionType": "git"
            },
            {
              "lessThan": "ee01b2f2d7d0010787c2343463965bbc283a497f",
              "status": "affected",
              "version": "ad405857b174ed31a97982bb129c320d03321cf5",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/ipv4/udp_offload.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.18"
            },
            {
              "lessThan": "4.18",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.131",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.83",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.19",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.131",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.83",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.19",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.7",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: gso: fix ownership in __udp_gso_segment\n\nIn __udp_gso_segment the skb destructor is removed before segmenting the\nskb but the socket reference is kept as-is. This is an issue if the\noriginal skb is later orphaned as we can hit the following bug:\n\n  kernel BUG at ./include/linux/skbuff.h:3312!  (skb_orphan)\n  RIP: 0010:ip_rcv_core+0x8b2/0xca0\n  Call Trace:\n   ip_rcv+0xab/0x6e0\n   __netif_receive_skb_one_core+0x168/0x1b0\n   process_backlog+0x384/0x1100\n   __napi_poll.constprop.0+0xa1/0x370\n   net_rx_action+0x925/0xe50\n\nThe above can happen following a sequence of events when using\nOpenVSwitch, when an OVS_ACTION_ATTR_USERSPACE action precedes an\nOVS_ACTION_ATTR_OUTPUT action:\n\n1. OVS_ACTION_ATTR_USERSPACE is handled (in do_execute_actions): the skb\n   goes through queue_gso_packets and then __udp_gso_segment, where its\n   destructor is removed.\n2. The segments\u0027 data are copied and sent to userspace.\n3. OVS_ACTION_ATTR_OUTPUT is handled (in do_execute_actions) and the\n   same original skb is sent to its path.\n4. If it later hits skb_orphan, we hit the bug.\n\nFix this by also removing the reference to the socket in\n__udp_gso_segment."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:24:43.335Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/9f28205ddb76e86cac418332e952241d85fed0dc"
        },
        {
          "url": "https://git.kernel.org/stable/c/a2d1cca955ed34873e524cc2e6e885450d262f05"
        },
        {
          "url": "https://git.kernel.org/stable/c/455217ac9db0cf9349b3933664355e907bb1a569"
        },
        {
          "url": "https://git.kernel.org/stable/c/e8db70537878e1bb3fd83e5abcc6feefc0587828"
        },
        {
          "url": "https://git.kernel.org/stable/c/01a83237644d6822bc7df2c5564fc81b0df84358"
        },
        {
          "url": "https://git.kernel.org/stable/c/084819b0d8b1bd433b90142371eb9450d657f8ca"
        },
        {
          "url": "https://git.kernel.org/stable/c/c32da44cc9298eaa6109e3fc2c2b4e07cc4bf11b"
        },
        {
          "url": "https://git.kernel.org/stable/c/ee01b2f2d7d0010787c2343463965bbc283a497f"
        }
      ],
      "title": "net: gso: fix ownership in __udp_gso_segment",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21926",
    "datePublished": "2025-04-01T15:40:57.882Z",
    "dateReserved": "2024-12-29T08:45:45.788Z",
    "dateUpdated": "2025-11-03T19:39:23.706Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21887 (GCVE-0-2025-21887)

Vulnerability from cvelistv5 – Published: 2025-03-27 14:57 – Updated: 2025-12-06 21:38

Title

ovl: fix UAF in ovl_dentry_update_reval by moving dput() in ovl_link_up

Summary

In the Linux kernel, the following vulnerability has been resolved: ovl: fix UAF in ovl_dentry_update_reval by moving dput() in ovl_link_up The issue was caused by dput(upper) being called before ovl_dentry_update_reval(), while upper->d_flags was still accessed in ovl_dentry_remote(). Move dput(upper) after its last use to prevent use-after-free. BUG: KASAN: slab-use-after-free in ovl_dentry_remote fs/overlayfs/util.c:162 [inline] BUG: KASAN: slab-use-after-free in ovl_dentry_update_reval+0xd2/0xf0 fs/overlayfs/util.c:167 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114 print_address_description mm/kasan/report.c:377 [inline] print_report+0xc3/0x620 mm/kasan/report.c:488 kasan_report+0xd9/0x110 mm/kasan/report.c:601 ovl_dentry_remote fs/overlayfs/util.c:162 [inline] ovl_dentry_update_reval+0xd2/0xf0 fs/overlayfs/util.c:167 ovl_link_up fs/overlayfs/copy_up.c:610 [inline] ovl_copy_up_one+0x2105/0x3490 fs/overlayfs/copy_up.c:1170 ovl_copy_up_flags+0x18d/0x200 fs/overlayfs/copy_up.c:1223 ovl_rename+0x39e/0x18c0 fs/overlayfs/dir.c:1136 vfs_rename+0xf84/0x20a0 fs/namei.c:4893 ... </TASK>

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/f77618291836168ec…
	https://git.kernel.org/stable/c/4b49d939b5a79117f…
	https://git.kernel.org/stable/c/a7c41830ffcd17b21…
	https://git.kernel.org/stable/c/64455c8051c3aedc7…
	https://git.kernel.org/stable/c/3594aad97e7be2557…
	https://git.kernel.org/stable/c/60b4b5c1277fc491d…
	https://git.kernel.org/stable/c/c84e125fff2615b4d…

Impacted products

Vendor

Product

Version

Linux

Affected: 714ba10a6dd19752a349e59aa875f3288ccb59b9 , < f77618291836168eca99e89cd175256f928f5e64 (git)
Affected: 62f29ca45f832e281fc14966ac25f6ff3bd121ca , < 4b49d939b5a79117f939b77cc67efae2694d9799 (git)
Affected: e4f2a1feebb3f209a0fca82aa53507a5b8be4d53 , < a7c41830ffcd17b2177a95a9b99b270302090c35 (git)
Affected: b07d5cc93e1b28df47a72c519d09d0a836043613 , < 64455c8051c3aedc71abb7ec8d47c80301f99f00 (git)
Affected: b07d5cc93e1b28df47a72c519d09d0a836043613 , < 3594aad97e7be2557ca9fa9c931b206b604028c8 (git)
Affected: b07d5cc93e1b28df47a72c519d09d0a836043613 , < 60b4b5c1277fc491da9e1e7abab307bfa39c2db7 (git)
Affected: b07d5cc93e1b28df47a72c519d09d0a836043613 , < c84e125fff2615b4d9c259e762596134eddd2f27 (git)
Affected: 33ab4dd6202f359558a0a2678b94d1b9994c17e5 (git)
Affected: 1ecdc55e5cd9f70f8d7513802971d4cffb9f77af (git)

Linux

Affected: 6.5
Unaffected: 0 , < 6.5 (semver)
Unaffected: 5.10.247 , ≤ 5.10.* (semver)
Unaffected: 5.15.179 , ≤ 5.15.* (semver)
Unaffected: 6.1.130 , ≤ 6.1.* (semver)
Unaffected: 6.6.81 , ≤ 6.6.* (semver)
Unaffected: 6.12.18 , ≤ 6.12.* (semver)
Unaffected: 6.13.6 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21887",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-27T16:59:58.510815Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-27T17:08:22.888Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:38:40.259Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/overlayfs/copy_up.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f77618291836168eca99e89cd175256f928f5e64",
              "status": "affected",
              "version": "714ba10a6dd19752a349e59aa875f3288ccb59b9",
              "versionType": "git"
            },
            {
              "lessThan": "4b49d939b5a79117f939b77cc67efae2694d9799",
              "status": "affected",
              "version": "62f29ca45f832e281fc14966ac25f6ff3bd121ca",
              "versionType": "git"
            },
            {
              "lessThan": "a7c41830ffcd17b2177a95a9b99b270302090c35",
              "status": "affected",
              "version": "e4f2a1feebb3f209a0fca82aa53507a5b8be4d53",
              "versionType": "git"
            },
            {
              "lessThan": "64455c8051c3aedc71abb7ec8d47c80301f99f00",
              "status": "affected",
              "version": "b07d5cc93e1b28df47a72c519d09d0a836043613",
              "versionType": "git"
            },
            {
              "lessThan": "3594aad97e7be2557ca9fa9c931b206b604028c8",
              "status": "affected",
              "version": "b07d5cc93e1b28df47a72c519d09d0a836043613",
              "versionType": "git"
            },
            {
              "lessThan": "60b4b5c1277fc491da9e1e7abab307bfa39c2db7",
              "status": "affected",
              "version": "b07d5cc93e1b28df47a72c519d09d0a836043613",
              "versionType": "git"
            },
            {
              "lessThan": "c84e125fff2615b4d9c259e762596134eddd2f27",
              "status": "affected",
              "version": "b07d5cc93e1b28df47a72c519d09d0a836043613",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "33ab4dd6202f359558a0a2678b94d1b9994c17e5",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "1ecdc55e5cd9f70f8d7513802971d4cffb9f77af",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/overlayfs/copy_up.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.5"
            },
            {
              "lessThan": "6.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.247",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.130",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.81",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.18",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.247",
                  "versionStartIncluding": "5.10.188",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "5.15.121",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.130",
                  "versionStartIncluding": "6.1.39",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.81",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.18",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.6",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.4.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\novl: fix UAF in ovl_dentry_update_reval by moving dput() in ovl_link_up\n\nThe issue was caused by dput(upper) being called before\novl_dentry_update_reval(), while upper-\u003ed_flags was still\naccessed in ovl_dentry_remote().\n\nMove dput(upper) after its last use to prevent use-after-free.\n\nBUG: KASAN: slab-use-after-free in ovl_dentry_remote fs/overlayfs/util.c:162 [inline]\nBUG: KASAN: slab-use-after-free in ovl_dentry_update_reval+0xd2/0xf0 fs/overlayfs/util.c:167\n\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0xc3/0x620 mm/kasan/report.c:488\n kasan_report+0xd9/0x110 mm/kasan/report.c:601\n ovl_dentry_remote fs/overlayfs/util.c:162 [inline]\n ovl_dentry_update_reval+0xd2/0xf0 fs/overlayfs/util.c:167\n ovl_link_up fs/overlayfs/copy_up.c:610 [inline]\n ovl_copy_up_one+0x2105/0x3490 fs/overlayfs/copy_up.c:1170\n ovl_copy_up_flags+0x18d/0x200 fs/overlayfs/copy_up.c:1223\n ovl_rename+0x39e/0x18c0 fs/overlayfs/dir.c:1136\n vfs_rename+0xf84/0x20a0 fs/namei.c:4893\n...\n \u003c/TASK\u003e"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-06T21:38:16.505Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f77618291836168eca99e89cd175256f928f5e64"
        },
        {
          "url": "https://git.kernel.org/stable/c/4b49d939b5a79117f939b77cc67efae2694d9799"
        },
        {
          "url": "https://git.kernel.org/stable/c/a7c41830ffcd17b2177a95a9b99b270302090c35"
        },
        {
          "url": "https://git.kernel.org/stable/c/64455c8051c3aedc71abb7ec8d47c80301f99f00"
        },
        {
          "url": "https://git.kernel.org/stable/c/3594aad97e7be2557ca9fa9c931b206b604028c8"
        },
        {
          "url": "https://git.kernel.org/stable/c/60b4b5c1277fc491da9e1e7abab307bfa39c2db7"
        },
        {
          "url": "https://git.kernel.org/stable/c/c84e125fff2615b4d9c259e762596134eddd2f27"
        }
      ],
      "title": "ovl: fix UAF in ovl_dentry_update_reval by moving dput() in ovl_link_up",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21887",
    "datePublished": "2025-03-27T14:57:14.524Z",
    "dateReserved": "2024-12-29T08:45:45.782Z",
    "dateUpdated": "2025-12-06T21:38:16.505Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38393 (GCVE-0-2025-38393)

Vulnerability from cvelistv5 – Published: 2025-07-25 12:53 – Updated: 2025-11-03 17:37

Title

NFSv4/pNFS: Fix a race to wake on NFS_LAYOUT_DRAIN

Summary

In the Linux kernel, the following vulnerability has been resolved: NFSv4/pNFS: Fix a race to wake on NFS_LAYOUT_DRAIN We found a few different systems hung up in writeback waiting on the same page lock, and one task waiting on the NFS_LAYOUT_DRAIN bit in pnfs_update_layout(), however the pnfs_layout_hdr's plh_outstanding count was zero. It seems most likely that this is another race between the waiter and waker similar to commit ed0172af5d6f ("SUNRPC: Fix a race to wake a sync task"). Fix it up by applying the advised barrier.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/08287df60bac5b008…
	https://git.kernel.org/stable/c/8846fd02c98da8b79…
	https://git.kernel.org/stable/c/e4b13885e7ef1e64e…
	https://git.kernel.org/stable/c/8ca65fa71024a1767…
	https://git.kernel.org/stable/c/864a54c1243ed3ca6…
	https://git.kernel.org/stable/c/1f4da20080718f258…
	https://git.kernel.org/stable/c/c01776287414ca434…

Impacted products

Vendor

Product

Version

Linux

Affected: 8acc3e228e1c90bd410f73597a4549e0409f22d6 , < 08287df60bac5b008b6bcdb03053988335d3d282 (git)
Affected: ec23a86e060cbe30b62eb2955adc97c92d80cc4c , < 8846fd02c98da8b79e6343a20e6071be6f372180 (git)
Affected: 880265c77ac415090090d1fe72a188fee71cb458 , < e4b13885e7ef1e64e45268feef1e5f0707c47e72 (git)
Affected: 880265c77ac415090090d1fe72a188fee71cb458 , < 8ca65fa71024a1767a59ffbc6a6e2278af84735e (git)
Affected: 880265c77ac415090090d1fe72a188fee71cb458 , < 864a54c1243ed3ca60baa4bc492dede1361f4c83 (git)
Affected: 880265c77ac415090090d1fe72a188fee71cb458 , < 1f4da20080718f258e189a2c5f515385fa393da6 (git)
Affected: 880265c77ac415090090d1fe72a188fee71cb458 , < c01776287414ca43412d1319d2877cbad65444ac (git)
Affected: f133819e24e78f3aaaa00e9fa2b816d5f73fd172 (git)

Linux

Affected: 5.19
Unaffected: 0 , < 5.19 (semver)
Unaffected: 5.10.240 , ≤ 5.10.* (semver)
Unaffected: 5.15.187 , ≤ 5.15.* (semver)
Unaffected: 6.1.144 , ≤ 6.1.* (semver)
Unaffected: 6.6.97 , ≤ 6.6.* (semver)
Unaffected: 6.12.37 , ≤ 6.12.* (semver)
Unaffected: 6.15.6 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:37:26.857Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/nfs/pnfs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "08287df60bac5b008b6bcdb03053988335d3d282",
              "status": "affected",
              "version": "8acc3e228e1c90bd410f73597a4549e0409f22d6",
              "versionType": "git"
            },
            {
              "lessThan": "8846fd02c98da8b79e6343a20e6071be6f372180",
              "status": "affected",
              "version": "ec23a86e060cbe30b62eb2955adc97c92d80cc4c",
              "versionType": "git"
            },
            {
              "lessThan": "e4b13885e7ef1e64e45268feef1e5f0707c47e72",
              "status": "affected",
              "version": "880265c77ac415090090d1fe72a188fee71cb458",
              "versionType": "git"
            },
            {
              "lessThan": "8ca65fa71024a1767a59ffbc6a6e2278af84735e",
              "status": "affected",
              "version": "880265c77ac415090090d1fe72a188fee71cb458",
              "versionType": "git"
            },
            {
              "lessThan": "864a54c1243ed3ca60baa4bc492dede1361f4c83",
              "status": "affected",
              "version": "880265c77ac415090090d1fe72a188fee71cb458",
              "versionType": "git"
            },
            {
              "lessThan": "1f4da20080718f258e189a2c5f515385fa393da6",
              "status": "affected",
              "version": "880265c77ac415090090d1fe72a188fee71cb458",
              "versionType": "git"
            },
            {
              "lessThan": "c01776287414ca43412d1319d2877cbad65444ac",
              "status": "affected",
              "version": "880265c77ac415090090d1fe72a188fee71cb458",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "f133819e24e78f3aaaa00e9fa2b816d5f73fd172",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/nfs/pnfs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.19"
            },
            {
              "lessThan": "5.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.240",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.187",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.144",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.97",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.37",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.240",
                  "versionStartIncluding": "5.10.124",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.187",
                  "versionStartIncluding": "5.15.49",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.144",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.97",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.37",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.6",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.18.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSv4/pNFS: Fix a race to wake on NFS_LAYOUT_DRAIN\n\nWe found a few different systems hung up in writeback waiting on the same\npage lock, and one task waiting on the NFS_LAYOUT_DRAIN bit in\npnfs_update_layout(), however the pnfs_layout_hdr\u0027s plh_outstanding count\nwas zero.\n\nIt seems most likely that this is another race between the waiter and waker\nsimilar to commit ed0172af5d6f (\"SUNRPC: Fix a race to wake a sync task\").\nFix it up by applying the advised barrier."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:20:57.805Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/08287df60bac5b008b6bcdb03053988335d3d282"
        },
        {
          "url": "https://git.kernel.org/stable/c/8846fd02c98da8b79e6343a20e6071be6f372180"
        },
        {
          "url": "https://git.kernel.org/stable/c/e4b13885e7ef1e64e45268feef1e5f0707c47e72"
        },
        {
          "url": "https://git.kernel.org/stable/c/8ca65fa71024a1767a59ffbc6a6e2278af84735e"
        },
        {
          "url": "https://git.kernel.org/stable/c/864a54c1243ed3ca60baa4bc492dede1361f4c83"
        },
        {
          "url": "https://git.kernel.org/stable/c/1f4da20080718f258e189a2c5f515385fa393da6"
        },
        {
          "url": "https://git.kernel.org/stable/c/c01776287414ca43412d1319d2877cbad65444ac"
        }
      ],
      "title": "NFSv4/pNFS: Fix a race to wake on NFS_LAYOUT_DRAIN",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38393",
    "datePublished": "2025-07-25T12:53:38.104Z",
    "dateReserved": "2025-04-16T04:51:24.011Z",
    "dateUpdated": "2025-11-03T17:37:26.857Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38155 (GCVE-0-2025-38155)

Vulnerability from cvelistv5 – Published: 2025-07-03 08:35 – Updated: 2025-07-28 04:13

Title

wifi: mt76: mt7915: Fix null-ptr-deref in mt7915_mmio_wed_init()

Summary

In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7915: Fix null-ptr-deref in mt7915_mmio_wed_init() devm_ioremap() returns NULL on error. Currently, mt7915_mmio_wed_init() does not check for this case, which results in a NULL pointer dereference. Prevent null pointer dereference in mt7915_mmio_wed_init().

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/e9f9cef1877ac3228…
	https://git.kernel.org/stable/c/790d05cde359356fe…
	https://git.kernel.org/stable/c/d825ed9fd768be10d…
	https://git.kernel.org/stable/c/efb95439c1477bbc9…

Impacted products

Vendor

Product

Version

Linux

Affected: 4f831d18d12da80cec0bebe5b8ca8702a528195a , < e9f9cef1877ac32285dbc1f31b86c8955b712fc2 (git)
Affected: 4f831d18d12da80cec0bebe5b8ca8702a528195a , < 790d05cde359356feea8915094a51166af1629f5 (git)
Affected: 4f831d18d12da80cec0bebe5b8ca8702a528195a , < d825ed9fd768be10d52beba6f57a4b50c0c154aa (git)
Affected: 4f831d18d12da80cec0bebe5b8ca8702a528195a , < efb95439c1477bbc955cacd0179c35e7861b437c (git)

Linux

Affected: 6.2
Unaffected: 0 , < 6.2 (semver)
Unaffected: 6.6.94 , ≤ 6.6.* (semver)
Unaffected: 6.12.34 , ≤ 6.12.* (semver)
Unaffected: 6.15.3 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/mediatek/mt76/mt7915/mmio.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e9f9cef1877ac32285dbc1f31b86c8955b712fc2",
              "status": "affected",
              "version": "4f831d18d12da80cec0bebe5b8ca8702a528195a",
              "versionType": "git"
            },
            {
              "lessThan": "790d05cde359356feea8915094a51166af1629f5",
              "status": "affected",
              "version": "4f831d18d12da80cec0bebe5b8ca8702a528195a",
              "versionType": "git"
            },
            {
              "lessThan": "d825ed9fd768be10d52beba6f57a4b50c0c154aa",
              "status": "affected",
              "version": "4f831d18d12da80cec0bebe5b8ca8702a528195a",
              "versionType": "git"
            },
            {
              "lessThan": "efb95439c1477bbc955cacd0179c35e7861b437c",
              "status": "affected",
              "version": "4f831d18d12da80cec0bebe5b8ca8702a528195a",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/mediatek/mt76/mt7915/mmio.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.2"
            },
            {
              "lessThan": "6.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.94",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7915: Fix null-ptr-deref in mt7915_mmio_wed_init()\n\ndevm_ioremap() returns NULL on error. Currently, mt7915_mmio_wed_init()\ndoes not check for this case, which results in a NULL pointer\ndereference.\n\nPrevent null pointer dereference in mt7915_mmio_wed_init()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:13:45.339Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e9f9cef1877ac32285dbc1f31b86c8955b712fc2"
        },
        {
          "url": "https://git.kernel.org/stable/c/790d05cde359356feea8915094a51166af1629f5"
        },
        {
          "url": "https://git.kernel.org/stable/c/d825ed9fd768be10d52beba6f57a4b50c0c154aa"
        },
        {
          "url": "https://git.kernel.org/stable/c/efb95439c1477bbc955cacd0179c35e7861b437c"
        }
      ],
      "title": "wifi: mt76: mt7915: Fix null-ptr-deref in mt7915_mmio_wed_init()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38155",
    "datePublished": "2025-07-03T08:35:58.185Z",
    "dateReserved": "2025-04-16T04:51:23.990Z",
    "dateUpdated": "2025-07-28T04:13:45.339Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38416 (GCVE-0-2025-38416)

Vulnerability from cvelistv5 – Published: 2025-07-25 14:00 – Updated: 2025-11-03 17:37

Title

NFC: nci: uart: Set tty->disc_data only in success path

Summary

In the Linux kernel, the following vulnerability has been resolved: NFC: nci: uart: Set tty->disc_data only in success path Setting tty->disc_data before opening the NCI device means we need to clean it up on error paths. This also opens some short window if device starts sending data, even before NCIUARTSETDRIVER IOCTL succeeded (broken hardware?). Close the window by exposing tty->disc_data only on the success path, when opening of the NCI device and try_module_get() succeeds. The code differs in error path in one aspect: tty->disc_data won't be ever assigned thus NULL-ified. This however should not be relevant difference, because of "tty->disc_data=NULL" in nci_uart_tty_open().

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/a514fca2b8e95838a…
	https://git.kernel.org/stable/c/000bfbc6bc334a93f…
	https://git.kernel.org/stable/c/ac6992f72bd8e2267…
	https://git.kernel.org/stable/c/dc7722619a9c307e9…
	https://git.kernel.org/stable/c/a8acc7080ad55c540…
	https://git.kernel.org/stable/c/55c3dbd8389636161…
	https://git.kernel.org/stable/c/e9799db771b2d574d…
	https://git.kernel.org/stable/c/fc27ab48904ceb7e4…

Impacted products

Vendor

Product

Version

Linux

Affected: 9961127d4bce6325e9a0b0fb105e0c85a6c62cb7 , < a514fca2b8e95838a3ba600f31a18fa60b76d893 (git)
Affected: 9961127d4bce6325e9a0b0fb105e0c85a6c62cb7 , < 000bfbc6bc334a93fffca8f5aa9583e7b6356cb5 (git)
Affected: 9961127d4bce6325e9a0b0fb105e0c85a6c62cb7 , < ac6992f72bd8e22679c1e147ac214de6a7093c23 (git)
Affected: 9961127d4bce6325e9a0b0fb105e0c85a6c62cb7 , < dc7722619a9c307e9938d735cf4a2210d3d48dcb (git)
Affected: 9961127d4bce6325e9a0b0fb105e0c85a6c62cb7 , < a8acc7080ad55c5402a1b818b3008998247dda87 (git)
Affected: 9961127d4bce6325e9a0b0fb105e0c85a6c62cb7 , < 55c3dbd8389636161090a2b2b6d2d709b9602e9c (git)
Affected: 9961127d4bce6325e9a0b0fb105e0c85a6c62cb7 , < e9799db771b2d574d5bf0dfb3177485e5f40d4d6 (git)
Affected: 9961127d4bce6325e9a0b0fb105e0c85a6c62cb7 , < fc27ab48904ceb7e4792f0c400f1ef175edf16fe (git)

Linux

Affected: 4.2
Unaffected: 0 , < 4.2 (semver)
Unaffected: 5.4.295 , ≤ 5.4.* (semver)
Unaffected: 5.10.239 , ≤ 5.10.* (semver)
Unaffected: 5.15.186 , ≤ 5.15.* (semver)
Unaffected: 6.1.142 , ≤ 6.1.* (semver)
Unaffected: 6.6.95 , ≤ 6.6.* (semver)
Unaffected: 6.12.35 , ≤ 6.12.* (semver)
Unaffected: 6.15.4 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:37:47.815Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/nfc/nci/uart.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a514fca2b8e95838a3ba600f31a18fa60b76d893",
              "status": "affected",
              "version": "9961127d4bce6325e9a0b0fb105e0c85a6c62cb7",
              "versionType": "git"
            },
            {
              "lessThan": "000bfbc6bc334a93fffca8f5aa9583e7b6356cb5",
              "status": "affected",
              "version": "9961127d4bce6325e9a0b0fb105e0c85a6c62cb7",
              "versionType": "git"
            },
            {
              "lessThan": "ac6992f72bd8e22679c1e147ac214de6a7093c23",
              "status": "affected",
              "version": "9961127d4bce6325e9a0b0fb105e0c85a6c62cb7",
              "versionType": "git"
            },
            {
              "lessThan": "dc7722619a9c307e9938d735cf4a2210d3d48dcb",
              "status": "affected",
              "version": "9961127d4bce6325e9a0b0fb105e0c85a6c62cb7",
              "versionType": "git"
            },
            {
              "lessThan": "a8acc7080ad55c5402a1b818b3008998247dda87",
              "status": "affected",
              "version": "9961127d4bce6325e9a0b0fb105e0c85a6c62cb7",
              "versionType": "git"
            },
            {
              "lessThan": "55c3dbd8389636161090a2b2b6d2d709b9602e9c",
              "status": "affected",
              "version": "9961127d4bce6325e9a0b0fb105e0c85a6c62cb7",
              "versionType": "git"
            },
            {
              "lessThan": "e9799db771b2d574d5bf0dfb3177485e5f40d4d6",
              "status": "affected",
              "version": "9961127d4bce6325e9a0b0fb105e0c85a6c62cb7",
              "versionType": "git"
            },
            {
              "lessThan": "fc27ab48904ceb7e4792f0c400f1ef175edf16fe",
              "status": "affected",
              "version": "9961127d4bce6325e9a0b0fb105e0c85a6c62cb7",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/nfc/nci/uart.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.2"
            },
            {
              "lessThan": "4.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.295",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.95",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.35",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.295",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.95",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.35",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.4",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFC: nci: uart: Set tty-\u003edisc_data only in success path\n\nSetting tty-\u003edisc_data before opening the NCI device means we need to\nclean it up on error paths.  This also opens some short window if device\nstarts sending data, even before NCIUARTSETDRIVER IOCTL succeeded\n(broken hardware?).  Close the window by exposing tty-\u003edisc_data only on\nthe success path, when opening of the NCI device and try_module_get()\nsucceeds.\n\nThe code differs in error path in one aspect: tty-\u003edisc_data won\u0027t be\never assigned thus NULL-ified.  This however should not be relevant\ndifference, because of \"tty-\u003edisc_data=NULL\" in nci_uart_tty_open()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:21:30.827Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a514fca2b8e95838a3ba600f31a18fa60b76d893"
        },
        {
          "url": "https://git.kernel.org/stable/c/000bfbc6bc334a93fffca8f5aa9583e7b6356cb5"
        },
        {
          "url": "https://git.kernel.org/stable/c/ac6992f72bd8e22679c1e147ac214de6a7093c23"
        },
        {
          "url": "https://git.kernel.org/stable/c/dc7722619a9c307e9938d735cf4a2210d3d48dcb"
        },
        {
          "url": "https://git.kernel.org/stable/c/a8acc7080ad55c5402a1b818b3008998247dda87"
        },
        {
          "url": "https://git.kernel.org/stable/c/55c3dbd8389636161090a2b2b6d2d709b9602e9c"
        },
        {
          "url": "https://git.kernel.org/stable/c/e9799db771b2d574d5bf0dfb3177485e5f40d4d6"
        },
        {
          "url": "https://git.kernel.org/stable/c/fc27ab48904ceb7e4792f0c400f1ef175edf16fe"
        }
      ],
      "title": "NFC: nci: uart: Set tty-\u003edisc_data only in success path",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38416",
    "datePublished": "2025-07-25T14:00:17.849Z",
    "dateReserved": "2025-04-16T04:51:24.014Z",
    "dateUpdated": "2025-11-03T17:37:47.815Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38070 (GCVE-0-2025-38070)

Vulnerability from cvelistv5 – Published: 2025-06-18 09:33 – Updated: 2025-06-19 13:11

Title

ASoC: sma1307: Add NULL check in sma1307_setting_loaded()

Summary

In the Linux kernel, the following vulnerability has been resolved: ASoC: sma1307: Add NULL check in sma1307_setting_loaded() All varibale allocated by kzalloc and devm_kzalloc could be NULL. Multiple pointer checks and their cleanup are added. This issue is found by our static analysis tool

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/f8434b8ba437d3f6c…
	https://git.kernel.org/stable/c/0ec6bd16705fe21d6…

Impacted products

Vendor

Product

Version

Linux

Affected: 576c57e6b4c1d734bcb7cc33dde9a99a9383b520 , < f8434b8ba437d3f6cbcd9ffe8405bd16ed28fc5c (git)
Affected: 576c57e6b4c1d734bcb7cc33dde9a99a9383b520 , < 0ec6bd16705fe21d6429d6b8f7981eae2142bba8 (git)

Linux

Affected: 6.13
Unaffected: 0 , < 6.13 (semver)
Unaffected: 6.14.9 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "sound/soc/codecs/sma1307.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f8434b8ba437d3f6cbcd9ffe8405bd16ed28fc5c",
              "status": "affected",
              "version": "576c57e6b4c1d734bcb7cc33dde9a99a9383b520",
              "versionType": "git"
            },
            {
              "lessThan": "0ec6bd16705fe21d6429d6b8f7981eae2142bba8",
              "status": "affected",
              "version": "576c57e6b4c1d734bcb7cc33dde9a99a9383b520",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "sound/soc/codecs/sma1307.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.13"
            },
            {
              "lessThan": "6.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.9",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: sma1307: Add NULL check in sma1307_setting_loaded()\n\nAll varibale allocated by kzalloc and devm_kzalloc could be NULL.\nMultiple pointer checks and their cleanup are added.\n\nThis issue is found by our static analysis tool"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-19T13:11:03.569Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f8434b8ba437d3f6cbcd9ffe8405bd16ed28fc5c"
        },
        {
          "url": "https://git.kernel.org/stable/c/0ec6bd16705fe21d6429d6b8f7981eae2142bba8"
        }
      ],
      "title": "ASoC: sma1307: Add NULL check in sma1307_setting_loaded()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38070",
    "datePublished": "2025-06-18T09:33:47.351Z",
    "dateReserved": "2025-04-16T04:51:23.980Z",
    "dateUpdated": "2025-06-19T13:11:03.569Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21912 (GCVE-0-2025-21912)

Vulnerability from cvelistv5 – Published: 2025-04-01 15:40 – Updated: 2026-01-02 15:28

Title

gpio: rcar: Use raw_spinlock to protect register access

Summary

In the Linux kernel, the following vulnerability has been resolved: gpio: rcar: Use raw_spinlock to protect register access Use raw_spinlock in order to fix spurious messages about invalid context when spinlock debugging is enabled. The lock is only used to serialize register access. [ 4.239592] ============================= [ 4.239595] [ BUG: Invalid wait context ] [ 4.239599] 6.13.0-rc7-arm64-renesas-05496-gd088502a519f #35 Not tainted [ 4.239603] ----------------------------- [ 4.239606] kworker/u8:5/76 is trying to lock: [ 4.239609] ffff0000091898a0 (&p->lock){....}-{3:3}, at: gpio_rcar_config_interrupt_input_mode+0x34/0x164 [ 4.239641] other info that might help us debug this: [ 4.239643] context-{5:5} [ 4.239646] 5 locks held by kworker/u8:5/76: [ 4.239651] #0: ffff0000080fb148 ((wq_completion)async){+.+.}-{0:0}, at: process_one_work+0x190/0x62c [ 4.250180] OF: /soc/sound@ec500000/ports/port@0/endpoint: Read of boolean property 'frame-master' with a value. [ 4.254094] #1: ffff80008299bd80 ((work_completion)(&entry->work)){+.+.}-{0:0}, at: process_one_work+0x1b8/0x62c [ 4.254109] #2: ffff00000920c8f8 [ 4.258345] OF: /soc/sound@ec500000/ports/port@1/endpoint: Read of boolean property 'bitclock-master' with a value. [ 4.264803] (&dev->mutex){....}-{4:4}, at: __device_attach_async_helper+0x3c/0xdc [ 4.264820] #3: ffff00000a50ca40 (request_class#2){+.+.}-{4:4}, at: __setup_irq+0xa0/0x690 [ 4.264840] #4: [ 4.268872] OF: /soc/sound@ec500000/ports/port@1/endpoint: Read of boolean property 'frame-master' with a value. [ 4.273275] ffff00000a50c8c8 (lock_class){....}-{2:2}, at: __setup_irq+0xc4/0x690 [ 4.296130] renesas_sdhi_internal_dmac ee100000.mmc: mmc1 base at 0x00000000ee100000, max clock rate 200 MHz [ 4.304082] stack backtrace: [ 4.304086] CPU: 1 UID: 0 PID: 76 Comm: kworker/u8:5 Not tainted 6.13.0-rc7-arm64-renesas-05496-gd088502a519f #35 [ 4.304092] Hardware name: Renesas Salvator-X 2nd version board based on r8a77965 (DT) [ 4.304097] Workqueue: async async_run_entry_fn [ 4.304106] Call trace: [ 4.304110] show_stack+0x14/0x20 (C) [ 4.304122] dump_stack_lvl+0x6c/0x90 [ 4.304131] dump_stack+0x14/0x1c [ 4.304138] __lock_acquire+0xdfc/0x1584 [ 4.426274] lock_acquire+0x1c4/0x33c [ 4.429942] _raw_spin_lock_irqsave+0x5c/0x80 [ 4.434307] gpio_rcar_config_interrupt_input_mode+0x34/0x164 [ 4.440061] gpio_rcar_irq_set_type+0xd4/0xd8 [ 4.444422] __irq_set_trigger+0x5c/0x178 [ 4.448435] __setup_irq+0x2e4/0x690 [ 4.452012] request_threaded_irq+0xc4/0x190 [ 4.456285] devm_request_threaded_irq+0x7c/0xf4 [ 4.459398] ata1: link resume succeeded after 1 retries [ 4.460902] mmc_gpiod_request_cd_irq+0x68/0xe0 [ 4.470660] mmc_start_host+0x50/0xac [ 4.474327] mmc_add_host+0x80/0xe4 [ 4.477817] tmio_mmc_host_probe+0x2b0/0x440 [ 4.482094] renesas_sdhi_probe+0x488/0x6f4 [ 4.486281] renesas_sdhi_internal_dmac_probe+0x60/0x78 [ 4.491509] platform_probe+0x64/0xd8 [ 4.495178] really_probe+0xb8/0x2a8 [ 4.498756] __driver_probe_device+0x74/0x118 [ 4.503116] driver_probe_device+0x3c/0x154 [ 4.507303] __device_attach_driver+0xd4/0x160 [ 4.511750] bus_for_each_drv+0x84/0xe0 [ 4.515588] __device_attach_async_helper+0xb0/0xdc [ 4.520470] async_run_entry_fn+0x30/0xd8 [ 4.524481] process_one_work+0x210/0x62c [ 4.528494] worker_thread+0x1ac/0x340 [ 4.532245] kthread+0x10c/0x110 [ 4.535476] ret_from_fork+0x10/0x20

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/389891ac9f678baf6…
	https://git.kernel.org/stable/c/7c1f36f9c9aca507d…
	https://git.kernel.org/stable/c/3e300913c42041e81…
	https://git.kernel.org/stable/c/c10365031f16514a2…
	https://git.kernel.org/stable/c/b42c84f9e4ec5bc28…
	https://git.kernel.org/stable/c/51ef3073493e2a25d…
	https://git.kernel.org/stable/c/f02c41f87cfe61440…

Impacted products

Vendor

Product

Version

Linux

Affected: 119f5e448d32c11faf22fe81f6f2d78467a47149 , < 389891ac9f678baf68e13623ef1308493af4b074 (git)
Affected: 119f5e448d32c11faf22fe81f6f2d78467a47149 , < 7c1f36f9c9aca507d317479a3d3388150ae40a87 (git)
Affected: 119f5e448d32c11faf22fe81f6f2d78467a47149 , < 3e300913c42041e81c5b17a970c4e078086ff2d1 (git)
Affected: 119f5e448d32c11faf22fe81f6f2d78467a47149 , < c10365031f16514a29c812cd909085a6e4ea4b61 (git)
Affected: 119f5e448d32c11faf22fe81f6f2d78467a47149 , < b42c84f9e4ec5bc2885e7fd80c79ec0352f5d2af (git)
Affected: 119f5e448d32c11faf22fe81f6f2d78467a47149 , < 51ef3073493e2a25dced05fdd59dfb059e7e284d (git)
Affected: 119f5e448d32c11faf22fe81f6f2d78467a47149 , < f02c41f87cfe61440c18bf77d1ef0a884b9ee2b5 (git)

Linux

Affected: 3.10
Unaffected: 0 , < 3.10 (semver)
Unaffected: 5.10.241 , ≤ 5.10.* (semver)
Unaffected: 5.15.179 , ≤ 5.15.* (semver)
Unaffected: 6.1.131 , ≤ 6.1.* (semver)
Unaffected: 6.6.83 , ≤ 6.6.* (semver)
Unaffected: 6.12.19 , ≤ 6.12.* (semver)
Unaffected: 6.13.7 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:38:58.412Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpio/gpio-rcar.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "389891ac9f678baf68e13623ef1308493af4b074",
              "status": "affected",
              "version": "119f5e448d32c11faf22fe81f6f2d78467a47149",
              "versionType": "git"
            },
            {
              "lessThan": "7c1f36f9c9aca507d317479a3d3388150ae40a87",
              "status": "affected",
              "version": "119f5e448d32c11faf22fe81f6f2d78467a47149",
              "versionType": "git"
            },
            {
              "lessThan": "3e300913c42041e81c5b17a970c4e078086ff2d1",
              "status": "affected",
              "version": "119f5e448d32c11faf22fe81f6f2d78467a47149",
              "versionType": "git"
            },
            {
              "lessThan": "c10365031f16514a29c812cd909085a6e4ea4b61",
              "status": "affected",
              "version": "119f5e448d32c11faf22fe81f6f2d78467a47149",
              "versionType": "git"
            },
            {
              "lessThan": "b42c84f9e4ec5bc2885e7fd80c79ec0352f5d2af",
              "status": "affected",
              "version": "119f5e448d32c11faf22fe81f6f2d78467a47149",
              "versionType": "git"
            },
            {
              "lessThan": "51ef3073493e2a25dced05fdd59dfb059e7e284d",
              "status": "affected",
              "version": "119f5e448d32c11faf22fe81f6f2d78467a47149",
              "versionType": "git"
            },
            {
              "lessThan": "f02c41f87cfe61440c18bf77d1ef0a884b9ee2b5",
              "status": "affected",
              "version": "119f5e448d32c11faf22fe81f6f2d78467a47149",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpio/gpio-rcar.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.10"
            },
            {
              "lessThan": "3.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.241",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.131",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.83",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.19",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.241",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.131",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.83",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.19",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.7",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: rcar: Use raw_spinlock to protect register access\n\nUse raw_spinlock in order to fix spurious messages about invalid context\nwhen spinlock debugging is enabled. The lock is only used to serialize\nregister access.\n\n    [    4.239592] =============================\n    [    4.239595] [ BUG: Invalid wait context ]\n    [    4.239599] 6.13.0-rc7-arm64-renesas-05496-gd088502a519f #35 Not tainted\n    [    4.239603] -----------------------------\n    [    4.239606] kworker/u8:5/76 is trying to lock:\n    [    4.239609] ffff0000091898a0 (\u0026p-\u003elock){....}-{3:3}, at: gpio_rcar_config_interrupt_input_mode+0x34/0x164\n    [    4.239641] other info that might help us debug this:\n    [    4.239643] context-{5:5}\n    [    4.239646] 5 locks held by kworker/u8:5/76:\n    [    4.239651]  #0: ffff0000080fb148 ((wq_completion)async){+.+.}-{0:0}, at: process_one_work+0x190/0x62c\n    [    4.250180] OF: /soc/sound@ec500000/ports/port@0/endpoint: Read of boolean property \u0027frame-master\u0027 with a value.\n    [    4.254094]  #1: ffff80008299bd80 ((work_completion)(\u0026entry-\u003ework)){+.+.}-{0:0}, at: process_one_work+0x1b8/0x62c\n    [    4.254109]  #2: ffff00000920c8f8\n    [    4.258345] OF: /soc/sound@ec500000/ports/port@1/endpoint: Read of boolean property \u0027bitclock-master\u0027 with a value.\n    [    4.264803]  (\u0026dev-\u003emutex){....}-{4:4}, at: __device_attach_async_helper+0x3c/0xdc\n    [    4.264820]  #3: ffff00000a50ca40 (request_class#2){+.+.}-{4:4}, at: __setup_irq+0xa0/0x690\n    [    4.264840]  #4:\n    [    4.268872] OF: /soc/sound@ec500000/ports/port@1/endpoint: Read of boolean property \u0027frame-master\u0027 with a value.\n    [    4.273275] ffff00000a50c8c8 (lock_class){....}-{2:2}, at: __setup_irq+0xc4/0x690\n    [    4.296130] renesas_sdhi_internal_dmac ee100000.mmc: mmc1 base at 0x00000000ee100000, max clock rate 200 MHz\n    [    4.304082] stack backtrace:\n    [    4.304086] CPU: 1 UID: 0 PID: 76 Comm: kworker/u8:5 Not tainted 6.13.0-rc7-arm64-renesas-05496-gd088502a519f #35\n    [    4.304092] Hardware name: Renesas Salvator-X 2nd version board based on r8a77965 (DT)\n    [    4.304097] Workqueue: async async_run_entry_fn\n    [    4.304106] Call trace:\n    [    4.304110]  show_stack+0x14/0x20 (C)\n    [    4.304122]  dump_stack_lvl+0x6c/0x90\n    [    4.304131]  dump_stack+0x14/0x1c\n    [    4.304138]  __lock_acquire+0xdfc/0x1584\n    [    4.426274]  lock_acquire+0x1c4/0x33c\n    [    4.429942]  _raw_spin_lock_irqsave+0x5c/0x80\n    [    4.434307]  gpio_rcar_config_interrupt_input_mode+0x34/0x164\n    [    4.440061]  gpio_rcar_irq_set_type+0xd4/0xd8\n    [    4.444422]  __irq_set_trigger+0x5c/0x178\n    [    4.448435]  __setup_irq+0x2e4/0x690\n    [    4.452012]  request_threaded_irq+0xc4/0x190\n    [    4.456285]  devm_request_threaded_irq+0x7c/0xf4\n    [    4.459398] ata1: link resume succeeded after 1 retries\n    [    4.460902]  mmc_gpiod_request_cd_irq+0x68/0xe0\n    [    4.470660]  mmc_start_host+0x50/0xac\n    [    4.474327]  mmc_add_host+0x80/0xe4\n    [    4.477817]  tmio_mmc_host_probe+0x2b0/0x440\n    [    4.482094]  renesas_sdhi_probe+0x488/0x6f4\n    [    4.486281]  renesas_sdhi_internal_dmac_probe+0x60/0x78\n    [    4.491509]  platform_probe+0x64/0xd8\n    [    4.495178]  really_probe+0xb8/0x2a8\n    [    4.498756]  __driver_probe_device+0x74/0x118\n    [    4.503116]  driver_probe_device+0x3c/0x154\n    [    4.507303]  __device_attach_driver+0xd4/0x160\n    [    4.511750]  bus_for_each_drv+0x84/0xe0\n    [    4.515588]  __device_attach_async_helper+0xb0/0xdc\n    [    4.520470]  async_run_entry_fn+0x30/0xd8\n    [    4.524481]  process_one_work+0x210/0x62c\n    [    4.528494]  worker_thread+0x1ac/0x340\n    [    4.532245]  kthread+0x10c/0x110\n    [    4.535476]  ret_from_fork+0x10/0x20"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:28:38.362Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/389891ac9f678baf68e13623ef1308493af4b074"
        },
        {
          "url": "https://git.kernel.org/stable/c/7c1f36f9c9aca507d317479a3d3388150ae40a87"
        },
        {
          "url": "https://git.kernel.org/stable/c/3e300913c42041e81c5b17a970c4e078086ff2d1"
        },
        {
          "url": "https://git.kernel.org/stable/c/c10365031f16514a29c812cd909085a6e4ea4b61"
        },
        {
          "url": "https://git.kernel.org/stable/c/b42c84f9e4ec5bc2885e7fd80c79ec0352f5d2af"
        },
        {
          "url": "https://git.kernel.org/stable/c/51ef3073493e2a25dced05fdd59dfb059e7e284d"
        },
        {
          "url": "https://git.kernel.org/stable/c/f02c41f87cfe61440c18bf77d1ef0a884b9ee2b5"
        }
      ],
      "title": "gpio: rcar: Use raw_spinlock to protect register access",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21912",
    "datePublished": "2025-04-01T15:40:50.299Z",
    "dateReserved": "2024-12-29T08:45:45.787Z",
    "dateUpdated": "2026-01-02T15:28:38.362Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38100 (GCVE-0-2025-38100)

Vulnerability from cvelistv5 – Published: 2025-07-03 08:35 – Updated: 2025-11-03 17:34

Title

x86/iopl: Cure TIF_IO_BITMAP inconsistencies

Summary

In the Linux kernel, the following vulnerability has been resolved: x86/iopl: Cure TIF_IO_BITMAP inconsistencies io_bitmap_exit() is invoked from exit_thread() when a task exists or when a fork fails. In the latter case the exit_thread() cleans up resources which were allocated during fork(). io_bitmap_exit() invokes task_update_io_bitmap(), which in turn ends up in tss_update_io_bitmap(). tss_update_io_bitmap() operates on the current task. If current has TIF_IO_BITMAP set, but no bitmap installed, tss_update_io_bitmap() crashes with a NULL pointer dereference. There are two issues, which lead to that problem: 1) io_bitmap_exit() should not invoke task_update_io_bitmap() when the task, which is cleaned up, is not the current task. That's a clear indicator for a cleanup after a failed fork(). 2) A task should not have TIF_IO_BITMAP set and neither a bitmap installed nor IOPL emulation level 3 activated. This happens when a kernel thread is created in the context of a user space thread, which has TIF_IO_BITMAP set as the thread flags are copied and the IO bitmap pointer is cleared. Other than in the failed fork() case this has no impact because kernel threads including IO workers never return to user space and therefore never invoke tss_update_io_bitmap(). Cure this by adding the missing cleanups and checks: 1) Prevent io_bitmap_exit() to invoke task_update_io_bitmap() if the to be cleaned up task is not the current task. 2) Clear TIF_IO_BITMAP in copy_thread() unconditionally. For user space forks it is set later, when the IO bitmap is inherited in io_bitmap_share(). For paranoia sake, add a warning into tss_update_io_bitmap() to catch the case, when that code is invoked with inconsistent state.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/d64b7b05a827f98d0…
	https://git.kernel.org/stable/c/2dace5e016c991424…
	https://git.kernel.org/stable/c/aa5ce1485562f2023…
	https://git.kernel.org/stable/c/2cfcbe1554c119402…
	https://git.kernel.org/stable/c/b3b3b6366dc8eb5b2…
	https://git.kernel.org/stable/c/73cfcc8445585b8af…
	https://git.kernel.org/stable/c/8b68e978718f14fdc…

Impacted products

Vendor

Product

Version

Linux

Affected: ea5f1cd7ab494f65f50f338299eabb40ad6a1767 , < d64b7b05a827f98d068f412969eef65489b0cf03 (git)
Affected: ea5f1cd7ab494f65f50f338299eabb40ad6a1767 , < 2dace5e016c991424a3dc6e83b1ae5dca8992d08 (git)
Affected: ea5f1cd7ab494f65f50f338299eabb40ad6a1767 , < aa5ce1485562f20235b4c759eee5ab0c41d2c220 (git)
Affected: ea5f1cd7ab494f65f50f338299eabb40ad6a1767 , < 2cfcbe1554c119402e7382de974c26b0549899fe (git)
Affected: ea5f1cd7ab494f65f50f338299eabb40ad6a1767 , < b3b3b6366dc8eb5b22edba9adc4bff3cdacfd64c (git)
Affected: ea5f1cd7ab494f65f50f338299eabb40ad6a1767 , < 73cfcc8445585b8af7e18be3c9246b851fdf336c (git)
Affected: ea5f1cd7ab494f65f50f338299eabb40ad6a1767 , < 8b68e978718f14fdcb080c2a7791c52a0d09bc6d (git)

Linux

Affected: 5.5
Unaffected: 0 , < 5.5 (semver)
Unaffected: 5.10.239 , ≤ 5.10.* (semver)
Unaffected: 5.15.186 , ≤ 5.15.* (semver)
Unaffected: 6.1.142 , ≤ 6.1.* (semver)
Unaffected: 6.6.94 , ≤ 6.6.* (semver)
Unaffected: 6.12.34 , ≤ 6.12.* (semver)
Unaffected: 6.15.3 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:34:04.011Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/kernel/ioport.c",
            "arch/x86/kernel/process.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d64b7b05a827f98d068f412969eef65489b0cf03",
              "status": "affected",
              "version": "ea5f1cd7ab494f65f50f338299eabb40ad6a1767",
              "versionType": "git"
            },
            {
              "lessThan": "2dace5e016c991424a3dc6e83b1ae5dca8992d08",
              "status": "affected",
              "version": "ea5f1cd7ab494f65f50f338299eabb40ad6a1767",
              "versionType": "git"
            },
            {
              "lessThan": "aa5ce1485562f20235b4c759eee5ab0c41d2c220",
              "status": "affected",
              "version": "ea5f1cd7ab494f65f50f338299eabb40ad6a1767",
              "versionType": "git"
            },
            {
              "lessThan": "2cfcbe1554c119402e7382de974c26b0549899fe",
              "status": "affected",
              "version": "ea5f1cd7ab494f65f50f338299eabb40ad6a1767",
              "versionType": "git"
            },
            {
              "lessThan": "b3b3b6366dc8eb5b22edba9adc4bff3cdacfd64c",
              "status": "affected",
              "version": "ea5f1cd7ab494f65f50f338299eabb40ad6a1767",
              "versionType": "git"
            },
            {
              "lessThan": "73cfcc8445585b8af7e18be3c9246b851fdf336c",
              "status": "affected",
              "version": "ea5f1cd7ab494f65f50f338299eabb40ad6a1767",
              "versionType": "git"
            },
            {
              "lessThan": "8b68e978718f14fdcb080c2a7791c52a0d09bc6d",
              "status": "affected",
              "version": "ea5f1cd7ab494f65f50f338299eabb40ad6a1767",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/kernel/ioport.c",
            "arch/x86/kernel/process.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.5"
            },
            {
              "lessThan": "5.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.94",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/iopl: Cure TIF_IO_BITMAP inconsistencies\n\nio_bitmap_exit() is invoked from exit_thread() when a task exists or\nwhen a fork fails. In the latter case the exit_thread() cleans up\nresources which were allocated during fork().\n\nio_bitmap_exit() invokes task_update_io_bitmap(), which in turn ends up\nin tss_update_io_bitmap(). tss_update_io_bitmap() operates on the\ncurrent task. If current has TIF_IO_BITMAP set, but no bitmap installed,\ntss_update_io_bitmap() crashes with a NULL pointer dereference.\n\nThere are two issues, which lead to that problem:\n\n  1) io_bitmap_exit() should not invoke task_update_io_bitmap() when\n     the task, which is cleaned up, is not the current task. That\u0027s a\n     clear indicator for a cleanup after a failed fork().\n\n  2) A task should not have TIF_IO_BITMAP set and neither a bitmap\n     installed nor IOPL emulation level 3 activated.\n\n     This happens when a kernel thread is created in the context of\n     a user space thread, which has TIF_IO_BITMAP set as the thread\n     flags are copied and the IO bitmap pointer is cleared.\n\n     Other than in the failed fork() case this has no impact because\n     kernel threads including IO workers never return to user space and\n     therefore never invoke tss_update_io_bitmap().\n\nCure this by adding the missing cleanups and checks:\n\n  1) Prevent io_bitmap_exit() to invoke task_update_io_bitmap() if\n     the to be cleaned up task is not the current task.\n\n  2) Clear TIF_IO_BITMAP in copy_thread() unconditionally. For user\n     space forks it is set later, when the IO bitmap is inherited in\n     io_bitmap_share().\n\nFor paranoia sake, add a warning into tss_update_io_bitmap() to catch\nthe case, when that code is invoked with inconsistent state."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:12:08.909Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d64b7b05a827f98d068f412969eef65489b0cf03"
        },
        {
          "url": "https://git.kernel.org/stable/c/2dace5e016c991424a3dc6e83b1ae5dca8992d08"
        },
        {
          "url": "https://git.kernel.org/stable/c/aa5ce1485562f20235b4c759eee5ab0c41d2c220"
        },
        {
          "url": "https://git.kernel.org/stable/c/2cfcbe1554c119402e7382de974c26b0549899fe"
        },
        {
          "url": "https://git.kernel.org/stable/c/b3b3b6366dc8eb5b22edba9adc4bff3cdacfd64c"
        },
        {
          "url": "https://git.kernel.org/stable/c/73cfcc8445585b8af7e18be3c9246b851fdf336c"
        },
        {
          "url": "https://git.kernel.org/stable/c/8b68e978718f14fdcb080c2a7791c52a0d09bc6d"
        }
      ],
      "title": "x86/iopl: Cure TIF_IO_BITMAP inconsistencies",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38100",
    "datePublished": "2025-07-03T08:35:09.487Z",
    "dateReserved": "2025-04-16T04:51:23.985Z",
    "dateUpdated": "2025-11-03T17:34:04.011Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21945 (GCVE-0-2025-21945)

Vulnerability from cvelistv5 – Published: 2025-04-01 15:41 – Updated: 2025-11-03 19:39

Title

ksmbd: fix use-after-free in smb2_lock

Summary

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in smb2_lock If smb_lock->zero_len has value, ->llist of smb_lock is not delete and flock is old one. It will cause use-after-free on error handling routine.

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/410ce35a2ed6d0e11…
	https://git.kernel.org/stable/c/8573571060ca466cb…
	https://git.kernel.org/stable/c/a0609097fd10d618a…
	https://git.kernel.org/stable/c/636e021646cf9b52d…
	https://git.kernel.org/stable/c/84d2d1641b71dec32…

Impacted products

Vendor

Product

Version

Linux

Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 410ce35a2ed6d0e114132bba29af49b69880c8c7 (git)
Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 8573571060ca466cbef2c6f03306b2cc7b883506 (git)
Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < a0609097fd10d618aed4864038393dd75131289e (git)
Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 636e021646cf9b52ddfea7c809b018e91f2188cb (git)
Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 84d2d1641b71dec326e8736a749b7ee76a9599fc (git)

Linux

Affected: 5.15
Unaffected: 0 , < 5.15 (semver)
Unaffected: 6.1.131 , ≤ 6.1.* (semver)
Unaffected: 6.6.83 , ≤ 6.6.* (semver)
Unaffected: 6.12.19 , ≤ 6.12.* (semver)
Unaffected: 6.13.7 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21945",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-16T13:14:55.516245Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-16T13:19:52.605Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:39:45.983Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/server/smb2pdu.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "410ce35a2ed6d0e114132bba29af49b69880c8c7",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            },
            {
              "lessThan": "8573571060ca466cbef2c6f03306b2cc7b883506",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            },
            {
              "lessThan": "a0609097fd10d618aed4864038393dd75131289e",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            },
            {
              "lessThan": "636e021646cf9b52ddfea7c809b018e91f2188cb",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            },
            {
              "lessThan": "84d2d1641b71dec326e8736a749b7ee76a9599fc",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/server/smb2pdu.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.15"
            },
            {
              "lessThan": "5.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.131",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.83",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.19",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.131",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.83",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.19",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.7",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix use-after-free in smb2_lock\n\nIf smb_lock-\u003ezero_len has value, -\u003ellist of smb_lock is not delete and\nflock is old one. It will cause use-after-free on error handling\nroutine."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:25:24.187Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/410ce35a2ed6d0e114132bba29af49b69880c8c7"
        },
        {
          "url": "https://git.kernel.org/stable/c/8573571060ca466cbef2c6f03306b2cc7b883506"
        },
        {
          "url": "https://git.kernel.org/stable/c/a0609097fd10d618aed4864038393dd75131289e"
        },
        {
          "url": "https://git.kernel.org/stable/c/636e021646cf9b52ddfea7c809b018e91f2188cb"
        },
        {
          "url": "https://git.kernel.org/stable/c/84d2d1641b71dec326e8736a749b7ee76a9599fc"
        }
      ],
      "title": "ksmbd: fix use-after-free in smb2_lock",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21945",
    "datePublished": "2025-04-01T15:41:08.471Z",
    "dateReserved": "2024-12-29T08:45:45.790Z",
    "dateUpdated": "2025-11-03T19:39:45.983Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21978 (GCVE-0-2025-21978)

Vulnerability from cvelistv5 – Published: 2025-04-01 15:47 – Updated: 2025-11-03 19:40

Title

drm/hyperv: Fix address space leak when Hyper-V DRM device is removed

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/hyperv: Fix address space leak when Hyper-V DRM device is removed When a Hyper-V DRM device is probed, the driver allocates MMIO space for the vram, and maps it cacheable. If the device removed, or in the error path for device probing, the MMIO space is released but no unmap is done. Consequently the kernel address space for the mapping is leaked. Fix this by adding iounmap() calls in the device removal path, and in the error path during device probing.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/c40cd24bfb9bfbb31…
	https://git.kernel.org/stable/c/ad27b4a51495490b8…
	https://git.kernel.org/stable/c/24f1bbfb2be77dad8…
	https://git.kernel.org/stable/c/158242b56bf465a73…
	https://git.kernel.org/stable/c/aed709355fd05ef74…

Impacted products

Vendor

Product

Version

Linux

Affected: a0ab5abced550ddeefddb06055ed60779a54eb79 , < c40cd24bfb9bfbb315c118ca14ebe6cf52e2dd1e (git)
Affected: a0ab5abced550ddeefddb06055ed60779a54eb79 , < ad27b4a51495490b815580d9b935e8eee14d1a9c (git)
Affected: a0ab5abced550ddeefddb06055ed60779a54eb79 , < 24f1bbfb2be77dad82489c1468bbb14312aab129 (git)
Affected: a0ab5abced550ddeefddb06055ed60779a54eb79 , < 158242b56bf465a73e1edeac0fe828a8acad4499 (git)
Affected: a0ab5abced550ddeefddb06055ed60779a54eb79 , < aed709355fd05ef747e1af24a1d5d78cd7feb81e (git)

Linux

Affected: 6.0
Unaffected: 0 , < 6.0 (semver)
Unaffected: 6.1.132 , ≤ 6.1.* (semver)
Unaffected: 6.6.84 , ≤ 6.6.* (semver)
Unaffected: 6.12.20 , ≤ 6.12.* (semver)
Unaffected: 6.13.8 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:40:18.321Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/hyperv/hyperv_drm_drv.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c40cd24bfb9bfbb315c118ca14ebe6cf52e2dd1e",
              "status": "affected",
              "version": "a0ab5abced550ddeefddb06055ed60779a54eb79",
              "versionType": "git"
            },
            {
              "lessThan": "ad27b4a51495490b815580d9b935e8eee14d1a9c",
              "status": "affected",
              "version": "a0ab5abced550ddeefddb06055ed60779a54eb79",
              "versionType": "git"
            },
            {
              "lessThan": "24f1bbfb2be77dad82489c1468bbb14312aab129",
              "status": "affected",
              "version": "a0ab5abced550ddeefddb06055ed60779a54eb79",
              "versionType": "git"
            },
            {
              "lessThan": "158242b56bf465a73e1edeac0fe828a8acad4499",
              "status": "affected",
              "version": "a0ab5abced550ddeefddb06055ed60779a54eb79",
              "versionType": "git"
            },
            {
              "lessThan": "aed709355fd05ef747e1af24a1d5d78cd7feb81e",
              "status": "affected",
              "version": "a0ab5abced550ddeefddb06055ed60779a54eb79",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/hyperv/hyperv_drm_drv.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.0"
            },
            {
              "lessThan": "6.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.132",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.84",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.20",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.132",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.84",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.20",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.8",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/hyperv: Fix address space leak when Hyper-V DRM device is removed\n\nWhen a Hyper-V DRM device is probed, the driver allocates MMIO space for\nthe vram, and maps it cacheable. If the device removed, or in the error\npath for device probing, the MMIO space is released but no unmap is done.\nConsequently the kernel address space for the mapping is leaked.\n\nFix this by adding iounmap() calls in the device removal path, and in the\nerror path during device probing."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:26:27.998Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c40cd24bfb9bfbb315c118ca14ebe6cf52e2dd1e"
        },
        {
          "url": "https://git.kernel.org/stable/c/ad27b4a51495490b815580d9b935e8eee14d1a9c"
        },
        {
          "url": "https://git.kernel.org/stable/c/24f1bbfb2be77dad82489c1468bbb14312aab129"
        },
        {
          "url": "https://git.kernel.org/stable/c/158242b56bf465a73e1edeac0fe828a8acad4499"
        },
        {
          "url": "https://git.kernel.org/stable/c/aed709355fd05ef747e1af24a1d5d78cd7feb81e"
        }
      ],
      "title": "drm/hyperv: Fix address space leak when Hyper-V DRM device is removed",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21978",
    "datePublished": "2025-04-01T15:47:08.168Z",
    "dateReserved": "2024-12-29T08:45:45.798Z",
    "dateUpdated": "2025-11-03T19:40:18.321Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38301 (GCVE-0-2025-38301)

Vulnerability from cvelistv5 – Published: 2025-07-10 07:42 – Updated: 2025-07-28 04:18

Title

nvmem: zynqmp_nvmem: unbreak driver after cleanup

Summary

In the Linux kernel, the following vulnerability has been resolved: nvmem: zynqmp_nvmem: unbreak driver after cleanup Commit 29be47fcd6a0 ("nvmem: zynqmp_nvmem: zynqmp_nvmem_probe cleanup") changed the driver to expect the device pointer to be passed as the "context", but in nvmem the context parameter comes from nvmem_config.priv which is never set - Leading to null pointer exceptions when the device is accessed.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/c8bb1bcea877446f8…
	https://git.kernel.org/stable/c/3728101f56ef54425…
	https://git.kernel.org/stable/c/fe8abdd175d7b547a…

Impacted products

Vendor

Product

Version

Linux

Affected: 29be47fcd6a06ea2e79eeeca6e69ad1e23254a69 , < c8bb1bcea877446f86922a8fd1661b8c07d90e5c (git)
Affected: 29be47fcd6a06ea2e79eeeca6e69ad1e23254a69 , < 3728101f56ef54425a11027a3ddc2c3941d60b71 (git)
Affected: 29be47fcd6a06ea2e79eeeca6e69ad1e23254a69 , < fe8abdd175d7b547ae1a612757e7902bcd62e9cf (git)

Linux

Affected: 6.9
Unaffected: 0 , < 6.9 (semver)
Unaffected: 6.12.34 , ≤ 6.12.* (semver)
Unaffected: 6.15.3 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/nvmem/zynqmp_nvmem.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c8bb1bcea877446f86922a8fd1661b8c07d90e5c",
              "status": "affected",
              "version": "29be47fcd6a06ea2e79eeeca6e69ad1e23254a69",
              "versionType": "git"
            },
            {
              "lessThan": "3728101f56ef54425a11027a3ddc2c3941d60b71",
              "status": "affected",
              "version": "29be47fcd6a06ea2e79eeeca6e69ad1e23254a69",
              "versionType": "git"
            },
            {
              "lessThan": "fe8abdd175d7b547ae1a612757e7902bcd62e9cf",
              "status": "affected",
              "version": "29be47fcd6a06ea2e79eeeca6e69ad1e23254a69",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/nvmem/zynqmp_nvmem.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.9"
            },
            {
              "lessThan": "6.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmem: zynqmp_nvmem: unbreak driver after cleanup\n\nCommit 29be47fcd6a0 (\"nvmem: zynqmp_nvmem: zynqmp_nvmem_probe cleanup\")\nchanged the driver to expect the device pointer to be passed as the\n\"context\", but in nvmem the context parameter comes from nvmem_config.priv\nwhich is never set - Leading to null pointer exceptions when the device is\naccessed."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:18:00.922Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c8bb1bcea877446f86922a8fd1661b8c07d90e5c"
        },
        {
          "url": "https://git.kernel.org/stable/c/3728101f56ef54425a11027a3ddc2c3941d60b71"
        },
        {
          "url": "https://git.kernel.org/stable/c/fe8abdd175d7b547ae1a612757e7902bcd62e9cf"
        }
      ],
      "title": "nvmem: zynqmp_nvmem: unbreak driver after cleanup",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38301",
    "datePublished": "2025-07-10T07:42:13.455Z",
    "dateReserved": "2025-04-16T04:51:24.002Z",
    "dateUpdated": "2025-07-28T04:18:00.922Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38101 (GCVE-0-2025-38101)

Vulnerability from cvelistv5 – Published: 2025-07-03 08:35 – Updated: 2025-07-28 04:12

Title

ring-buffer: Fix buffer locking in ring_buffer_subbuf_order_set()

Summary

In the Linux kernel, the following vulnerability has been resolved: ring-buffer: Fix buffer locking in ring_buffer_subbuf_order_set() Enlarge the critical section in ring_buffer_subbuf_order_set() to ensure that error handling takes place with per-buffer mutex held, thus preventing list corruption and other concurrency-related issues.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/e09c0600beea469b3…
	https://git.kernel.org/stable/c/0fc9a295cd8e59c36…
	https://git.kernel.org/stable/c/40ee2afafc1d9fe3a…

Impacted products

Vendor

Product

Version

Linux

Affected: f9b94daa542a8d2532f0930f01cd9aec2d19621b , < e09c0600beea469b3ebf974464e526a02d59ad62 (git)
Affected: f9b94daa542a8d2532f0930f01cd9aec2d19621b , < 0fc9a295cd8e59c3636e97395e7c74a9c89fee42 (git)
Affected: f9b94daa542a8d2532f0930f01cd9aec2d19621b , < 40ee2afafc1d9fe3aa44a6fbe440d78a5c96a72e (git)

Linux

Affected: 6.8
Unaffected: 0 , < 6.8 (semver)
Unaffected: 6.12.34 , ≤ 6.12.* (semver)
Unaffected: 6.15.3 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/trace/ring_buffer.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e09c0600beea469b3ebf974464e526a02d59ad62",
              "status": "affected",
              "version": "f9b94daa542a8d2532f0930f01cd9aec2d19621b",
              "versionType": "git"
            },
            {
              "lessThan": "0fc9a295cd8e59c3636e97395e7c74a9c89fee42",
              "status": "affected",
              "version": "f9b94daa542a8d2532f0930f01cd9aec2d19621b",
              "versionType": "git"
            },
            {
              "lessThan": "40ee2afafc1d9fe3aa44a6fbe440d78a5c96a72e",
              "status": "affected",
              "version": "f9b94daa542a8d2532f0930f01cd9aec2d19621b",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/trace/ring_buffer.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.8"
            },
            {
              "lessThan": "6.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nring-buffer: Fix buffer locking in ring_buffer_subbuf_order_set()\n\nEnlarge the critical section in ring_buffer_subbuf_order_set() to\nensure that error handling takes place with per-buffer mutex held,\nthus preventing list corruption and other concurrency-related issues."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:12:15.362Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e09c0600beea469b3ebf974464e526a02d59ad62"
        },
        {
          "url": "https://git.kernel.org/stable/c/0fc9a295cd8e59c3636e97395e7c74a9c89fee42"
        },
        {
          "url": "https://git.kernel.org/stable/c/40ee2afafc1d9fe3aa44a6fbe440d78a5c96a72e"
        }
      ],
      "title": "ring-buffer: Fix buffer locking in ring_buffer_subbuf_order_set()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38101",
    "datePublished": "2025-07-03T08:35:10.844Z",
    "dateReserved": "2025-04-16T04:51:23.985Z",
    "dateUpdated": "2025-07-28T04:12:15.362Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38098 (GCVE-0-2025-38098)

Vulnerability from cvelistv5 – Published: 2025-07-03 08:13 – Updated: 2025-09-03 13:06

Title

drm/amd/display: Don't treat wb connector as physical in create_validate_stream_for_sink

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Don't treat wb connector as physical in create_validate_stream_for_sink Don't try to operate on a drm_wb_connector as an amdgpu_dm_connector. While dereferencing aconnector->base will "work" it's wrong and might lead to unknown bad things. Just... don't.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/b14e726d57f610854…
	https://git.kernel.org/stable/c/18ca68f7c65772158…
	https://git.kernel.org/stable/c/cbf4890c6f28fb1ad…

Impacted products

Vendor

Product

Version

Linux

Affected: dbf5d3d02987faa0eec3710dd687cd912362d7b5 , < b14e726d57f61085485f107a6203c50a09695abd (git)
Affected: dbf5d3d02987faa0eec3710dd687cd912362d7b5 , < 18ca68f7c657721583a75cab01f0d0d2ec63a6c9 (git)
Affected: dbf5d3d02987faa0eec3710dd687cd912362d7b5 , < cbf4890c6f28fb1ad733e14613fbd33c2004bced (git)
Affected: 0fe85301b95077ac4fa4a91909d38b7341e81187 (git)

Linux

Affected: 6.8
Unaffected: 0 , < 6.8 (semver)
Unaffected: 6.12.31 , ≤ 6.12.* (semver)
Unaffected: 6.14.9 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c",
            "drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h",
            "drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b14e726d57f61085485f107a6203c50a09695abd",
              "status": "affected",
              "version": "dbf5d3d02987faa0eec3710dd687cd912362d7b5",
              "versionType": "git"
            },
            {
              "lessThan": "18ca68f7c657721583a75cab01f0d0d2ec63a6c9",
              "status": "affected",
              "version": "dbf5d3d02987faa0eec3710dd687cd912362d7b5",
              "versionType": "git"
            },
            {
              "lessThan": "cbf4890c6f28fb1ad733e14613fbd33c2004bced",
              "status": "affected",
              "version": "dbf5d3d02987faa0eec3710dd687cd912362d7b5",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "0fe85301b95077ac4fa4a91909d38b7341e81187",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c",
            "drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h",
            "drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.8"
            },
            {
              "lessThan": "6.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.31",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.31",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.9",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.7.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Don\u0027t treat wb connector as physical in create_validate_stream_for_sink\n\nDon\u0027t try to operate on a drm_wb_connector as an amdgpu_dm_connector.\nWhile dereferencing aconnector-\u003ebase will \"work\" it\u0027s wrong and\nmight lead to unknown bad things. Just... don\u0027t."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-03T13:06:53.318Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b14e726d57f61085485f107a6203c50a09695abd"
        },
        {
          "url": "https://git.kernel.org/stable/c/18ca68f7c657721583a75cab01f0d0d2ec63a6c9"
        },
        {
          "url": "https://git.kernel.org/stable/c/cbf4890c6f28fb1ad733e14613fbd33c2004bced"
        }
      ],
      "title": "drm/amd/display: Don\u0027t treat wb connector as physical in create_validate_stream_for_sink",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38098",
    "datePublished": "2025-07-03T08:13:58.603Z",
    "dateReserved": "2025-04-16T04:51:23.985Z",
    "dateUpdated": "2025-09-03T13:06:53.318Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38074 (GCVE-0-2025-38074)

Vulnerability from cvelistv5 – Published: 2025-06-18 09:33 – Updated: 2026-01-02 15:30

Title

vhost-scsi: protect vq->log_used with vq->mutex

Summary

In the Linux kernel, the following vulnerability has been resolved: vhost-scsi: protect vq->log_used with vq->mutex The vhost-scsi completion path may access vq->log_base when vq->log_used is already set to false. vhost-thread QEMU-thread vhost_scsi_complete_cmd_work() -> vhost_add_used() -> vhost_add_used_n() if (unlikely(vq->log_used)) QEMU disables vq->log_used via VHOST_SET_VRING_ADDR. mutex_lock(&vq->mutex); vq->log_used = false now! mutex_unlock(&vq->mutex); QEMU gfree(vq->log_base) log_used() -> log_write(vq->log_base) Assuming the VMM is QEMU. The vq->log_base is from QEMU userpace and can be reclaimed via gfree(). As a result, this causes invalid memory writes to QEMU userspace. The control queue path has the same issue.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/80cf68489681c165d…
	https://git.kernel.org/stable/c/8312a1ccff1566f37…
	https://git.kernel.org/stable/c/59614c5acf6688f7a…
	https://git.kernel.org/stable/c/ca85c2d0db5f83098…
	https://git.kernel.org/stable/c/bd8c9404e44adb9f6…
	https://git.kernel.org/stable/c/c0039e3afda29be46…
	https://git.kernel.org/stable/c/f591cf9fce724e507…

Impacted products

Vendor

Product

Version

Linux

Affected: 057cbf49a1f08297877e46c82f707b1bfea806a8 , < 80cf68489681c165ded460930e391b1eb37b5f6f (git)
Affected: 057cbf49a1f08297877e46c82f707b1bfea806a8 , < 8312a1ccff1566f375191a89b9ba71b6eb48a8cd (git)
Affected: 057cbf49a1f08297877e46c82f707b1bfea806a8 , < 59614c5acf6688f7af3c245d359082c0e9e53117 (git)
Affected: 057cbf49a1f08297877e46c82f707b1bfea806a8 , < ca85c2d0db5f8309832be45858b960d933c2131c (git)
Affected: 057cbf49a1f08297877e46c82f707b1bfea806a8 , < bd8c9404e44adb9f6219c09b3409a61ab7ce3427 (git)
Affected: 057cbf49a1f08297877e46c82f707b1bfea806a8 , < c0039e3afda29be469d29b3013d7f9bdee136834 (git)
Affected: 057cbf49a1f08297877e46c82f707b1bfea806a8 , < f591cf9fce724e5075cc67488c43c6e39e8cbe27 (git)

Linux

Affected: 3.6
Unaffected: 0 , < 3.6 (semver)
Unaffected: 5.10.240 , ≤ 5.10.* (semver)
Unaffected: 5.15.189 , ≤ 5.15.* (semver)
Unaffected: 6.1.146 , ≤ 6.1.* (semver)
Unaffected: 6.6.93 , ≤ 6.6.* (semver)
Unaffected: 6.12.31 , ≤ 6.12.* (semver)
Unaffected: 6.14.9 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:33:42.169Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/vhost/scsi.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "80cf68489681c165ded460930e391b1eb37b5f6f",
              "status": "affected",
              "version": "057cbf49a1f08297877e46c82f707b1bfea806a8",
              "versionType": "git"
            },
            {
              "lessThan": "8312a1ccff1566f375191a89b9ba71b6eb48a8cd",
              "status": "affected",
              "version": "057cbf49a1f08297877e46c82f707b1bfea806a8",
              "versionType": "git"
            },
            {
              "lessThan": "59614c5acf6688f7af3c245d359082c0e9e53117",
              "status": "affected",
              "version": "057cbf49a1f08297877e46c82f707b1bfea806a8",
              "versionType": "git"
            },
            {
              "lessThan": "ca85c2d0db5f8309832be45858b960d933c2131c",
              "status": "affected",
              "version": "057cbf49a1f08297877e46c82f707b1bfea806a8",
              "versionType": "git"
            },
            {
              "lessThan": "bd8c9404e44adb9f6219c09b3409a61ab7ce3427",
              "status": "affected",
              "version": "057cbf49a1f08297877e46c82f707b1bfea806a8",
              "versionType": "git"
            },
            {
              "lessThan": "c0039e3afda29be469d29b3013d7f9bdee136834",
              "status": "affected",
              "version": "057cbf49a1f08297877e46c82f707b1bfea806a8",
              "versionType": "git"
            },
            {
              "lessThan": "f591cf9fce724e5075cc67488c43c6e39e8cbe27",
              "status": "affected",
              "version": "057cbf49a1f08297877e46c82f707b1bfea806a8",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/vhost/scsi.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.6"
            },
            {
              "lessThan": "3.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.240",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.189",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.146",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.93",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.31",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.240",
                  "versionStartIncluding": "3.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.189",
                  "versionStartIncluding": "3.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.146",
                  "versionStartIncluding": "3.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.93",
                  "versionStartIncluding": "3.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.31",
                  "versionStartIncluding": "3.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.9",
                  "versionStartIncluding": "3.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "3.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvhost-scsi: protect vq-\u003elog_used with vq-\u003emutex\n\nThe vhost-scsi completion path may access vq-\u003elog_base when vq-\u003elog_used is\nalready set to false.\n\n    vhost-thread                       QEMU-thread\n\nvhost_scsi_complete_cmd_work()\n-\u003e vhost_add_used()\n   -\u003e vhost_add_used_n()\n      if (unlikely(vq-\u003elog_used))\n                                      QEMU disables vq-\u003elog_used\n                                      via VHOST_SET_VRING_ADDR.\n                                      mutex_lock(\u0026vq-\u003emutex);\n                                      vq-\u003elog_used = false now!\n                                      mutex_unlock(\u0026vq-\u003emutex);\n\n\t\t\t\t      QEMU gfree(vq-\u003elog_base)\n        log_used()\n        -\u003e log_write(vq-\u003elog_base)\n\nAssuming the VMM is QEMU. The vq-\u003elog_base is from QEMU userpace and can be\nreclaimed via gfree(). As a result, this causes invalid memory writes to\nQEMU userspace.\n\nThe control queue path has the same issue."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:30:04.884Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/80cf68489681c165ded460930e391b1eb37b5f6f"
        },
        {
          "url": "https://git.kernel.org/stable/c/8312a1ccff1566f375191a89b9ba71b6eb48a8cd"
        },
        {
          "url": "https://git.kernel.org/stable/c/59614c5acf6688f7af3c245d359082c0e9e53117"
        },
        {
          "url": "https://git.kernel.org/stable/c/ca85c2d0db5f8309832be45858b960d933c2131c"
        },
        {
          "url": "https://git.kernel.org/stable/c/bd8c9404e44adb9f6219c09b3409a61ab7ce3427"
        },
        {
          "url": "https://git.kernel.org/stable/c/c0039e3afda29be469d29b3013d7f9bdee136834"
        },
        {
          "url": "https://git.kernel.org/stable/c/f591cf9fce724e5075cc67488c43c6e39e8cbe27"
        }
      ],
      "title": "vhost-scsi: protect vq-\u003elog_used with vq-\u003emutex",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38074",
    "datePublished": "2025-06-18T09:33:50.006Z",
    "dateReserved": "2025-04-16T04:51:23.980Z",
    "dateUpdated": "2026-01-02T15:30:04.884Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38135 (GCVE-0-2025-38135)

Vulnerability from cvelistv5 – Published: 2025-07-03 08:35 – Updated: 2025-11-03 17:34

Title

serial: Fix potential null-ptr-deref in mlb_usio_probe()

Summary

In the Linux kernel, the following vulnerability has been resolved: serial: Fix potential null-ptr-deref in mlb_usio_probe() devm_ioremap() can return NULL on error. Currently, mlb_usio_probe() does not check for this case, which could result in a NULL pointer dereference. Add NULL check after devm_ioremap() to prevent this issue.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/a05ebe384c7ca7547…
	https://git.kernel.org/stable/c/81159a6b064142b99…
	https://git.kernel.org/stable/c/19fd9f5a69363d330…
	https://git.kernel.org/stable/c/548b0e81b9a0902a8…
	https://git.kernel.org/stable/c/a6c7c365734cd0fa1…
	https://git.kernel.org/stable/c/c23d87b43f7dba5eb…
	https://git.kernel.org/stable/c/e1b144aebe6fb898d…
	https://git.kernel.org/stable/c/86bcae88c9209e334…

Impacted products

Vendor

Product

Version

Linux

Affected: ba44dc04300441b47618f9933bf36e75a280e5fe , < a05ebe384c7ca75476453f3070c67d9cf1d1a89f (git)
Affected: ba44dc04300441b47618f9933bf36e75a280e5fe , < 81159a6b064142b993f2f39828b77e199c77872a (git)
Affected: ba44dc04300441b47618f9933bf36e75a280e5fe , < 19fd9f5a69363d33079097d866eb6082d61bf31d (git)
Affected: ba44dc04300441b47618f9933bf36e75a280e5fe , < 548b0e81b9a0902a8bc8259430ed965663baadfc (git)
Affected: ba44dc04300441b47618f9933bf36e75a280e5fe , < a6c7c365734cd0fa1c5aa225a6294fdf80cad2ea (git)
Affected: ba44dc04300441b47618f9933bf36e75a280e5fe , < c23d87b43f7dba5eb12820f6cf21a1cd4f63eb3d (git)
Affected: ba44dc04300441b47618f9933bf36e75a280e5fe , < e1b144aebe6fb898d96ced8c990d7aa38fda4a7a (git)
Affected: ba44dc04300441b47618f9933bf36e75a280e5fe , < 86bcae88c9209e334b2f8c252f4cc66beb261886 (git)

Linux

Affected: 5.2
Unaffected: 0 , < 5.2 (semver)
Unaffected: 5.4.295 , ≤ 5.4.* (semver)
Unaffected: 5.10.239 , ≤ 5.10.* (semver)
Unaffected: 5.15.186 , ≤ 5.15.* (semver)
Unaffected: 6.1.142 , ≤ 6.1.* (semver)
Unaffected: 6.6.94 , ≤ 6.6.* (semver)
Unaffected: 6.12.34 , ≤ 6.12.* (semver)
Unaffected: 6.15.3 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:34:27.045Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/tty/serial/milbeaut_usio.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a05ebe384c7ca75476453f3070c67d9cf1d1a89f",
              "status": "affected",
              "version": "ba44dc04300441b47618f9933bf36e75a280e5fe",
              "versionType": "git"
            },
            {
              "lessThan": "81159a6b064142b993f2f39828b77e199c77872a",
              "status": "affected",
              "version": "ba44dc04300441b47618f9933bf36e75a280e5fe",
              "versionType": "git"
            },
            {
              "lessThan": "19fd9f5a69363d33079097d866eb6082d61bf31d",
              "status": "affected",
              "version": "ba44dc04300441b47618f9933bf36e75a280e5fe",
              "versionType": "git"
            },
            {
              "lessThan": "548b0e81b9a0902a8bc8259430ed965663baadfc",
              "status": "affected",
              "version": "ba44dc04300441b47618f9933bf36e75a280e5fe",
              "versionType": "git"
            },
            {
              "lessThan": "a6c7c365734cd0fa1c5aa225a6294fdf80cad2ea",
              "status": "affected",
              "version": "ba44dc04300441b47618f9933bf36e75a280e5fe",
              "versionType": "git"
            },
            {
              "lessThan": "c23d87b43f7dba5eb12820f6cf21a1cd4f63eb3d",
              "status": "affected",
              "version": "ba44dc04300441b47618f9933bf36e75a280e5fe",
              "versionType": "git"
            },
            {
              "lessThan": "e1b144aebe6fb898d96ced8c990d7aa38fda4a7a",
              "status": "affected",
              "version": "ba44dc04300441b47618f9933bf36e75a280e5fe",
              "versionType": "git"
            },
            {
              "lessThan": "86bcae88c9209e334b2f8c252f4cc66beb261886",
              "status": "affected",
              "version": "ba44dc04300441b47618f9933bf36e75a280e5fe",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/tty/serial/milbeaut_usio.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.2"
            },
            {
              "lessThan": "5.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.295",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.295",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.94",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: Fix potential null-ptr-deref in mlb_usio_probe()\n\ndevm_ioremap() can return NULL on error. Currently, mlb_usio_probe()\ndoes not check for this case, which could result in a NULL pointer\ndereference.\n\nAdd NULL check after devm_ioremap() to prevent this issue."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:13:11.475Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a05ebe384c7ca75476453f3070c67d9cf1d1a89f"
        },
        {
          "url": "https://git.kernel.org/stable/c/81159a6b064142b993f2f39828b77e199c77872a"
        },
        {
          "url": "https://git.kernel.org/stable/c/19fd9f5a69363d33079097d866eb6082d61bf31d"
        },
        {
          "url": "https://git.kernel.org/stable/c/548b0e81b9a0902a8bc8259430ed965663baadfc"
        },
        {
          "url": "https://git.kernel.org/stable/c/a6c7c365734cd0fa1c5aa225a6294fdf80cad2ea"
        },
        {
          "url": "https://git.kernel.org/stable/c/c23d87b43f7dba5eb12820f6cf21a1cd4f63eb3d"
        },
        {
          "url": "https://git.kernel.org/stable/c/e1b144aebe6fb898d96ced8c990d7aa38fda4a7a"
        },
        {
          "url": "https://git.kernel.org/stable/c/86bcae88c9209e334b2f8c252f4cc66beb261886"
        }
      ],
      "title": "serial: Fix potential null-ptr-deref in mlb_usio_probe()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38135",
    "datePublished": "2025-07-03T08:35:38.295Z",
    "dateReserved": "2025-04-16T04:51:23.987Z",
    "dateUpdated": "2025-11-03T17:34:27.045Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21881 (GCVE-0-2025-21881)

Vulnerability from cvelistv5 – Published: 2025-03-27 14:57 – Updated: 2025-11-03 19:38

Title

uprobes: Reject the shared zeropage in uprobe_write_opcode()

Summary

In the Linux kernel, the following vulnerability has been resolved: uprobes: Reject the shared zeropage in uprobe_write_opcode() We triggered the following crash in syzkaller tests: BUG: Bad page state in process syz.7.38 pfn:1eff3 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1eff3 flags: 0x3fffff00004004(referenced|reserved|node=0|zone=1|lastcpupid=0x1fffff) raw: 003fffff00004004 ffffe6c6c07bfcc8 ffffe6c6c07bfcc8 0000000000000000 raw: 0000000000000000 0000000000000000 00000000fffffffe 0000000000000000 page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x32/0x50 bad_page+0x69/0xf0 free_unref_page_prepare+0x401/0x500 free_unref_page+0x6d/0x1b0 uprobe_write_opcode+0x460/0x8e0 install_breakpoint.part.0+0x51/0x80 register_for_each_vma+0x1d9/0x2b0 __uprobe_register+0x245/0x300 bpf_uprobe_multi_link_attach+0x29b/0x4f0 link_create+0x1e2/0x280 __sys_bpf+0x75f/0xac0 __x64_sys_bpf+0x1a/0x30 do_syscall_64+0x56/0x100 entry_SYSCALL_64_after_hwframe+0x78/0xe2 BUG: Bad rss-counter state mm:00000000452453e0 type:MM_FILEPAGES val:-1 The following syzkaller test case can be used to reproduce: r2 = creat(&(0x7f0000000000)='./file0\x00', 0x8) write$nbd(r2, &(0x7f0000000580)=ANY=[], 0x10) r4 = openat(0xffffffffffffff9c, &(0x7f0000000040)='./file0\x00', 0x42, 0x0) mmap$IORING_OFF_SQ_RING(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x0, 0x12, r4, 0x0) r5 = userfaultfd(0x80801) ioctl$UFFDIO_API(r5, 0xc018aa3f, &(0x7f0000000040)={0xaa, 0x20}) r6 = userfaultfd(0x80801) ioctl$UFFDIO_API(r6, 0xc018aa3f, &(0x7f0000000140)) ioctl$UFFDIO_REGISTER(r6, 0xc020aa00, &(0x7f0000000100)={{&(0x7f0000ffc000/0x4000)=nil, 0x4000}, 0x2}) ioctl$UFFDIO_ZEROPAGE(r5, 0xc020aa04, &(0x7f0000000000)={{&(0x7f0000ffd000/0x1000)=nil, 0x1000}}) r7 = bpf$PROG_LOAD(0x5, &(0x7f0000000140)={0x2, 0x3, &(0x7f0000000200)=ANY=[@ANYBLOB="1800000000120000000000000000000095"], &(0x7f0000000000)='GPL\x00', 0x7, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x30, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000040)={r7, 0x0, 0x30, 0x1e, @val=@uprobe_multi={&(0x7f0000000080)='./file0\x00', &(0x7f0000000100)=[0x2], 0x0, 0x0, 0x1}}, 0x40) The cause is that zero pfn is set to the PTE without increasing the RSS count in mfill_atomic_pte_zeropage() and the refcount of zero folio does not increase accordingly. Then, the operation on the same pfn is performed in uprobe_write_opcode()->__replace_page() to unconditional decrease the RSS count and old_folio's refcount. Therefore, two bugs are introduced: 1. The RSS count is incorrect, when process exit, the check_mm() report error "Bad rss-count". 2. The reserved folio (zero folio) is freed when folio->refcount is zero, then free_pages_prepare->free_page_is_bad() report error "Bad page state". There is more, the following warning could also theoretically be triggered: __replace_page() -> ... -> folio_remove_rmap_pte() -> VM_WARN_ON_FOLIO(is_zero_folio(folio), folio) Considering that uprobe hit on the zero folio is a very rare case, just reject zero old folio immediately after get_user_page_vma_remote(). [ mingo: Cleaned up the changelog ]

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/c4cb2bfa995133118…
	https://git.kernel.org/stable/c/0b6f19714588cf236…
	https://git.kernel.org/stable/c/13cca2b73e2b0ec3e…
	https://git.kernel.org/stable/c/54011fc94422f094e…
	https://git.kernel.org/stable/c/bddf10d26e6e5114e…

Impacted products

Vendor

Product

Version

Linux

Affected: 2b144498350860b6ee9dc57ff27a93ad488de5dc , < c4cb2bfa99513311886c1eb5c1c2ac26f3338a6e (git)
Affected: 2b144498350860b6ee9dc57ff27a93ad488de5dc , < 0b6f19714588cf2366b0364234f97ba963688f63 (git)
Affected: 2b144498350860b6ee9dc57ff27a93ad488de5dc , < 13cca2b73e2b0ec3ea6d6615d615395621d22752 (git)
Affected: 2b144498350860b6ee9dc57ff27a93ad488de5dc , < 54011fc94422f094eaf47555284de70a4bc32bb9 (git)
Affected: 2b144498350860b6ee9dc57ff27a93ad488de5dc , < bddf10d26e6e5114e7415a0e442ec6f51a559468 (git)

Linux

Affected: 3.5
Unaffected: 0 , < 3.5 (semver)
Unaffected: 6.1.130 , ≤ 6.1.* (semver)
Unaffected: 6.6.81 , ≤ 6.6.* (semver)
Unaffected: 6.12.18 , ≤ 6.12.* (semver)
Unaffected: 6.13.6 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:38:38.879Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/events/uprobes.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c4cb2bfa99513311886c1eb5c1c2ac26f3338a6e",
              "status": "affected",
              "version": "2b144498350860b6ee9dc57ff27a93ad488de5dc",
              "versionType": "git"
            },
            {
              "lessThan": "0b6f19714588cf2366b0364234f97ba963688f63",
              "status": "affected",
              "version": "2b144498350860b6ee9dc57ff27a93ad488de5dc",
              "versionType": "git"
            },
            {
              "lessThan": "13cca2b73e2b0ec3ea6d6615d615395621d22752",
              "status": "affected",
              "version": "2b144498350860b6ee9dc57ff27a93ad488de5dc",
              "versionType": "git"
            },
            {
              "lessThan": "54011fc94422f094eaf47555284de70a4bc32bb9",
              "status": "affected",
              "version": "2b144498350860b6ee9dc57ff27a93ad488de5dc",
              "versionType": "git"
            },
            {
              "lessThan": "bddf10d26e6e5114e7415a0e442ec6f51a559468",
              "status": "affected",
              "version": "2b144498350860b6ee9dc57ff27a93ad488de5dc",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/events/uprobes.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.5"
            },
            {
              "lessThan": "3.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.130",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.81",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.18",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.130",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.81",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.18",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.6",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nuprobes: Reject the shared zeropage in uprobe_write_opcode()\n\nWe triggered the following crash in syzkaller tests:\n\n  BUG: Bad page state in process syz.7.38  pfn:1eff3\n  page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1eff3\n  flags: 0x3fffff00004004(referenced|reserved|node=0|zone=1|lastcpupid=0x1fffff)\n  raw: 003fffff00004004 ffffe6c6c07bfcc8 ffffe6c6c07bfcc8 0000000000000000\n  raw: 0000000000000000 0000000000000000 00000000fffffffe 0000000000000000\n  page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014\n  Call Trace:\n   \u003cTASK\u003e\n   dump_stack_lvl+0x32/0x50\n   bad_page+0x69/0xf0\n   free_unref_page_prepare+0x401/0x500\n   free_unref_page+0x6d/0x1b0\n   uprobe_write_opcode+0x460/0x8e0\n   install_breakpoint.part.0+0x51/0x80\n   register_for_each_vma+0x1d9/0x2b0\n   __uprobe_register+0x245/0x300\n   bpf_uprobe_multi_link_attach+0x29b/0x4f0\n   link_create+0x1e2/0x280\n   __sys_bpf+0x75f/0xac0\n   __x64_sys_bpf+0x1a/0x30\n   do_syscall_64+0x56/0x100\n   entry_SYSCALL_64_after_hwframe+0x78/0xe2\n\n   BUG: Bad rss-counter state mm:00000000452453e0 type:MM_FILEPAGES val:-1\n\nThe following syzkaller test case can be used to reproduce:\n\n  r2 = creat(\u0026(0x7f0000000000)=\u0027./file0\\x00\u0027, 0x8)\n  write$nbd(r2, \u0026(0x7f0000000580)=ANY=[], 0x10)\n  r4 = openat(0xffffffffffffff9c, \u0026(0x7f0000000040)=\u0027./file0\\x00\u0027, 0x42, 0x0)\n  mmap$IORING_OFF_SQ_RING(\u0026(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x0, 0x12, r4, 0x0)\n  r5 = userfaultfd(0x80801)\n  ioctl$UFFDIO_API(r5, 0xc018aa3f, \u0026(0x7f0000000040)={0xaa, 0x20})\n  r6 = userfaultfd(0x80801)\n  ioctl$UFFDIO_API(r6, 0xc018aa3f, \u0026(0x7f0000000140))\n  ioctl$UFFDIO_REGISTER(r6, 0xc020aa00, \u0026(0x7f0000000100)={{\u0026(0x7f0000ffc000/0x4000)=nil, 0x4000}, 0x2})\n  ioctl$UFFDIO_ZEROPAGE(r5, 0xc020aa04, \u0026(0x7f0000000000)={{\u0026(0x7f0000ffd000/0x1000)=nil, 0x1000}})\n  r7 = bpf$PROG_LOAD(0x5, \u0026(0x7f0000000140)={0x2, 0x3, \u0026(0x7f0000000200)=ANY=[@ANYBLOB=\"1800000000120000000000000000000095\"], \u0026(0x7f0000000000)=\u0027GPL\\x00\u0027, 0x7, 0x0, 0x0, 0x0, 0x0, \u0027\\x00\u0027, 0x0, @fallback=0x30, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94)\n  bpf$BPF_LINK_CREATE_XDP(0x1c, \u0026(0x7f0000000040)={r7, 0x0, 0x30, 0x1e, @val=@uprobe_multi={\u0026(0x7f0000000080)=\u0027./file0\\x00\u0027, \u0026(0x7f0000000100)=[0x2], 0x0, 0x0, 0x1}}, 0x40)\n\nThe cause is that zero pfn is set to the PTE without increasing the RSS\ncount in mfill_atomic_pte_zeropage() and the refcount of zero folio does\nnot increase accordingly. Then, the operation on the same pfn is performed\nin uprobe_write_opcode()-\u003e__replace_page() to unconditional decrease the\nRSS count and old_folio\u0027s refcount.\n\nTherefore, two bugs are introduced:\n\n 1. The RSS count is incorrect, when process exit, the check_mm() report\n    error \"Bad rss-count\".\n\n 2. The reserved folio (zero folio) is freed when folio-\u003erefcount is zero,\n    then free_pages_prepare-\u003efree_page_is_bad() report error\n    \"Bad page state\".\n\nThere is more, the following warning could also theoretically be triggered:\n\n  __replace_page()\n    -\u003e ...\n      -\u003e folio_remove_rmap_pte()\n        -\u003e VM_WARN_ON_FOLIO(is_zero_folio(folio), folio)\n\nConsidering that uprobe hit on the zero folio is a very rare case, just\nreject zero old folio immediately after get_user_page_vma_remote().\n\n[ mingo: Cleaned up the changelog ]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:23:14.242Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c4cb2bfa99513311886c1eb5c1c2ac26f3338a6e"
        },
        {
          "url": "https://git.kernel.org/stable/c/0b6f19714588cf2366b0364234f97ba963688f63"
        },
        {
          "url": "https://git.kernel.org/stable/c/13cca2b73e2b0ec3ea6d6615d615395621d22752"
        },
        {
          "url": "https://git.kernel.org/stable/c/54011fc94422f094eaf47555284de70a4bc32bb9"
        },
        {
          "url": "https://git.kernel.org/stable/c/bddf10d26e6e5114e7415a0e442ec6f51a559468"
        }
      ],
      "title": "uprobes: Reject the shared zeropage in uprobe_write_opcode()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21881",
    "datePublished": "2025-03-27T14:57:10.241Z",
    "dateReserved": "2024-12-29T08:45:45.782Z",
    "dateUpdated": "2025-11-03T19:38:38.879Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38284 (GCVE-0-2025-38284)

Vulnerability from cvelistv5 – Published: 2025-07-10 07:42 – Updated: 2025-07-28 04:17

Title

wifi: rtw89: pci: configure manual DAC mode via PCI config API only

Summary

In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: pci: configure manual DAC mode via PCI config API only To support 36-bit DMA, configure chip proprietary bit via PCI config API or chip DBI interface. However, the PCI device mmap isn't set yet and the DBI is also inaccessible via mmap, so only if the bit can be accessible via PCI config API, chip can support 36-bit DMA. Otherwise, fallback to 32-bit DMA. With NULL mmap address, kernel throws trace: BUG: unable to handle page fault for address: 0000000000001090 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page PGD 0 P4D 0 Oops: Oops: 0002 [#1] PREEMPT SMP PTI CPU: 1 UID: 0 PID: 71 Comm: irq/26-pciehp Tainted: G OE 6.14.2-061402-generic #202504101348 Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE RIP: 0010:rtw89_pci_ops_write16+0x12/0x30 [rtw89_pci] RSP: 0018:ffffb0ffc0acf9d8 EFLAGS: 00010206 RAX: ffffffffc158f9c0 RBX: ffff94865e702020 RCX: 0000000000000000 RDX: 0000000000000718 RSI: 0000000000001090 RDI: ffff94865e702020 RBP: ffffb0ffc0acf9d8 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000015 R13: 0000000000000719 R14: ffffb0ffc0acfa1f R15: ffffffffc1813060 FS: 0000000000000000(0000) GS:ffff9486f3480000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000001090 CR3: 0000000090440001 CR4: 00000000000626f0 Call Trace: <TASK> rtw89_pci_read_config_byte+0x6d/0x120 [rtw89_pci] rtw89_pci_cfg_dac+0x5b/0xb0 [rtw89_pci] rtw89_pci_probe+0xa96/0xbd0 [rtw89_pci] ? __pfx___device_attach_driver+0x10/0x10 ? __pfx___device_attach_driver+0x10/0x10 local_pci_probe+0x47/0xa0 pci_call_probe+0x5d/0x190 pci_device_probe+0xa7/0x160 really_probe+0xf9/0x370 ? pm_runtime_barrier+0x55/0xa0 __driver_probe_device+0x8c/0x140 driver_probe_device+0x24/0xd0 __device_attach_driver+0xcd/0x170 bus_for_each_drv+0x99/0x100 __device_attach+0xb4/0x1d0 device_attach+0x10/0x20 pci_bus_add_device+0x59/0x90 pci_bus_add_devices+0x31/0x80 pciehp_configure_device+0xaa/0x170 pciehp_enable_slot+0xd6/0x240 pciehp_handle_presence_or_link_change+0xf1/0x180 pciehp_ist+0x162/0x1c0 irq_thread_fn+0x24/0x70 irq_thread+0xef/0x1c0 ? __pfx_irq_thread_fn+0x10/0x10 ? __pfx_irq_thread_dtor+0x10/0x10 ? __pfx_irq_thread+0x10/0x10 kthread+0xfc/0x230 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x47/0x70 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK>

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/e1e0f046041474004…
	https://git.kernel.org/stable/c/a70cf04b08f44f41b…

Impacted products

Vendor

Product

Version

Linux

Affected: 1fd4b3fe52efd5ad1647966f619c10988e7a4457 , < e1e0f046041474004dc6ebce5ce1d3e86556291d (git)
Affected: 1fd4b3fe52efd5ad1647966f619c10988e7a4457 , < a70cf04b08f44f41bce14659aa7012674b15d9de (git)

Linux

Affected: 6.11
Unaffected: 0 , < 6.11 (semver)
Unaffected: 6.15.3 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/realtek/rtw89/pci.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e1e0f046041474004dc6ebce5ce1d3e86556291d",
              "status": "affected",
              "version": "1fd4b3fe52efd5ad1647966f619c10988e7a4457",
              "versionType": "git"
            },
            {
              "lessThan": "a70cf04b08f44f41bce14659aa7012674b15d9de",
              "status": "affected",
              "version": "1fd4b3fe52efd5ad1647966f619c10988e7a4457",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/realtek/rtw89/pci.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.11"
            },
            {
              "lessThan": "6.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw89: pci: configure manual DAC mode via PCI config API only\n\nTo support 36-bit DMA, configure chip proprietary bit via PCI config API\nor chip DBI interface. However, the PCI device mmap isn\u0027t set yet and\nthe DBI is also inaccessible via mmap, so only if the bit can be accessible\nvia PCI config API, chip can support 36-bit DMA. Otherwise, fallback to\n32-bit DMA.\n\nWith NULL mmap address, kernel throws trace:\n\n  BUG: unable to handle page fault for address: 0000000000001090\n  #PF: supervisor write access in kernel mode\n  #PF: error_code(0x0002) - not-present page\n  PGD 0 P4D 0\n  Oops: Oops: 0002 [#1] PREEMPT SMP PTI\n  CPU: 1 UID: 0 PID: 71 Comm: irq/26-pciehp Tainted: G           OE      6.14.2-061402-generic #202504101348\n  Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE\n  RIP: 0010:rtw89_pci_ops_write16+0x12/0x30 [rtw89_pci]\n  RSP: 0018:ffffb0ffc0acf9d8 EFLAGS: 00010206\n  RAX: ffffffffc158f9c0 RBX: ffff94865e702020 RCX: 0000000000000000\n  RDX: 0000000000000718 RSI: 0000000000001090 RDI: ffff94865e702020\n  RBP: ffffb0ffc0acf9d8 R08: 0000000000000000 R09: 0000000000000000\n  R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000015\n  R13: 0000000000000719 R14: ffffb0ffc0acfa1f R15: ffffffffc1813060\n  FS:  0000000000000000(0000) GS:ffff9486f3480000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 0000000000001090 CR3: 0000000090440001 CR4: 00000000000626f0\n  Call Trace:\n   \u003cTASK\u003e\n   rtw89_pci_read_config_byte+0x6d/0x120 [rtw89_pci]\n   rtw89_pci_cfg_dac+0x5b/0xb0 [rtw89_pci]\n   rtw89_pci_probe+0xa96/0xbd0 [rtw89_pci]\n   ? __pfx___device_attach_driver+0x10/0x10\n   ? __pfx___device_attach_driver+0x10/0x10\n   local_pci_probe+0x47/0xa0\n   pci_call_probe+0x5d/0x190\n   pci_device_probe+0xa7/0x160\n   really_probe+0xf9/0x370\n   ? pm_runtime_barrier+0x55/0xa0\n   __driver_probe_device+0x8c/0x140\n   driver_probe_device+0x24/0xd0\n   __device_attach_driver+0xcd/0x170\n   bus_for_each_drv+0x99/0x100\n   __device_attach+0xb4/0x1d0\n   device_attach+0x10/0x20\n   pci_bus_add_device+0x59/0x90\n   pci_bus_add_devices+0x31/0x80\n   pciehp_configure_device+0xaa/0x170\n   pciehp_enable_slot+0xd6/0x240\n   pciehp_handle_presence_or_link_change+0xf1/0x180\n   pciehp_ist+0x162/0x1c0\n   irq_thread_fn+0x24/0x70\n   irq_thread+0xef/0x1c0\n   ? __pfx_irq_thread_fn+0x10/0x10\n   ? __pfx_irq_thread_dtor+0x10/0x10\n   ? __pfx_irq_thread+0x10/0x10\n   kthread+0xfc/0x230\n   ? __pfx_kthread+0x10/0x10\n   ret_from_fork+0x47/0x70\n   ? __pfx_kthread+0x10/0x10\n   ret_from_fork_asm+0x1a/0x30\n   \u003c/TASK\u003e"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:17:21.524Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e1e0f046041474004dc6ebce5ce1d3e86556291d"
        },
        {
          "url": "https://git.kernel.org/stable/c/a70cf04b08f44f41bce14659aa7012674b15d9de"
        }
      ],
      "title": "wifi: rtw89: pci: configure manual DAC mode via PCI config API only",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38284",
    "datePublished": "2025-07-10T07:42:01.667Z",
    "dateReserved": "2025-04-16T04:51:24.000Z",
    "dateUpdated": "2025-07-28T04:17:21.524Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38142 (GCVE-0-2025-38142)

Vulnerability from cvelistv5 – Published: 2025-07-03 08:35 – Updated: 2025-11-03 17:34

Title

hwmon: (asus-ec-sensors) check sensor index in read_string()

Summary

In the Linux kernel, the following vulnerability has been resolved: hwmon: (asus-ec-sensors) check sensor index in read_string() Prevent a potential invalid memory access when the requested sensor is not found. find_ec_sensor_index() may return a negative value (e.g. -ENOENT), but its result was used without checking, which could lead to undefined behavior when passed to get_sensor_info(). Add a proper check to return -EINVAL if sensor_index is negative. Found by Linux Verification Center (linuxtesting.org) with SVACE. [groeck: Return error code returned from find_ec_sensor_index]

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/6bf529ce84dccc007…
	https://git.kernel.org/stable/c/4e9e45746b861ebd5…
	https://git.kernel.org/stable/c/19bd9cde38dd4ca17…
	https://git.kernel.org/stable/c/7eeb3df6f07a886bd…
	https://git.kernel.org/stable/c/25be318324563c63c…

Impacted products

Vendor

Product

Version

Linux

Affected: d0ddfd241e5719d696bc0b081e260db69d368668 , < 6bf529ce84dccc0074dbc704e70aee4aa545057e (git)
Affected: d0ddfd241e5719d696bc0b081e260db69d368668 , < 4e9e45746b861ebd54c03ef301da2cb8fc990536 (git)
Affected: d0ddfd241e5719d696bc0b081e260db69d368668 , < 19bd9cde38dd4ca1771aed7afba623e7f4247c8e (git)
Affected: d0ddfd241e5719d696bc0b081e260db69d368668 , < 7eeb3df6f07a886bdfd52757ede127a59a8784dc (git)
Affected: d0ddfd241e5719d696bc0b081e260db69d368668 , < 25be318324563c63cbd9cb53186203a08d2f83a1 (git)

Linux

Affected: 5.18
Unaffected: 0 , < 5.18 (semver)
Unaffected: 6.1.142 , ≤ 6.1.* (semver)
Unaffected: 6.6.94 , ≤ 6.6.* (semver)
Unaffected: 6.12.34 , ≤ 6.12.* (semver)
Unaffected: 6.15.3 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:34:31.871Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/hwmon/asus-ec-sensors.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6bf529ce84dccc0074dbc704e70aee4aa545057e",
              "status": "affected",
              "version": "d0ddfd241e5719d696bc0b081e260db69d368668",
              "versionType": "git"
            },
            {
              "lessThan": "4e9e45746b861ebd54c03ef301da2cb8fc990536",
              "status": "affected",
              "version": "d0ddfd241e5719d696bc0b081e260db69d368668",
              "versionType": "git"
            },
            {
              "lessThan": "19bd9cde38dd4ca1771aed7afba623e7f4247c8e",
              "status": "affected",
              "version": "d0ddfd241e5719d696bc0b081e260db69d368668",
              "versionType": "git"
            },
            {
              "lessThan": "7eeb3df6f07a886bdfd52757ede127a59a8784dc",
              "status": "affected",
              "version": "d0ddfd241e5719d696bc0b081e260db69d368668",
              "versionType": "git"
            },
            {
              "lessThan": "25be318324563c63cbd9cb53186203a08d2f83a1",
              "status": "affected",
              "version": "d0ddfd241e5719d696bc0b081e260db69d368668",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/hwmon/asus-ec-sensors.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.18"
            },
            {
              "lessThan": "5.18",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.94",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (asus-ec-sensors) check sensor index in read_string()\n\nPrevent a potential invalid memory access when the requested sensor\nis not found.\n\nfind_ec_sensor_index() may return a negative value (e.g. -ENOENT),\nbut its result was used without checking, which could lead to\nundefined behavior when passed to get_sensor_info().\n\nAdd a proper check to return -EINVAL if sensor_index is negative.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\n\n[groeck: Return error code returned from find_ec_sensor_index]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:13:22.109Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/6bf529ce84dccc0074dbc704e70aee4aa545057e"
        },
        {
          "url": "https://git.kernel.org/stable/c/4e9e45746b861ebd54c03ef301da2cb8fc990536"
        },
        {
          "url": "https://git.kernel.org/stable/c/19bd9cde38dd4ca1771aed7afba623e7f4247c8e"
        },
        {
          "url": "https://git.kernel.org/stable/c/7eeb3df6f07a886bdfd52757ede127a59a8784dc"
        },
        {
          "url": "https://git.kernel.org/stable/c/25be318324563c63cbd9cb53186203a08d2f83a1"
        }
      ],
      "title": "hwmon: (asus-ec-sensors) check sensor index in read_string()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38142",
    "datePublished": "2025-07-03T08:35:43.521Z",
    "dateReserved": "2025-04-16T04:51:23.987Z",
    "dateUpdated": "2025-11-03T17:34:31.871Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-22014 (GCVE-0-2025-22014)

Vulnerability from cvelistv5 – Published: 2025-04-08 08:18 – Updated: 2025-11-03 19:40

Title

soc: qcom: pdr: Fix the potential deadlock

Summary

In the Linux kernel, the following vulnerability has been resolved: soc: qcom: pdr: Fix the potential deadlock When some client process A call pdr_add_lookup() to add the look up for the service and does schedule locator work, later a process B got a new server packet indicating locator is up and call pdr_locator_new_server() which eventually sets pdr->locator_init_complete to true which process A sees and takes list lock and queries domain list but it will timeout due to deadlock as the response will queued to the same qmi->wq and it is ordered workqueue and process B is not able to complete new server request work due to deadlock on list lock. Fix it by removing the unnecessary list iteration as the list iteration is already being done inside locator work, so avoid it here and just call schedule_work() here. Process A Process B process_scheduled_works() pdr_add_lookup() qmi_data_ready_work() process_scheduled_works() pdr_locator_new_server() pdr->locator_init_complete=true; pdr_locator_work() mutex_lock(&pdr->list_lock); pdr_locate_service() mutex_lock(&pdr->list_lock); pdr_get_domain_list() pr_err("PDR: %s get domain list txn wait failed: %d\n", req->service_name, ret); Timeout error log due to deadlock: " PDR: tms/servreg get domain list txn wait failed: -110 PDR: service lookup for msm/adsp/sensor_pd:tms/servreg failed: -110 " Thanks to Bjorn and Johan for letting me know that this commit also fixes an audio regression when using the in-kernel pd-mapper as that makes it easier to hit this race. [1]

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/72a222b6af10c2a05…
	https://git.kernel.org/stable/c/daba84612236de3ab…
	https://git.kernel.org/stable/c/0a566a79aca9851fa…
	https://git.kernel.org/stable/c/f2bbfd50e95bc1173…
	https://git.kernel.org/stable/c/f4489260f5713c94e…
	https://git.kernel.org/stable/c/02612f1e4c34d94d6…
	https://git.kernel.org/stable/c/2eeb03ad9f42dfece…

Impacted products

Vendor

Product

Version

Linux

Affected: fbe639b44a82755d639df1c5d147c93f02ac5a0f , < 72a222b6af10c2a05a5fad0029246229ed8912c2 (git)
Affected: fbe639b44a82755d639df1c5d147c93f02ac5a0f , < daba84612236de3ab39083e62c9e326a654ebd20 (git)
Affected: fbe639b44a82755d639df1c5d147c93f02ac5a0f , < 0a566a79aca9851fae140536e0fc5b0853c90a90 (git)
Affected: fbe639b44a82755d639df1c5d147c93f02ac5a0f , < f2bbfd50e95bc117360f0f59e629aa03d821ebd6 (git)
Affected: fbe639b44a82755d639df1c5d147c93f02ac5a0f , < f4489260f5713c94e1966e5f20445bff262876f4 (git)
Affected: fbe639b44a82755d639df1c5d147c93f02ac5a0f , < 02612f1e4c34d94d6c8ee75bf7d254ed697e22d4 (git)
Affected: fbe639b44a82755d639df1c5d147c93f02ac5a0f , < 2eeb03ad9f42dfece63051be2400af487ddb96d2 (git)

Linux

Affected: 5.7
Unaffected: 0 , < 5.7 (semver)
Unaffected: 5.10.236 , ≤ 5.10.* (semver)
Unaffected: 5.15.180 , ≤ 5.15.* (semver)
Unaffected: 6.1.132 , ≤ 6.1.* (semver)
Unaffected: 6.6.85 , ≤ 6.6.* (semver)
Unaffected: 6.12.21 , ≤ 6.12.* (semver)
Unaffected: 6.13.9 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:40:58.659Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/soc/qcom/pdr_interface.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "72a222b6af10c2a05a5fad0029246229ed8912c2",
              "status": "affected",
              "version": "fbe639b44a82755d639df1c5d147c93f02ac5a0f",
              "versionType": "git"
            },
            {
              "lessThan": "daba84612236de3ab39083e62c9e326a654ebd20",
              "status": "affected",
              "version": "fbe639b44a82755d639df1c5d147c93f02ac5a0f",
              "versionType": "git"
            },
            {
              "lessThan": "0a566a79aca9851fae140536e0fc5b0853c90a90",
              "status": "affected",
              "version": "fbe639b44a82755d639df1c5d147c93f02ac5a0f",
              "versionType": "git"
            },
            {
              "lessThan": "f2bbfd50e95bc117360f0f59e629aa03d821ebd6",
              "status": "affected",
              "version": "fbe639b44a82755d639df1c5d147c93f02ac5a0f",
              "versionType": "git"
            },
            {
              "lessThan": "f4489260f5713c94e1966e5f20445bff262876f4",
              "status": "affected",
              "version": "fbe639b44a82755d639df1c5d147c93f02ac5a0f",
              "versionType": "git"
            },
            {
              "lessThan": "02612f1e4c34d94d6c8ee75bf7d254ed697e22d4",
              "status": "affected",
              "version": "fbe639b44a82755d639df1c5d147c93f02ac5a0f",
              "versionType": "git"
            },
            {
              "lessThan": "2eeb03ad9f42dfece63051be2400af487ddb96d2",
              "status": "affected",
              "version": "fbe639b44a82755d639df1c5d147c93f02ac5a0f",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/soc/qcom/pdr_interface.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.7"
            },
            {
              "lessThan": "5.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.236",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.180",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.132",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.85",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.21",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.236",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.180",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.132",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.85",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.21",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.9",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: qcom: pdr: Fix the potential deadlock\n\nWhen some client process A call pdr_add_lookup() to add the look up for\nthe service and does schedule locator work, later a process B got a new\nserver packet indicating locator is up and call pdr_locator_new_server()\nwhich eventually sets pdr-\u003elocator_init_complete to true which process A\nsees and takes list lock and queries domain list but it will timeout due\nto deadlock as the response will queued to the same qmi-\u003ewq and it is\nordered workqueue and process B is not able to complete new server\nrequest work due to deadlock on list lock.\n\nFix it by removing the unnecessary list iteration as the list iteration\nis already being done inside locator work, so avoid it here and just\ncall schedule_work() here.\n\n       Process A                        Process B\n\n                                     process_scheduled_works()\npdr_add_lookup()                      qmi_data_ready_work()\n process_scheduled_works()             pdr_locator_new_server()\n                                         pdr-\u003elocator_init_complete=true;\n   pdr_locator_work()\n    mutex_lock(\u0026pdr-\u003elist_lock);\n\n     pdr_locate_service()                  mutex_lock(\u0026pdr-\u003elist_lock);\n\n      pdr_get_domain_list()\n       pr_err(\"PDR: %s get domain list\n               txn wait failed: %d\\n\",\n               req-\u003eservice_name,\n               ret);\n\nTimeout error log due to deadlock:\n\n\"\n PDR: tms/servreg get domain list txn wait failed: -110\n PDR: service lookup for msm/adsp/sensor_pd:tms/servreg failed: -110\n\"\n\nThanks to Bjorn and Johan for letting me know that this commit also fixes\nan audio regression when using the in-kernel pd-mapper as that makes it\neasier to hit this race. [1]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:27:43.506Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/72a222b6af10c2a05a5fad0029246229ed8912c2"
        },
        {
          "url": "https://git.kernel.org/stable/c/daba84612236de3ab39083e62c9e326a654ebd20"
        },
        {
          "url": "https://git.kernel.org/stable/c/0a566a79aca9851fae140536e0fc5b0853c90a90"
        },
        {
          "url": "https://git.kernel.org/stable/c/f2bbfd50e95bc117360f0f59e629aa03d821ebd6"
        },
        {
          "url": "https://git.kernel.org/stable/c/f4489260f5713c94e1966e5f20445bff262876f4"
        },
        {
          "url": "https://git.kernel.org/stable/c/02612f1e4c34d94d6c8ee75bf7d254ed697e22d4"
        },
        {
          "url": "https://git.kernel.org/stable/c/2eeb03ad9f42dfece63051be2400af487ddb96d2"
        }
      ],
      "title": "soc: qcom: pdr: Fix the potential deadlock",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-22014",
    "datePublished": "2025-04-08T08:18:04.622Z",
    "dateReserved": "2024-12-29T08:45:45.806Z",
    "dateUpdated": "2025-11-03T19:40:58.659Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21891 (GCVE-0-2025-21891)

Vulnerability from cvelistv5 – Published: 2025-03-27 14:57 – Updated: 2025-11-03 19:38

Title

ipvlan: ensure network headers are in skb linear part

Summary

In the Linux kernel, the following vulnerability has been resolved: ipvlan: ensure network headers are in skb linear part syzbot found that ipvlan_process_v6_outbound() was assuming the IPv6 network header isis present in skb->head [1] Add the needed pskb_network_may_pull() calls for both IPv4 and IPv6 handlers. [1] BUG: KMSAN: uninit-value in __ipv6_addr_type+0xa2/0x490 net/ipv6/addrconf_core.c:47 __ipv6_addr_type+0xa2/0x490 net/ipv6/addrconf_core.c:47 ipv6_addr_type include/net/ipv6.h:555 [inline] ip6_route_output_flags_noref net/ipv6/route.c:2616 [inline] ip6_route_output_flags+0x51/0x720 net/ipv6/route.c:2651 ip6_route_output include/net/ip6_route.h:93 [inline] ipvlan_route_v6_outbound+0x24e/0x520 drivers/net/ipvlan/ipvlan_core.c:476 ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:491 [inline] ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:541 [inline] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:605 [inline] ipvlan_queue_xmit+0xd72/0x1780 drivers/net/ipvlan/ipvlan_core.c:671 ipvlan_start_xmit+0x5b/0x210 drivers/net/ipvlan/ipvlan_main.c:223 __netdev_start_xmit include/linux/netdevice.h:5150 [inline] netdev_start_xmit include/linux/netdevice.h:5159 [inline] xmit_one net/core/dev.c:3735 [inline] dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3751 sch_direct_xmit+0x399/0xd40 net/sched/sch_generic.c:343 qdisc_restart net/sched/sch_generic.c:408 [inline] __qdisc_run+0x14da/0x35d0 net/sched/sch_generic.c:416 qdisc_run+0x141/0x4d0 include/net/pkt_sched.h:127 net_tx_action+0x78b/0x940 net/core/dev.c:5484 handle_softirqs+0x1a0/0x7c0 kernel/softirq.c:561 __do_softirq+0x14/0x1a kernel/softirq.c:595 do_softirq+0x9a/0x100 kernel/softirq.c:462 __local_bh_enable_ip+0x9f/0xb0 kernel/softirq.c:389 local_bh_enable include/linux/bottom_half.h:33 [inline] rcu_read_unlock_bh include/linux/rcupdate.h:919 [inline] __dev_queue_xmit+0x2758/0x57d0 net/core/dev.c:4611 dev_queue_xmit include/linux/netdevice.h:3311 [inline] packet_xmit+0x9c/0x6c0 net/packet/af_packet.c:276 packet_snd net/packet/af_packet.c:3132 [inline] packet_sendmsg+0x93e0/0xa7e0 net/packet/af_packet.c:3164 sock_sendmsg_nosec net/socket.c:718 [inline]

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-908 - Use of Uninitialized Resource

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/5b8dea8d1612dc715…
	https://git.kernel.org/stable/c/4ec48f812804f370f…
	https://git.kernel.org/stable/c/5353fd89663c48f56…
	https://git.kernel.org/stable/c/e2a4f76a2d8a44816…
	https://git.kernel.org/stable/c/27843ce6ba3d3122b…

Impacted products

Vendor

Product

Version

Linux

Affected: 2ad7bf3638411cb547f2823df08166c13ab04269 , < 5b8dea8d1612dc7151d2457d7d2e6a69820309bf (git)
Affected: 2ad7bf3638411cb547f2823df08166c13ab04269 , < 4ec48f812804f370f622e0874e6dd8fcc58241cd (git)
Affected: 2ad7bf3638411cb547f2823df08166c13ab04269 , < 5353fd89663c48f56bdff975c562cfe78b1a2e4c (git)
Affected: 2ad7bf3638411cb547f2823df08166c13ab04269 , < e2a4f76a2d8a44816ecd25bcbdb47b786d621974 (git)
Affected: 2ad7bf3638411cb547f2823df08166c13ab04269 , < 27843ce6ba3d3122b65066550fe33fb8839f8aef (git)

Linux

Affected: 3.19
Unaffected: 0 , < 3.19 (semver)
Unaffected: 6.1.130 , ≤ 6.1.* (semver)
Unaffected: 6.6.81 , ≤ 6.6.* (semver)
Unaffected: 6.12.18 , ≤ 6.12.* (semver)
Unaffected: 6.13.6 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21891",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:25:21.205802Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-908",
                "description": "CWE-908 Use of Uninitialized Resource",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T19:26:36.702Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:38:41.627Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ipvlan/ipvlan_core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5b8dea8d1612dc7151d2457d7d2e6a69820309bf",
              "status": "affected",
              "version": "2ad7bf3638411cb547f2823df08166c13ab04269",
              "versionType": "git"
            },
            {
              "lessThan": "4ec48f812804f370f622e0874e6dd8fcc58241cd",
              "status": "affected",
              "version": "2ad7bf3638411cb547f2823df08166c13ab04269",
              "versionType": "git"
            },
            {
              "lessThan": "5353fd89663c48f56bdff975c562cfe78b1a2e4c",
              "status": "affected",
              "version": "2ad7bf3638411cb547f2823df08166c13ab04269",
              "versionType": "git"
            },
            {
              "lessThan": "e2a4f76a2d8a44816ecd25bcbdb47b786d621974",
              "status": "affected",
              "version": "2ad7bf3638411cb547f2823df08166c13ab04269",
              "versionType": "git"
            },
            {
              "lessThan": "27843ce6ba3d3122b65066550fe33fb8839f8aef",
              "status": "affected",
              "version": "2ad7bf3638411cb547f2823df08166c13ab04269",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ipvlan/ipvlan_core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.19"
            },
            {
              "lessThan": "3.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.130",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.81",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.18",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.130",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.81",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.18",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.6",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipvlan: ensure network headers are in skb linear part\n\nsyzbot found that ipvlan_process_v6_outbound() was assuming\nthe IPv6 network header isis present in skb-\u003ehead [1]\n\nAdd the needed pskb_network_may_pull() calls for both\nIPv4 and IPv6 handlers.\n\n[1]\nBUG: KMSAN: uninit-value in __ipv6_addr_type+0xa2/0x490 net/ipv6/addrconf_core.c:47\n  __ipv6_addr_type+0xa2/0x490 net/ipv6/addrconf_core.c:47\n  ipv6_addr_type include/net/ipv6.h:555 [inline]\n  ip6_route_output_flags_noref net/ipv6/route.c:2616 [inline]\n  ip6_route_output_flags+0x51/0x720 net/ipv6/route.c:2651\n  ip6_route_output include/net/ip6_route.h:93 [inline]\n  ipvlan_route_v6_outbound+0x24e/0x520 drivers/net/ipvlan/ipvlan_core.c:476\n  ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:491 [inline]\n  ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:541 [inline]\n  ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:605 [inline]\n  ipvlan_queue_xmit+0xd72/0x1780 drivers/net/ipvlan/ipvlan_core.c:671\n  ipvlan_start_xmit+0x5b/0x210 drivers/net/ipvlan/ipvlan_main.c:223\n  __netdev_start_xmit include/linux/netdevice.h:5150 [inline]\n  netdev_start_xmit include/linux/netdevice.h:5159 [inline]\n  xmit_one net/core/dev.c:3735 [inline]\n  dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3751\n  sch_direct_xmit+0x399/0xd40 net/sched/sch_generic.c:343\n  qdisc_restart net/sched/sch_generic.c:408 [inline]\n  __qdisc_run+0x14da/0x35d0 net/sched/sch_generic.c:416\n  qdisc_run+0x141/0x4d0 include/net/pkt_sched.h:127\n  net_tx_action+0x78b/0x940 net/core/dev.c:5484\n  handle_softirqs+0x1a0/0x7c0 kernel/softirq.c:561\n  __do_softirq+0x14/0x1a kernel/softirq.c:595\n  do_softirq+0x9a/0x100 kernel/softirq.c:462\n  __local_bh_enable_ip+0x9f/0xb0 kernel/softirq.c:389\n  local_bh_enable include/linux/bottom_half.h:33 [inline]\n  rcu_read_unlock_bh include/linux/rcupdate.h:919 [inline]\n  __dev_queue_xmit+0x2758/0x57d0 net/core/dev.c:4611\n  dev_queue_xmit include/linux/netdevice.h:3311 [inline]\n  packet_xmit+0x9c/0x6c0 net/packet/af_packet.c:276\n  packet_snd net/packet/af_packet.c:3132 [inline]\n  packet_sendmsg+0x93e0/0xa7e0 net/packet/af_packet.c:3164\n  sock_sendmsg_nosec net/socket.c:718 [inline]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:23:27.454Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/5b8dea8d1612dc7151d2457d7d2e6a69820309bf"
        },
        {
          "url": "https://git.kernel.org/stable/c/4ec48f812804f370f622e0874e6dd8fcc58241cd"
        },
        {
          "url": "https://git.kernel.org/stable/c/5353fd89663c48f56bdff975c562cfe78b1a2e4c"
        },
        {
          "url": "https://git.kernel.org/stable/c/e2a4f76a2d8a44816ecd25bcbdb47b786d621974"
        },
        {
          "url": "https://git.kernel.org/stable/c/27843ce6ba3d3122b65066550fe33fb8839f8aef"
        }
      ],
      "title": "ipvlan: ensure network headers are in skb linear part",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21891",
    "datePublished": "2025-03-27T14:57:17.267Z",
    "dateReserved": "2024-12-29T08:45:45.783Z",
    "dateUpdated": "2025-11-03T19:38:41.627Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21913 (GCVE-0-2025-21913)

Vulnerability from cvelistv5 – Published: 2025-04-01 15:40 – Updated: 2025-11-03 19:38

Title

x86/amd_nb: Use rdmsr_safe() in amd_get_mmconfig_range()

Summary

In the Linux kernel, the following vulnerability has been resolved: x86/amd_nb: Use rdmsr_safe() in amd_get_mmconfig_range() Xen doesn't offer MSR_FAM10H_MMIO_CONF_BASE to all guests. This results in the following warning: unchecked MSR access error: RDMSR from 0xc0010058 at rIP: 0xffffffff8101d19f (xen_do_read_msr+0x7f/0xa0) Call Trace: xen_read_msr+0x1e/0x30 amd_get_mmconfig_range+0x2b/0x80 quirk_amd_mmconfig_area+0x28/0x100 pnp_fixup_device+0x39/0x50 __pnp_add_device+0xf/0x150 pnp_add_device+0x3d/0x100 pnpacpi_add_device_handler+0x1f9/0x280 acpi_ns_get_device_callback+0x104/0x1c0 acpi_ns_walk_namespace+0x1d0/0x260 acpi_get_devices+0x8a/0xb0 pnpacpi_init+0x50/0x80 do_one_initcall+0x46/0x2e0 kernel_init_freeable+0x1da/0x2f0 kernel_init+0x16/0x1b0 ret_from_fork+0x30/0x50 ret_from_fork_asm+0x1b/0x30 based on quirks for a "PNP0c01" device. Treating MMCFG as disabled is the right course of action, so no change is needed there. This was most likely exposed by fixing the Xen MSR accessors to not be silently-safe.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/0c65d13bdcc54e5b9…
	https://git.kernel.org/stable/c/8f43ba5ee498fe037…
	https://git.kernel.org/stable/c/ebf6a763904e42dab…
	https://git.kernel.org/stable/c/923fede9eae9865af…
	https://git.kernel.org/stable/c/14cb5d83068ecf15d…

Impacted products

Vendor

Product

Version

Linux

Affected: 3fac3734c43a2e21fefeb72124d8bd31dff3956f , < 0c65d13bdcc54e5b924ebe790f85a7f01bfe1cb1 (git)
Affected: 3fac3734c43a2e21fefeb72124d8bd31dff3956f , < 8f43ba5ee498fe037d1570f6868d9aeaf49dda80 (git)
Affected: 3fac3734c43a2e21fefeb72124d8bd31dff3956f , < ebf6a763904e42dabeb2e270ceb0bbe0f825d7ae (git)
Affected: 3fac3734c43a2e21fefeb72124d8bd31dff3956f , < 923fede9eae9865af305bcdf8f111e4b62ae4bda (git)
Affected: 3fac3734c43a2e21fefeb72124d8bd31dff3956f , < 14cb5d83068ecf15d2da6f7d0e9ea9edbcbc0457 (git)

Linux

Affected: 6.1
Unaffected: 0 , < 6.1 (semver)
Unaffected: 6.1.131 , ≤ 6.1.* (semver)
Unaffected: 6.6.83 , ≤ 6.6.* (semver)
Unaffected: 6.12.19 , ≤ 6.12.* (semver)
Unaffected: 6.13.7 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:38:59.818Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/kernel/amd_nb.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0c65d13bdcc54e5b924ebe790f85a7f01bfe1cb1",
              "status": "affected",
              "version": "3fac3734c43a2e21fefeb72124d8bd31dff3956f",
              "versionType": "git"
            },
            {
              "lessThan": "8f43ba5ee498fe037d1570f6868d9aeaf49dda80",
              "status": "affected",
              "version": "3fac3734c43a2e21fefeb72124d8bd31dff3956f",
              "versionType": "git"
            },
            {
              "lessThan": "ebf6a763904e42dabeb2e270ceb0bbe0f825d7ae",
              "status": "affected",
              "version": "3fac3734c43a2e21fefeb72124d8bd31dff3956f",
              "versionType": "git"
            },
            {
              "lessThan": "923fede9eae9865af305bcdf8f111e4b62ae4bda",
              "status": "affected",
              "version": "3fac3734c43a2e21fefeb72124d8bd31dff3956f",
              "versionType": "git"
            },
            {
              "lessThan": "14cb5d83068ecf15d2da6f7d0e9ea9edbcbc0457",
              "status": "affected",
              "version": "3fac3734c43a2e21fefeb72124d8bd31dff3956f",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/kernel/amd_nb.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.1"
            },
            {
              "lessThan": "6.1",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.131",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.83",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.19",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.131",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.83",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.19",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.7",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/amd_nb: Use rdmsr_safe() in amd_get_mmconfig_range()\n\nXen doesn\u0027t offer MSR_FAM10H_MMIO_CONF_BASE to all guests.  This results\nin the following warning:\n\n  unchecked MSR access error: RDMSR from 0xc0010058 at rIP: 0xffffffff8101d19f (xen_do_read_msr+0x7f/0xa0)\n  Call Trace:\n   xen_read_msr+0x1e/0x30\n   amd_get_mmconfig_range+0x2b/0x80\n   quirk_amd_mmconfig_area+0x28/0x100\n   pnp_fixup_device+0x39/0x50\n   __pnp_add_device+0xf/0x150\n   pnp_add_device+0x3d/0x100\n   pnpacpi_add_device_handler+0x1f9/0x280\n   acpi_ns_get_device_callback+0x104/0x1c0\n   acpi_ns_walk_namespace+0x1d0/0x260\n   acpi_get_devices+0x8a/0xb0\n   pnpacpi_init+0x50/0x80\n   do_one_initcall+0x46/0x2e0\n   kernel_init_freeable+0x1da/0x2f0\n   kernel_init+0x16/0x1b0\n   ret_from_fork+0x30/0x50\n   ret_from_fork_asm+0x1b/0x30\n\nbased on quirks for a \"PNP0c01\" device.  Treating MMCFG as disabled is the\nright course of action, so no change is needed there.\n\nThis was most likely exposed by fixing the Xen MSR accessors to not be\nsilently-safe."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:24:15.332Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0c65d13bdcc54e5b924ebe790f85a7f01bfe1cb1"
        },
        {
          "url": "https://git.kernel.org/stable/c/8f43ba5ee498fe037d1570f6868d9aeaf49dda80"
        },
        {
          "url": "https://git.kernel.org/stable/c/ebf6a763904e42dabeb2e270ceb0bbe0f825d7ae"
        },
        {
          "url": "https://git.kernel.org/stable/c/923fede9eae9865af305bcdf8f111e4b62ae4bda"
        },
        {
          "url": "https://git.kernel.org/stable/c/14cb5d83068ecf15d2da6f7d0e9ea9edbcbc0457"
        }
      ],
      "title": "x86/amd_nb: Use rdmsr_safe() in amd_get_mmconfig_range()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21913",
    "datePublished": "2025-04-01T15:40:50.907Z",
    "dateReserved": "2024-12-29T08:45:45.787Z",
    "dateUpdated": "2025-11-03T19:38:59.818Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38041 (GCVE-0-2025-38041)

Vulnerability from cvelistv5 – Published: 2025-06-18 09:33 – Updated: 2026-01-02 15:29

Title

clk: sunxi-ng: h616: Reparent GPU clock during frequency changes

Summary

In the Linux kernel, the following vulnerability has been resolved: clk: sunxi-ng: h616: Reparent GPU clock during frequency changes The H616 manual does not state that the GPU PLL supports dynamic frequency configuration, so we must take extra care when changing the frequency. Currently any attempt to do device DVFS on the GPU lead to panfrost various ooops, and GPU hangs. The manual describes the algorithm for changing the PLL frequency, which the CPU PLL notifier code already support, so we reuse that to reparent the GPU clock to GPU1 clock during frequency changes.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/1439673b78185eaaa…
	https://git.kernel.org/stable/c/eb963d7948ce65719…

Impacted products

Vendor

Product

Version

Linux

Affected: 88dde5e23da1a16fe9a417171e6c941736b8d3a6 , < 1439673b78185eaaa5fae444b3a9d58c434ee78e (git)
Affected: 88dde5e23da1a16fe9a417171e6c941736b8d3a6 , < eb963d7948ce6571939c6875424b557b25f16610 (git)

Linux

Affected: 5.12
Unaffected: 0 , < 5.12 (semver)
Unaffected: 6.14.9 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/clk/sunxi-ng/ccu-sun50i-h616.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1439673b78185eaaa5fae444b3a9d58c434ee78e",
              "status": "affected",
              "version": "88dde5e23da1a16fe9a417171e6c941736b8d3a6",
              "versionType": "git"
            },
            {
              "lessThan": "eb963d7948ce6571939c6875424b557b25f16610",
              "status": "affected",
              "version": "88dde5e23da1a16fe9a417171e6c941736b8d3a6",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/clk/sunxi-ng/ccu-sun50i-h616.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.12"
            },
            {
              "lessThan": "5.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.9",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: sunxi-ng: h616: Reparent GPU clock during frequency changes\n\nThe H616 manual does not state that the GPU PLL supports\ndynamic frequency configuration, so we must take extra care when changing\nthe frequency. Currently any attempt to do device DVFS on the GPU lead\nto panfrost various ooops, and GPU hangs.\n\nThe manual describes the algorithm for changing the PLL\nfrequency, which the CPU PLL notifier code already support, so we reuse\nthat to reparent the GPU clock to GPU1 clock during frequency\nchanges."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:29:43.414Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1439673b78185eaaa5fae444b3a9d58c434ee78e"
        },
        {
          "url": "https://git.kernel.org/stable/c/eb963d7948ce6571939c6875424b557b25f16610"
        }
      ],
      "title": "clk: sunxi-ng: h616: Reparent GPU clock during frequency changes",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38041",
    "datePublished": "2025-06-18T09:33:26.543Z",
    "dateReserved": "2025-04-16T04:51:23.978Z",
    "dateUpdated": "2026-01-02T15:29:43.414Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38498 (GCVE-0-2025-38498)

Vulnerability from cvelistv5 – Published: 2025-07-30 06:03 – Updated: 2025-11-03 17:39

Title

do_change_type(): refuse to operate on unmounted/not ours mounts

Summary

In the Linux kernel, the following vulnerability has been resolved: do_change_type(): refuse to operate on unmounted/not ours mounts Ensure that propagation settings can only be changed for mounts located in the caller's mount namespace. This change aligns permission checking with the rest of mount(2).

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/787937c4e373f1722…
	https://git.kernel.org/stable/c/c7d11fdf8e5db5f34…
	https://git.kernel.org/stable/c/432a171d600564892…
	https://git.kernel.org/stable/c/064014f7812744451…
	https://git.kernel.org/stable/c/4f091ad0862b02dc4…
	https://git.kernel.org/stable/c/9c1ddfeb662b668ff…
	https://git.kernel.org/stable/c/19554c79a2095ddde…
	https://git.kernel.org/stable/c/12f147ddd6de7382d…

Impacted products

Vendor

Product

Version

Linux

Affected: 07b20889e3052c7e77d6a6a54e7e83446eb1ba84 , < 787937c4e373f1722c4343e5a5a4eb0f8543e589 (git)
Affected: 07b20889e3052c7e77d6a6a54e7e83446eb1ba84 , < c7d11fdf8e5db5f34a6c062c7e6ba3a0971879d2 (git)
Affected: 07b20889e3052c7e77d6a6a54e7e83446eb1ba84 , < 432a171d60056489270c462e651e6c3a13f855b1 (git)
Affected: 07b20889e3052c7e77d6a6a54e7e83446eb1ba84 , < 064014f7812744451d5d0592f3d2bcd727f2ee93 (git)
Affected: 07b20889e3052c7e77d6a6a54e7e83446eb1ba84 , < 4f091ad0862b02dc42a19a120b7048de848561f8 (git)
Affected: 07b20889e3052c7e77d6a6a54e7e83446eb1ba84 , < 9c1ddfeb662b668fff69c5f1cfdd9f5d23d55d23 (git)
Affected: 07b20889e3052c7e77d6a6a54e7e83446eb1ba84 , < 19554c79a2095ddde850906a067915c1ef3a4114 (git)
Affected: 07b20889e3052c7e77d6a6a54e7e83446eb1ba84 , < 12f147ddd6de7382dad54812e65f3f08d05809fc (git)

Linux

Affected: 2.6.15
Unaffected: 0 , < 2.6.15 (semver)
Unaffected: 5.4.295 , ≤ 5.4.* (semver)
Unaffected: 5.10.239 , ≤ 5.10.* (semver)
Unaffected: 5.15.186 , ≤ 5.15.* (semver)
Unaffected: 6.1.142 , ≤ 6.1.* (semver)
Unaffected: 6.6.94 , ≤ 6.6.* (semver)
Unaffected: 6.12.34 , ≤ 6.12.* (semver)
Unaffected: 6.15.3 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:39:07.695Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/namespace.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "787937c4e373f1722c4343e5a5a4eb0f8543e589",
              "status": "affected",
              "version": "07b20889e3052c7e77d6a6a54e7e83446eb1ba84",
              "versionType": "git"
            },
            {
              "lessThan": "c7d11fdf8e5db5f34a6c062c7e6ba3a0971879d2",
              "status": "affected",
              "version": "07b20889e3052c7e77d6a6a54e7e83446eb1ba84",
              "versionType": "git"
            },
            {
              "lessThan": "432a171d60056489270c462e651e6c3a13f855b1",
              "status": "affected",
              "version": "07b20889e3052c7e77d6a6a54e7e83446eb1ba84",
              "versionType": "git"
            },
            {
              "lessThan": "064014f7812744451d5d0592f3d2bcd727f2ee93",
              "status": "affected",
              "version": "07b20889e3052c7e77d6a6a54e7e83446eb1ba84",
              "versionType": "git"
            },
            {
              "lessThan": "4f091ad0862b02dc42a19a120b7048de848561f8",
              "status": "affected",
              "version": "07b20889e3052c7e77d6a6a54e7e83446eb1ba84",
              "versionType": "git"
            },
            {
              "lessThan": "9c1ddfeb662b668fff69c5f1cfdd9f5d23d55d23",
              "status": "affected",
              "version": "07b20889e3052c7e77d6a6a54e7e83446eb1ba84",
              "versionType": "git"
            },
            {
              "lessThan": "19554c79a2095ddde850906a067915c1ef3a4114",
              "status": "affected",
              "version": "07b20889e3052c7e77d6a6a54e7e83446eb1ba84",
              "versionType": "git"
            },
            {
              "lessThan": "12f147ddd6de7382dad54812e65f3f08d05809fc",
              "status": "affected",
              "version": "07b20889e3052c7e77d6a6a54e7e83446eb1ba84",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/namespace.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.15"
            },
            {
              "lessThan": "2.6.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.295",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.295",
                  "versionStartIncluding": "2.6.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "2.6.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "2.6.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "2.6.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.94",
                  "versionStartIncluding": "2.6.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "2.6.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "2.6.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "2.6.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndo_change_type(): refuse to operate on unmounted/not ours mounts\n\nEnsure that propagation settings can only be changed for mounts located\nin the caller\u0027s mount namespace. This change aligns permission checking\nwith the rest of mount(2)."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-30T06:03:36.483Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/787937c4e373f1722c4343e5a5a4eb0f8543e589"
        },
        {
          "url": "https://git.kernel.org/stable/c/c7d11fdf8e5db5f34a6c062c7e6ba3a0971879d2"
        },
        {
          "url": "https://git.kernel.org/stable/c/432a171d60056489270c462e651e6c3a13f855b1"
        },
        {
          "url": "https://git.kernel.org/stable/c/064014f7812744451d5d0592f3d2bcd727f2ee93"
        },
        {
          "url": "https://git.kernel.org/stable/c/4f091ad0862b02dc42a19a120b7048de848561f8"
        },
        {
          "url": "https://git.kernel.org/stable/c/9c1ddfeb662b668fff69c5f1cfdd9f5d23d55d23"
        },
        {
          "url": "https://git.kernel.org/stable/c/19554c79a2095ddde850906a067915c1ef3a4114"
        },
        {
          "url": "https://git.kernel.org/stable/c/12f147ddd6de7382dad54812e65f3f08d05809fc"
        }
      ],
      "title": "do_change_type(): refuse to operate on unmounted/not ours mounts",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38498",
    "datePublished": "2025-07-30T06:03:36.483Z",
    "dateReserved": "2025-04-16T04:51:24.022Z",
    "dateUpdated": "2025-11-03T17:39:07.695Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38303 (GCVE-0-2025-38303)

Vulnerability from cvelistv5 – Published: 2025-07-10 07:42 – Updated: 2025-07-28 04:18

Title

Bluetooth: eir: Fix possible crashes on eir_create_adv_data

Summary

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: eir: Fix possible crashes on eir_create_adv_data eir_create_adv_data may attempt to add EIR_FLAGS and EIR_TX_POWER without checking if that would fit.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/2af40d795d3fb0ee5…
	https://git.kernel.org/stable/c/b9db0c27e73b7c8a1…
	https://git.kernel.org/stable/c/47c03902269aff377…

Impacted products

Vendor

Product

Version

Linux

Affected: 01ce70b0a274bd76a5a311fb90d4d446d9bdfea1 , < 2af40d795d3fb0ee5c074b7ac56ab22402aa6e4f (git)
Affected: 01ce70b0a274bd76a5a311fb90d4d446d9bdfea1 , < b9db0c27e73b7c8a19384a44af527edfda74ff3d (git)
Affected: 01ce70b0a274bd76a5a311fb90d4d446d9bdfea1 , < 47c03902269aff377f959dc3fd94a9733aa31d6e (git)

Linux

Affected: 5.16
Unaffected: 0 , < 5.16 (semver)
Unaffected: 6.12.34 , ≤ 6.12.* (semver)
Unaffected: 6.15.3 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/eir.c",
            "net/bluetooth/eir.h",
            "net/bluetooth/hci_sync.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "2af40d795d3fb0ee5c074b7ac56ab22402aa6e4f",
              "status": "affected",
              "version": "01ce70b0a274bd76a5a311fb90d4d446d9bdfea1",
              "versionType": "git"
            },
            {
              "lessThan": "b9db0c27e73b7c8a19384a44af527edfda74ff3d",
              "status": "affected",
              "version": "01ce70b0a274bd76a5a311fb90d4d446d9bdfea1",
              "versionType": "git"
            },
            {
              "lessThan": "47c03902269aff377f959dc3fd94a9733aa31d6e",
              "status": "affected",
              "version": "01ce70b0a274bd76a5a311fb90d4d446d9bdfea1",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/eir.c",
            "net/bluetooth/eir.h",
            "net/bluetooth/hci_sync.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.16"
            },
            {
              "lessThan": "5.16",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: eir: Fix possible crashes on eir_create_adv_data\n\neir_create_adv_data may attempt to add EIR_FLAGS and EIR_TX_POWER\nwithout checking if that would fit."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:18:04.131Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/2af40d795d3fb0ee5c074b7ac56ab22402aa6e4f"
        },
        {
          "url": "https://git.kernel.org/stable/c/b9db0c27e73b7c8a19384a44af527edfda74ff3d"
        },
        {
          "url": "https://git.kernel.org/stable/c/47c03902269aff377f959dc3fd94a9733aa31d6e"
        }
      ],
      "title": "Bluetooth: eir: Fix possible crashes on eir_create_adv_data",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38303",
    "datePublished": "2025-07-10T07:42:14.728Z",
    "dateReserved": "2025-04-16T04:51:24.002Z",
    "dateUpdated": "2025-07-28T04:18:04.131Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38194 (GCVE-0-2025-38194)

Vulnerability from cvelistv5 – Published: 2025-07-04 13:37 – Updated: 2025-11-03 17:35

Title

jffs2: check that raw node were preallocated before writing summary

Summary

In the Linux kernel, the following vulnerability has been resolved: jffs2: check that raw node were preallocated before writing summary Syzkaller detected a kernel bug in jffs2_link_node_ref, caused by fault injection in jffs2_prealloc_raw_node_refs. jffs2_sum_write_sumnode doesn't check return value of jffs2_prealloc_raw_node_refs and simply lets any error propagate into jffs2_sum_write_data, which eventually calls jffs2_link_node_ref in order to link the summary to an expectedly allocated node. kernel BUG at fs/jffs2/nodelist.c:592! invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI CPU: 1 PID: 31277 Comm: syz-executor.7 Not tainted 6.1.128-syzkaller-00139-ge10f83ca10a1 #0 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 RIP: 0010:jffs2_link_node_ref+0x570/0x690 fs/jffs2/nodelist.c:592 Call Trace: <TASK> jffs2_sum_write_data fs/jffs2/summary.c:841 [inline] jffs2_sum_write_sumnode+0xd1a/0x1da0 fs/jffs2/summary.c:874 jffs2_do_reserve_space+0xa18/0xd60 fs/jffs2/nodemgmt.c:388 jffs2_reserve_space+0x55f/0xaa0 fs/jffs2/nodemgmt.c:197 jffs2_write_inode_range+0x246/0xb50 fs/jffs2/write.c:362 jffs2_write_end+0x726/0x15d0 fs/jffs2/file.c:301 generic_perform_write+0x314/0x5d0 mm/filemap.c:3856 __generic_file_write_iter+0x2ae/0x4d0 mm/filemap.c:3973 generic_file_write_iter+0xe3/0x350 mm/filemap.c:4005 call_write_iter include/linux/fs.h:2265 [inline] do_iter_readv_writev+0x20f/0x3c0 fs/read_write.c:735 do_iter_write+0x186/0x710 fs/read_write.c:861 vfs_iter_write+0x70/0xa0 fs/read_write.c:902 iter_file_splice_write+0x73b/0xc90 fs/splice.c:685 do_splice_from fs/splice.c:763 [inline] direct_splice_actor+0x10c/0x170 fs/splice.c:950 splice_direct_to_actor+0x337/0xa10 fs/splice.c:896 do_splice_direct+0x1a9/0x280 fs/splice.c:1002 do_sendfile+0xb13/0x12c0 fs/read_write.c:1255 __do_sys_sendfile64 fs/read_write.c:1323 [inline] __se_sys_sendfile64 fs/read_write.c:1309 [inline] __x64_sys_sendfile64+0x1cf/0x210 fs/read_write.c:1309 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x6e/0xd8 Fix this issue by checking return value of jffs2_prealloc_raw_node_refs before calling jffs2_sum_write_data. Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/337f80f3d546e131c…
	https://git.kernel.org/stable/c/8ce46dc5b10b0b6f6…
	https://git.kernel.org/stable/c/4adee34098a6ee86a…
	https://git.kernel.org/stable/c/c0edcdb4fc106d69a…
	https://git.kernel.org/stable/c/3f46644a5131a4793…
	https://git.kernel.org/stable/c/da12ef7e19048dc57…
	https://git.kernel.org/stable/c/346cfb9d19ea7feb6…
	https://git.kernel.org/stable/c/ec9e6f22bce433b26…

Impacted products

Vendor

Product

Version

Linux

Affected: 2f785402f39b96a077b6e62bf26164bfb8e0c980 , < 337f80f3d546e131c7aa90b61d8cde051ae858c7 (git)
Affected: 2f785402f39b96a077b6e62bf26164bfb8e0c980 , < 8ce46dc5b10b0b6f67663202a4921b0e11ad7367 (git)
Affected: 2f785402f39b96a077b6e62bf26164bfb8e0c980 , < 4adee34098a6ee86a54bf3ec885eab620c126a6b (git)
Affected: 2f785402f39b96a077b6e62bf26164bfb8e0c980 , < c0edcdb4fc106d69a2d1a0ce4868193511c389f3 (git)
Affected: 2f785402f39b96a077b6e62bf26164bfb8e0c980 , < 3f46644a5131a4793fc95c32a7d0a769745b06e7 (git)
Affected: 2f785402f39b96a077b6e62bf26164bfb8e0c980 , < da12ef7e19048dc5714032c2db587a215852b200 (git)
Affected: 2f785402f39b96a077b6e62bf26164bfb8e0c980 , < 346cfb9d19ea7feb6fb57917b21c4797fb444dab (git)
Affected: 2f785402f39b96a077b6e62bf26164bfb8e0c980 , < ec9e6f22bce433b260ea226de127ec68042849b0 (git)

Linux

Affected: 2.6.18
Unaffected: 0 , < 2.6.18 (semver)
Unaffected: 5.4.295 , ≤ 5.4.* (semver)
Unaffected: 5.10.239 , ≤ 5.10.* (semver)
Unaffected: 5.15.186 , ≤ 5.15.* (semver)
Unaffected: 6.1.142 , ≤ 6.1.* (semver)
Unaffected: 6.6.95 , ≤ 6.6.* (semver)
Unaffected: 6.12.35 , ≤ 6.12.* (semver)
Unaffected: 6.15.4 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:35:19.096Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/jffs2/summary.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "337f80f3d546e131c7aa90b61d8cde051ae858c7",
              "status": "affected",
              "version": "2f785402f39b96a077b6e62bf26164bfb8e0c980",
              "versionType": "git"
            },
            {
              "lessThan": "8ce46dc5b10b0b6f67663202a4921b0e11ad7367",
              "status": "affected",
              "version": "2f785402f39b96a077b6e62bf26164bfb8e0c980",
              "versionType": "git"
            },
            {
              "lessThan": "4adee34098a6ee86a54bf3ec885eab620c126a6b",
              "status": "affected",
              "version": "2f785402f39b96a077b6e62bf26164bfb8e0c980",
              "versionType": "git"
            },
            {
              "lessThan": "c0edcdb4fc106d69a2d1a0ce4868193511c389f3",
              "status": "affected",
              "version": "2f785402f39b96a077b6e62bf26164bfb8e0c980",
              "versionType": "git"
            },
            {
              "lessThan": "3f46644a5131a4793fc95c32a7d0a769745b06e7",
              "status": "affected",
              "version": "2f785402f39b96a077b6e62bf26164bfb8e0c980",
              "versionType": "git"
            },
            {
              "lessThan": "da12ef7e19048dc5714032c2db587a215852b200",
              "status": "affected",
              "version": "2f785402f39b96a077b6e62bf26164bfb8e0c980",
              "versionType": "git"
            },
            {
              "lessThan": "346cfb9d19ea7feb6fb57917b21c4797fb444dab",
              "status": "affected",
              "version": "2f785402f39b96a077b6e62bf26164bfb8e0c980",
              "versionType": "git"
            },
            {
              "lessThan": "ec9e6f22bce433b260ea226de127ec68042849b0",
              "status": "affected",
              "version": "2f785402f39b96a077b6e62bf26164bfb8e0c980",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/jffs2/summary.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.18"
            },
            {
              "lessThan": "2.6.18",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.295",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.95",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.35",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.295",
                  "versionStartIncluding": "2.6.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "2.6.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "2.6.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "2.6.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.95",
                  "versionStartIncluding": "2.6.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.35",
                  "versionStartIncluding": "2.6.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.4",
                  "versionStartIncluding": "2.6.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "2.6.18",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\njffs2: check that raw node were preallocated before writing summary\n\nSyzkaller detected a kernel bug in jffs2_link_node_ref, caused by fault\ninjection in jffs2_prealloc_raw_node_refs. jffs2_sum_write_sumnode doesn\u0027t\ncheck return value of jffs2_prealloc_raw_node_refs and simply lets any\nerror propagate into jffs2_sum_write_data, which eventually calls\njffs2_link_node_ref in order to link the summary to an expectedly allocated\nnode.\n\nkernel BUG at fs/jffs2/nodelist.c:592!\ninvalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI\nCPU: 1 PID: 31277 Comm: syz-executor.7 Not tainted 6.1.128-syzkaller-00139-ge10f83ca10a1 #0\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014\nRIP: 0010:jffs2_link_node_ref+0x570/0x690 fs/jffs2/nodelist.c:592\nCall Trace:\n \u003cTASK\u003e\n jffs2_sum_write_data fs/jffs2/summary.c:841 [inline]\n jffs2_sum_write_sumnode+0xd1a/0x1da0 fs/jffs2/summary.c:874\n jffs2_do_reserve_space+0xa18/0xd60 fs/jffs2/nodemgmt.c:388\n jffs2_reserve_space+0x55f/0xaa0 fs/jffs2/nodemgmt.c:197\n jffs2_write_inode_range+0x246/0xb50 fs/jffs2/write.c:362\n jffs2_write_end+0x726/0x15d0 fs/jffs2/file.c:301\n generic_perform_write+0x314/0x5d0 mm/filemap.c:3856\n __generic_file_write_iter+0x2ae/0x4d0 mm/filemap.c:3973\n generic_file_write_iter+0xe3/0x350 mm/filemap.c:4005\n call_write_iter include/linux/fs.h:2265 [inline]\n do_iter_readv_writev+0x20f/0x3c0 fs/read_write.c:735\n do_iter_write+0x186/0x710 fs/read_write.c:861\n vfs_iter_write+0x70/0xa0 fs/read_write.c:902\n iter_file_splice_write+0x73b/0xc90 fs/splice.c:685\n do_splice_from fs/splice.c:763 [inline]\n direct_splice_actor+0x10c/0x170 fs/splice.c:950\n splice_direct_to_actor+0x337/0xa10 fs/splice.c:896\n do_splice_direct+0x1a9/0x280 fs/splice.c:1002\n do_sendfile+0xb13/0x12c0 fs/read_write.c:1255\n __do_sys_sendfile64 fs/read_write.c:1323 [inline]\n __se_sys_sendfile64 fs/read_write.c:1309 [inline]\n __x64_sys_sendfile64+0x1cf/0x210 fs/read_write.c:1309\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n\nFix this issue by checking return value of jffs2_prealloc_raw_node_refs\nbefore calling jffs2_sum_write_data.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:14:42.102Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/337f80f3d546e131c7aa90b61d8cde051ae858c7"
        },
        {
          "url": "https://git.kernel.org/stable/c/8ce46dc5b10b0b6f67663202a4921b0e11ad7367"
        },
        {
          "url": "https://git.kernel.org/stable/c/4adee34098a6ee86a54bf3ec885eab620c126a6b"
        },
        {
          "url": "https://git.kernel.org/stable/c/c0edcdb4fc106d69a2d1a0ce4868193511c389f3"
        },
        {
          "url": "https://git.kernel.org/stable/c/3f46644a5131a4793fc95c32a7d0a769745b06e7"
        },
        {
          "url": "https://git.kernel.org/stable/c/da12ef7e19048dc5714032c2db587a215852b200"
        },
        {
          "url": "https://git.kernel.org/stable/c/346cfb9d19ea7feb6fb57917b21c4797fb444dab"
        },
        {
          "url": "https://git.kernel.org/stable/c/ec9e6f22bce433b260ea226de127ec68042849b0"
        }
      ],
      "title": "jffs2: check that raw node were preallocated before writing summary",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38194",
    "datePublished": "2025-07-04T13:37:17.922Z",
    "dateReserved": "2025-04-16T04:51:23.993Z",
    "dateUpdated": "2025-11-03T17:35:19.096Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38219 (GCVE-0-2025-38219)

Vulnerability from cvelistv5 – Published: 2025-07-04 13:37 – Updated: 2025-11-03 17:35

Title

f2fs: prevent kernel warning due to negative i_nlink from corrupted image

Summary

In the Linux kernel, the following vulnerability has been resolved: f2fs: prevent kernel warning due to negative i_nlink from corrupted image WARNING: CPU: 1 PID: 9426 at fs/inode.c:417 drop_nlink+0xac/0xd0 home/cc/linux/fs/inode.c:417 Modules linked in: CPU: 1 UID: 0 PID: 9426 Comm: syz-executor568 Not tainted 6.14.0-12627-g94d471a4f428 #2 PREEMPT(full) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 RIP: 0010:drop_nlink+0xac/0xd0 home/cc/linux/fs/inode.c:417 Code: 48 8b 5d 28 be 08 00 00 00 48 8d bb 70 07 00 00 e8 f9 67 e6 ff f0 48 ff 83 70 07 00 00 5b 5d e9 9a 12 82 ff e8 95 12 82 ff 90 <0f> 0b 90 c7 45 48 ff ff ff ff 5b 5d e9 83 12 82 ff e8 fe 5f e6 ff RSP: 0018:ffffc900026b7c28 EFLAGS: 00010293 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff8239710f RDX: ffff888041345a00 RSI: ffffffff8239717b RDI: 0000000000000005 RBP: ffff888054509ad0 R08: 0000000000000005 R09: 0000000000000000 R10: 0000000000000000 R11: ffffffff9ab36f08 R12: ffff88804bb40000 R13: ffff8880545091e0 R14: 0000000000008000 R15: ffff8880545091e0 FS: 000055555d0c5880(0000) GS:ffff8880eb3e3000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f915c55b178 CR3: 0000000050d20000 CR4: 0000000000352ef0 Call Trace: <task> f2fs_i_links_write home/cc/linux/fs/f2fs/f2fs.h:3194 [inline] f2fs_drop_nlink+0xd1/0x3c0 home/cc/linux/fs/f2fs/dir.c:845 f2fs_delete_entry+0x542/0x1450 home/cc/linux/fs/f2fs/dir.c:909 f2fs_unlink+0x45c/0x890 home/cc/linux/fs/f2fs/namei.c:581 vfs_unlink+0x2fb/0x9b0 home/cc/linux/fs/namei.c:4544 do_unlinkat+0x4c5/0x6a0 home/cc/linux/fs/namei.c:4608 __do_sys_unlink home/cc/linux/fs/namei.c:4654 [inline] __se_sys_unlink home/cc/linux/fs/namei.c:4652 [inline] __x64_sys_unlink+0xc5/0x110 home/cc/linux/fs/namei.c:4652 do_syscall_x64 home/cc/linux/arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xc7/0x250 home/cc/linux/arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb3d092324b Code: 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 57 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffdc232d938 EFLAGS: 00000206 ORIG_RAX: 0000000000000057 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb3d092324b RDX: 00007ffdc232d960 RSI: 00007ffdc232d960 RDI: 00007ffdc232d9f0 RBP: 00007ffdc232d9f0 R08: 0000000000000001 R09: 00007ffdc232d7c0 R10: 00000000fffffffd R11: 0000000000000206 R12: 00007ffdc232eaf0 R13: 000055555d0cebb0 R14: 00007ffdc232d958 R15: 0000000000000001 </task>

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/d9a55869d8237e677…
	https://git.kernel.org/stable/c/1f6332872374b7f48…
	https://git.kernel.org/stable/c/fbfe8446cd3274b9e…
	https://git.kernel.org/stable/c/5018d035530b6fbfa…
	https://git.kernel.org/stable/c/a87cbcc909ccfd394…
	https://git.kernel.org/stable/c/aaa644e7ffff02e12…
	https://git.kernel.org/stable/c/d14cbed4baccd7124…
	https://git.kernel.org/stable/c/42cb74a92adaf8806…

Impacted products

Vendor

Product

Version

Linux

Affected: 98e4da8ca301e062d79ae168c67e56f3c3de3ce4 , < d9a55869d8237e677ddaa18b0f58586364cfbc1c (git)
Affected: 98e4da8ca301e062d79ae168c67e56f3c3de3ce4 , < 1f6332872374b7f482fc4ad865f9422fedb587fc (git)
Affected: 98e4da8ca301e062d79ae168c67e56f3c3de3ce4 , < fbfe8446cd3274b9e367f5708d94574230a44409 (git)
Affected: 98e4da8ca301e062d79ae168c67e56f3c3de3ce4 , < 5018d035530b6fbfad33eeb1dd1bc87da419a276 (git)
Affected: 98e4da8ca301e062d79ae168c67e56f3c3de3ce4 , < a87cbcc909ccfd394d4936a94663f586453d0961 (git)
Affected: 98e4da8ca301e062d79ae168c67e56f3c3de3ce4 , < aaa644e7ffff02e12c89cbce4753bc0b6f23ff87 (git)
Affected: 98e4da8ca301e062d79ae168c67e56f3c3de3ce4 , < d14cbed4baccd712447fb3f9c011f008b56b2097 (git)
Affected: 98e4da8ca301e062d79ae168c67e56f3c3de3ce4 , < 42cb74a92adaf88061039601ddf7c874f58b554e (git)

Linux

Affected: 3.8
Unaffected: 0 , < 3.8 (semver)
Unaffected: 5.4.295 , ≤ 5.4.* (semver)
Unaffected: 5.10.239 , ≤ 5.10.* (semver)
Unaffected: 5.15.186 , ≤ 5.15.* (semver)
Unaffected: 6.1.142 , ≤ 6.1.* (semver)
Unaffected: 6.6.95 , ≤ 6.6.* (semver)
Unaffected: 6.12.35 , ≤ 6.12.* (semver)
Unaffected: 6.15.4 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:35:38.286Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/f2fs/namei.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d9a55869d8237e677ddaa18b0f58586364cfbc1c",
              "status": "affected",
              "version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4",
              "versionType": "git"
            },
            {
              "lessThan": "1f6332872374b7f482fc4ad865f9422fedb587fc",
              "status": "affected",
              "version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4",
              "versionType": "git"
            },
            {
              "lessThan": "fbfe8446cd3274b9e367f5708d94574230a44409",
              "status": "affected",
              "version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4",
              "versionType": "git"
            },
            {
              "lessThan": "5018d035530b6fbfad33eeb1dd1bc87da419a276",
              "status": "affected",
              "version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4",
              "versionType": "git"
            },
            {
              "lessThan": "a87cbcc909ccfd394d4936a94663f586453d0961",
              "status": "affected",
              "version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4",
              "versionType": "git"
            },
            {
              "lessThan": "aaa644e7ffff02e12c89cbce4753bc0b6f23ff87",
              "status": "affected",
              "version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4",
              "versionType": "git"
            },
            {
              "lessThan": "d14cbed4baccd712447fb3f9c011f008b56b2097",
              "status": "affected",
              "version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4",
              "versionType": "git"
            },
            {
              "lessThan": "42cb74a92adaf88061039601ddf7c874f58b554e",
              "status": "affected",
              "version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/f2fs/namei.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.8"
            },
            {
              "lessThan": "3.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.295",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.95",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.35",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.295",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.95",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.35",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.4",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: prevent kernel warning due to negative i_nlink from corrupted image\n\nWARNING: CPU: 1 PID: 9426 at fs/inode.c:417 drop_nlink+0xac/0xd0\nhome/cc/linux/fs/inode.c:417\nModules linked in:\nCPU: 1 UID: 0 PID: 9426 Comm: syz-executor568 Not tainted\n6.14.0-12627-g94d471a4f428 #2 PREEMPT(full)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n1.13.0-1ubuntu1.1 04/01/2014\nRIP: 0010:drop_nlink+0xac/0xd0 home/cc/linux/fs/inode.c:417\nCode: 48 8b 5d 28 be 08 00 00 00 48 8d bb 70 07 00 00 e8 f9 67 e6 ff\nf0 48 ff 83 70 07 00 00 5b 5d e9 9a 12 82 ff e8 95 12 82 ff 90\n\u0026lt;0f\u0026gt; 0b 90 c7 45 48 ff ff ff ff 5b 5d e9 83 12 82 ff e8 fe 5f e6\nff\nRSP: 0018:ffffc900026b7c28 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff8239710f\nRDX: ffff888041345a00 RSI: ffffffff8239717b RDI: 0000000000000005\nRBP: ffff888054509ad0 R08: 0000000000000005 R09: 0000000000000000\nR10: 0000000000000000 R11: ffffffff9ab36f08 R12: ffff88804bb40000\nR13: ffff8880545091e0 R14: 0000000000008000 R15: ffff8880545091e0\nFS:  000055555d0c5880(0000) GS:ffff8880eb3e3000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f915c55b178 CR3: 0000000050d20000 CR4: 0000000000352ef0\nCall Trace:\n \u003ctask\u003e\n f2fs_i_links_write home/cc/linux/fs/f2fs/f2fs.h:3194 [inline]\n f2fs_drop_nlink+0xd1/0x3c0 home/cc/linux/fs/f2fs/dir.c:845\n f2fs_delete_entry+0x542/0x1450 home/cc/linux/fs/f2fs/dir.c:909\n f2fs_unlink+0x45c/0x890 home/cc/linux/fs/f2fs/namei.c:581\n vfs_unlink+0x2fb/0x9b0 home/cc/linux/fs/namei.c:4544\n do_unlinkat+0x4c5/0x6a0 home/cc/linux/fs/namei.c:4608\n __do_sys_unlink home/cc/linux/fs/namei.c:4654 [inline]\n __se_sys_unlink home/cc/linux/fs/namei.c:4652 [inline]\n __x64_sys_unlink+0xc5/0x110 home/cc/linux/fs/namei.c:4652\n do_syscall_x64 home/cc/linux/arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xc7/0x250 home/cc/linux/arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7fb3d092324b\nCode: 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66\n2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 57 00 00 00 0f 05\n\u0026lt;48\u0026gt; 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01\n48\nRSP: 002b:00007ffdc232d938 EFLAGS: 00000206 ORIG_RAX: 0000000000000057\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb3d092324b\nRDX: 00007ffdc232d960 RSI: 00007ffdc232d960 RDI: 00007ffdc232d9f0\nRBP: 00007ffdc232d9f0 R08: 0000000000000001 R09: 00007ffdc232d7c0\nR10: 00000000fffffffd R11: 0000000000000206 R12: 00007ffdc232eaf0\nR13: 000055555d0cebb0 R14: 00007ffdc232d958 R15: 0000000000000001\n \u003c/task\u003e"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:15:29.724Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d9a55869d8237e677ddaa18b0f58586364cfbc1c"
        },
        {
          "url": "https://git.kernel.org/stable/c/1f6332872374b7f482fc4ad865f9422fedb587fc"
        },
        {
          "url": "https://git.kernel.org/stable/c/fbfe8446cd3274b9e367f5708d94574230a44409"
        },
        {
          "url": "https://git.kernel.org/stable/c/5018d035530b6fbfad33eeb1dd1bc87da419a276"
        },
        {
          "url": "https://git.kernel.org/stable/c/a87cbcc909ccfd394d4936a94663f586453d0961"
        },
        {
          "url": "https://git.kernel.org/stable/c/aaa644e7ffff02e12c89cbce4753bc0b6f23ff87"
        },
        {
          "url": "https://git.kernel.org/stable/c/d14cbed4baccd712447fb3f9c011f008b56b2097"
        },
        {
          "url": "https://git.kernel.org/stable/c/42cb74a92adaf88061039601ddf7c874f58b554e"
        }
      ],
      "title": "f2fs: prevent kernel warning due to negative i_nlink from corrupted image",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38219",
    "datePublished": "2025-07-04T13:37:35.984Z",
    "dateReserved": "2025-04-16T04:51:23.995Z",
    "dateUpdated": "2025-11-03T17:35:38.286Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21992 (GCVE-0-2025-21992)

Vulnerability from cvelistv5 – Published: 2025-04-02 12:53 – Updated: 2026-01-02 15:28

Title

HID: ignore non-functional sensor in HP 5MP Camera

Summary

In the Linux kernel, the following vulnerability has been resolved: HID: ignore non-functional sensor in HP 5MP Camera The HP 5MP Camera (USB ID 0408:5473) reports a HID sensor interface that is not actually implemented. Attempting to access this non-functional sensor via iio_info causes system hangs as runtime PM tries to wake up an unresponsive sensor. [453] hid-sensor-hub 0003:0408:5473.0003: Report latency attributes: ffffffff:ffffffff [453] hid-sensor-hub 0003:0408:5473.0003: common attributes: 5:1, 2:1, 3:1 ffffffff:ffffffff Add this device to the HID ignore list since the sensor interface is non-functional by design and should not be exposed to userspace.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/7a7ada33879a631b0…
	https://git.kernel.org/stable/c/6ca3d4d87af406a39…
	https://git.kernel.org/stable/c/920ea73215dbf948b…
	https://git.kernel.org/stable/c/363236d709e75610b…

Impacted products

Vendor

Product

Version

Linux

Affected: e04955db6a7c3fc4a1e6978649b61a6f5f8028e3 , < 7a7ada33879a631b05b536e66d1c5b1219d3bade (git)
Affected: e04955db6a7c3fc4a1e6978649b61a6f5f8028e3 , < 6ca3d4d87af406a390a34ea924ab65c517e6e132 (git)
Affected: e04955db6a7c3fc4a1e6978649b61a6f5f8028e3 , < 920ea73215dbf948b661b88a79cb47b7f96adfbd (git)
Affected: e04955db6a7c3fc4a1e6978649b61a6f5f8028e3 , < 363236d709e75610b628c2a4337ccbe42e454b6d (git)

Linux

Affected: 6.3
Unaffected: 0 , < 6.3 (semver)
Unaffected: 6.6.84 , ≤ 6.6.* (semver)
Unaffected: 6.12.20 , ≤ 6.12.* (semver)
Unaffected: 6.13.8 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:40:30.985Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/hid/hid-ids.h",
            "drivers/hid/hid-quirks.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "7a7ada33879a631b05b536e66d1c5b1219d3bade",
              "status": "affected",
              "version": "e04955db6a7c3fc4a1e6978649b61a6f5f8028e3",
              "versionType": "git"
            },
            {
              "lessThan": "6ca3d4d87af406a390a34ea924ab65c517e6e132",
              "status": "affected",
              "version": "e04955db6a7c3fc4a1e6978649b61a6f5f8028e3",
              "versionType": "git"
            },
            {
              "lessThan": "920ea73215dbf948b661b88a79cb47b7f96adfbd",
              "status": "affected",
              "version": "e04955db6a7c3fc4a1e6978649b61a6f5f8028e3",
              "versionType": "git"
            },
            {
              "lessThan": "363236d709e75610b628c2a4337ccbe42e454b6d",
              "status": "affected",
              "version": "e04955db6a7c3fc4a1e6978649b61a6f5f8028e3",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/hid/hid-ids.h",
            "drivers/hid/hid-quirks.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.3"
            },
            {
              "lessThan": "6.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.84",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.20",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.84",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.20",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.8",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: ignore non-functional sensor in HP 5MP Camera\n\nThe HP 5MP Camera (USB ID 0408:5473) reports a HID sensor interface that\nis not actually implemented. Attempting to access this non-functional\nsensor via iio_info causes system hangs as runtime PM tries to wake up\nan unresponsive sensor.\n\n  [453] hid-sensor-hub 0003:0408:5473.0003: Report latency attributes: ffffffff:ffffffff\n  [453] hid-sensor-hub 0003:0408:5473.0003: common attributes: 5:1, 2:1, 3:1 ffffffff:ffffffff\n\nAdd this device to the HID ignore list since the sensor interface is\nnon-functional by design and should not be exposed to userspace."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:28:43.091Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/7a7ada33879a631b05b536e66d1c5b1219d3bade"
        },
        {
          "url": "https://git.kernel.org/stable/c/6ca3d4d87af406a390a34ea924ab65c517e6e132"
        },
        {
          "url": "https://git.kernel.org/stable/c/920ea73215dbf948b661b88a79cb47b7f96adfbd"
        },
        {
          "url": "https://git.kernel.org/stable/c/363236d709e75610b628c2a4337ccbe42e454b6d"
        }
      ],
      "title": "HID: ignore non-functional sensor in HP 5MP Camera",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21992",
    "datePublished": "2025-04-02T12:53:14.833Z",
    "dateReserved": "2024-12-29T08:45:45.800Z",
    "dateUpdated": "2026-01-02T15:28:43.091Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21888 (GCVE-0-2025-21888)

Vulnerability from cvelistv5 – Published: 2025-03-27 14:57 – Updated: 2025-05-04 07:23

Title

RDMA/mlx5: Fix a WARN during dereg_mr for DM type

Summary

In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Fix a WARN during dereg_mr for DM type Memory regions (MR) of type DM (device memory) do not have an associated umem. In the __mlx5_ib_dereg_mr() -> mlx5_free_priv_descs() flow, the code incorrectly takes the wrong branch, attempting to call dma_unmap_single() on a DMA address that is not mapped. This results in a WARN [1], as shown below. The issue is resolved by properly accounting for the DM type and ensuring the correct branch is selected in mlx5_free_priv_descs(). [1] WARNING: CPU: 12 PID: 1346 at drivers/iommu/dma-iommu.c:1230 iommu_dma_unmap_page+0x79/0x90 Modules linked in: ip6table_mangle ip6table_nat ip6table_filter ip6_tables iptable_mangle xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry ovelay rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm mlx5_ib ib_uverbs ib_core fuse mlx5_core CPU: 12 UID: 0 PID: 1346 Comm: ibv_rc_pingpong Not tainted 6.12.0-rc7+ #1631 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:iommu_dma_unmap_page+0x79/0x90 Code: 2b 49 3b 29 72 26 49 3b 69 08 73 20 4d 89 f0 44 89 e9 4c 89 e2 48 89 ee 48 89 df 5b 5d 41 5c 41 5d 41 5e 41 5f e9 07 b8 88 ff <0f> 0b 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc 66 0f 1f 44 00 RSP: 0018:ffffc90001913a10 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff88810194b0a8 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000001 RBP: ffff88810194b0a8 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000 R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000000 FS: 00007f537abdd740(0000) GS:ffff88885fb00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f537aeb8000 CR3: 000000010c248001 CR4: 0000000000372eb0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ? __warn+0x84/0x190 ? iommu_dma_unmap_page+0x79/0x90 ? report_bug+0xf8/0x1c0 ? handle_bug+0x55/0x90 ? exc_invalid_op+0x13/0x60 ? asm_exc_invalid_op+0x16/0x20 ? iommu_dma_unmap_page+0x79/0x90 dma_unmap_page_attrs+0xe6/0x290 mlx5_free_priv_descs+0xb0/0xe0 [mlx5_ib] __mlx5_ib_dereg_mr+0x37e/0x520 [mlx5_ib] ? _raw_spin_unlock_irq+0x24/0x40 ? wait_for_completion+0xfe/0x130 ? rdma_restrack_put+0x63/0xe0 [ib_core] ib_dereg_mr_user+0x5f/0x120 [ib_core] ? lock_release+0xc6/0x280 destroy_hw_idr_uobject+0x1d/0x60 [ib_uverbs] uverbs_destroy_uobject+0x58/0x1d0 [ib_uverbs] uobj_destroy+0x3f/0x70 [ib_uverbs] ib_uverbs_cmd_verbs+0x3e4/0xbb0 [ib_uverbs] ? __pfx_uverbs_destroy_def_handler+0x10/0x10 [ib_uverbs] ? lock_acquire+0xc1/0x2f0 ? ib_uverbs_ioctl+0xcb/0x170 [ib_uverbs] ? ib_uverbs_ioctl+0x116/0x170 [ib_uverbs] ? lock_release+0xc6/0x280 ib_uverbs_ioctl+0xe7/0x170 [ib_uverbs] ? ib_uverbs_ioctl+0xcb/0x170 [ib_uverbs] __x64_sys_ioctl+0x1b0/0xa70 do_syscall_64+0x6b/0x140 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f537adaf17b Code: 0f 1e fa 48 8b 05 1d ad 0c 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ed ac 0c 00 f7 d8 64 89 01 48 RSP: 002b:00007ffff218f0b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007ffff218f1d8 RCX: 00007f537adaf17b RDX: 00007ffff218f1c0 RSI: 00000000c0181b01 RDI: 0000000000000003 RBP: 00007ffff218f1a0 R08: 00007f537aa8d010 R09: 0000561ee2e4f270 R10: 00007f537aace3a8 R11: 0000000000000246 R12: 00007ffff218f190 R13: 000000000000001c R14: 0000561ee2e4d7c0 R15: 00007ffff218f450 </TASK>

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/0bd34bdd468e93a77…
	https://git.kernel.org/stable/c/f1298cad47ae29828…
	https://git.kernel.org/stable/c/abc7b3f1f056d69a8…

Impacted products

Vendor

Product

Version

Linux

Affected: f18ec422311767738ef4033b61e91cae07163b22 , < 0bd34bdd468e93a779c403de3cf7d43ee633b3e0 (git)
Affected: f18ec422311767738ef4033b61e91cae07163b22 , < f1298cad47ae29828c5c5be77e733ccfcaef6a7f (git)
Affected: f18ec422311767738ef4033b61e91cae07163b22 , < abc7b3f1f056d69a8f11d6dceecc0c9549ace770 (git)

Linux

Affected: 5.13
Unaffected: 0 , < 5.13 (semver)
Unaffected: 6.12.18 , ≤ 6.12.* (semver)
Unaffected: 6.13.6 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/hw/mlx5/mr.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0bd34bdd468e93a779c403de3cf7d43ee633b3e0",
              "status": "affected",
              "version": "f18ec422311767738ef4033b61e91cae07163b22",
              "versionType": "git"
            },
            {
              "lessThan": "f1298cad47ae29828c5c5be77e733ccfcaef6a7f",
              "status": "affected",
              "version": "f18ec422311767738ef4033b61e91cae07163b22",
              "versionType": "git"
            },
            {
              "lessThan": "abc7b3f1f056d69a8f11d6dceecc0c9549ace770",
              "status": "affected",
              "version": "f18ec422311767738ef4033b61e91cae07163b22",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/hw/mlx5/mr.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.13"
            },
            {
              "lessThan": "5.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.18",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.18",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.6",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx5: Fix a WARN during dereg_mr for DM type\n\nMemory regions (MR) of type DM (device memory) do not have an associated\numem.\n\nIn the __mlx5_ib_dereg_mr() -\u003e mlx5_free_priv_descs() flow, the code\nincorrectly takes the wrong branch, attempting to call\ndma_unmap_single() on a DMA address that is not mapped.\n\nThis results in a WARN [1], as shown below.\n\nThe issue is resolved by properly accounting for the DM type and\nensuring the correct branch is selected in mlx5_free_priv_descs().\n\n[1]\nWARNING: CPU: 12 PID: 1346 at drivers/iommu/dma-iommu.c:1230 iommu_dma_unmap_page+0x79/0x90\nModules linked in: ip6table_mangle ip6table_nat ip6table_filter ip6_tables iptable_mangle xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry ovelay rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm mlx5_ib ib_uverbs ib_core fuse mlx5_core\nCPU: 12 UID: 0 PID: 1346 Comm: ibv_rc_pingpong Not tainted 6.12.0-rc7+ #1631\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nRIP: 0010:iommu_dma_unmap_page+0x79/0x90\nCode: 2b 49 3b 29 72 26 49 3b 69 08 73 20 4d 89 f0 44 89 e9 4c 89 e2 48 89 ee 48 89 df 5b 5d 41 5c 41 5d 41 5e 41 5f e9 07 b8 88 ff \u003c0f\u003e 0b 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc 66 0f 1f 44 00\nRSP: 0018:ffffc90001913a10 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffff88810194b0a8 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000001\nRBP: ffff88810194b0a8 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000\nR13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000000\nFS:  00007f537abdd740(0000) GS:ffff88885fb00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f537aeb8000 CR3: 000000010c248001 CR4: 0000000000372eb0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n\u003cTASK\u003e\n? __warn+0x84/0x190\n? iommu_dma_unmap_page+0x79/0x90\n? report_bug+0xf8/0x1c0\n? handle_bug+0x55/0x90\n? exc_invalid_op+0x13/0x60\n? asm_exc_invalid_op+0x16/0x20\n? iommu_dma_unmap_page+0x79/0x90\ndma_unmap_page_attrs+0xe6/0x290\nmlx5_free_priv_descs+0xb0/0xe0 [mlx5_ib]\n__mlx5_ib_dereg_mr+0x37e/0x520 [mlx5_ib]\n? _raw_spin_unlock_irq+0x24/0x40\n? wait_for_completion+0xfe/0x130\n? rdma_restrack_put+0x63/0xe0 [ib_core]\nib_dereg_mr_user+0x5f/0x120 [ib_core]\n? lock_release+0xc6/0x280\ndestroy_hw_idr_uobject+0x1d/0x60 [ib_uverbs]\nuverbs_destroy_uobject+0x58/0x1d0 [ib_uverbs]\nuobj_destroy+0x3f/0x70 [ib_uverbs]\nib_uverbs_cmd_verbs+0x3e4/0xbb0 [ib_uverbs]\n? __pfx_uverbs_destroy_def_handler+0x10/0x10 [ib_uverbs]\n? lock_acquire+0xc1/0x2f0\n? ib_uverbs_ioctl+0xcb/0x170 [ib_uverbs]\n? ib_uverbs_ioctl+0x116/0x170 [ib_uverbs]\n? lock_release+0xc6/0x280\nib_uverbs_ioctl+0xe7/0x170 [ib_uverbs]\n? ib_uverbs_ioctl+0xcb/0x170 [ib_uverbs]\n__x64_sys_ioctl+0x1b0/0xa70\ndo_syscall_64+0x6b/0x140\nentry_SYSCALL_64_after_hwframe+0x76/0x7e\nRIP: 0033:0x7f537adaf17b\nCode: 0f 1e fa 48 8b 05 1d ad 0c 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 8b 0d ed ac 0c 00 f7 d8 64 89 01 48\nRSP: 002b:00007ffff218f0b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 00007ffff218f1d8 RCX: 00007f537adaf17b\nRDX: 00007ffff218f1c0 RSI: 00000000c0181b01 RDI: 0000000000000003\nRBP: 00007ffff218f1a0 R08: 00007f537aa8d010 R09: 0000561ee2e4f270\nR10: 00007f537aace3a8 R11: 0000000000000246 R12: 00007ffff218f190\nR13: 000000000000001c R14: 0000561ee2e4d7c0 R15: 00007ffff218f450\n\u003c/TASK\u003e"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:23:23.287Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0bd34bdd468e93a779c403de3cf7d43ee633b3e0"
        },
        {
          "url": "https://git.kernel.org/stable/c/f1298cad47ae29828c5c5be77e733ccfcaef6a7f"
        },
        {
          "url": "https://git.kernel.org/stable/c/abc7b3f1f056d69a8f11d6dceecc0c9549ace770"
        }
      ],
      "title": "RDMA/mlx5: Fix a WARN during dereg_mr for DM type",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21888",
    "datePublished": "2025-03-27T14:57:15.141Z",
    "dateReserved": "2024-12-29T08:45:45.782Z",
    "dateUpdated": "2025-05-04T07:23:23.287Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38443 (GCVE-0-2025-38443)

Vulnerability from cvelistv5 – Published: 2025-07-25 15:27 – Updated: 2025-11-03 17:38

Title

nbd: fix uaf in nbd_genl_connect() error path

Summary

In the Linux kernel, the following vulnerability has been resolved: nbd: fix uaf in nbd_genl_connect() error path There is a use-after-free issue in nbd: block nbd6: Receive control failed (result -104) block nbd6: shutting down sockets ================================================================== BUG: KASAN: slab-use-after-free in recv_work+0x694/0xa80 drivers/block/nbd.c:1022 Write of size 4 at addr ffff8880295de478 by task kworker/u33:0/67 CPU: 2 UID: 0 PID: 67 Comm: kworker/u33:0 Not tainted 6.15.0-rc5-syzkaller-00123-g2c89c1b655c0 #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Workqueue: nbd6-recv recv_work Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:408 [inline] print_report+0xc3/0x670 mm/kasan/report.c:521 kasan_report+0xe0/0x110 mm/kasan/report.c:634 check_region_inline mm/kasan/generic.c:183 [inline] kasan_check_range+0xef/0x1a0 mm/kasan/generic.c:189 instrument_atomic_read_write include/linux/instrumented.h:96 [inline] atomic_dec include/linux/atomic/atomic-instrumented.h:592 [inline] recv_work+0x694/0xa80 drivers/block/nbd.c:1022 process_one_work+0x9cc/0x1b70 kernel/workqueue.c:3238 process_scheduled_works kernel/workqueue.c:3319 [inline] worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400 kthread+0x3c2/0x780 kernel/kthread.c:464 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:153 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 </TASK> nbd_genl_connect() does not properly stop the device on certain error paths after nbd_start_device() has been called. This causes the error path to put nbd->config while recv_work continue to use the config after putting it, leading to use-after-free in recv_work. This patch moves nbd_start_device() after the backend file creation.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/cb121c47f364b5177…
	https://git.kernel.org/stable/c/91fa560c73a812686…
	https://git.kernel.org/stable/c/d46186eb7bbd9a11c…
	https://git.kernel.org/stable/c/8586552df591e0a36…
	https://git.kernel.org/stable/c/002aca89753f666d8…
	https://git.kernel.org/stable/c/aa9552438ebf015fc…

Impacted products

Vendor

Product

Version

Linux

Affected: 6497ef8df568afbf5f3e38825a4590ff41611a54 , < cb121c47f364b51776c4db904a6a5a90ab0a7ec5 (git)
Affected: 6497ef8df568afbf5f3e38825a4590ff41611a54 , < 91fa560c73a8126868848ed6cd70607cbf8d87e2 (git)
Affected: 6497ef8df568afbf5f3e38825a4590ff41611a54 , < d46186eb7bbd9a11c145120f2d77effa8d4d44c2 (git)
Affected: 6497ef8df568afbf5f3e38825a4590ff41611a54 , < 8586552df591e0a367eff44af0c586213eeecc3f (git)
Affected: 6497ef8df568afbf5f3e38825a4590ff41611a54 , < 002aca89753f666d878ca0eb8584c372684ac4ba (git)
Affected: 6497ef8df568afbf5f3e38825a4590ff41611a54 , < aa9552438ebf015fc5f9f890dbfe39f0c53cf37e (git)

Linux

Affected: 5.14
Unaffected: 0 , < 5.14 (semver)
Unaffected: 5.15.189 , ≤ 5.15.* (semver)
Unaffected: 6.1.146 , ≤ 6.1.* (semver)
Unaffected: 6.6.99 , ≤ 6.6.* (semver)
Unaffected: 6.12.39 , ≤ 6.12.* (semver)
Unaffected: 6.15.7 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:38:04.726Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/block/nbd.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "cb121c47f364b51776c4db904a6a5a90ab0a7ec5",
              "status": "affected",
              "version": "6497ef8df568afbf5f3e38825a4590ff41611a54",
              "versionType": "git"
            },
            {
              "lessThan": "91fa560c73a8126868848ed6cd70607cbf8d87e2",
              "status": "affected",
              "version": "6497ef8df568afbf5f3e38825a4590ff41611a54",
              "versionType": "git"
            },
            {
              "lessThan": "d46186eb7bbd9a11c145120f2d77effa8d4d44c2",
              "status": "affected",
              "version": "6497ef8df568afbf5f3e38825a4590ff41611a54",
              "versionType": "git"
            },
            {
              "lessThan": "8586552df591e0a367eff44af0c586213eeecc3f",
              "status": "affected",
              "version": "6497ef8df568afbf5f3e38825a4590ff41611a54",
              "versionType": "git"
            },
            {
              "lessThan": "002aca89753f666d878ca0eb8584c372684ac4ba",
              "status": "affected",
              "version": "6497ef8df568afbf5f3e38825a4590ff41611a54",
              "versionType": "git"
            },
            {
              "lessThan": "aa9552438ebf015fc5f9f890dbfe39f0c53cf37e",
              "status": "affected",
              "version": "6497ef8df568afbf5f3e38825a4590ff41611a54",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/block/nbd.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.14"
            },
            {
              "lessThan": "5.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.189",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.146",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.99",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.39",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.189",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.146",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.99",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.39",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.7",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnbd: fix uaf in nbd_genl_connect() error path\n\nThere is a use-after-free issue in nbd:\n\nblock nbd6: Receive control failed (result -104)\nblock nbd6: shutting down sockets\n==================================================================\nBUG: KASAN: slab-use-after-free in recv_work+0x694/0xa80 drivers/block/nbd.c:1022\nWrite of size 4 at addr ffff8880295de478 by task kworker/u33:0/67\n\nCPU: 2 UID: 0 PID: 67 Comm: kworker/u33:0 Not tainted 6.15.0-rc5-syzkaller-00123-g2c89c1b655c0 #0 PREEMPT(full)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nWorkqueue: nbd6-recv recv_work\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:408 [inline]\n print_report+0xc3/0x670 mm/kasan/report.c:521\n kasan_report+0xe0/0x110 mm/kasan/report.c:634\n check_region_inline mm/kasan/generic.c:183 [inline]\n kasan_check_range+0xef/0x1a0 mm/kasan/generic.c:189\n instrument_atomic_read_write include/linux/instrumented.h:96 [inline]\n atomic_dec include/linux/atomic/atomic-instrumented.h:592 [inline]\n recv_work+0x694/0xa80 drivers/block/nbd.c:1022\n process_one_work+0x9cc/0x1b70 kernel/workqueue.c:3238\n process_scheduled_works kernel/workqueue.c:3319 [inline]\n worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400\n kthread+0x3c2/0x780 kernel/kthread.c:464\n ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:153\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245\n \u003c/TASK\u003e\n\nnbd_genl_connect() does not properly stop the device on certain\nerror paths after nbd_start_device() has been called. This causes\nthe error path to put nbd-\u003econfig while recv_work continue to use\nthe config after putting it, leading to use-after-free in recv_work.\n\nThis patch moves nbd_start_device() after the backend file creation."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:22:25.589Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/cb121c47f364b51776c4db904a6a5a90ab0a7ec5"
        },
        {
          "url": "https://git.kernel.org/stable/c/91fa560c73a8126868848ed6cd70607cbf8d87e2"
        },
        {
          "url": "https://git.kernel.org/stable/c/d46186eb7bbd9a11c145120f2d77effa8d4d44c2"
        },
        {
          "url": "https://git.kernel.org/stable/c/8586552df591e0a367eff44af0c586213eeecc3f"
        },
        {
          "url": "https://git.kernel.org/stable/c/002aca89753f666d878ca0eb8584c372684ac4ba"
        },
        {
          "url": "https://git.kernel.org/stable/c/aa9552438ebf015fc5f9f890dbfe39f0c53cf37e"
        }
      ],
      "title": "nbd: fix uaf in nbd_genl_connect() error path",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38443",
    "datePublished": "2025-07-25T15:27:26.671Z",
    "dateReserved": "2025-04-16T04:51:24.017Z",
    "dateUpdated": "2025-11-03T17:38:04.726Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38206 (GCVE-0-2025-38206)

Vulnerability from cvelistv5 – Published: 2025-07-04 13:37 – Updated: 2025-11-03 17:35

Title

exfat: fix double free in delayed_free

Summary

In the Linux kernel, the following vulnerability has been resolved: exfat: fix double free in delayed_free The double free could happen in the following path. exfat_create_upcase_table() exfat_create_upcase_table() : return error exfat_free_upcase_table() : free ->vol_utbl exfat_load_default_upcase_table : return error exfat_kill_sb() delayed_free() exfat_free_upcase_table() <--------- double free This patch set ->vol_util as NULL after freeing it.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/13d8de1b6568dcc31…
	https://git.kernel.org/stable/c/66e84439ec2af776c…
	https://git.kernel.org/stable/c/d3cef0e7a5c1aa621…
	https://git.kernel.org/stable/c/1f3d9724e16d62c7d…

Impacted products

Vendor

Product

Version

Linux

Affected: 1acf1a564b6034b5af1e7fb23cb98cb3bb4f6003 , < 13d8de1b6568dcc31a95534ced16bc0c9a67bc15 (git)
Affected: 1acf1a564b6034b5af1e7fb23cb98cb3bb4f6003 , < 66e84439ec2af776ce749e8540f8fdd257774152 (git)
Affected: 1acf1a564b6034b5af1e7fb23cb98cb3bb4f6003 , < d3cef0e7a5c1aa6217c51faa9ce8ecac35d6e1fd (git)
Affected: 1acf1a564b6034b5af1e7fb23cb98cb3bb4f6003 , < 1f3d9724e16d62c7d42c67d6613b8512f2887c22 (git)

Linux

Affected: 5.7
Unaffected: 0 , < 5.7 (semver)
Unaffected: 5.10.239 , ≤ 5.10.* (semver)
Unaffected: 5.15.186 , ≤ 5.15.* (semver)
Unaffected: 6.15.4 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:35:27.691Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/exfat/nls.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "13d8de1b6568dcc31a95534ced16bc0c9a67bc15",
              "status": "affected",
              "version": "1acf1a564b6034b5af1e7fb23cb98cb3bb4f6003",
              "versionType": "git"
            },
            {
              "lessThan": "66e84439ec2af776ce749e8540f8fdd257774152",
              "status": "affected",
              "version": "1acf1a564b6034b5af1e7fb23cb98cb3bb4f6003",
              "versionType": "git"
            },
            {
              "lessThan": "d3cef0e7a5c1aa6217c51faa9ce8ecac35d6e1fd",
              "status": "affected",
              "version": "1acf1a564b6034b5af1e7fb23cb98cb3bb4f6003",
              "versionType": "git"
            },
            {
              "lessThan": "1f3d9724e16d62c7d42c67d6613b8512f2887c22",
              "status": "affected",
              "version": "1acf1a564b6034b5af1e7fb23cb98cb3bb4f6003",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/exfat/nls.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.7"
            },
            {
              "lessThan": "5.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.4",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nexfat: fix double free in delayed_free\n\nThe double free could happen in the following path.\n\nexfat_create_upcase_table()\n        exfat_create_upcase_table() : return error\n        exfat_free_upcase_table() : free -\u003evol_utbl\n        exfat_load_default_upcase_table : return error\n     exfat_kill_sb()\n           delayed_free()\n                  exfat_free_upcase_table() \u003c--------- double free\nThis patch set -\u003evol_util as NULL after freeing it."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:15:04.639Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/13d8de1b6568dcc31a95534ced16bc0c9a67bc15"
        },
        {
          "url": "https://git.kernel.org/stable/c/66e84439ec2af776ce749e8540f8fdd257774152"
        },
        {
          "url": "https://git.kernel.org/stable/c/d3cef0e7a5c1aa6217c51faa9ce8ecac35d6e1fd"
        },
        {
          "url": "https://git.kernel.org/stable/c/1f3d9724e16d62c7d42c67d6613b8512f2887c22"
        }
      ],
      "title": "exfat: fix double free in delayed_free",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38206",
    "datePublished": "2025-07-04T13:37:25.966Z",
    "dateReserved": "2025-04-16T04:51:23.994Z",
    "dateUpdated": "2025-11-03T17:35:27.691Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21997 (GCVE-0-2025-21997)

Vulnerability from cvelistv5 – Published: 2025-04-03 07:19 – Updated: 2025-11-03 19:40

Title

xsk: fix an integer overflow in xp_create_and_assign_umem()

Summary

In the Linux kernel, the following vulnerability has been resolved: xsk: fix an integer overflow in xp_create_and_assign_umem() Since the i and pool->chunk_size variables are of type 'u32', their product can wrap around and then be cast to 'u64'. This can lead to two different XDP buffers pointing to the same memory area. Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with SVACE.

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-190 - Integer Overflow or Wraparound

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/205649d642a5b3767…
	https://git.kernel.org/stable/c/b7b4be1fa43294b50…
	https://git.kernel.org/stable/c/130290f44bce0eead…
	https://git.kernel.org/stable/c/c7670c197b0f1a872…
	https://git.kernel.org/stable/c/559847f56769037e5…

Impacted products

Vendor

Product

Version

Linux

Affected: 94033cd8e73b8632bab7c8b7bb54caa4f5616db7 , < 205649d642a5b376724f04f3a5b3586815e43d3b (git)
Affected: 94033cd8e73b8632bab7c8b7bb54caa4f5616db7 , < b7b4be1fa43294b50b22e812715198629806678a (git)
Affected: 94033cd8e73b8632bab7c8b7bb54caa4f5616db7 , < 130290f44bce0eead2b827302109afc3fe189ddd (git)
Affected: 94033cd8e73b8632bab7c8b7bb54caa4f5616db7 , < c7670c197b0f1a8726ad5c87bc2bf001a1fc1bbd (git)
Affected: 94033cd8e73b8632bab7c8b7bb54caa4f5616db7 , < 559847f56769037e5b2e0474d3dbff985b98083d (git)

Linux

Affected: 5.16
Unaffected: 0 , < 5.16 (semver)
Unaffected: 6.1.132 , ≤ 6.1.* (semver)
Unaffected: 6.6.85 , ≤ 6.6.* (semver)
Unaffected: 6.12.21 , ≤ 6.12.* (semver)
Unaffected: 6.13.9 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21997",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T17:11:27.222499Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-190",
                "description": "CWE-190 Integer Overflow or Wraparound",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T17:11:29.711Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:40:39.282Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/xdp/xsk_buff_pool.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "205649d642a5b376724f04f3a5b3586815e43d3b",
              "status": "affected",
              "version": "94033cd8e73b8632bab7c8b7bb54caa4f5616db7",
              "versionType": "git"
            },
            {
              "lessThan": "b7b4be1fa43294b50b22e812715198629806678a",
              "status": "affected",
              "version": "94033cd8e73b8632bab7c8b7bb54caa4f5616db7",
              "versionType": "git"
            },
            {
              "lessThan": "130290f44bce0eead2b827302109afc3fe189ddd",
              "status": "affected",
              "version": "94033cd8e73b8632bab7c8b7bb54caa4f5616db7",
              "versionType": "git"
            },
            {
              "lessThan": "c7670c197b0f1a8726ad5c87bc2bf001a1fc1bbd",
              "status": "affected",
              "version": "94033cd8e73b8632bab7c8b7bb54caa4f5616db7",
              "versionType": "git"
            },
            {
              "lessThan": "559847f56769037e5b2e0474d3dbff985b98083d",
              "status": "affected",
              "version": "94033cd8e73b8632bab7c8b7bb54caa4f5616db7",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/xdp/xsk_buff_pool.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.16"
            },
            {
              "lessThan": "5.16",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.132",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.85",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.21",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.132",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.85",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.21",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.9",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxsk: fix an integer overflow in xp_create_and_assign_umem()\n\nSince the i and pool-\u003echunk_size variables are of type \u0027u32\u0027,\ntheir product can wrap around and then be cast to \u0027u64\u0027.\nThis can lead to two different XDP buffers pointing to the same\nmemory area.\n\nFound by InfoTeCS on behalf of Linux Verification Center\n(linuxtesting.org) with SVACE."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:27:05.891Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/205649d642a5b376724f04f3a5b3586815e43d3b"
        },
        {
          "url": "https://git.kernel.org/stable/c/b7b4be1fa43294b50b22e812715198629806678a"
        },
        {
          "url": "https://git.kernel.org/stable/c/130290f44bce0eead2b827302109afc3fe189ddd"
        },
        {
          "url": "https://git.kernel.org/stable/c/c7670c197b0f1a8726ad5c87bc2bf001a1fc1bbd"
        },
        {
          "url": "https://git.kernel.org/stable/c/559847f56769037e5b2e0474d3dbff985b98083d"
        }
      ],
      "title": "xsk: fix an integer overflow in xp_create_and_assign_umem()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21997",
    "datePublished": "2025-04-03T07:19:00.583Z",
    "dateReserved": "2024-12-29T08:45:45.801Z",
    "dateUpdated": "2025-11-03T19:40:39.282Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38305 (GCVE-0-2025-38305)

Vulnerability from cvelistv5 – Published: 2025-07-10 07:42 – Updated: 2025-11-03 17:36

Title

ptp: remove ptp->n_vclocks check logic in ptp_vclock_in_use()

Summary

In the Linux kernel, the following vulnerability has been resolved: ptp: remove ptp->n_vclocks check logic in ptp_vclock_in_use() There is no disagreement that we should check both ptp->is_virtual_clock and ptp->n_vclocks to check if the ptp virtual clock is in use. However, when we acquire ptp->n_vclocks_mux to read ptp->n_vclocks in ptp_vclock_in_use(), we observe a recursive lock in the call trace starting from n_vclocks_store(). ============================================ WARNING: possible recursive locking detected 6.15.0-rc6 #1 Not tainted -------------------------------------------- syz.0.1540/13807 is trying to acquire lock: ffff888035a24868 (&ptp->n_vclocks_mux){+.+.}-{4:4}, at: ptp_vclock_in_use drivers/ptp/ptp_private.h:103 [inline] ffff888035a24868 (&ptp->n_vclocks_mux){+.+.}-{4:4}, at: ptp_clock_unregister+0x21/0x250 drivers/ptp/ptp_clock.c:415 but task is already holding lock: ffff888030704868 (&ptp->n_vclocks_mux){+.+.}-{4:4}, at: n_vclocks_store+0xf1/0x6d0 drivers/ptp/ptp_sysfs.c:215 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(&ptp->n_vclocks_mux); lock(&ptp->n_vclocks_mux); *** DEADLOCK *** .... ============================================ The best way to solve this is to remove the logic that checks ptp->n_vclocks in ptp_vclock_in_use(). The reason why this is appropriate is that any path that uses ptp->n_vclocks must unconditionally check if ptp->n_vclocks is greater than 0 before unregistering vclocks, and all functions are already written this way. And in the function that uses ptp->n_vclocks, we already get ptp->n_vclocks_mux before unregistering vclocks. Therefore, we need to remove the redundant check for ptp->n_vclocks in ptp_vclock_in_use() to prevent recursive locking.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/5d217e7031a5c06d3…
	https://git.kernel.org/stable/c/b1b73c45233145102…
	https://git.kernel.org/stable/c/259119595227fd20f…
	https://git.kernel.org/stable/c/b93e6fef4eda48e17…
	https://git.kernel.org/stable/c/ef8fc007c28a30a4c…
	https://git.kernel.org/stable/c/87f7ce260a3c838b4…

Impacted products

Vendor

Product

Version

Linux

Affected: 73f37068d540eba5f93ba3a0019bf479d35ebd76 , < 5d217e7031a5c06d366580fc6ddbf43527b780d4 (git)
Affected: 73f37068d540eba5f93ba3a0019bf479d35ebd76 , < b1b73c452331451020be3bf4b014901015ae6663 (git)
Affected: 73f37068d540eba5f93ba3a0019bf479d35ebd76 , < 259119595227fd20f6aa29d85abe086b6fdd9eb1 (git)
Affected: 73f37068d540eba5f93ba3a0019bf479d35ebd76 , < b93e6fef4eda48e17d9c642b9abad98a066fd4a3 (git)
Affected: 73f37068d540eba5f93ba3a0019bf479d35ebd76 , < ef8fc007c28a30a4c0d90bf755e0f343d99bb392 (git)
Affected: 73f37068d540eba5f93ba3a0019bf479d35ebd76 , < 87f7ce260a3c838b49e1dc1ceedf1006795157a2 (git)

Linux

Affected: 5.14
Unaffected: 0 , < 5.14 (semver)
Unaffected: 5.15.186 , ≤ 5.15.* (semver)
Unaffected: 6.1.142 , ≤ 6.1.* (semver)
Unaffected: 6.6.94 , ≤ 6.6.* (semver)
Unaffected: 6.12.34 , ≤ 6.12.* (semver)
Unaffected: 6.15.3 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:36:22.602Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/ptp/ptp_private.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5d217e7031a5c06d366580fc6ddbf43527b780d4",
              "status": "affected",
              "version": "73f37068d540eba5f93ba3a0019bf479d35ebd76",
              "versionType": "git"
            },
            {
              "lessThan": "b1b73c452331451020be3bf4b014901015ae6663",
              "status": "affected",
              "version": "73f37068d540eba5f93ba3a0019bf479d35ebd76",
              "versionType": "git"
            },
            {
              "lessThan": "259119595227fd20f6aa29d85abe086b6fdd9eb1",
              "status": "affected",
              "version": "73f37068d540eba5f93ba3a0019bf479d35ebd76",
              "versionType": "git"
            },
            {
              "lessThan": "b93e6fef4eda48e17d9c642b9abad98a066fd4a3",
              "status": "affected",
              "version": "73f37068d540eba5f93ba3a0019bf479d35ebd76",
              "versionType": "git"
            },
            {
              "lessThan": "ef8fc007c28a30a4c0d90bf755e0f343d99bb392",
              "status": "affected",
              "version": "73f37068d540eba5f93ba3a0019bf479d35ebd76",
              "versionType": "git"
            },
            {
              "lessThan": "87f7ce260a3c838b49e1dc1ceedf1006795157a2",
              "status": "affected",
              "version": "73f37068d540eba5f93ba3a0019bf479d35ebd76",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/ptp/ptp_private.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.14"
            },
            {
              "lessThan": "5.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.94",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nptp: remove ptp-\u003en_vclocks check logic in ptp_vclock_in_use()\n\nThere is no disagreement that we should check both ptp-\u003eis_virtual_clock\nand ptp-\u003en_vclocks to check if the ptp virtual clock is in use.\n\nHowever, when we acquire ptp-\u003en_vclocks_mux to read ptp-\u003en_vclocks in\nptp_vclock_in_use(), we observe a recursive lock in the call trace\nstarting from n_vclocks_store().\n\n============================================\nWARNING: possible recursive locking detected\n6.15.0-rc6 #1 Not tainted\n--------------------------------------------\nsyz.0.1540/13807 is trying to acquire lock:\nffff888035a24868 (\u0026ptp-\u003en_vclocks_mux){+.+.}-{4:4}, at:\n ptp_vclock_in_use drivers/ptp/ptp_private.h:103 [inline]\nffff888035a24868 (\u0026ptp-\u003en_vclocks_mux){+.+.}-{4:4}, at:\n ptp_clock_unregister+0x21/0x250 drivers/ptp/ptp_clock.c:415\n\nbut task is already holding lock:\nffff888030704868 (\u0026ptp-\u003en_vclocks_mux){+.+.}-{4:4}, at:\n n_vclocks_store+0xf1/0x6d0 drivers/ptp/ptp_sysfs.c:215\n\nother info that might help us debug this:\n Possible unsafe locking scenario:\n\n       CPU0\n       ----\n  lock(\u0026ptp-\u003en_vclocks_mux);\n  lock(\u0026ptp-\u003en_vclocks_mux);\n\n *** DEADLOCK ***\n....\n============================================\n\nThe best way to solve this is to remove the logic that checks\nptp-\u003en_vclocks in ptp_vclock_in_use().\n\nThe reason why this is appropriate is that any path that uses\nptp-\u003en_vclocks must unconditionally check if ptp-\u003en_vclocks is greater\nthan 0 before unregistering vclocks, and all functions are already\nwritten this way. And in the function that uses ptp-\u003en_vclocks, we\nalready get ptp-\u003en_vclocks_mux before unregistering vclocks.\n\nTherefore, we need to remove the redundant check for ptp-\u003en_vclocks in\nptp_vclock_in_use() to prevent recursive locking."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:18:06.998Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/5d217e7031a5c06d366580fc6ddbf43527b780d4"
        },
        {
          "url": "https://git.kernel.org/stable/c/b1b73c452331451020be3bf4b014901015ae6663"
        },
        {
          "url": "https://git.kernel.org/stable/c/259119595227fd20f6aa29d85abe086b6fdd9eb1"
        },
        {
          "url": "https://git.kernel.org/stable/c/b93e6fef4eda48e17d9c642b9abad98a066fd4a3"
        },
        {
          "url": "https://git.kernel.org/stable/c/ef8fc007c28a30a4c0d90bf755e0f343d99bb392"
        },
        {
          "url": "https://git.kernel.org/stable/c/87f7ce260a3c838b49e1dc1ceedf1006795157a2"
        }
      ],
      "title": "ptp: remove ptp-\u003en_vclocks check logic in ptp_vclock_in_use()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38305",
    "datePublished": "2025-07-10T07:42:16.127Z",
    "dateReserved": "2025-04-16T04:51:24.002Z",
    "dateUpdated": "2025-11-03T17:36:22.602Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21929 (GCVE-0-2025-21929)

Vulnerability from cvelistv5 – Published: 2025-04-01 15:40 – Updated: 2025-05-04 07:24

Title

HID: intel-ish-hid: Fix use-after-free issue in hid_ishtp_cl_remove()

Summary

In the Linux kernel, the following vulnerability has been resolved: HID: intel-ish-hid: Fix use-after-free issue in hid_ishtp_cl_remove() During the `rmmod` operation for the `intel_ishtp_hid` driver, a use-after-free issue can occur in the hid_ishtp_cl_remove() function. The function hid_ishtp_cl_deinit() is called before ishtp_hid_remove(), which can lead to accessing freed memory or resources during the removal process. Call Trace: ? ishtp_cl_send+0x168/0x220 [intel_ishtp] ? hid_output_report+0xe3/0x150 [hid] hid_ishtp_set_feature+0xb5/0x120 [intel_ishtp_hid] ishtp_hid_request+0x7b/0xb0 [intel_ishtp_hid] hid_hw_request+0x1f/0x40 [hid] sensor_hub_set_feature+0x11f/0x190 [hid_sensor_hub] _hid_sensor_power_state+0x147/0x1e0 [hid_sensor_trigger] hid_sensor_runtime_resume+0x22/0x30 [hid_sensor_trigger] sensor_hub_remove+0xa8/0xe0 [hid_sensor_hub] hid_device_remove+0x49/0xb0 [hid] hid_destroy_device+0x6f/0x90 [hid] ishtp_hid_remove+0x42/0x70 [intel_ishtp_hid] hid_ishtp_cl_remove+0x6b/0xb0 [intel_ishtp_hid] ishtp_cl_device_remove+0x4a/0x60 [intel_ishtp] ... Additionally, ishtp_hid_remove() is a HID level power off, which should occur before the ISHTP level disconnect. This patch resolves the issue by reordering the calls in hid_ishtp_cl_remove(). The function ishtp_hid_remove() is now called before hid_ishtp_cl_deinit().

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/9c677fe859a73f5dd…
	https://git.kernel.org/stable/c/e040f11fbca868c6d…
	https://git.kernel.org/stable/c/82398784142428933…

Impacted products

Vendor

Product

Version

Linux

Affected: f645a90e8ff732c48dd9f18815baef08c44ac8a0 , < 9c677fe859a73f5dd3dd84c27f99e10d28047c73 (git)
Affected: f645a90e8ff732c48dd9f18815baef08c44ac8a0 , < e040f11fbca868c6d151e9f2c5730c476abfcf17 (git)
Affected: f645a90e8ff732c48dd9f18815baef08c44ac8a0 , < 823987841424289339fdb4ba90e6d2c3792836db (git)

Linux

Affected: 6.8
Unaffected: 0 , < 6.8 (semver)
Unaffected: 6.12.19 , ≤ 6.12.* (semver)
Unaffected: 6.13.7 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21929",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-16T13:14:59.850777Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-16T13:19:52.728Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/hid/intel-ish-hid/ishtp-hid-client.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "9c677fe859a73f5dd3dd84c27f99e10d28047c73",
              "status": "affected",
              "version": "f645a90e8ff732c48dd9f18815baef08c44ac8a0",
              "versionType": "git"
            },
            {
              "lessThan": "e040f11fbca868c6d151e9f2c5730c476abfcf17",
              "status": "affected",
              "version": "f645a90e8ff732c48dd9f18815baef08c44ac8a0",
              "versionType": "git"
            },
            {
              "lessThan": "823987841424289339fdb4ba90e6d2c3792836db",
              "status": "affected",
              "version": "f645a90e8ff732c48dd9f18815baef08c44ac8a0",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/hid/intel-ish-hid/ishtp-hid-client.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.8"
            },
            {
              "lessThan": "6.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.19",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.19",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.7",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: intel-ish-hid: Fix use-after-free issue in hid_ishtp_cl_remove()\n\nDuring the `rmmod` operation for the `intel_ishtp_hid` driver, a\nuse-after-free issue can occur in the hid_ishtp_cl_remove() function.\nThe function hid_ishtp_cl_deinit() is called before ishtp_hid_remove(),\nwhich can lead to accessing freed memory or resources during the\nremoval process.\n\nCall Trace:\n ? ishtp_cl_send+0x168/0x220 [intel_ishtp]\n ? hid_output_report+0xe3/0x150 [hid]\n hid_ishtp_set_feature+0xb5/0x120 [intel_ishtp_hid]\n ishtp_hid_request+0x7b/0xb0 [intel_ishtp_hid]\n hid_hw_request+0x1f/0x40 [hid]\n sensor_hub_set_feature+0x11f/0x190 [hid_sensor_hub]\n _hid_sensor_power_state+0x147/0x1e0 [hid_sensor_trigger]\n hid_sensor_runtime_resume+0x22/0x30 [hid_sensor_trigger]\n sensor_hub_remove+0xa8/0xe0 [hid_sensor_hub]\n hid_device_remove+0x49/0xb0 [hid]\n hid_destroy_device+0x6f/0x90 [hid]\n ishtp_hid_remove+0x42/0x70 [intel_ishtp_hid]\n hid_ishtp_cl_remove+0x6b/0xb0 [intel_ishtp_hid]\n ishtp_cl_device_remove+0x4a/0x60 [intel_ishtp]\n ...\n\nAdditionally, ishtp_hid_remove() is a HID level power off, which should\noccur before the ISHTP level disconnect.\n\nThis patch resolves the issue by reordering the calls in\nhid_ishtp_cl_remove(). The function ishtp_hid_remove() is now\ncalled before hid_ishtp_cl_deinit()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:24:47.101Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/9c677fe859a73f5dd3dd84c27f99e10d28047c73"
        },
        {
          "url": "https://git.kernel.org/stable/c/e040f11fbca868c6d151e9f2c5730c476abfcf17"
        },
        {
          "url": "https://git.kernel.org/stable/c/823987841424289339fdb4ba90e6d2c3792836db"
        }
      ],
      "title": "HID: intel-ish-hid: Fix use-after-free issue in hid_ishtp_cl_remove()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21929",
    "datePublished": "2025-04-01T15:40:59.761Z",
    "dateReserved": "2024-12-29T08:45:45.789Z",
    "dateUpdated": "2025-05-04T07:24:47.101Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21976 (GCVE-0-2025-21976)

Vulnerability from cvelistv5 – Published: 2025-04-01 15:47 – Updated: 2025-05-04 07:26

Title

fbdev: hyperv_fb: Allow graceful removal of framebuffer

Summary

In the Linux kernel, the following vulnerability has been resolved: fbdev: hyperv_fb: Allow graceful removal of framebuffer When a Hyper-V framebuffer device is unbind, hyperv_fb driver tries to release the framebuffer forcefully. If this framebuffer is in use it produce the following WARN and hence this framebuffer is never released. [ 44.111220] WARNING: CPU: 35 PID: 1882 at drivers/video/fbdev/core/fb_info.c:70 framebuffer_release+0x2c/0x40 < snip > [ 44.111289] Call Trace: [ 44.111290] <TASK> [ 44.111291] ? show_regs+0x6c/0x80 [ 44.111295] ? __warn+0x8d/0x150 [ 44.111298] ? framebuffer_release+0x2c/0x40 [ 44.111300] ? report_bug+0x182/0x1b0 [ 44.111303] ? handle_bug+0x6e/0xb0 [ 44.111306] ? exc_invalid_op+0x18/0x80 [ 44.111308] ? asm_exc_invalid_op+0x1b/0x20 [ 44.111311] ? framebuffer_release+0x2c/0x40 [ 44.111313] ? hvfb_remove+0x86/0xa0 [hyperv_fb] [ 44.111315] vmbus_remove+0x24/0x40 [hv_vmbus] [ 44.111323] device_remove+0x40/0x80 [ 44.111325] device_release_driver_internal+0x20b/0x270 [ 44.111327] ? bus_find_device+0xb3/0xf0 Fix this by moving the release of framebuffer and assosiated memory to fb_ops.fb_destroy function, so that framebuffer framework handles it gracefully. While we fix this, also replace manual registrations/unregistration of framebuffer with devm_register_framebuffer.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/4545e2aa121aea304…
	https://git.kernel.org/stable/c/a7b583dc99c6cf4a9…
	https://git.kernel.org/stable/c/ea2f45ab0e53b255f…

Impacted products

Vendor

Product

Version

Linux

Affected: 68a2d20b79b105f02dcbc52c211d7e62f98996b7 , < 4545e2aa121aea304d33903099c03e29ed4fe50a (git)
Affected: 68a2d20b79b105f02dcbc52c211d7e62f98996b7 , < a7b583dc99c6cf4a96877017be1d08247e1ef2c7 (git)
Affected: 68a2d20b79b105f02dcbc52c211d7e62f98996b7 , < ea2f45ab0e53b255f72c85ccd99e2b394fc5fceb (git)

Linux

Affected: 3.10
Unaffected: 0 , < 3.10 (semver)
Unaffected: 6.12.20 , ≤ 6.12.* (semver)
Unaffected: 6.13.8 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/video/fbdev/hyperv_fb.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "4545e2aa121aea304d33903099c03e29ed4fe50a",
              "status": "affected",
              "version": "68a2d20b79b105f02dcbc52c211d7e62f98996b7",
              "versionType": "git"
            },
            {
              "lessThan": "a7b583dc99c6cf4a96877017be1d08247e1ef2c7",
              "status": "affected",
              "version": "68a2d20b79b105f02dcbc52c211d7e62f98996b7",
              "versionType": "git"
            },
            {
              "lessThan": "ea2f45ab0e53b255f72c85ccd99e2b394fc5fceb",
              "status": "affected",
              "version": "68a2d20b79b105f02dcbc52c211d7e62f98996b7",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/video/fbdev/hyperv_fb.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.10"
            },
            {
              "lessThan": "3.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.20",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.20",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.8",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: hyperv_fb: Allow graceful removal of framebuffer\n\nWhen a Hyper-V framebuffer device is unbind, hyperv_fb driver tries to\nrelease the framebuffer forcefully. If this framebuffer is in use it\nproduce the following WARN and hence this framebuffer is never released.\n\n[   44.111220] WARNING: CPU: 35 PID: 1882 at drivers/video/fbdev/core/fb_info.c:70 framebuffer_release+0x2c/0x40\n\u003c snip \u003e\n[   44.111289] Call Trace:\n[   44.111290]  \u003cTASK\u003e\n[   44.111291]  ? show_regs+0x6c/0x80\n[   44.111295]  ? __warn+0x8d/0x150\n[   44.111298]  ? framebuffer_release+0x2c/0x40\n[   44.111300]  ? report_bug+0x182/0x1b0\n[   44.111303]  ? handle_bug+0x6e/0xb0\n[   44.111306]  ? exc_invalid_op+0x18/0x80\n[   44.111308]  ? asm_exc_invalid_op+0x1b/0x20\n[   44.111311]  ? framebuffer_release+0x2c/0x40\n[   44.111313]  ? hvfb_remove+0x86/0xa0 [hyperv_fb]\n[   44.111315]  vmbus_remove+0x24/0x40 [hv_vmbus]\n[   44.111323]  device_remove+0x40/0x80\n[   44.111325]  device_release_driver_internal+0x20b/0x270\n[   44.111327]  ? bus_find_device+0xb3/0xf0\n\nFix this by moving the release of framebuffer and assosiated memory\nto fb_ops.fb_destroy function, so that framebuffer framework handles\nit gracefully.\n\nWhile we fix this, also replace manual registrations/unregistration of\nframebuffer with devm_register_framebuffer."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:26:20.310Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/4545e2aa121aea304d33903099c03e29ed4fe50a"
        },
        {
          "url": "https://git.kernel.org/stable/c/a7b583dc99c6cf4a96877017be1d08247e1ef2c7"
        },
        {
          "url": "https://git.kernel.org/stable/c/ea2f45ab0e53b255f72c85ccd99e2b394fc5fceb"
        }
      ],
      "title": "fbdev: hyperv_fb: Allow graceful removal of framebuffer",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21976",
    "datePublished": "2025-04-01T15:47:07.120Z",
    "dateReserved": "2024-12-29T08:45:45.798Z",
    "dateUpdated": "2025-05-04T07:26:20.310Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38004 (GCVE-0-2025-38004)

Vulnerability from cvelistv5 – Published: 2025-06-08 10:34 – Updated: 2025-11-03 17:33

Title

can: bcm: add locking for bcm_op runtime updates

Summary

In the Linux kernel, the following vulnerability has been resolved: can: bcm: add locking for bcm_op runtime updates The CAN broadcast manager (CAN BCM) can send a sequence of CAN frames via hrtimer. The content and also the length of the sequence can be changed resp reduced at runtime where the 'currframe' counter is then set to zero. Although this appeared to be a safe operation the updates of 'currframe' can be triggered from user space and hrtimer context in bcm_can_tx(). Anderson Nascimento created a proof of concept that triggered a KASAN slab-out-of-bounds read access which can be prevented with a spin_lock_bh. At the rework of bcm_can_tx() the 'count' variable has been moved into the protected section as this variable can be modified from both contexts too.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/8f1c022541bf5a923…
	https://git.kernel.org/stable/c/7595de7bc56e0e52b…
	https://git.kernel.org/stable/c/fbd8fdc2b218e979c…
	https://git.kernel.org/stable/c/2a437b86ac5a9893c…
	https://git.kernel.org/stable/c/76c84c3728178b2d3…
	https://git.kernel.org/stable/c/cc55dd28c20a6611e…
	https://git.kernel.org/stable/c/c4e8a172501e677eb…
	https://git.kernel.org/stable/c/c2aba69d0c36a496a…

Impacted products

Vendor

Product

Version

Linux

Affected: ffd980f976e7fd666c2e61bf8ab35107efd11828 , < 8f1c022541bf5a923c8d6fa483112c15250f30a4 (git)
Affected: ffd980f976e7fd666c2e61bf8ab35107efd11828 , < 7595de7bc56e0e52b74e56c90f7e247bf626d628 (git)
Affected: ffd980f976e7fd666c2e61bf8ab35107efd11828 , < fbd8fdc2b218e979cfe422b139b8f74c12419d1f (git)
Affected: ffd980f976e7fd666c2e61bf8ab35107efd11828 , < 2a437b86ac5a9893c902f30ef66815bf13587bf6 (git)
Affected: ffd980f976e7fd666c2e61bf8ab35107efd11828 , < 76c84c3728178b2d38d5604e399dfe8b0752645e (git)
Affected: ffd980f976e7fd666c2e61bf8ab35107efd11828 , < cc55dd28c20a6611e30596019b3b2f636819a4c0 (git)
Affected: ffd980f976e7fd666c2e61bf8ab35107efd11828 , < c4e8a172501e677ebd8ea9d9161d97dc4df56fbd (git)
Affected: ffd980f976e7fd666c2e61bf8ab35107efd11828 , < c2aba69d0c36a496ab4f2e81e9c2b271f2693fd7 (git)

Linux

Affected: 2.6.25
Unaffected: 0 , < 2.6.25 (semver)
Unaffected: 5.4.294 , ≤ 5.4.* (semver)
Unaffected: 5.10.238 , ≤ 5.10.* (semver)
Unaffected: 5.15.185 , ≤ 5.15.* (semver)
Unaffected: 6.1.141 , ≤ 6.1.* (semver)
Unaffected: 6.6.93 , ≤ 6.6.* (semver)
Unaffected: 6.12.31 , ≤ 6.12.* (semver)
Unaffected: 6.14.9 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:33:04.853Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/can/bcm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "8f1c022541bf5a923c8d6fa483112c15250f30a4",
              "status": "affected",
              "version": "ffd980f976e7fd666c2e61bf8ab35107efd11828",
              "versionType": "git"
            },
            {
              "lessThan": "7595de7bc56e0e52b74e56c90f7e247bf626d628",
              "status": "affected",
              "version": "ffd980f976e7fd666c2e61bf8ab35107efd11828",
              "versionType": "git"
            },
            {
              "lessThan": "fbd8fdc2b218e979cfe422b139b8f74c12419d1f",
              "status": "affected",
              "version": "ffd980f976e7fd666c2e61bf8ab35107efd11828",
              "versionType": "git"
            },
            {
              "lessThan": "2a437b86ac5a9893c902f30ef66815bf13587bf6",
              "status": "affected",
              "version": "ffd980f976e7fd666c2e61bf8ab35107efd11828",
              "versionType": "git"
            },
            {
              "lessThan": "76c84c3728178b2d38d5604e399dfe8b0752645e",
              "status": "affected",
              "version": "ffd980f976e7fd666c2e61bf8ab35107efd11828",
              "versionType": "git"
            },
            {
              "lessThan": "cc55dd28c20a6611e30596019b3b2f636819a4c0",
              "status": "affected",
              "version": "ffd980f976e7fd666c2e61bf8ab35107efd11828",
              "versionType": "git"
            },
            {
              "lessThan": "c4e8a172501e677ebd8ea9d9161d97dc4df56fbd",
              "status": "affected",
              "version": "ffd980f976e7fd666c2e61bf8ab35107efd11828",
              "versionType": "git"
            },
            {
              "lessThan": "c2aba69d0c36a496ab4f2e81e9c2b271f2693fd7",
              "status": "affected",
              "version": "ffd980f976e7fd666c2e61bf8ab35107efd11828",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/can/bcm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.25"
            },
            {
              "lessThan": "2.6.25",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.294",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.238",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.185",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.141",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.93",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.31",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.294",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.238",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.185",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.141",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.93",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.31",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.9",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: bcm: add locking for bcm_op runtime updates\n\nThe CAN broadcast manager (CAN BCM) can send a sequence of CAN frames via\nhrtimer. The content and also the length of the sequence can be changed\nresp reduced at runtime where the \u0027currframe\u0027 counter is then set to zero.\n\nAlthough this appeared to be a safe operation the updates of \u0027currframe\u0027\ncan be triggered from user space and hrtimer context in bcm_can_tx().\nAnderson Nascimento created a proof of concept that triggered a KASAN\nslab-out-of-bounds read access which can be prevented with a spin_lock_bh.\n\nAt the rework of bcm_can_tx() the \u0027count\u0027 variable has been moved into\nthe protected section as this variable can be modified from both contexts\ntoo."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-08T10:34:56.484Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/8f1c022541bf5a923c8d6fa483112c15250f30a4"
        },
        {
          "url": "https://git.kernel.org/stable/c/7595de7bc56e0e52b74e56c90f7e247bf626d628"
        },
        {
          "url": "https://git.kernel.org/stable/c/fbd8fdc2b218e979cfe422b139b8f74c12419d1f"
        },
        {
          "url": "https://git.kernel.org/stable/c/2a437b86ac5a9893c902f30ef66815bf13587bf6"
        },
        {
          "url": "https://git.kernel.org/stable/c/76c84c3728178b2d38d5604e399dfe8b0752645e"
        },
        {
          "url": "https://git.kernel.org/stable/c/cc55dd28c20a6611e30596019b3b2f636819a4c0"
        },
        {
          "url": "https://git.kernel.org/stable/c/c4e8a172501e677ebd8ea9d9161d97dc4df56fbd"
        },
        {
          "url": "https://git.kernel.org/stable/c/c2aba69d0c36a496ab4f2e81e9c2b271f2693fd7"
        }
      ],
      "title": "can: bcm: add locking for bcm_op runtime updates",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38004",
    "datePublished": "2025-06-08T10:34:56.484Z",
    "dateReserved": "2025-04-16T04:51:23.977Z",
    "dateUpdated": "2025-11-03T17:33:04.853Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38050 (GCVE-0-2025-38050)

Vulnerability from cvelistv5 – Published: 2025-06-18 09:33 – Updated: 2025-06-18 09:33

Title

mm/hugetlb: fix kernel NULL pointer dereference when replacing free hugetlb folios

Summary

In the Linux kernel, the following vulnerability has been resolved: mm/hugetlb: fix kernel NULL pointer dereference when replacing free hugetlb folios A kernel crash was observed when replacing free hugetlb folios: BUG: kernel NULL pointer dereference, address: 0000000000000028 PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 28 UID: 0 PID: 29639 Comm: test_cma.sh Tainted 6.15.0-rc6-zp #41 PREEMPT(voluntary) RIP: 0010:alloc_and_dissolve_hugetlb_folio+0x1d/0x1f0 RSP: 0018:ffffc9000b30fa90 EFLAGS: 00010286 RAX: 0000000000000000 RBX: 0000000000342cca RCX: ffffea0043000000 RDX: ffffc9000b30fb08 RSI: ffffea0043000000 RDI: 0000000000000000 RBP: ffffc9000b30fb20 R08: 0000000000001000 R09: 0000000000000000 R10: ffff88886f92eb00 R11: 0000000000000000 R12: ffffea0043000000 R13: 0000000000000000 R14: 00000000010c0200 R15: 0000000000000004 FS: 00007fcda5f14740(0000) GS:ffff8888ec1d8000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000028 CR3: 0000000391402000 CR4: 0000000000350ef0 Call Trace: <TASK> replace_free_hugepage_folios+0xb6/0x100 alloc_contig_range_noprof+0x18a/0x590 ? srso_return_thunk+0x5/0x5f ? down_read+0x12/0xa0 ? srso_return_thunk+0x5/0x5f cma_range_alloc.constprop.0+0x131/0x290 __cma_alloc+0xcf/0x2c0 cma_alloc_write+0x43/0xb0 simple_attr_write_xsigned.constprop.0.isra.0+0xb2/0x110 debugfs_attr_write+0x46/0x70 full_proxy_write+0x62/0xa0 vfs_write+0xf8/0x420 ? srso_return_thunk+0x5/0x5f ? filp_flush+0x86/0xa0 ? srso_return_thunk+0x5/0x5f ? filp_close+0x1f/0x30 ? srso_return_thunk+0x5/0x5f ? do_dup2+0xaf/0x160 ? srso_return_thunk+0x5/0x5f ksys_write+0x65/0xe0 do_syscall_64+0x64/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e There is a potential race between __update_and_free_hugetlb_folio() and replace_free_hugepage_folios(): CPU1 CPU2 __update_and_free_hugetlb_folio replace_free_hugepage_folios folio_test_hugetlb(folio) -- It's still hugetlb folio. __folio_clear_hugetlb(folio) hugetlb_free_folio(folio) h = folio_hstate(folio) -- Here, h is NULL pointer When the above race condition occurs, folio_hstate(folio) returns NULL, and subsequent access to this NULL pointer will cause the system to crash. To resolve this issue, execute folio_hstate(folio) under the protection of the hugetlb_lock lock, ensuring that folio_hstate(folio) does not return NULL.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/e97283978a9848190…
	https://git.kernel.org/stable/c/113ed54ad276c352e…

Impacted products

Vendor

Product

Version

Linux

Affected: 04f13d241b8b146b23038bffd907cb8278391d07 , < e97283978a9848190d451f7038ac399613445f79 (git)
Affected: 04f13d241b8b146b23038bffd907cb8278391d07 , < 113ed54ad276c352ee5ce109bdcf0df118a43bda (git)

Linux

Affected: 6.14
Unaffected: 0 , < 6.14 (semver)
Unaffected: 6.14.9 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "mm/hugetlb.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e97283978a9848190d451f7038ac399613445f79",
              "status": "affected",
              "version": "04f13d241b8b146b23038bffd907cb8278391d07",
              "versionType": "git"
            },
            {
              "lessThan": "113ed54ad276c352ee5ce109bdcf0df118a43bda",
              "status": "affected",
              "version": "04f13d241b8b146b23038bffd907cb8278391d07",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "mm/hugetlb.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.14"
            },
            {
              "lessThan": "6.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.9",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/hugetlb: fix kernel NULL pointer dereference when replacing free hugetlb folios\n\nA kernel crash was observed when replacing free hugetlb folios:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000028\nPGD 0 P4D 0\nOops: Oops: 0000 [#1] SMP NOPTI\nCPU: 28 UID: 0 PID: 29639 Comm: test_cma.sh Tainted 6.15.0-rc6-zp #41 PREEMPT(voluntary)\nRIP: 0010:alloc_and_dissolve_hugetlb_folio+0x1d/0x1f0\nRSP: 0018:ffffc9000b30fa90 EFLAGS: 00010286\nRAX: 0000000000000000 RBX: 0000000000342cca RCX: ffffea0043000000\nRDX: ffffc9000b30fb08 RSI: ffffea0043000000 RDI: 0000000000000000\nRBP: ffffc9000b30fb20 R08: 0000000000001000 R09: 0000000000000000\nR10: ffff88886f92eb00 R11: 0000000000000000 R12: ffffea0043000000\nR13: 0000000000000000 R14: 00000000010c0200 R15: 0000000000000004\nFS:  00007fcda5f14740(0000) GS:ffff8888ec1d8000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000028 CR3: 0000000391402000 CR4: 0000000000350ef0\nCall Trace:\n\u003cTASK\u003e\n replace_free_hugepage_folios+0xb6/0x100\n alloc_contig_range_noprof+0x18a/0x590\n ? srso_return_thunk+0x5/0x5f\n ? down_read+0x12/0xa0\n ? srso_return_thunk+0x5/0x5f\n cma_range_alloc.constprop.0+0x131/0x290\n __cma_alloc+0xcf/0x2c0\n cma_alloc_write+0x43/0xb0\n simple_attr_write_xsigned.constprop.0.isra.0+0xb2/0x110\n debugfs_attr_write+0x46/0x70\n full_proxy_write+0x62/0xa0\n vfs_write+0xf8/0x420\n ? srso_return_thunk+0x5/0x5f\n ? filp_flush+0x86/0xa0\n ? srso_return_thunk+0x5/0x5f\n ? filp_close+0x1f/0x30\n ? srso_return_thunk+0x5/0x5f\n ? do_dup2+0xaf/0x160\n ? srso_return_thunk+0x5/0x5f\n ksys_write+0x65/0xe0\n do_syscall_64+0x64/0x170\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nThere is a potential race between __update_and_free_hugetlb_folio() and\nreplace_free_hugepage_folios():\n\nCPU1                              CPU2\n__update_and_free_hugetlb_folio   replace_free_hugepage_folios\n                                    folio_test_hugetlb(folio)\n                                    -- It\u0027s still hugetlb folio.\n\n  __folio_clear_hugetlb(folio)\n  hugetlb_free_folio(folio)\n                                    h = folio_hstate(folio)\n                                    -- Here, h is NULL pointer\n\nWhen the above race condition occurs, folio_hstate(folio) returns NULL,\nand subsequent access to this NULL pointer will cause the system to crash.\nTo resolve this issue, execute folio_hstate(folio) under the protection\nof the hugetlb_lock lock, ensuring that folio_hstate(folio) does not\nreturn NULL."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-18T09:33:32.022Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e97283978a9848190d451f7038ac399613445f79"
        },
        {
          "url": "https://git.kernel.org/stable/c/113ed54ad276c352ee5ce109bdcf0df118a43bda"
        }
      ],
      "title": "mm/hugetlb: fix kernel NULL pointer dereference when replacing free hugetlb folios",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38050",
    "datePublished": "2025-06-18T09:33:32.022Z",
    "dateReserved": "2025-04-16T04:51:23.979Z",
    "dateUpdated": "2025-06-18T09:33:32.022Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21951 (GCVE-0-2025-21951)

Vulnerability from cvelistv5 – Published: 2025-04-01 15:41 – Updated: 2025-11-03 19:39

Title

bus: mhi: host: pci_generic: Use pci_try_reset_function() to avoid deadlock

Summary

In the Linux kernel, the following vulnerability has been resolved: bus: mhi: host: pci_generic: Use pci_try_reset_function() to avoid deadlock There are multiple places from where the recovery work gets scheduled asynchronously. Also, there are multiple places where the caller waits synchronously for the recovery to be completed. One such place is during the PM shutdown() callback. If the device is not alive during recovery_work, it will try to reset the device using pci_reset_function(). This function internally will take the device_lock() first before resetting the device. By this time, if the lock has already been acquired, then recovery_work will get stalled while waiting for the lock. And if the lock was already acquired by the caller which waits for the recovery_work to be completed, it will lead to deadlock. This is what happened on the X1E80100 CRD device when the device died before shutdown() callback. Driver core calls the driver's shutdown() callback while holding the device_lock() leading to deadlock. And this deadlock scenario can occur on other paths as well, like during the PM suspend() callback, where the driver core would hold the device_lock() before calling driver's suspend() callback. And if the recovery_work was already started, it could lead to deadlock. This is also observed on the X1E80100 CRD. So to fix both issues, use pci_try_reset_function() in recovery_work. This function first checks for the availability of the device_lock() before trying to reset the device. If the lock is available, it will acquire it and reset the device. Otherwise, it will return -EAGAIN. If that happens, recovery_work will fail with the error message "Recovery failed" as not much could be done.

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-667 - Improper Locking

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/7746f3bb8917fccb4…
	https://git.kernel.org/stable/c/7a5ffadd54fe2662f…
	https://git.kernel.org/stable/c/1f9eb7078bc6b5fb5…
	https://git.kernel.org/stable/c/985d3cf56d8745ca6…
	https://git.kernel.org/stable/c/62505657475c245c9…
	https://git.kernel.org/stable/c/a321d163de3d8aa38…

Impacted products

Vendor

Product

Version

Linux

Affected: 7389337f0a78ea099c47f0af08f64f20c52ab4ba , < 7746f3bb8917fccb4571a576f3837d80fc513054 (git)
Affected: 7389337f0a78ea099c47f0af08f64f20c52ab4ba , < 7a5ffadd54fe2662f5c99cdccf30144d060376f7 (git)
Affected: 7389337f0a78ea099c47f0af08f64f20c52ab4ba , < 1f9eb7078bc6b5fb5cbfbcb37c4bc01685332b95 (git)
Affected: 7389337f0a78ea099c47f0af08f64f20c52ab4ba , < 985d3cf56d8745ca637deee273929e01df449f85 (git)
Affected: 7389337f0a78ea099c47f0af08f64f20c52ab4ba , < 62505657475c245c9cd46e42ac01026d1e61f027 (git)
Affected: 7389337f0a78ea099c47f0af08f64f20c52ab4ba , < a321d163de3d8aa38a6449ab2becf4b1581aed96 (git)

Linux

Affected: 5.12
Unaffected: 0 , < 5.12 (semver)
Unaffected: 5.15.179 , ≤ 5.15.* (semver)
Unaffected: 6.1.131 , ≤ 6.1.* (semver)
Unaffected: 6.6.83 , ≤ 6.6.* (semver)
Unaffected: 6.12.19 , ≤ 6.12.* (semver)
Unaffected: 6.13.7 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21951",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T17:16:49.794913Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-667",
                "description": "CWE-667 Improper Locking",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T17:16:52.646Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:39:52.892Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/bus/mhi/host/pci_generic.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "7746f3bb8917fccb4571a576f3837d80fc513054",
              "status": "affected",
              "version": "7389337f0a78ea099c47f0af08f64f20c52ab4ba",
              "versionType": "git"
            },
            {
              "lessThan": "7a5ffadd54fe2662f5c99cdccf30144d060376f7",
              "status": "affected",
              "version": "7389337f0a78ea099c47f0af08f64f20c52ab4ba",
              "versionType": "git"
            },
            {
              "lessThan": "1f9eb7078bc6b5fb5cbfbcb37c4bc01685332b95",
              "status": "affected",
              "version": "7389337f0a78ea099c47f0af08f64f20c52ab4ba",
              "versionType": "git"
            },
            {
              "lessThan": "985d3cf56d8745ca637deee273929e01df449f85",
              "status": "affected",
              "version": "7389337f0a78ea099c47f0af08f64f20c52ab4ba",
              "versionType": "git"
            },
            {
              "lessThan": "62505657475c245c9cd46e42ac01026d1e61f027",
              "status": "affected",
              "version": "7389337f0a78ea099c47f0af08f64f20c52ab4ba",
              "versionType": "git"
            },
            {
              "lessThan": "a321d163de3d8aa38a6449ab2becf4b1581aed96",
              "status": "affected",
              "version": "7389337f0a78ea099c47f0af08f64f20c52ab4ba",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/bus/mhi/host/pci_generic.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.12"
            },
            {
              "lessThan": "5.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.131",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.83",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.19",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.131",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.83",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.19",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.7",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbus: mhi: host: pci_generic: Use pci_try_reset_function() to avoid deadlock\n\nThere are multiple places from where the recovery work gets scheduled\nasynchronously. Also, there are multiple places where the caller waits\nsynchronously for the recovery to be completed. One such place is during\nthe PM shutdown() callback.\n\nIf the device is not alive during recovery_work, it will try to reset the\ndevice using pci_reset_function(). This function internally will take the\ndevice_lock() first before resetting the device. By this time, if the lock\nhas already been acquired, then recovery_work will get stalled while\nwaiting for the lock. And if the lock was already acquired by the caller\nwhich waits for the recovery_work to be completed, it will lead to\ndeadlock.\n\nThis is what happened on the X1E80100 CRD device when the device died\nbefore shutdown() callback. Driver core calls the driver\u0027s shutdown()\ncallback while holding the device_lock() leading to deadlock.\n\nAnd this deadlock scenario can occur on other paths as well, like during\nthe PM suspend() callback, where the driver core would hold the\ndevice_lock() before calling driver\u0027s suspend() callback. And if the\nrecovery_work was already started, it could lead to deadlock. This is also\nobserved on the X1E80100 CRD.\n\nSo to fix both issues, use pci_try_reset_function() in recovery_work. This\nfunction first checks for the availability of the device_lock() before\ntrying to reset the device. If the lock is available, it will acquire it\nand reset the device. Otherwise, it will return -EAGAIN. If that happens,\nrecovery_work will fail with the error message \"Recovery failed\" as not\nmuch could be done."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:25:37.191Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/7746f3bb8917fccb4571a576f3837d80fc513054"
        },
        {
          "url": "https://git.kernel.org/stable/c/7a5ffadd54fe2662f5c99cdccf30144d060376f7"
        },
        {
          "url": "https://git.kernel.org/stable/c/1f9eb7078bc6b5fb5cbfbcb37c4bc01685332b95"
        },
        {
          "url": "https://git.kernel.org/stable/c/985d3cf56d8745ca637deee273929e01df449f85"
        },
        {
          "url": "https://git.kernel.org/stable/c/62505657475c245c9cd46e42ac01026d1e61f027"
        },
        {
          "url": "https://git.kernel.org/stable/c/a321d163de3d8aa38a6449ab2becf4b1581aed96"
        }
      ],
      "title": "bus: mhi: host: pci_generic: Use pci_try_reset_function() to avoid deadlock",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21951",
    "datePublished": "2025-04-01T15:41:11.487Z",
    "dateReserved": "2024-12-29T08:45:45.790Z",
    "dateUpdated": "2025-11-03T19:39:52.892Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38033 (GCVE-0-2025-38033)

Vulnerability from cvelistv5 – Published: 2025-06-18 09:33 – Updated: 2025-06-19 13:10

Title

x86/Kconfig: make CFI_AUTO_DEFAULT depend on !RUST or Rust >= 1.88

Summary

In the Linux kernel, the following vulnerability has been resolved: x86/Kconfig: make CFI_AUTO_DEFAULT depend on !RUST or Rust >= 1.88 Calling core::fmt::write() from rust code while FineIBT is enabled results in a kernel panic: [ 4614.199779] kernel BUG at arch/x86/kernel/cet.c:132! [ 4614.205343] Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI [ 4614.211781] CPU: 2 UID: 0 PID: 6057 Comm: dmabuf_dump Tainted: G U O 6.12.17-android16-0-g6ab38c534a43 #1 9da040f27673ec3945e23b998a0f8bd64c846599 [ 4614.227832] Tainted: [U]=USER, [O]=OOT_MODULE [ 4614.241247] RIP: 0010:do_kernel_cp_fault+0xea/0xf0 ... [ 4614.398144] RIP: 0010:_RNvXs5_NtNtNtCs3o2tGsuHyou_4core3fmt3num3impyNtB9_7Display3fmt+0x0/0x20 [ 4614.407792] Code: 48 f7 df 48 0f 48 f9 48 89 f2 89 c6 5d e9 18 fd ff ff 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 41 81 ea 14 61 af 2c 74 03 0f 0b 90 <66> 0f 1f 00 55 48 89 e5 48 89 f2 48 8b 3f be 01 00 00 00 5d e9 e7 [ 4614.428775] RSP: 0018:ffffb95acfa4ba68 EFLAGS: 00010246 [ 4614.434609] RAX: 0000000000000000 RBX: 0000000000000010 RCX: 0000000000000000 [ 4614.442587] RDX: 0000000000000007 RSI: ffffb95acfa4ba70 RDI: ffffb95acfa4bc88 [ 4614.450557] RBP: ffffb95acfa4bae0 R08: ffff0a00ffffff05 R09: 0000000000000070 [ 4614.458527] R10: 0000000000000000 R11: ffffffffab67eaf0 R12: ffffb95acfa4bcc8 [ 4614.466493] R13: ffffffffac5d50f0 R14: 0000000000000000 R15: 0000000000000000 [ 4614.474473] ? __cfi__RNvXs5_NtNtNtCs3o2tGsuHyou_4core3fmt3num3impyNtB9_7Display3fmt+0x10/0x10 [ 4614.484118] ? _RNvNtCs3o2tGsuHyou_4core3fmt5write+0x1d2/0x250 This happens because core::fmt::write() calls core::fmt::rt::Argument::fmt(), which currently has CFI disabled: library/core/src/fmt/rt.rs: 171 // FIXME: Transmuting formatter in new and indirectly branching to/calling 172 // it here is an explicit CFI violation. 173 #[allow(inline_no_sanitize)] 174 #[no_sanitize(cfi, kcfi)] 175 #[inline] 176 pub(super) unsafe fn fmt(&self, f: &mut Formatter<'_>) -> Result { This causes a Control Protection exception, because FineIBT has sealed off the original function's endbr64. This makes rust currently incompatible with FineIBT. Add a Kconfig dependency that prevents FineIBT from getting turned on by default if rust is enabled. [ Rust 1.88.0 (scheduled for 2025-06-26) should have this fixed [1], and thus we relaxed the condition with Rust >= 1.88. When `objtool` lands checking for this with e.g. [2], the plan is to ideally run that in upstream Rust's CI to prevent regressions early [3], since we do not control `core`'s source code. Alice tested the Rust PR backported to an older compiler. Peter would like that Rust provides a stable `core` which can be pulled into the kernel: "Relying on that much out of tree code is 'unfortunate'". - Miguel ] [ Reduced splat. - Miguel ]

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/5a8d073d87da4ad14…
	https://git.kernel.org/stable/c/6b9956d09382bcbd5…
	https://git.kernel.org/stable/c/5595c31c370957aab…

Impacted products

Vendor

Product

Version

Linux

Affected: d6f635bcaca8d38dfa47ee20658705f9eff156b5 , < 5a8d073d87da4ad1496b35adaee5719e94665d81 (git)
Affected: d6f635bcaca8d38dfa47ee20658705f9eff156b5 , < 6b9956d09382bcbd5fd260c4b60ec48680a4cffb (git)
Affected: d6f635bcaca8d38dfa47ee20658705f9eff156b5 , < 5595c31c370957aabe739ac3996aedba8267603f (git)

Linux

Affected: 6.11
Unaffected: 0 , < 6.11 (semver)
Unaffected: 6.12.31 , ≤ 6.12.* (semver)
Unaffected: 6.14.9 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/Kconfig"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5a8d073d87da4ad1496b35adaee5719e94665d81",
              "status": "affected",
              "version": "d6f635bcaca8d38dfa47ee20658705f9eff156b5",
              "versionType": "git"
            },
            {
              "lessThan": "6b9956d09382bcbd5fd260c4b60ec48680a4cffb",
              "status": "affected",
              "version": "d6f635bcaca8d38dfa47ee20658705f9eff156b5",
              "versionType": "git"
            },
            {
              "lessThan": "5595c31c370957aabe739ac3996aedba8267603f",
              "status": "affected",
              "version": "d6f635bcaca8d38dfa47ee20658705f9eff156b5",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/Kconfig"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.11"
            },
            {
              "lessThan": "6.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.31",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.31",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.9",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/Kconfig: make CFI_AUTO_DEFAULT depend on !RUST or Rust \u003e= 1.88\n\nCalling core::fmt::write() from rust code while FineIBT is enabled\nresults in a kernel panic:\n\n[ 4614.199779] kernel BUG at arch/x86/kernel/cet.c:132!\n[ 4614.205343] Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n[ 4614.211781] CPU: 2 UID: 0 PID: 6057 Comm: dmabuf_dump Tainted: G     U     O       6.12.17-android16-0-g6ab38c534a43 #1 9da040f27673ec3945e23b998a0f8bd64c846599\n[ 4614.227832] Tainted: [U]=USER, [O]=OOT_MODULE\n[ 4614.241247] RIP: 0010:do_kernel_cp_fault+0xea/0xf0\n...\n[ 4614.398144] RIP: 0010:_RNvXs5_NtNtNtCs3o2tGsuHyou_4core3fmt3num3impyNtB9_7Display3fmt+0x0/0x20\n[ 4614.407792] Code: 48 f7 df 48 0f 48 f9 48 89 f2 89 c6 5d e9 18 fd ff ff 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 41 81 ea 14 61 af 2c 74 03 0f 0b 90 \u003c66\u003e 0f 1f 00 55 48 89 e5 48 89 f2 48 8b 3f be 01 00 00 00 5d e9 e7\n[ 4614.428775] RSP: 0018:ffffb95acfa4ba68 EFLAGS: 00010246\n[ 4614.434609] RAX: 0000000000000000 RBX: 0000000000000010 RCX: 0000000000000000\n[ 4614.442587] RDX: 0000000000000007 RSI: ffffb95acfa4ba70 RDI: ffffb95acfa4bc88\n[ 4614.450557] RBP: ffffb95acfa4bae0 R08: ffff0a00ffffff05 R09: 0000000000000070\n[ 4614.458527] R10: 0000000000000000 R11: ffffffffab67eaf0 R12: ffffb95acfa4bcc8\n[ 4614.466493] R13: ffffffffac5d50f0 R14: 0000000000000000 R15: 0000000000000000\n[ 4614.474473]  ? __cfi__RNvXs5_NtNtNtCs3o2tGsuHyou_4core3fmt3num3impyNtB9_7Display3fmt+0x10/0x10\n[ 4614.484118]  ? _RNvNtCs3o2tGsuHyou_4core3fmt5write+0x1d2/0x250\n\nThis happens because core::fmt::write() calls\ncore::fmt::rt::Argument::fmt(), which currently has CFI disabled:\n\nlibrary/core/src/fmt/rt.rs:\n171     // FIXME: Transmuting formatter in new and indirectly branching to/calling\n172     // it here is an explicit CFI violation.\n173     #[allow(inline_no_sanitize)]\n174     #[no_sanitize(cfi, kcfi)]\n175     #[inline]\n176     pub(super) unsafe fn fmt(\u0026self, f: \u0026mut Formatter\u003c\u0027_\u003e) -\u003e Result {\n\nThis causes a Control Protection exception, because FineIBT has sealed\noff the original function\u0027s endbr64.\n\nThis makes rust currently incompatible with FineIBT. Add a Kconfig\ndependency that prevents FineIBT from getting turned on by default\nif rust is enabled.\n\n[ Rust 1.88.0 (scheduled for 2025-06-26) should have this fixed [1],\n  and thus we relaxed the condition with Rust \u003e= 1.88.\n\n  When `objtool` lands checking for this with e.g. [2], the plan is\n  to ideally run that in upstream Rust\u0027s CI to prevent regressions\n  early [3], since we do not control `core`\u0027s source code.\n\n  Alice tested the Rust PR backported to an older compiler.\n\n  Peter would like that Rust provides a stable `core` which can be\n  pulled into the kernel: \"Relying on that much out of tree code is\n  \u0027unfortunate\u0027\".\n\n    - Miguel ]\n\n[ Reduced splat. - Miguel ]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-19T13:10:55.693Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/5a8d073d87da4ad1496b35adaee5719e94665d81"
        },
        {
          "url": "https://git.kernel.org/stable/c/6b9956d09382bcbd5fd260c4b60ec48680a4cffb"
        },
        {
          "url": "https://git.kernel.org/stable/c/5595c31c370957aabe739ac3996aedba8267603f"
        }
      ],
      "title": "x86/Kconfig: make CFI_AUTO_DEFAULT depend on !RUST or Rust \u003e= 1.88",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38033",
    "datePublished": "2025-06-18T09:33:20.195Z",
    "dateReserved": "2025-04-16T04:51:23.978Z",
    "dateUpdated": "2025-06-19T13:10:55.693Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21872 (GCVE-0-2025-21872)

Vulnerability from cvelistv5 – Published: 2025-03-27 14:57 – Updated: 2025-11-03 19:38

Title

efi: Don't map the entire mokvar table to determine its size

Summary

In the Linux kernel, the following vulnerability has been resolved: efi: Don't map the entire mokvar table to determine its size Currently, when validating the mokvar table, we (re)map the entire table on each iteration of the loop, adding space as we discover new entries. If the table grows over a certain size, this fails due to limitations of early_memmap(), and we get a failure and traceback: ------------[ cut here ]------------ WARNING: CPU: 0 PID: 0 at mm/early_ioremap.c:139 __early_ioremap+0xef/0x220 ... Call Trace: <TASK> ? __early_ioremap+0xef/0x220 ? __warn.cold+0x93/0xfa ? __early_ioremap+0xef/0x220 ? report_bug+0xff/0x140 ? early_fixup_exception+0x5d/0xb0 ? early_idt_handler_common+0x2f/0x3a ? __early_ioremap+0xef/0x220 ? efi_mokvar_table_init+0xce/0x1d0 ? setup_arch+0x864/0xc10 ? start_kernel+0x6b/0xa10 ? x86_64_start_reservations+0x24/0x30 ? x86_64_start_kernel+0xed/0xf0 ? common_startup_64+0x13e/0x141 </TASK> ---[ end trace 0000000000000000 ]--- mokvar: Failed to map EFI MOKvar config table pa=0x7c4c3000, size=265187. Mapping the entire structure isn't actually necessary, as we don't ever need more than one entry header mapped at once. Changes efi_mokvar_table_init() to only map each entry header, not the entire table, when determining the table size. Since we're not mapping any data past the variable name, it also changes the code to enforce that each variable name is NUL terminated, rather than attempting to verify it in place.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/46c0454ffb78ce9d3…
	https://git.kernel.org/stable/c/ea3f0b362dfe4ef88…
	https://git.kernel.org/stable/c/65f4aebb8127708ba…
	https://git.kernel.org/stable/c/97bd560b6cc4c2638…
	https://git.kernel.org/stable/c/2b90e7ace79774a35…

Impacted products

Vendor

Product

Version

Linux

Affected: 58c909022a5a56cd1d9e89c8c5461fd1f6a27bb5 , < 46c0454ffb78ce9d3355a3cccac86383ea8ddd55 (git)
Affected: 58c909022a5a56cd1d9e89c8c5461fd1f6a27bb5 , < ea3f0b362dfe4ef885ef812bfaf4088176422c91 (git)
Affected: 58c909022a5a56cd1d9e89c8c5461fd1f6a27bb5 , < 65f4aebb8127708ba668dd938e83b8558abfc5cd (git)
Affected: 58c909022a5a56cd1d9e89c8c5461fd1f6a27bb5 , < 97bd560b6cc4c26386a53b4881bf03e96f9ba03a (git)
Affected: 58c909022a5a56cd1d9e89c8c5461fd1f6a27bb5 , < 2b90e7ace79774a3540ce569e000388f8d22c9e0 (git)

Linux

Affected: 5.10
Unaffected: 0 , < 5.10 (semver)
Unaffected: 5.10.235 , ≤ 5.10.* (semver)
Unaffected: 6.6.83 , ≤ 6.6.* (semver)
Unaffected: 6.12.18 , ≤ 6.12.* (semver)
Unaffected: 6.13.6 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:38:28.965Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/firmware/efi/mokvar-table.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "46c0454ffb78ce9d3355a3cccac86383ea8ddd55",
              "status": "affected",
              "version": "58c909022a5a56cd1d9e89c8c5461fd1f6a27bb5",
              "versionType": "git"
            },
            {
              "lessThan": "ea3f0b362dfe4ef885ef812bfaf4088176422c91",
              "status": "affected",
              "version": "58c909022a5a56cd1d9e89c8c5461fd1f6a27bb5",
              "versionType": "git"
            },
            {
              "lessThan": "65f4aebb8127708ba668dd938e83b8558abfc5cd",
              "status": "affected",
              "version": "58c909022a5a56cd1d9e89c8c5461fd1f6a27bb5",
              "versionType": "git"
            },
            {
              "lessThan": "97bd560b6cc4c26386a53b4881bf03e96f9ba03a",
              "status": "affected",
              "version": "58c909022a5a56cd1d9e89c8c5461fd1f6a27bb5",
              "versionType": "git"
            },
            {
              "lessThan": "2b90e7ace79774a3540ce569e000388f8d22c9e0",
              "status": "affected",
              "version": "58c909022a5a56cd1d9e89c8c5461fd1f6a27bb5",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/firmware/efi/mokvar-table.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.10"
            },
            {
              "lessThan": "5.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.83",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.18",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.83",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.18",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.6",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nefi: Don\u0027t map the entire mokvar table to determine its size\n\nCurrently, when validating the mokvar table, we (re)map the entire table\non each iteration of the loop, adding space as we discover new entries.\nIf the table grows over a certain size, this fails due to limitations of\nearly_memmap(), and we get a failure and traceback:\n\n  ------------[ cut here ]------------\n  WARNING: CPU: 0 PID: 0 at mm/early_ioremap.c:139 __early_ioremap+0xef/0x220\n  ...\n  Call Trace:\n   \u003cTASK\u003e\n   ? __early_ioremap+0xef/0x220\n   ? __warn.cold+0x93/0xfa\n   ? __early_ioremap+0xef/0x220\n   ? report_bug+0xff/0x140\n   ? early_fixup_exception+0x5d/0xb0\n   ? early_idt_handler_common+0x2f/0x3a\n   ? __early_ioremap+0xef/0x220\n   ? efi_mokvar_table_init+0xce/0x1d0\n   ? setup_arch+0x864/0xc10\n   ? start_kernel+0x6b/0xa10\n   ? x86_64_start_reservations+0x24/0x30\n   ? x86_64_start_kernel+0xed/0xf0\n   ? common_startup_64+0x13e/0x141\n   \u003c/TASK\u003e\n  ---[ end trace 0000000000000000 ]---\n  mokvar: Failed to map EFI MOKvar config table pa=0x7c4c3000, size=265187.\n\nMapping the entire structure isn\u0027t actually necessary, as we don\u0027t ever\nneed more than one entry header mapped at once.\n\nChanges efi_mokvar_table_init() to only map each entry header, not the\nentire table, when determining the table size.  Since we\u0027re not mapping\nany data past the variable name, it also changes the code to enforce\nthat each variable name is NUL terminated, rather than attempting to\nverify it in place."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-10T16:48:44.937Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/46c0454ffb78ce9d3355a3cccac86383ea8ddd55"
        },
        {
          "url": "https://git.kernel.org/stable/c/ea3f0b362dfe4ef885ef812bfaf4088176422c91"
        },
        {
          "url": "https://git.kernel.org/stable/c/65f4aebb8127708ba668dd938e83b8558abfc5cd"
        },
        {
          "url": "https://git.kernel.org/stable/c/97bd560b6cc4c26386a53b4881bf03e96f9ba03a"
        },
        {
          "url": "https://git.kernel.org/stable/c/2b90e7ace79774a3540ce569e000388f8d22c9e0"
        }
      ],
      "title": "efi: Don\u0027t map the entire mokvar table to determine its size",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21872",
    "datePublished": "2025-03-27T14:57:04.206Z",
    "dateReserved": "2024-12-29T08:45:45.781Z",
    "dateUpdated": "2025-11-03T19:38:28.965Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38103 (GCVE-0-2025-38103)

Vulnerability from cvelistv5 – Published: 2025-07-03 08:35 – Updated: 2025-11-03 17:34

Title

HID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse()

Summary

In the Linux kernel, the following vulnerability has been resolved: HID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse() Update struct hid_descriptor to better reflect the mandatory and optional parts of the HID Descriptor as per USB HID 1.11 specification. Note: the kernel currently does not parse any optional HID class descriptors, only the mandatory report descriptor. Update all references to member element desc[0] to rpt_desc. Add test to verify bLength and bNumDescriptors values are valid. Replace the for loop with direct access to the mandatory HID class descriptor member for the report descriptor. This eliminates the possibility of getting an out-of-bounds fault. Add a warning message if the HID descriptor contains any unsupported optional HID class descriptors.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/7a6d6b68db128da20…
	https://git.kernel.org/stable/c/41827a2dbdd7880df…
	https://git.kernel.org/stable/c/1df80d748f984290c…
	https://git.kernel.org/stable/c/a8f842534807985d3…
	https://git.kernel.org/stable/c/4fa7831cf0ac71a0a…
	https://git.kernel.org/stable/c/74388368927e9c52a…
	https://git.kernel.org/stable/c/485e1b741eb838cbe…
	https://git.kernel.org/stable/c/fe7f7ac8e0c708446…

Impacted products

Vendor

Product

Version

Linux

Affected: f043bfc98c193c284e2cd768fefabe18ac2fed9b , < 7a6d6b68db128da2078ccd9a751dfa3f75c9cf5b (git)
Affected: f043bfc98c193c284e2cd768fefabe18ac2fed9b , < 41827a2dbdd7880df9881506dee13bc88d4230bb (git)
Affected: f043bfc98c193c284e2cd768fefabe18ac2fed9b , < 1df80d748f984290c895e843401824215dcfbfb0 (git)
Affected: f043bfc98c193c284e2cd768fefabe18ac2fed9b , < a8f842534807985d3a676006d140541b87044345 (git)
Affected: f043bfc98c193c284e2cd768fefabe18ac2fed9b , < 4fa7831cf0ac71a0a345369d1a6084f2b096e55e (git)
Affected: f043bfc98c193c284e2cd768fefabe18ac2fed9b , < 74388368927e9c52a69524af5bbd6c55eb4690de (git)
Affected: f043bfc98c193c284e2cd768fefabe18ac2fed9b , < 485e1b741eb838cbe1d6b0e81e5ab62ae6c095cf (git)
Affected: f043bfc98c193c284e2cd768fefabe18ac2fed9b , < fe7f7ac8e0c708446ff017453add769ffc15deed (git)
Affected: 99de0781e0de7c866f762b931351c2a501c3074f (git)
Affected: 8d675aa967d3927ac100f7af48f2a2af8a041d2d (git)
Affected: f4cf5d75416ae3d79e03179fe6f4b9f1231ae42c (git)
Affected: 439f76690d7d5dd212ea7bebc1f2fa077e3d645d (git)
Affected: 2929cb995378205bceda86d6fd3cbc22e522f97f (git)
Affected: 57265cddde308292af881ce634a5378dd4e25900 (git)
Affected: 984154e7eef1f9e543dabd7422cfc99015778732 (git)

Linux

Affected: 4.14
Unaffected: 0 , < 4.14 (semver)
Unaffected: 5.4.295 , ≤ 5.4.* (semver)
Unaffected: 5.10.239 , ≤ 5.10.* (semver)
Unaffected: 5.15.186 , ≤ 5.15.* (semver)
Unaffected: 6.1.142 , ≤ 6.1.* (semver)
Unaffected: 6.6.94 , ≤ 6.6.* (semver)
Unaffected: 6.12.34 , ≤ 6.12.* (semver)
Unaffected: 6.15.3 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:34:07.793Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/hid/hid-hyperv.c",
            "drivers/hid/usbhid/hid-core.c",
            "drivers/usb/gadget/function/f_hid.c",
            "include/linux/hid.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "7a6d6b68db128da2078ccd9a751dfa3f75c9cf5b",
              "status": "affected",
              "version": "f043bfc98c193c284e2cd768fefabe18ac2fed9b",
              "versionType": "git"
            },
            {
              "lessThan": "41827a2dbdd7880df9881506dee13bc88d4230bb",
              "status": "affected",
              "version": "f043bfc98c193c284e2cd768fefabe18ac2fed9b",
              "versionType": "git"
            },
            {
              "lessThan": "1df80d748f984290c895e843401824215dcfbfb0",
              "status": "affected",
              "version": "f043bfc98c193c284e2cd768fefabe18ac2fed9b",
              "versionType": "git"
            },
            {
              "lessThan": "a8f842534807985d3a676006d140541b87044345",
              "status": "affected",
              "version": "f043bfc98c193c284e2cd768fefabe18ac2fed9b",
              "versionType": "git"
            },
            {
              "lessThan": "4fa7831cf0ac71a0a345369d1a6084f2b096e55e",
              "status": "affected",
              "version": "f043bfc98c193c284e2cd768fefabe18ac2fed9b",
              "versionType": "git"
            },
            {
              "lessThan": "74388368927e9c52a69524af5bbd6c55eb4690de",
              "status": "affected",
              "version": "f043bfc98c193c284e2cd768fefabe18ac2fed9b",
              "versionType": "git"
            },
            {
              "lessThan": "485e1b741eb838cbe1d6b0e81e5ab62ae6c095cf",
              "status": "affected",
              "version": "f043bfc98c193c284e2cd768fefabe18ac2fed9b",
              "versionType": "git"
            },
            {
              "lessThan": "fe7f7ac8e0c708446ff017453add769ffc15deed",
              "status": "affected",
              "version": "f043bfc98c193c284e2cd768fefabe18ac2fed9b",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "99de0781e0de7c866f762b931351c2a501c3074f",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "8d675aa967d3927ac100f7af48f2a2af8a041d2d",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "f4cf5d75416ae3d79e03179fe6f4b9f1231ae42c",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "439f76690d7d5dd212ea7bebc1f2fa077e3d645d",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "2929cb995378205bceda86d6fd3cbc22e522f97f",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "57265cddde308292af881ce634a5378dd4e25900",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "984154e7eef1f9e543dabd7422cfc99015778732",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/hid/hid-hyperv.c",
            "drivers/hid/usbhid/hid-core.c",
            "drivers/usb/gadget/function/f_hid.c",
            "include/linux/hid.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.14"
            },
            {
              "lessThan": "4.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.295",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.295",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.94",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.2.95",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.16.50",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.18.76",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.1.46",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.4.93",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.9.57",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.13.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse()\n\nUpdate struct hid_descriptor to better reflect the mandatory and\noptional parts of the HID Descriptor as per USB HID 1.11 specification.\nNote: the kernel currently does not parse any optional HID class\ndescriptors, only the mandatory report descriptor.\n\nUpdate all references to member element desc[0] to rpt_desc.\n\nAdd test to verify bLength and bNumDescriptors values are valid.\n\nReplace the for loop with direct access to the mandatory HID class\ndescriptor member for the report descriptor. This eliminates the\npossibility of getting an out-of-bounds fault.\n\nAdd a warning message if the HID descriptor contains any unsupported\noptional HID class descriptors."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:12:18.213Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/7a6d6b68db128da2078ccd9a751dfa3f75c9cf5b"
        },
        {
          "url": "https://git.kernel.org/stable/c/41827a2dbdd7880df9881506dee13bc88d4230bb"
        },
        {
          "url": "https://git.kernel.org/stable/c/1df80d748f984290c895e843401824215dcfbfb0"
        },
        {
          "url": "https://git.kernel.org/stable/c/a8f842534807985d3a676006d140541b87044345"
        },
        {
          "url": "https://git.kernel.org/stable/c/4fa7831cf0ac71a0a345369d1a6084f2b096e55e"
        },
        {
          "url": "https://git.kernel.org/stable/c/74388368927e9c52a69524af5bbd6c55eb4690de"
        },
        {
          "url": "https://git.kernel.org/stable/c/485e1b741eb838cbe1d6b0e81e5ab62ae6c095cf"
        },
        {
          "url": "https://git.kernel.org/stable/c/fe7f7ac8e0c708446ff017453add769ffc15deed"
        }
      ],
      "title": "HID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38103",
    "datePublished": "2025-07-03T08:35:13.941Z",
    "dateReserved": "2025-04-16T04:51:23.985Z",
    "dateUpdated": "2025-11-03T17:34:07.793Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38307 (GCVE-0-2025-38307)

Vulnerability from cvelistv5 – Published: 2025-07-10 07:42 – Updated: 2025-07-28 04:18

Title

ASoC: Intel: avs: Verify content returned by parse_int_array()

Summary

In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel: avs: Verify content returned by parse_int_array() The first element of the returned array stores its length. If it is 0, any manipulation beyond the element at index 0 ends with null-ptr-deref.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/cc03c899e6d9812b2…
	https://git.kernel.org/stable/c/18ff538aac63de186…
	https://git.kernel.org/stable/c/2916794ffbce604cc…
	https://git.kernel.org/stable/c/93e246b6769bdacb0…

Impacted products

Vendor

Product

Version

Linux

Affected: 5a565ba23abe478f3d4c3b0c8798bcb5215b82f5 , < cc03c899e6d9812b25c3754c9a95c3830c4aec26 (git)
Affected: 5a565ba23abe478f3d4c3b0c8798bcb5215b82f5 , < 18ff538aac63de1866e5a49d57e22788b5c21d12 (git)
Affected: 5a565ba23abe478f3d4c3b0c8798bcb5215b82f5 , < 2916794ffbce604cc2cda105f6b8a4a7c748dd7f (git)
Affected: 5a565ba23abe478f3d4c3b0c8798bcb5215b82f5 , < 93e246b6769bdacb09cfff4ea0f00fe5ab4f0d7a (git)

Linux

Affected: 6.2
Unaffected: 0 , < 6.2 (semver)
Unaffected: 6.6.94 , ≤ 6.6.* (semver)
Unaffected: 6.12.34 , ≤ 6.12.* (semver)
Unaffected: 6.15.3 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "sound/soc/intel/avs/debugfs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "cc03c899e6d9812b25c3754c9a95c3830c4aec26",
              "status": "affected",
              "version": "5a565ba23abe478f3d4c3b0c8798bcb5215b82f5",
              "versionType": "git"
            },
            {
              "lessThan": "18ff538aac63de1866e5a49d57e22788b5c21d12",
              "status": "affected",
              "version": "5a565ba23abe478f3d4c3b0c8798bcb5215b82f5",
              "versionType": "git"
            },
            {
              "lessThan": "2916794ffbce604cc2cda105f6b8a4a7c748dd7f",
              "status": "affected",
              "version": "5a565ba23abe478f3d4c3b0c8798bcb5215b82f5",
              "versionType": "git"
            },
            {
              "lessThan": "93e246b6769bdacb09cfff4ea0f00fe5ab4f0d7a",
              "status": "affected",
              "version": "5a565ba23abe478f3d4c3b0c8798bcb5215b82f5",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "sound/soc/intel/avs/debugfs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.2"
            },
            {
              "lessThan": "6.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.94",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: Intel: avs: Verify content returned by parse_int_array()\n\nThe first element of the returned array stores its length. If it is 0,\nany manipulation beyond the element at index 0 ends with null-ptr-deref."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:18:10.079Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/cc03c899e6d9812b25c3754c9a95c3830c4aec26"
        },
        {
          "url": "https://git.kernel.org/stable/c/18ff538aac63de1866e5a49d57e22788b5c21d12"
        },
        {
          "url": "https://git.kernel.org/stable/c/2916794ffbce604cc2cda105f6b8a4a7c748dd7f"
        },
        {
          "url": "https://git.kernel.org/stable/c/93e246b6769bdacb09cfff4ea0f00fe5ab4f0d7a"
        }
      ],
      "title": "ASoC: Intel: avs: Verify content returned by parse_int_array()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38307",
    "datePublished": "2025-07-10T07:42:17.427Z",
    "dateReserved": "2025-04-16T04:51:24.003Z",
    "dateUpdated": "2025-07-28T04:18:10.079Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-39890 (GCVE-0-2025-39890)

Vulnerability from cvelistv5 – Published: 2025-09-24 11:02 – Updated: 2026-01-14 17:35

Title

wifi: ath12k: fix memory leak in ath12k_service_ready_ext_event

Summary

In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix memory leak in ath12k_service_ready_ext_event Currently, in ath12k_service_ready_ext_event(), svc_rdy_ext.mac_phy_caps is not freed in the failure case, causing a memory leak. The following trace is observed in kmemleak: unreferenced object 0xffff8b3eb5789c00 (size 1024): comm "softirq", pid 0, jiffies 4294942577 hex dump (first 32 bytes): 00 00 00 00 01 00 00 00 00 00 00 00 7b 00 00 10 ............{... 01 00 00 00 00 00 00 00 01 00 00 00 1f 38 00 00 .............8.. backtrace (crc 44e1c357): __kmalloc_noprof+0x30b/0x410 ath12k_wmi_mac_phy_caps_parse+0x84/0x100 [ath12k] ath12k_wmi_tlv_iter+0x5e/0x140 [ath12k] ath12k_wmi_svc_rdy_ext_parse+0x308/0x4c0 [ath12k] ath12k_wmi_tlv_iter+0x5e/0x140 [ath12k] ath12k_service_ready_ext_event.isra.0+0x44/0xd0 [ath12k] ath12k_wmi_op_rx+0x2eb/0xd70 [ath12k] ath12k_htc_rx_completion_handler+0x1f4/0x330 [ath12k] ath12k_ce_recv_process_cb+0x218/0x300 [ath12k] ath12k_pci_ce_workqueue+0x1b/0x30 [ath12k] process_one_work+0x219/0x680 bh_worker+0x198/0x1f0 tasklet_action+0x13/0x30 handle_softirqs+0xca/0x460 __irq_exit_rcu+0xbe/0x110 irq_exit_rcu+0x9/0x30 Free svc_rdy_ext.mac_phy_caps in the error case to fix this memory leak. Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-401 - Missing Release of Memory after Effective Lifetime

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/99dbad1b01d3b2f36…
	https://git.kernel.org/stable/c/3a392f874ac83a77a…
	https://git.kernel.org/stable/c/1089f65b2de78c783…
	https://git.kernel.org/stable/c/89142d34d5602c744…

Impacted products

Vendor

Product

Version

Linux

Affected: d889913205cf7ebda905b1e62c5867ed4e39f6c2 , < 99dbad1b01d3b2f361a9db55c1af1212be497a3d (git)
Affected: d889913205cf7ebda905b1e62c5867ed4e39f6c2 , < 3a392f874ac83a77ad0e53eb8aafdbeb787c9298 (git)
Affected: d889913205cf7ebda905b1e62c5867ed4e39f6c2 , < 1089f65b2de78c7837ef6b4f26146a5a5b0b9749 (git)
Affected: d889913205cf7ebda905b1e62c5867ed4e39f6c2 , < 89142d34d5602c7447827beb181fa06eb08b9d5c (git)

Linux

Affected: 6.3
Unaffected: 0 , < 6.3 (semver)
Unaffected: 6.6.94 , ≤ 6.6.* (semver)
Unaffected: 6.12.34 , ≤ 6.12.* (semver)
Unaffected: 6.15.3 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-39890",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-14T17:35:11.239595Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-401",
                "description": "CWE-401 Missing Release of Memory after Effective Lifetime",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-14T17:35:29.384Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/ath/ath12k/wmi.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "99dbad1b01d3b2f361a9db55c1af1212be497a3d",
              "status": "affected",
              "version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
              "versionType": "git"
            },
            {
              "lessThan": "3a392f874ac83a77ad0e53eb8aafdbeb787c9298",
              "status": "affected",
              "version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
              "versionType": "git"
            },
            {
              "lessThan": "1089f65b2de78c7837ef6b4f26146a5a5b0b9749",
              "status": "affected",
              "version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
              "versionType": "git"
            },
            {
              "lessThan": "89142d34d5602c7447827beb181fa06eb08b9d5c",
              "status": "affected",
              "version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/ath/ath12k/wmi.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.3"
            },
            {
              "lessThan": "6.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.94",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: fix memory leak in ath12k_service_ready_ext_event\n\nCurrently, in ath12k_service_ready_ext_event(), svc_rdy_ext.mac_phy_caps\nis not freed in the failure case, causing a memory leak. The following\ntrace is observed in kmemleak:\n\nunreferenced object 0xffff8b3eb5789c00 (size 1024):\n comm \"softirq\", pid 0, jiffies 4294942577\n hex dump (first 32 bytes):\n   00 00 00 00 01 00 00 00 00 00 00 00 7b 00 00 10  ............{...\n   01 00 00 00 00 00 00 00 01 00 00 00 1f 38 00 00  .............8..\n backtrace (crc 44e1c357):\n   __kmalloc_noprof+0x30b/0x410\n   ath12k_wmi_mac_phy_caps_parse+0x84/0x100 [ath12k]\n   ath12k_wmi_tlv_iter+0x5e/0x140 [ath12k]\n   ath12k_wmi_svc_rdy_ext_parse+0x308/0x4c0 [ath12k]\n   ath12k_wmi_tlv_iter+0x5e/0x140 [ath12k]\n   ath12k_service_ready_ext_event.isra.0+0x44/0xd0 [ath12k]\n   ath12k_wmi_op_rx+0x2eb/0xd70 [ath12k]\n   ath12k_htc_rx_completion_handler+0x1f4/0x330 [ath12k]\n   ath12k_ce_recv_process_cb+0x218/0x300 [ath12k]\n   ath12k_pci_ce_workqueue+0x1b/0x30 [ath12k]\n   process_one_work+0x219/0x680\n   bh_worker+0x198/0x1f0\n   tasklet_action+0x13/0x30\n   handle_softirqs+0xca/0x460\n   __irq_exit_rcu+0xbe/0x110\n   irq_exit_rcu+0x9/0x30\n\nFree svc_rdy_ext.mac_phy_caps in the error case to fix this memory leak.\n\nTested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-24T11:02:53.539Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/99dbad1b01d3b2f361a9db55c1af1212be497a3d"
        },
        {
          "url": "https://git.kernel.org/stable/c/3a392f874ac83a77ad0e53eb8aafdbeb787c9298"
        },
        {
          "url": "https://git.kernel.org/stable/c/1089f65b2de78c7837ef6b4f26146a5a5b0b9749"
        },
        {
          "url": "https://git.kernel.org/stable/c/89142d34d5602c7447827beb181fa06eb08b9d5c"
        }
      ],
      "title": "wifi: ath12k: fix memory leak in ath12k_service_ready_ext_event",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39890",
    "datePublished": "2025-09-24T11:02:53.539Z",
    "dateReserved": "2025-04-16T07:20:57.145Z",
    "dateUpdated": "2026-01-14T17:35:29.384Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38125 (GCVE-0-2025-38125)

Vulnerability from cvelistv5 – Published: 2025-07-03 08:35 – Updated: 2026-01-11 16:29

Title

net: stmmac: make sure that ptp_rate is not 0 before configuring EST

Summary

In the Linux kernel, the following vulnerability has been resolved: net: stmmac: make sure that ptp_rate is not 0 before configuring EST If the ptp_rate recorded earlier in the driver happens to be 0, this bogus value will propagate up to EST configuration, where it will trigger a division by 0. Prevent this division by 0 by adding the corresponding check and error code.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/b92ec4a848728460f…
	https://git.kernel.org/stable/c/451ee661d0f627201…
	https://git.kernel.org/stable/c/d5e3bfdba0dc41949…
	https://git.kernel.org/stable/c/cbefe2ffa7784525e…

Impacted products

Vendor

Product

Version

Linux

Affected: 8572aec3d0dc43045254fd1bf581fb980bfdbc4b , < b92ec4a848728460f181def33735605f154d438f (git)
Affected: 8572aec3d0dc43045254fd1bf581fb980bfdbc4b , < 451ee661d0f6272017fa012f99617101aa8ddf2c (git)
Affected: 8572aec3d0dc43045254fd1bf581fb980bfdbc4b , < d5e3bfdba0dc419499b801937128957f77503761 (git)
Affected: 8572aec3d0dc43045254fd1bf581fb980bfdbc4b , < cbefe2ffa7784525ec5d008ba87c7add19ec631a (git)

Linux

Affected: 5.6
Unaffected: 0 , < 5.6 (semver)
Unaffected: 6.6.120 , ≤ 6.6.* (semver)
Unaffected: 6.12.34 , ≤ 6.12.* (semver)
Unaffected: 6.15.3 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/stmicro/stmmac/stmmac_est.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b92ec4a848728460f181def33735605f154d438f",
              "status": "affected",
              "version": "8572aec3d0dc43045254fd1bf581fb980bfdbc4b",
              "versionType": "git"
            },
            {
              "lessThan": "451ee661d0f6272017fa012f99617101aa8ddf2c",
              "status": "affected",
              "version": "8572aec3d0dc43045254fd1bf581fb980bfdbc4b",
              "versionType": "git"
            },
            {
              "lessThan": "d5e3bfdba0dc419499b801937128957f77503761",
              "status": "affected",
              "version": "8572aec3d0dc43045254fd1bf581fb980bfdbc4b",
              "versionType": "git"
            },
            {
              "lessThan": "cbefe2ffa7784525ec5d008ba87c7add19ec631a",
              "status": "affected",
              "version": "8572aec3d0dc43045254fd1bf581fb980bfdbc4b",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/stmicro/stmmac/stmmac_est.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.6"
            },
            {
              "lessThan": "5.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.120",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: make sure that ptp_rate is not 0 before configuring EST\n\nIf the ptp_rate recorded earlier in the driver happens to be 0, this\nbogus value will propagate up to EST configuration, where it will\ntrigger a division by 0.\n\nPrevent this division by 0 by adding the corresponding check and error\ncode."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-11T16:29:19.166Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b92ec4a848728460f181def33735605f154d438f"
        },
        {
          "url": "https://git.kernel.org/stable/c/451ee661d0f6272017fa012f99617101aa8ddf2c"
        },
        {
          "url": "https://git.kernel.org/stable/c/d5e3bfdba0dc419499b801937128957f77503761"
        },
        {
          "url": "https://git.kernel.org/stable/c/cbefe2ffa7784525ec5d008ba87c7add19ec631a"
        }
      ],
      "title": "net: stmmac: make sure that ptp_rate is not 0 before configuring EST",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38125",
    "datePublished": "2025-07-03T08:35:31.176Z",
    "dateReserved": "2025-04-16T04:51:23.986Z",
    "dateUpdated": "2026-01-11T16:29:19.166Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38337 (GCVE-0-2025-38337)

Vulnerability from cvelistv5 – Published: 2025-07-10 08:15 – Updated: 2025-11-03 17:36

Title

jbd2: fix data-race and null-ptr-deref in jbd2_journal_dirty_metadata()

Summary

In the Linux kernel, the following vulnerability has been resolved: jbd2: fix data-race and null-ptr-deref in jbd2_journal_dirty_metadata() Since handle->h_transaction may be a NULL pointer, so we should change it to call is_handle_aborted(handle) first before dereferencing it. And the following data-race was reported in my fuzzer: ================================================================== BUG: KCSAN: data-race in jbd2_journal_dirty_metadata / jbd2_journal_dirty_metadata write to 0xffff888011024104 of 4 bytes by task 10881 on cpu 1: jbd2_journal_dirty_metadata+0x2a5/0x770 fs/jbd2/transaction.c:1556 __ext4_handle_dirty_metadata+0xe7/0x4b0 fs/ext4/ext4_jbd2.c:358 ext4_do_update_inode fs/ext4/inode.c:5220 [inline] ext4_mark_iloc_dirty+0x32c/0xd50 fs/ext4/inode.c:5869 __ext4_mark_inode_dirty+0xe1/0x450 fs/ext4/inode.c:6074 ext4_dirty_inode+0x98/0xc0 fs/ext4/inode.c:6103 .... read to 0xffff888011024104 of 4 bytes by task 10880 on cpu 0: jbd2_journal_dirty_metadata+0xf2/0x770 fs/jbd2/transaction.c:1512 __ext4_handle_dirty_metadata+0xe7/0x4b0 fs/ext4/ext4_jbd2.c:358 ext4_do_update_inode fs/ext4/inode.c:5220 [inline] ext4_mark_iloc_dirty+0x32c/0xd50 fs/ext4/inode.c:5869 __ext4_mark_inode_dirty+0xe1/0x450 fs/ext4/inode.c:6074 ext4_dirty_inode+0x98/0xc0 fs/ext4/inode.c:6103 .... value changed: 0x00000000 -> 0x00000001 ================================================================== This issue is caused by missing data-race annotation for jh->b_modified. Therefore, the missing annotation needs to be added.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/5c1a34ff5b0bfdfd2…
	https://git.kernel.org/stable/c/ec669e5bf409f16e4…
	https://git.kernel.org/stable/c/43d5e3bb5f1dcd91e…
	https://git.kernel.org/stable/c/23361b479f2700c00…
	https://git.kernel.org/stable/c/2e7c64d7a92c031d0…
	https://git.kernel.org/stable/c/f78b38af3540b4875…
	https://git.kernel.org/stable/c/a377996d714afb8d4…
	https://git.kernel.org/stable/c/af98b0157adf6504f…

Impacted products

Vendor

Product

Version

Linux

Affected: 6e06ae88edae77379bef7c0cb7d3c2dd88676867 , < 5c1a34ff5b0bfdfd2f9343aa9b08d25df618bac5 (git)
Affected: 6e06ae88edae77379bef7c0cb7d3c2dd88676867 , < ec669e5bf409f16e464bfad75f0ba039a45de29a (git)
Affected: 6e06ae88edae77379bef7c0cb7d3c2dd88676867 , < 43d5e3bb5f1dcd91e30238ea0b59a5f77063f84e (git)
Affected: 6e06ae88edae77379bef7c0cb7d3c2dd88676867 , < 23361b479f2700c00960d3ae9cdc8ededa762d47 (git)
Affected: 6e06ae88edae77379bef7c0cb7d3c2dd88676867 , < 2e7c64d7a92c031d016f11c8e8cb05131ab7b75a (git)
Affected: 6e06ae88edae77379bef7c0cb7d3c2dd88676867 , < f78b38af3540b4875147b7b884ee11a27b3dbf4c (git)
Affected: 6e06ae88edae77379bef7c0cb7d3c2dd88676867 , < a377996d714afb8d4d5f4906336f78510039da29 (git)
Affected: 6e06ae88edae77379bef7c0cb7d3c2dd88676867 , < af98b0157adf6504fade79b3e6cb260c4ff68e37 (git)

Linux

Affected: 4.3
Unaffected: 0 , < 4.3 (semver)
Unaffected: 5.4.295 , ≤ 5.4.* (semver)
Unaffected: 5.10.239 , ≤ 5.10.* (semver)
Unaffected: 5.15.186 , ≤ 5.15.* (semver)
Unaffected: 6.1.142 , ≤ 6.1.* (semver)
Unaffected: 6.6.95 , ≤ 6.6.* (semver)
Unaffected: 6.12.35 , ≤ 6.12.* (semver)
Unaffected: 6.15.4 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:36:47.615Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/jbd2/transaction.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5c1a34ff5b0bfdfd2f9343aa9b08d25df618bac5",
              "status": "affected",
              "version": "6e06ae88edae77379bef7c0cb7d3c2dd88676867",
              "versionType": "git"
            },
            {
              "lessThan": "ec669e5bf409f16e464bfad75f0ba039a45de29a",
              "status": "affected",
              "version": "6e06ae88edae77379bef7c0cb7d3c2dd88676867",
              "versionType": "git"
            },
            {
              "lessThan": "43d5e3bb5f1dcd91e30238ea0b59a5f77063f84e",
              "status": "affected",
              "version": "6e06ae88edae77379bef7c0cb7d3c2dd88676867",
              "versionType": "git"
            },
            {
              "lessThan": "23361b479f2700c00960d3ae9cdc8ededa762d47",
              "status": "affected",
              "version": "6e06ae88edae77379bef7c0cb7d3c2dd88676867",
              "versionType": "git"
            },
            {
              "lessThan": "2e7c64d7a92c031d016f11c8e8cb05131ab7b75a",
              "status": "affected",
              "version": "6e06ae88edae77379bef7c0cb7d3c2dd88676867",
              "versionType": "git"
            },
            {
              "lessThan": "f78b38af3540b4875147b7b884ee11a27b3dbf4c",
              "status": "affected",
              "version": "6e06ae88edae77379bef7c0cb7d3c2dd88676867",
              "versionType": "git"
            },
            {
              "lessThan": "a377996d714afb8d4d5f4906336f78510039da29",
              "status": "affected",
              "version": "6e06ae88edae77379bef7c0cb7d3c2dd88676867",
              "versionType": "git"
            },
            {
              "lessThan": "af98b0157adf6504fade79b3e6cb260c4ff68e37",
              "status": "affected",
              "version": "6e06ae88edae77379bef7c0cb7d3c2dd88676867",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/jbd2/transaction.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.3"
            },
            {
              "lessThan": "4.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.295",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.95",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.35",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.295",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.95",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.35",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.4",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\njbd2: fix data-race and null-ptr-deref in jbd2_journal_dirty_metadata()\n\nSince handle-\u003eh_transaction may be a NULL pointer, so we should change it\nto call is_handle_aborted(handle) first before dereferencing it.\n\nAnd the following data-race was reported in my fuzzer:\n\n==================================================================\nBUG: KCSAN: data-race in jbd2_journal_dirty_metadata / jbd2_journal_dirty_metadata\n\nwrite to 0xffff888011024104 of 4 bytes by task 10881 on cpu 1:\n jbd2_journal_dirty_metadata+0x2a5/0x770 fs/jbd2/transaction.c:1556\n __ext4_handle_dirty_metadata+0xe7/0x4b0 fs/ext4/ext4_jbd2.c:358\n ext4_do_update_inode fs/ext4/inode.c:5220 [inline]\n ext4_mark_iloc_dirty+0x32c/0xd50 fs/ext4/inode.c:5869\n __ext4_mark_inode_dirty+0xe1/0x450 fs/ext4/inode.c:6074\n ext4_dirty_inode+0x98/0xc0 fs/ext4/inode.c:6103\n....\n\nread to 0xffff888011024104 of 4 bytes by task 10880 on cpu 0:\n jbd2_journal_dirty_metadata+0xf2/0x770 fs/jbd2/transaction.c:1512\n __ext4_handle_dirty_metadata+0xe7/0x4b0 fs/ext4/ext4_jbd2.c:358\n ext4_do_update_inode fs/ext4/inode.c:5220 [inline]\n ext4_mark_iloc_dirty+0x32c/0xd50 fs/ext4/inode.c:5869\n __ext4_mark_inode_dirty+0xe1/0x450 fs/ext4/inode.c:6074\n ext4_dirty_inode+0x98/0xc0 fs/ext4/inode.c:6103\n....\n\nvalue changed: 0x00000000 -\u003e 0x00000001\n==================================================================\n\nThis issue is caused by missing data-race annotation for jh-\u003eb_modified.\nTherefore, the missing annotation needs to be added."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:19:18.470Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/5c1a34ff5b0bfdfd2f9343aa9b08d25df618bac5"
        },
        {
          "url": "https://git.kernel.org/stable/c/ec669e5bf409f16e464bfad75f0ba039a45de29a"
        },
        {
          "url": "https://git.kernel.org/stable/c/43d5e3bb5f1dcd91e30238ea0b59a5f77063f84e"
        },
        {
          "url": "https://git.kernel.org/stable/c/23361b479f2700c00960d3ae9cdc8ededa762d47"
        },
        {
          "url": "https://git.kernel.org/stable/c/2e7c64d7a92c031d016f11c8e8cb05131ab7b75a"
        },
        {
          "url": "https://git.kernel.org/stable/c/f78b38af3540b4875147b7b884ee11a27b3dbf4c"
        },
        {
          "url": "https://git.kernel.org/stable/c/a377996d714afb8d4d5f4906336f78510039da29"
        },
        {
          "url": "https://git.kernel.org/stable/c/af98b0157adf6504fade79b3e6cb260c4ff68e37"
        }
      ],
      "title": "jbd2: fix data-race and null-ptr-deref in jbd2_journal_dirty_metadata()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38337",
    "datePublished": "2025-07-10T08:15:08.396Z",
    "dateReserved": "2025-04-16T04:51:24.005Z",
    "dateUpdated": "2025-11-03T17:36:47.615Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38154 (GCVE-0-2025-38154)

Vulnerability from cvelistv5 – Published: 2025-07-03 08:35 – Updated: 2025-11-03 17:34

Title

bpf, sockmap: Avoid using sk_socket after free when sending

Summary

In the Linux kernel, the following vulnerability has been resolved: bpf, sockmap: Avoid using sk_socket after free when sending The sk->sk_socket is not locked or referenced in backlog thread, and during the call to skb_send_sock(), there is a race condition with the release of sk_socket. All types of sockets(tcp/udp/unix/vsock) will be affected. Race conditions: ''' CPU0 CPU1 backlog::skb_send_sock sendmsg_unlocked sock_sendmsg sock_sendmsg_nosec close(fd): ... ops->release() -> sock_map_close() sk_socket->ops = NULL free(socket) sock->ops->sendmsg ^ panic here ''' The ref of psock become 0 after sock_map_close() executed. ''' void sock_map_close() { ... if (likely(psock)) { ... // !! here we remove psock and the ref of psock become 0 sock_map_remove_links(sk, psock) psock = sk_psock_get(sk); if (unlikely(!psock)) goto no_psock; <=== Control jumps here via goto ... cancel_delayed_work_sync(&psock->work); <=== not executed sk_psock_put(sk, psock); ... } ''' Based on the fact that we already wait for the workqueue to finish in sock_map_close() if psock is held, we simply increase the psock reference count to avoid race conditions. With this patch, if the backlog thread is running, sock_map_close() will wait for the backlog thread to complete and cancel all pending work. If no backlog running, any pending work that hasn't started by then will fail when invoked by sk_psock_get(), as the psock reference count have been zeroed, and sk_psock_drop() will cancel all jobs via cancel_delayed_work_sync(). In summary, we require synchronization to coordinate the backlog thread and close() thread. The panic I catched: ''' Workqueue: events sk_psock_backlog RIP: 0010:sock_sendmsg+0x21d/0x440 RAX: 0000000000000000 RBX: ffffc9000521fad8 RCX: 0000000000000001 ... Call Trace: <TASK> ? die_addr+0x40/0xa0 ? exc_general_protection+0x14c/0x230 ? asm_exc_general_protection+0x26/0x30 ? sock_sendmsg+0x21d/0x440 ? sock_sendmsg+0x3e0/0x440 ? __pfx_sock_sendmsg+0x10/0x10 __skb_send_sock+0x543/0xb70 sk_psock_backlog+0x247/0xb80 ... '''

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/4edb40b05cb6a2617…
	https://git.kernel.org/stable/c/b19cbf0b9a91f5a0d…
	https://git.kernel.org/stable/c/4c6fa65ab2aec7df9…
	https://git.kernel.org/stable/c/15c0250dae3b48a39…
	https://git.kernel.org/stable/c/7c0a16f6ea2b1c82a…
	https://git.kernel.org/stable/c/8259eb0e06d8f64c7…

Impacted products

Vendor

Product

Version

Linux

Affected: 4959ffc65a0e94f8acaac20deac49f89e6ded52d , < 4edb40b05cb6a261775abfd8046804ca139a5546 (git)
Affected: 5eabdf17fed2ad41b836bb4055ec36d95e512c50 , < b19cbf0b9a91f5a0d93fbcd761ff71c48ab40ed9 (git)
Affected: e946428439a0d2079959f5603256ac51b6047017 , < 4c6fa65ab2aec7df94809478c8d28ef38676a1b7 (git)
Affected: 4b4647add7d3c8530493f7247d11e257ee425bf0 , < 15c0250dae3b48a398447d2b364603821ed4ed90 (git)
Affected: 4b4647add7d3c8530493f7247d11e257ee425bf0 , < 7c0a16f6ea2b1c82a03bccd5d1bdb4a7bbd4d987 (git)
Affected: 4b4647add7d3c8530493f7247d11e257ee425bf0 , < 8259eb0e06d8f64c700f5fbdb28a5c18e10de291 (git)
Affected: 3627605de498639a3c586c8684d12c89cba11073 (git)

Linux

Affected: 6.10
Unaffected: 0 , < 6.10 (semver)
Unaffected: 5.15.186 , ≤ 5.15.* (semver)
Unaffected: 6.1.142 , ≤ 6.1.* (semver)
Unaffected: 6.6.94 , ≤ 6.6.* (semver)
Unaffected: 6.12.34 , ≤ 6.12.* (semver)
Unaffected: 6.15.3 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:34:44.423Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/core/skmsg.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "4edb40b05cb6a261775abfd8046804ca139a5546",
              "status": "affected",
              "version": "4959ffc65a0e94f8acaac20deac49f89e6ded52d",
              "versionType": "git"
            },
            {
              "lessThan": "b19cbf0b9a91f5a0d93fbcd761ff71c48ab40ed9",
              "status": "affected",
              "version": "5eabdf17fed2ad41b836bb4055ec36d95e512c50",
              "versionType": "git"
            },
            {
              "lessThan": "4c6fa65ab2aec7df94809478c8d28ef38676a1b7",
              "status": "affected",
              "version": "e946428439a0d2079959f5603256ac51b6047017",
              "versionType": "git"
            },
            {
              "lessThan": "15c0250dae3b48a398447d2b364603821ed4ed90",
              "status": "affected",
              "version": "4b4647add7d3c8530493f7247d11e257ee425bf0",
              "versionType": "git"
            },
            {
              "lessThan": "7c0a16f6ea2b1c82a03bccd5d1bdb4a7bbd4d987",
              "status": "affected",
              "version": "4b4647add7d3c8530493f7247d11e257ee425bf0",
              "versionType": "git"
            },
            {
              "lessThan": "8259eb0e06d8f64c700f5fbdb28a5c18e10de291",
              "status": "affected",
              "version": "4b4647add7d3c8530493f7247d11e257ee425bf0",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "3627605de498639a3c586c8684d12c89cba11073",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/core/skmsg.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.10"
            },
            {
              "lessThan": "6.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "5.15.162",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "6.1.95",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.94",
                  "versionStartIncluding": "6.6.35",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.9.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Avoid using sk_socket after free when sending\n\nThe sk-\u003esk_socket is not locked or referenced in backlog thread, and\nduring the call to skb_send_sock(), there is a race condition with\nthe release of sk_socket. All types of sockets(tcp/udp/unix/vsock)\nwill be affected.\n\nRace conditions:\n\u0027\u0027\u0027\nCPU0                               CPU1\n\nbacklog::skb_send_sock\n  sendmsg_unlocked\n    sock_sendmsg\n      sock_sendmsg_nosec\n                                   close(fd):\n                                     ...\n                                     ops-\u003erelease() -\u003e sock_map_close()\n                                     sk_socket-\u003eops = NULL\n                                     free(socket)\n      sock-\u003eops-\u003esendmsg\n            ^\n            panic here\n\u0027\u0027\u0027\n\nThe ref of psock become 0 after sock_map_close() executed.\n\u0027\u0027\u0027\nvoid sock_map_close()\n{\n    ...\n    if (likely(psock)) {\n    ...\n    // !! here we remove psock and the ref of psock become 0\n    sock_map_remove_links(sk, psock)\n    psock = sk_psock_get(sk);\n    if (unlikely(!psock))\n        goto no_psock; \u003c=== Control jumps here via goto\n        ...\n        cancel_delayed_work_sync(\u0026psock-\u003ework); \u003c=== not executed\n        sk_psock_put(sk, psock);\n        ...\n}\n\u0027\u0027\u0027\n\nBased on the fact that we already wait for the workqueue to finish in\nsock_map_close() if psock is held, we simply increase the psock\nreference count to avoid race conditions.\n\nWith this patch, if the backlog thread is running, sock_map_close() will\nwait for the backlog thread to complete and cancel all pending work.\n\nIf no backlog running, any pending work that hasn\u0027t started by then will\nfail when invoked by sk_psock_get(), as the psock reference count have\nbeen zeroed, and sk_psock_drop() will cancel all jobs via\ncancel_delayed_work_sync().\n\nIn summary, we require synchronization to coordinate the backlog thread\nand close() thread.\n\nThe panic I catched:\n\u0027\u0027\u0027\nWorkqueue: events sk_psock_backlog\nRIP: 0010:sock_sendmsg+0x21d/0x440\nRAX: 0000000000000000 RBX: ffffc9000521fad8 RCX: 0000000000000001\n...\nCall Trace:\n \u003cTASK\u003e\n ? die_addr+0x40/0xa0\n ? exc_general_protection+0x14c/0x230\n ? asm_exc_general_protection+0x26/0x30\n ? sock_sendmsg+0x21d/0x440\n ? sock_sendmsg+0x3e0/0x440\n ? __pfx_sock_sendmsg+0x10/0x10\n __skb_send_sock+0x543/0xb70\n sk_psock_backlog+0x247/0xb80\n...\n\u0027\u0027\u0027"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:13:44.043Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/4edb40b05cb6a261775abfd8046804ca139a5546"
        },
        {
          "url": "https://git.kernel.org/stable/c/b19cbf0b9a91f5a0d93fbcd761ff71c48ab40ed9"
        },
        {
          "url": "https://git.kernel.org/stable/c/4c6fa65ab2aec7df94809478c8d28ef38676a1b7"
        },
        {
          "url": "https://git.kernel.org/stable/c/15c0250dae3b48a398447d2b364603821ed4ed90"
        },
        {
          "url": "https://git.kernel.org/stable/c/7c0a16f6ea2b1c82a03bccd5d1bdb4a7bbd4d987"
        },
        {
          "url": "https://git.kernel.org/stable/c/8259eb0e06d8f64c700f5fbdb28a5c18e10de291"
        }
      ],
      "title": "bpf, sockmap: Avoid using sk_socket after free when sending",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38154",
    "datePublished": "2025-07-03T08:35:57.188Z",
    "dateReserved": "2025-04-16T04:51:23.990Z",
    "dateUpdated": "2025-11-03T17:34:44.423Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38386 (GCVE-0-2025-38386)

Vulnerability from cvelistv5 – Published: 2025-07-25 12:53 – Updated: 2026-01-02 15:30

Title

ACPICA: Refuse to evaluate a method if arguments are missing

Summary

In the Linux kernel, the following vulnerability has been resolved: ACPICA: Refuse to evaluate a method if arguments are missing As reported in [1], a platform firmware update that increased the number of method parameters and forgot to update a least one of its callers, caused ACPICA to crash due to use-after-free. Since this a result of a clear AML issue that arguably cannot be fixed up by the interpreter (it cannot produce missing data out of thin air), address it by making ACPICA refuse to evaluate a method if the caller attempts to pass fewer arguments than expected to it.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/b49d224d1830c46e2…
	https://git.kernel.org/stable/c/2219e49857ffd6aea…
	https://git.kernel.org/stable/c/ab1e8491c19eb2ea0…
	https://git.kernel.org/stable/c/4305d936abde795c2…
	https://git.kernel.org/stable/c/d547779e72cea9865…
	https://git.kernel.org/stable/c/18ff4ed6a33a7e3f2…
	https://git.kernel.org/stable/c/c9e4da550ae196132…
	https://git.kernel.org/stable/c/6fcab2791543924d4…

Impacted products

Vendor

Product

Version

Linux

Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < b49d224d1830c46e20adce2a239c454cdab426f1 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 2219e49857ffd6aea1b1ca5214d3270f84623a16 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ab1e8491c19eb2ea0fda81ef28e841c7cb6399f5 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 4305d936abde795c2ef6ba916de8f00a50f64d2d (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < d547779e72cea9865b732cd45393c4cd02b3598e (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 18ff4ed6a33a7e3f2097710eacc96bea7696e803 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < c9e4da550ae196132b990bd77ed3d8f2d9747f87 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 6fcab2791543924d438e7fa49276d0998b0a069f (git)

Linux

Affected: 2.6.12
Unaffected: 0 , < 2.6.12 (semver)
Unaffected: 5.4.296 , ≤ 5.4.* (semver)
Unaffected: 5.10.240 , ≤ 5.10.* (semver)
Unaffected: 5.15.187 , ≤ 5.15.* (semver)
Unaffected: 6.1.144 , ≤ 6.1.* (semver)
Unaffected: 6.6.97 , ≤ 6.6.* (semver)
Unaffected: 6.12.37 , ≤ 6.12.* (semver)
Unaffected: 6.15.6 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:37:19.069Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/acpi/acpica/dsmethod.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b49d224d1830c46e20adce2a239c454cdab426f1",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "2219e49857ffd6aea1b1ca5214d3270f84623a16",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "ab1e8491c19eb2ea0fda81ef28e841c7cb6399f5",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "4305d936abde795c2ef6ba916de8f00a50f64d2d",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "d547779e72cea9865b732cd45393c4cd02b3598e",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "18ff4ed6a33a7e3f2097710eacc96bea7696e803",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "c9e4da550ae196132b990bd77ed3d8f2d9747f87",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "6fcab2791543924d438e7fa49276d0998b0a069f",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/acpi/acpica/dsmethod.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.296",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.240",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.187",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.144",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.97",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.37",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.296",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.240",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.187",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.144",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.97",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.37",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.6",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPICA: Refuse to evaluate a method if arguments are missing\n\nAs reported in [1], a platform firmware update that increased the number\nof method parameters and forgot to update a least one of its callers,\ncaused ACPICA to crash due to use-after-free.\n\nSince this a result of a clear AML issue that arguably cannot be fixed\nup by the interpreter (it cannot produce missing data out of thin air),\naddress it by making ACPICA refuse to evaluate a method if the caller\nattempts to pass fewer arguments than expected to it."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:30:32.467Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b49d224d1830c46e20adce2a239c454cdab426f1"
        },
        {
          "url": "https://git.kernel.org/stable/c/2219e49857ffd6aea1b1ca5214d3270f84623a16"
        },
        {
          "url": "https://git.kernel.org/stable/c/ab1e8491c19eb2ea0fda81ef28e841c7cb6399f5"
        },
        {
          "url": "https://git.kernel.org/stable/c/4305d936abde795c2ef6ba916de8f00a50f64d2d"
        },
        {
          "url": "https://git.kernel.org/stable/c/d547779e72cea9865b732cd45393c4cd02b3598e"
        },
        {
          "url": "https://git.kernel.org/stable/c/18ff4ed6a33a7e3f2097710eacc96bea7696e803"
        },
        {
          "url": "https://git.kernel.org/stable/c/c9e4da550ae196132b990bd77ed3d8f2d9747f87"
        },
        {
          "url": "https://git.kernel.org/stable/c/6fcab2791543924d438e7fa49276d0998b0a069f"
        }
      ],
      "title": "ACPICA: Refuse to evaluate a method if arguments are missing",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38386",
    "datePublished": "2025-07-25T12:53:27.229Z",
    "dateReserved": "2025-04-16T04:51:24.010Z",
    "dateUpdated": "2026-01-02T15:30:32.467Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21917 (GCVE-0-2025-21917)

Vulnerability from cvelistv5 – Published: 2025-04-01 15:40 – Updated: 2025-11-03 19:39

Title

usb: renesas_usbhs: Flush the notify_hotplug_work

Summary

In the Linux kernel, the following vulnerability has been resolved: usb: renesas_usbhs: Flush the notify_hotplug_work When performing continuous unbind/bind operations on the USB drivers available on the Renesas RZ/G2L SoC, a kernel crash with the message "Unable to handle kernel NULL pointer dereference at virtual address" may occur. This issue points to the usbhsc_notify_hotplug() function. Flush the delayed work to avoid its execution when driver resources are unavailable.

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-476 - NULL Pointer Dereference

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/4cd847a7b630a8549…
	https://git.kernel.org/stable/c/394965f90454d6f00…
	https://git.kernel.org/stable/c/3248c1f833f924246…
	https://git.kernel.org/stable/c/4ca078084cdd5f32d…
	https://git.kernel.org/stable/c/d50f5c0cd949593eb…
	https://git.kernel.org/stable/c/e5aac1c9b2974636d…
	https://git.kernel.org/stable/c/830818c8e70c0364e…
	https://git.kernel.org/stable/c/552ca6b87e3778f3d…

Impacted products

Vendor

Product

Version

Linux

Affected: bc57381e634782009b1cb2e86b18013699ada576 , < 4cd847a7b630a85493d0294ad9542c21aafaa246 (git)
Affected: bc57381e634782009b1cb2e86b18013699ada576 , < 394965f90454d6f00fe11879142b720c6c1a872e (git)
Affected: bc57381e634782009b1cb2e86b18013699ada576 , < 3248c1f833f924246cb98ce7da4569133c1b2292 (git)
Affected: bc57381e634782009b1cb2e86b18013699ada576 , < 4ca078084cdd5f32d533311d6a0b63a60dcadd41 (git)
Affected: bc57381e634782009b1cb2e86b18013699ada576 , < d50f5c0cd949593eb9a3d822b34d7b50046a06b7 (git)
Affected: bc57381e634782009b1cb2e86b18013699ada576 , < e5aac1c9b2974636db7ce796ffa6de88fa08335e (git)
Affected: bc57381e634782009b1cb2e86b18013699ada576 , < 830818c8e70c0364e377f0c243b28061ef7967eb (git)
Affected: bc57381e634782009b1cb2e86b18013699ada576 , < 552ca6b87e3778f3dd5b87842f95138162e16c82 (git)

Linux

Affected: 3.0
Unaffected: 0 , < 3.0 (semver)
Unaffected: 5.4.291 , ≤ 5.4.* (semver)
Unaffected: 5.10.235 , ≤ 5.10.* (semver)
Unaffected: 5.15.179 , ≤ 5.15.* (semver)
Unaffected: 6.1.131 , ≤ 6.1.* (semver)
Unaffected: 6.6.83 , ≤ 6.6.* (semver)
Unaffected: 6.12.19 , ≤ 6.12.* (semver)
Unaffected: 6.13.7 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21917",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:24:08.656222Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-476",
                "description": "CWE-476 NULL Pointer Dereference",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T19:26:34.122Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:39:08.336Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/renesas_usbhs/common.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "4cd847a7b630a85493d0294ad9542c21aafaa246",
              "status": "affected",
              "version": "bc57381e634782009b1cb2e86b18013699ada576",
              "versionType": "git"
            },
            {
              "lessThan": "394965f90454d6f00fe11879142b720c6c1a872e",
              "status": "affected",
              "version": "bc57381e634782009b1cb2e86b18013699ada576",
              "versionType": "git"
            },
            {
              "lessThan": "3248c1f833f924246cb98ce7da4569133c1b2292",
              "status": "affected",
              "version": "bc57381e634782009b1cb2e86b18013699ada576",
              "versionType": "git"
            },
            {
              "lessThan": "4ca078084cdd5f32d533311d6a0b63a60dcadd41",
              "status": "affected",
              "version": "bc57381e634782009b1cb2e86b18013699ada576",
              "versionType": "git"
            },
            {
              "lessThan": "d50f5c0cd949593eb9a3d822b34d7b50046a06b7",
              "status": "affected",
              "version": "bc57381e634782009b1cb2e86b18013699ada576",
              "versionType": "git"
            },
            {
              "lessThan": "e5aac1c9b2974636db7ce796ffa6de88fa08335e",
              "status": "affected",
              "version": "bc57381e634782009b1cb2e86b18013699ada576",
              "versionType": "git"
            },
            {
              "lessThan": "830818c8e70c0364e377f0c243b28061ef7967eb",
              "status": "affected",
              "version": "bc57381e634782009b1cb2e86b18013699ada576",
              "versionType": "git"
            },
            {
              "lessThan": "552ca6b87e3778f3dd5b87842f95138162e16c82",
              "status": "affected",
              "version": "bc57381e634782009b1cb2e86b18013699ada576",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/renesas_usbhs/common.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.0"
            },
            {
              "lessThan": "3.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.131",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.83",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.19",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "3.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "3.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "3.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.131",
                  "versionStartIncluding": "3.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.83",
                  "versionStartIncluding": "3.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.19",
                  "versionStartIncluding": "3.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.7",
                  "versionStartIncluding": "3.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "3.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: renesas_usbhs: Flush the notify_hotplug_work\n\nWhen performing continuous unbind/bind operations on the USB drivers\navailable on the Renesas RZ/G2L SoC, a kernel crash with the message\n\"Unable to handle kernel NULL pointer dereference at virtual address\"\nmay occur. This issue points to the usbhsc_notify_hotplug() function.\n\nFlush the delayed work to avoid its execution when driver resources are\nunavailable."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:24:31.050Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/4cd847a7b630a85493d0294ad9542c21aafaa246"
        },
        {
          "url": "https://git.kernel.org/stable/c/394965f90454d6f00fe11879142b720c6c1a872e"
        },
        {
          "url": "https://git.kernel.org/stable/c/3248c1f833f924246cb98ce7da4569133c1b2292"
        },
        {
          "url": "https://git.kernel.org/stable/c/4ca078084cdd5f32d533311d6a0b63a60dcadd41"
        },
        {
          "url": "https://git.kernel.org/stable/c/d50f5c0cd949593eb9a3d822b34d7b50046a06b7"
        },
        {
          "url": "https://git.kernel.org/stable/c/e5aac1c9b2974636db7ce796ffa6de88fa08335e"
        },
        {
          "url": "https://git.kernel.org/stable/c/830818c8e70c0364e377f0c243b28061ef7967eb"
        },
        {
          "url": "https://git.kernel.org/stable/c/552ca6b87e3778f3dd5b87842f95138162e16c82"
        }
      ],
      "title": "usb: renesas_usbhs: Flush the notify_hotplug_work",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21917",
    "datePublished": "2025-04-01T15:40:53.042Z",
    "dateReserved": "2024-12-29T08:45:45.787Z",
    "dateUpdated": "2025-11-03T19:39:08.336Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38269 (GCVE-0-2025-38269)

Vulnerability from cvelistv5 – Published: 2025-07-10 07:41 – Updated: 2026-01-02 15:30

Title

btrfs: exit after state insertion failure at btrfs_convert_extent_bit()

Summary

In the Linux kernel, the following vulnerability has been resolved: btrfs: exit after state insertion failure at btrfs_convert_extent_bit() If insert_state() state failed it returns an error pointer and we call extent_io_tree_panic() which will trigger a BUG() call. However if CONFIG_BUG is disabled, which is an uncommon and exotic scenario, then we fallthrough and call cache_state() which will dereference the error pointer, resulting in an invalid memory access. So jump to the 'out' label after calling extent_io_tree_panic(), it also makes the code more clear besides dealing with the exotic scenario where CONFIG_BUG is disabled.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/58c50f45e1821a04d…
	https://git.kernel.org/stable/c/8d9d32088e304e2bc…
	https://git.kernel.org/stable/c/3bf179e36da917c5d…

Impacted products

Vendor

Product

Version

Linux

Affected: c91ea4bfa6dda549295ea7c15dfc990094d1fcd3 , < 58c50f45e1821a04d61b62514f9bd34afe67c622 (git)
Affected: c91ea4bfa6dda549295ea7c15dfc990094d1fcd3 , < 8d9d32088e304e2bc444a3087cab0bbbd9951866 (git)
Affected: c91ea4bfa6dda549295ea7c15dfc990094d1fcd3 , < 3bf179e36da917c5d9bec71c714573ed1649b7c1 (git)

Linux

Affected: 6.7
Unaffected: 0 , < 6.7 (semver)
Unaffected: 6.12.34 , ≤ 6.12.* (semver)
Unaffected: 6.15.3 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/extent-io-tree.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "58c50f45e1821a04d61b62514f9bd34afe67c622",
              "status": "affected",
              "version": "c91ea4bfa6dda549295ea7c15dfc990094d1fcd3",
              "versionType": "git"
            },
            {
              "lessThan": "8d9d32088e304e2bc444a3087cab0bbbd9951866",
              "status": "affected",
              "version": "c91ea4bfa6dda549295ea7c15dfc990094d1fcd3",
              "versionType": "git"
            },
            {
              "lessThan": "3bf179e36da917c5d9bec71c714573ed1649b7c1",
              "status": "affected",
              "version": "c91ea4bfa6dda549295ea7c15dfc990094d1fcd3",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/extent-io-tree.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.7"
            },
            {
              "lessThan": "6.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: exit after state insertion failure at btrfs_convert_extent_bit()\n\nIf insert_state() state failed it returns an error pointer and we call\nextent_io_tree_panic() which will trigger a BUG() call. However if\nCONFIG_BUG is disabled, which is an uncommon and exotic scenario, then\nwe fallthrough and call cache_state() which will dereference the error\npointer, resulting in an invalid memory access.\n\nSo jump to the \u0027out\u0027 label after calling extent_io_tree_panic(), it also\nmakes the code more clear besides dealing with the exotic scenario where\nCONFIG_BUG is disabled."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:30:20.068Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/58c50f45e1821a04d61b62514f9bd34afe67c622"
        },
        {
          "url": "https://git.kernel.org/stable/c/8d9d32088e304e2bc444a3087cab0bbbd9951866"
        },
        {
          "url": "https://git.kernel.org/stable/c/3bf179e36da917c5d9bec71c714573ed1649b7c1"
        }
      ],
      "title": "btrfs: exit after state insertion failure at btrfs_convert_extent_bit()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38269",
    "datePublished": "2025-07-10T07:41:51.846Z",
    "dateReserved": "2025-04-16T04:51:23.998Z",
    "dateUpdated": "2026-01-02T15:30:20.068Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38314 (GCVE-0-2025-38314)

Vulnerability from cvelistv5 – Published: 2025-07-10 07:42 – Updated: 2025-07-28 04:18

Title

virtio-pci: Fix result size returned for the admin command completion

Summary

In the Linux kernel, the following vulnerability has been resolved: virtio-pci: Fix result size returned for the admin command completion The result size returned by virtio_pci_admin_dev_parts_get() is 8 bytes larger than the actual result data size. This occurs because the result_sg_size field of the command is filled with the result length from virtqueue_get_buf(), which includes both the data size and an additional 8 bytes of status. This oversized result size causes two issues: 1. The state transferred to the destination includes 8 bytes of extra data at the end. 2. The allocated buffer in the kernel may be smaller than the returned size, leading to failures when reading beyond the allocated size. The commit fixes this by subtracting the status size from the result of virtqueue_get_buf(). This fix has been tested through live migrations with virtio-net, virtio-net-transitional, and virtio-blk devices.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/920b6720bb63893b8…
	https://git.kernel.org/stable/c/9ef41ebf787fcbde9…

Impacted products

Vendor

Product

Version

Linux

Affected: 704806ca400e5daa86c110f14bfdda9d28203bb7 , < 920b6720bb63893b81516c0c45884a8350f9e4bf (git)
Affected: 704806ca400e5daa86c110f14bfdda9d28203bb7 , < 9ef41ebf787fcbde99ac404ae473f8467641f983 (git)

Linux

Affected: 6.13
Unaffected: 0 , < 6.13 (semver)
Unaffected: 6.15.3 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/virtio/virtio_pci_modern.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "920b6720bb63893b81516c0c45884a8350f9e4bf",
              "status": "affected",
              "version": "704806ca400e5daa86c110f14bfdda9d28203bb7",
              "versionType": "git"
            },
            {
              "lessThan": "9ef41ebf787fcbde99ac404ae473f8467641f983",
              "status": "affected",
              "version": "704806ca400e5daa86c110f14bfdda9d28203bb7",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/virtio/virtio_pci_modern.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.13"
            },
            {
              "lessThan": "6.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio-pci: Fix result size returned for the admin command completion\n\nThe result size returned by virtio_pci_admin_dev_parts_get() is 8 bytes\nlarger than the actual result data size. This occurs because the\nresult_sg_size field of the command is filled with the result length\nfrom virtqueue_get_buf(), which includes both the data size and an\nadditional 8 bytes of status.\n\nThis oversized result size causes two issues:\n1. The state transferred to the destination includes 8 bytes of extra\n   data at the end.\n2. The allocated buffer in the kernel may be smaller than the returned\n   size, leading to failures when reading beyond the allocated size.\n\nThe commit fixes this by subtracting the status size from the result of\nvirtqueue_get_buf().\n\nThis fix has been tested through live migrations with virtio-net,\nvirtio-net-transitional, and virtio-blk devices."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:18:24.788Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/920b6720bb63893b81516c0c45884a8350f9e4bf"
        },
        {
          "url": "https://git.kernel.org/stable/c/9ef41ebf787fcbde99ac404ae473f8467641f983"
        }
      ],
      "title": "virtio-pci: Fix result size returned for the admin command completion",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38314",
    "datePublished": "2025-07-10T07:42:21.937Z",
    "dateReserved": "2025-04-16T04:51:24.003Z",
    "dateUpdated": "2025-07-28T04:18:24.788Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38302 (GCVE-0-2025-38302)

Vulnerability from cvelistv5 – Published: 2025-07-10 07:42 – Updated: 2025-07-28 04:18

Title

block: don't use submit_bio_noacct_nocheck in blk_zone_wplug_bio_work

Summary

In the Linux kernel, the following vulnerability has been resolved: block: don't use submit_bio_noacct_nocheck in blk_zone_wplug_bio_work Bios queued up in the zone write plug have already gone through all all preparation in the submit_bio path, including the freeze protection. Submitting them through submit_bio_noacct_nocheck duplicates the work and can can cause deadlocks when freezing a queue with pending bio write plugs. Go straight to ->submit_bio or blk_mq_submit_bio to bypass the superfluous extra freeze protection and checks.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/0fccb6773b1f4f992…
	https://git.kernel.org/stable/c/6ffae5d53f704d300…
	https://git.kernel.org/stable/c/cf625013d8741c014…

Impacted products

Vendor

Product

Version

Linux

Affected: 9b1ce7f0c6f82e241196febabddba5fab66c8f05 , < 0fccb6773b1f4f992e435582cf8e050de421b678 (git)
Affected: 9b1ce7f0c6f82e241196febabddba5fab66c8f05 , < 6ffae5d53f704d300cc73b06b4ea99e4507f7cf1 (git)
Affected: 9b1ce7f0c6f82e241196febabddba5fab66c8f05 , < cf625013d8741c01407bbb4a60c111b61b9fa69d (git)

Linux

Affected: 6.10
Unaffected: 0 , < 6.10 (semver)
Unaffected: 6.12.34 , ≤ 6.12.* (semver)
Unaffected: 6.15.3 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "block/blk-zoned.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0fccb6773b1f4f992e435582cf8e050de421b678",
              "status": "affected",
              "version": "9b1ce7f0c6f82e241196febabddba5fab66c8f05",
              "versionType": "git"
            },
            {
              "lessThan": "6ffae5d53f704d300cc73b06b4ea99e4507f7cf1",
              "status": "affected",
              "version": "9b1ce7f0c6f82e241196febabddba5fab66c8f05",
              "versionType": "git"
            },
            {
              "lessThan": "cf625013d8741c01407bbb4a60c111b61b9fa69d",
              "status": "affected",
              "version": "9b1ce7f0c6f82e241196febabddba5fab66c8f05",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "block/blk-zoned.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.10"
            },
            {
              "lessThan": "6.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: don\u0027t use submit_bio_noacct_nocheck in blk_zone_wplug_bio_work\n\nBios queued up in the zone write plug have already gone through all all\npreparation in the submit_bio path, including the freeze protection.\n\nSubmitting them through submit_bio_noacct_nocheck duplicates the work\nand can can cause deadlocks when freezing a queue with pending bio\nwrite plugs.\n\nGo straight to -\u003esubmit_bio or blk_mq_submit_bio to bypass the\nsuperfluous extra freeze protection and checks."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:18:02.625Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0fccb6773b1f4f992e435582cf8e050de421b678"
        },
        {
          "url": "https://git.kernel.org/stable/c/6ffae5d53f704d300cc73b06b4ea99e4507f7cf1"
        },
        {
          "url": "https://git.kernel.org/stable/c/cf625013d8741c01407bbb4a60c111b61b9fa69d"
        }
      ],
      "title": "block: don\u0027t use submit_bio_noacct_nocheck in blk_zone_wplug_bio_work",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38302",
    "datePublished": "2025-07-10T07:42:14.076Z",
    "dateReserved": "2025-04-16T04:51:24.002Z",
    "dateUpdated": "2025-07-28T04:18:02.625Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-22001 (GCVE-0-2025-22001)

Vulnerability from cvelistv5 – Published: 2025-04-03 07:19 – Updated: 2025-10-01 17:10

Title

accel/qaic: Fix integer overflow in qaic_validate_req()

Summary

In the Linux kernel, the following vulnerability has been resolved: accel/qaic: Fix integer overflow in qaic_validate_req() These are u64 variables that come from the user via qaic_attach_slice_bo_ioctl(). Use check_add_overflow() to ensure that the math doesn't have an integer wrapping bug.

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-190 - Integer Overflow or Wraparound

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/4b2a170c25862ad11…
	https://git.kernel.org/stable/c/b362fc904d264a88b…
	https://git.kernel.org/stable/c/57fae0c505f49bb1e…
	https://git.kernel.org/stable/c/67d15c7aa0864dfd8…

Impacted products

Vendor

Product

Version

Linux

Affected: ff13be8303336ead5621712f2c55012d738878b5 , < 4b2a170c25862ad116bd31be6b9841646b4862e8 (git)
Affected: ff13be8303336ead5621712f2c55012d738878b5 , < b362fc904d264a88b4af20baae9e82491c285e9c (git)
Affected: ff13be8303336ead5621712f2c55012d738878b5 , < 57fae0c505f49bb1e3d5660cd2cc49697ed85f7c (git)
Affected: ff13be8303336ead5621712f2c55012d738878b5 , < 67d15c7aa0864dfd82325c7e7e7d8548b5224c7b (git)

Linux

Affected: 6.4
Unaffected: 0 , < 6.4 (semver)
Unaffected: 6.6.85 , ≤ 6.6.* (semver)
Unaffected: 6.12.21 , ≤ 6.12.* (semver)
Unaffected: 6.13.9 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-22001",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T17:10:27.696134Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-190",
                "description": "CWE-190 Integer Overflow or Wraparound",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T17:10:29.970Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/accel/qaic/qaic_data.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "4b2a170c25862ad116bd31be6b9841646b4862e8",
              "status": "affected",
              "version": "ff13be8303336ead5621712f2c55012d738878b5",
              "versionType": "git"
            },
            {
              "lessThan": "b362fc904d264a88b4af20baae9e82491c285e9c",
              "status": "affected",
              "version": "ff13be8303336ead5621712f2c55012d738878b5",
              "versionType": "git"
            },
            {
              "lessThan": "57fae0c505f49bb1e3d5660cd2cc49697ed85f7c",
              "status": "affected",
              "version": "ff13be8303336ead5621712f2c55012d738878b5",
              "versionType": "git"
            },
            {
              "lessThan": "67d15c7aa0864dfd82325c7e7e7d8548b5224c7b",
              "status": "affected",
              "version": "ff13be8303336ead5621712f2c55012d738878b5",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/accel/qaic/qaic_data.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.4"
            },
            {
              "lessThan": "6.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.85",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.21",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.85",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.21",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.9",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/qaic: Fix integer overflow in qaic_validate_req()\n\nThese are u64 variables that come from the user via\nqaic_attach_slice_bo_ioctl().  Use check_add_overflow() to ensure that\nthe math doesn\u0027t have an integer wrapping bug."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:27:11.881Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/4b2a170c25862ad116bd31be6b9841646b4862e8"
        },
        {
          "url": "https://git.kernel.org/stable/c/b362fc904d264a88b4af20baae9e82491c285e9c"
        },
        {
          "url": "https://git.kernel.org/stable/c/57fae0c505f49bb1e3d5660cd2cc49697ed85f7c"
        },
        {
          "url": "https://git.kernel.org/stable/c/67d15c7aa0864dfd82325c7e7e7d8548b5224c7b"
        }
      ],
      "title": "accel/qaic: Fix integer overflow in qaic_validate_req()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-22001",
    "datePublished": "2025-04-03T07:19:04.251Z",
    "dateReserved": "2024-12-29T08:45:45.802Z",
    "dateUpdated": "2025-10-01T17:10:29.970Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38342 (GCVE-0-2025-38342)

Vulnerability from cvelistv5 – Published: 2025-07-10 08:15 – Updated: 2025-11-03 17:36

Title

software node: Correct a OOB check in software_node_get_reference_args()

Summary

In the Linux kernel, the following vulnerability has been resolved: software node: Correct a OOB check in software_node_get_reference_args() software_node_get_reference_args() wants to get @index-th element, so the property value requires at least '(index + 1) * sizeof(*ref)' bytes but that can not be guaranteed by current OOB check, and may cause OOB for malformed property. Fix by using as OOB check '((index + 1) * sizeof(*ref) > prop->length)'.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/142acd739eb6f08c1…
	https://git.kernel.org/stable/c/56ce76e8d406cc72b…
	https://git.kernel.org/stable/c/9324127b07dde8529…
	https://git.kernel.org/stable/c/f9397cf7bfb680799…
	https://git.kernel.org/stable/c/4b3383110b6df48e0…
	https://git.kernel.org/stable/c/7af18e42bdefe1dba…
	https://git.kernel.org/stable/c/31e4e12e0e9609850…

Impacted products

Vendor

Product

Version

Linux

Affected: 59abd83672f70cac4b6bf9b237506c5bc6837606 , < 142acd739eb6f08c148a96ae8309256f1422ff4b (git)
Affected: 59abd83672f70cac4b6bf9b237506c5bc6837606 , < 56ce76e8d406cc72b89aee7931df5cf3f18db49d (git)
Affected: 59abd83672f70cac4b6bf9b237506c5bc6837606 , < 9324127b07dde8529222dc19233aa57ec810856c (git)
Affected: 59abd83672f70cac4b6bf9b237506c5bc6837606 , < f9397cf7bfb680799fb8c7f717c8f756384c3280 (git)
Affected: 59abd83672f70cac4b6bf9b237506c5bc6837606 , < 4b3383110b6df48e0ba5936af2cb68d5eb6bd43b (git)
Affected: 59abd83672f70cac4b6bf9b237506c5bc6837606 , < 7af18e42bdefe1dba5bcb32555a4d524fd504939 (git)
Affected: 59abd83672f70cac4b6bf9b237506c5bc6837606 , < 31e4e12e0e9609850cefd4b2e1adf782f56337d6 (git)

Linux

Affected: 5.0
Unaffected: 0 , < 5.0 (semver)
Unaffected: 5.10.239 , ≤ 5.10.* (semver)
Unaffected: 5.15.186 , ≤ 5.15.* (semver)
Unaffected: 6.1.142 , ≤ 6.1.* (semver)
Unaffected: 6.6.95 , ≤ 6.6.* (semver)
Unaffected: 6.12.35 , ≤ 6.12.* (semver)
Unaffected: 6.15.4 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:36:49.489Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/base/swnode.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "142acd739eb6f08c148a96ae8309256f1422ff4b",
              "status": "affected",
              "version": "59abd83672f70cac4b6bf9b237506c5bc6837606",
              "versionType": "git"
            },
            {
              "lessThan": "56ce76e8d406cc72b89aee7931df5cf3f18db49d",
              "status": "affected",
              "version": "59abd83672f70cac4b6bf9b237506c5bc6837606",
              "versionType": "git"
            },
            {
              "lessThan": "9324127b07dde8529222dc19233aa57ec810856c",
              "status": "affected",
              "version": "59abd83672f70cac4b6bf9b237506c5bc6837606",
              "versionType": "git"
            },
            {
              "lessThan": "f9397cf7bfb680799fb8c7f717c8f756384c3280",
              "status": "affected",
              "version": "59abd83672f70cac4b6bf9b237506c5bc6837606",
              "versionType": "git"
            },
            {
              "lessThan": "4b3383110b6df48e0ba5936af2cb68d5eb6bd43b",
              "status": "affected",
              "version": "59abd83672f70cac4b6bf9b237506c5bc6837606",
              "versionType": "git"
            },
            {
              "lessThan": "7af18e42bdefe1dba5bcb32555a4d524fd504939",
              "status": "affected",
              "version": "59abd83672f70cac4b6bf9b237506c5bc6837606",
              "versionType": "git"
            },
            {
              "lessThan": "31e4e12e0e9609850cefd4b2e1adf782f56337d6",
              "status": "affected",
              "version": "59abd83672f70cac4b6bf9b237506c5bc6837606",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/base/swnode.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.0"
            },
            {
              "lessThan": "5.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.95",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.35",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.95",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.35",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.4",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoftware node: Correct a OOB check in software_node_get_reference_args()\n\nsoftware_node_get_reference_args() wants to get @index-th element, so\nthe property value requires at least \u0027(index + 1) * sizeof(*ref)\u0027 bytes\nbut that can not be guaranteed by current OOB check, and may cause OOB\nfor malformed property.\n\nFix by using as OOB check \u0027((index + 1) * sizeof(*ref) \u003e prop-\u003elength)\u0027."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:19:26.155Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/142acd739eb6f08c148a96ae8309256f1422ff4b"
        },
        {
          "url": "https://git.kernel.org/stable/c/56ce76e8d406cc72b89aee7931df5cf3f18db49d"
        },
        {
          "url": "https://git.kernel.org/stable/c/9324127b07dde8529222dc19233aa57ec810856c"
        },
        {
          "url": "https://git.kernel.org/stable/c/f9397cf7bfb680799fb8c7f717c8f756384c3280"
        },
        {
          "url": "https://git.kernel.org/stable/c/4b3383110b6df48e0ba5936af2cb68d5eb6bd43b"
        },
        {
          "url": "https://git.kernel.org/stable/c/7af18e42bdefe1dba5bcb32555a4d524fd504939"
        },
        {
          "url": "https://git.kernel.org/stable/c/31e4e12e0e9609850cefd4b2e1adf782f56337d6"
        }
      ],
      "title": "software node: Correct a OOB check in software_node_get_reference_args()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38342",
    "datePublished": "2025-07-10T08:15:11.561Z",
    "dateReserved": "2025-04-16T04:51:24.005Z",
    "dateUpdated": "2025-11-03T17:36:49.489Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-22007 (GCVE-0-2025-22007)

Vulnerability from cvelistv5 – Published: 2025-04-03 07:19 – Updated: 2025-11-03 19:40

Title

Bluetooth: Fix error code in chan_alloc_skb_cb()

Summary

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Fix error code in chan_alloc_skb_cb() The chan_alloc_skb_cb() function is supposed to return error pointers on error. Returning NULL will lead to a NULL dereference.

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-476 - NULL Pointer Dereference

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/b3d607e36fef4bd05…
	https://git.kernel.org/stable/c/1bd68db7beb426ab5…
	https://git.kernel.org/stable/c/76304cba8cba12bb1…
	https://git.kernel.org/stable/c/788ae2ae4cf484e24…
	https://git.kernel.org/stable/c/ecd06ad0823a90b44…
	https://git.kernel.org/stable/c/761b7c36addd22c7e…
	https://git.kernel.org/stable/c/a78692ec0d1e17a96…
	https://git.kernel.org/stable/c/72d061ee630d0dbb4…

Impacted products

Vendor

Product

Version

Linux

Affected: 6b8d4a6a03144c5996f98db7f8256267b0d72a3a , < b3d607e36fef4bd05fb938a8a868ff70e9fedbe2 (git)
Affected: 6b8d4a6a03144c5996f98db7f8256267b0d72a3a , < 1bd68db7beb426ab5a45d81516ed9611284affc8 (git)
Affected: 6b8d4a6a03144c5996f98db7f8256267b0d72a3a , < 76304cba8cba12bb10d89d016c28403a2dd89a29 (git)
Affected: 6b8d4a6a03144c5996f98db7f8256267b0d72a3a , < 788ae2ae4cf484e248b5bc29211c7ac6510e3e92 (git)
Affected: 6b8d4a6a03144c5996f98db7f8256267b0d72a3a , < ecd06ad0823a90b4420c377ef8917e44e23ee841 (git)
Affected: 6b8d4a6a03144c5996f98db7f8256267b0d72a3a , < 761b7c36addd22c7e6ceb05caaadc3b062d99faa (git)
Affected: 6b8d4a6a03144c5996f98db7f8256267b0d72a3a , < a78692ec0d1e17a96b09f2349a028878f5b305e4 (git)
Affected: 6b8d4a6a03144c5996f98db7f8256267b0d72a3a , < 72d061ee630d0dbb45c2920d8d19b3861c413e54 (git)

Linux

Affected: 3.17
Unaffected: 0 , < 3.17 (semver)
Unaffected: 5.4.292 , ≤ 5.4.* (semver)
Unaffected: 5.10.236 , ≤ 5.10.* (semver)
Unaffected: 5.15.180 , ≤ 5.15.* (semver)
Unaffected: 6.1.132 , ≤ 6.1.* (semver)
Unaffected: 6.6.85 , ≤ 6.6.* (semver)
Unaffected: 6.12.21 , ≤ 6.12.* (semver)
Unaffected: 6.13.9 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-22007",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T17:09:13.331998Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-476",
                "description": "CWE-476 NULL Pointer Dereference",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T17:09:19.513Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:40:50.363Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/6lowpan.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b3d607e36fef4bd05fb938a8a868ff70e9fedbe2",
              "status": "affected",
              "version": "6b8d4a6a03144c5996f98db7f8256267b0d72a3a",
              "versionType": "git"
            },
            {
              "lessThan": "1bd68db7beb426ab5a45d81516ed9611284affc8",
              "status": "affected",
              "version": "6b8d4a6a03144c5996f98db7f8256267b0d72a3a",
              "versionType": "git"
            },
            {
              "lessThan": "76304cba8cba12bb10d89d016c28403a2dd89a29",
              "status": "affected",
              "version": "6b8d4a6a03144c5996f98db7f8256267b0d72a3a",
              "versionType": "git"
            },
            {
              "lessThan": "788ae2ae4cf484e248b5bc29211c7ac6510e3e92",
              "status": "affected",
              "version": "6b8d4a6a03144c5996f98db7f8256267b0d72a3a",
              "versionType": "git"
            },
            {
              "lessThan": "ecd06ad0823a90b4420c377ef8917e44e23ee841",
              "status": "affected",
              "version": "6b8d4a6a03144c5996f98db7f8256267b0d72a3a",
              "versionType": "git"
            },
            {
              "lessThan": "761b7c36addd22c7e6ceb05caaadc3b062d99faa",
              "status": "affected",
              "version": "6b8d4a6a03144c5996f98db7f8256267b0d72a3a",
              "versionType": "git"
            },
            {
              "lessThan": "a78692ec0d1e17a96b09f2349a028878f5b305e4",
              "status": "affected",
              "version": "6b8d4a6a03144c5996f98db7f8256267b0d72a3a",
              "versionType": "git"
            },
            {
              "lessThan": "72d061ee630d0dbb45c2920d8d19b3861c413e54",
              "status": "affected",
              "version": "6b8d4a6a03144c5996f98db7f8256267b0d72a3a",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/6lowpan.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.17"
            },
            {
              "lessThan": "3.17",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.292",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.236",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.180",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.132",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.85",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.21",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.292",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.236",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.180",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.132",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.85",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.21",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.9",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Fix error code in chan_alloc_skb_cb()\n\nThe chan_alloc_skb_cb() function is supposed to return error pointers on\nerror.  Returning NULL will lead to a NULL dereference."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:27:24.035Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b3d607e36fef4bd05fb938a8a868ff70e9fedbe2"
        },
        {
          "url": "https://git.kernel.org/stable/c/1bd68db7beb426ab5a45d81516ed9611284affc8"
        },
        {
          "url": "https://git.kernel.org/stable/c/76304cba8cba12bb10d89d016c28403a2dd89a29"
        },
        {
          "url": "https://git.kernel.org/stable/c/788ae2ae4cf484e248b5bc29211c7ac6510e3e92"
        },
        {
          "url": "https://git.kernel.org/stable/c/ecd06ad0823a90b4420c377ef8917e44e23ee841"
        },
        {
          "url": "https://git.kernel.org/stable/c/761b7c36addd22c7e6ceb05caaadc3b062d99faa"
        },
        {
          "url": "https://git.kernel.org/stable/c/a78692ec0d1e17a96b09f2349a028878f5b305e4"
        },
        {
          "url": "https://git.kernel.org/stable/c/72d061ee630d0dbb45c2920d8d19b3861c413e54"
        }
      ],
      "title": "Bluetooth: Fix error code in chan_alloc_skb_cb()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-22007",
    "datePublished": "2025-04-03T07:19:07.986Z",
    "dateReserved": "2024-12-29T08:45:45.803Z",
    "dateUpdated": "2025-11-03T19:40:50.363Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38324 (GCVE-0-2025-38324)

Vulnerability from cvelistv5 – Published: 2025-07-10 08:14 – Updated: 2025-11-03 17:36

Title

mpls: Use rcu_dereference_rtnl() in mpls_route_input_rcu().

Summary

In the Linux kernel, the following vulnerability has been resolved: mpls: Use rcu_dereference_rtnl() in mpls_route_input_rcu(). As syzbot reported [0], mpls_route_input_rcu() can be called from mpls_getroute(), where is under RTNL. net->mpls.platform_label is only updated under RTNL. Let's use rcu_dereference_rtnl() in mpls_route_input_rcu() to silence the splat. [0]: WARNING: suspicious RCU usage 6.15.0-rc7-syzkaller-00082-g5cdb2c77c4c3 #0 Not tainted ---------------------------- net/mpls/af_mpls.c:84 suspicious rcu_dereference_check() usage! other info that might help us debug this: rcu_scheduler_active = 2, debug_locks = 1 1 lock held by syz.2.4451/17730: #0: ffffffff9012a3e8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock net/core/rtnetlink.c:80 [inline] #0: ffffffff9012a3e8 (rtnl_mutex){+.+.}-{4:4}, at: rtnetlink_rcv_msg+0x371/0xe90 net/core/rtnetlink.c:6961 stack backtrace: CPU: 1 UID: 0 PID: 17730 Comm: syz.2.4451 Not tainted 6.15.0-rc7-syzkaller-00082-g5cdb2c77c4c3 #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 lockdep_rcu_suspicious+0x166/0x260 kernel/locking/lockdep.c:6865 mpls_route_input_rcu+0x1d4/0x200 net/mpls/af_mpls.c:84 mpls_getroute+0x621/0x1ea0 net/mpls/af_mpls.c:2381 rtnetlink_rcv_msg+0x3c9/0xe90 net/core/rtnetlink.c:6964 netlink_rcv_skb+0x16d/0x440 net/netlink/af_netlink.c:2534 netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline] netlink_unicast+0x53a/0x7f0 net/netlink/af_netlink.c:1339 netlink_sendmsg+0x8d1/0xdd0 net/netlink/af_netlink.c:1883 sock_sendmsg_nosec net/socket.c:712 [inline] __sock_sendmsg net/socket.c:727 [inline] ____sys_sendmsg+0xa98/0xc70 net/socket.c:2566 ___sys_sendmsg+0x134/0x1d0 net/socket.c:2620 __sys_sendmmsg+0x200/0x420 net/socket.c:2709 __do_sys_sendmmsg net/socket.c:2736 [inline] __se_sys_sendmmsg net/socket.c:2733 [inline] __x64_sys_sendmmsg+0x9c/0x100 net/socket.c:2733 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0x230 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f0a2818e969 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f0a28f52038 EFLAGS: 00000246 ORIG_RAX: 0000000000000133 RAX: ffffffffffffffda RBX: 00007f0a283b5fa0 RCX: 00007f0a2818e969 RDX: 0000000000000003 RSI: 0000200000000080 RDI: 0000000000000003 RBP: 00007f0a28210ab1 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f0a283b5fa0 R15: 00007ffce5e9f268 </TASK>

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/2919297b18e5a5fb7…
	https://git.kernel.org/stable/c/36af82f25fbdcd719…
	https://git.kernel.org/stable/c/d8cd847fb86268726…
	https://git.kernel.org/stable/c/49b8a9d7d44401a18…
	https://git.kernel.org/stable/c/a060781640012d5d5…
	https://git.kernel.org/stable/c/517bc6836ee9fcffe…
	https://git.kernel.org/stable/c/f19cbd84e645e39bc…
	https://git.kernel.org/stable/c/6dbb0d97c5096072c…

Impacted products

Vendor

Product

Version

Linux

Affected: 0189197f441602acdca3f97750d392a895b778fd , < 2919297b18e5a5fb7e643f9e32c12c0b17cce1be (git)
Affected: 0189197f441602acdca3f97750d392a895b778fd , < 36af82f25fbdcd719eb947c15ea874bf80bcf229 (git)
Affected: 0189197f441602acdca3f97750d392a895b778fd , < d8cd847fb8626872631cc22d44be5127b4ebfb74 (git)
Affected: 0189197f441602acdca3f97750d392a895b778fd , < 49b8a9d7d44401a186e20b1aaf591d2e62727aeb (git)
Affected: 0189197f441602acdca3f97750d392a895b778fd , < a060781640012d5d5105072f4c44ed6ad6830ef9 (git)
Affected: 0189197f441602acdca3f97750d392a895b778fd , < 517bc6836ee9fcffe2539f6f6aa3fdd9c7a7ae73 (git)
Affected: 0189197f441602acdca3f97750d392a895b778fd , < f19cbd84e645e39bc3228e1191bb151ef0ffac8c (git)
Affected: 0189197f441602acdca3f97750d392a895b778fd , < 6dbb0d97c5096072c78a6abffe393584e57ae945 (git)

Linux

Affected: 4.1
Unaffected: 0 , < 4.1 (semver)
Unaffected: 5.4.295 , ≤ 5.4.* (semver)
Unaffected: 5.10.239 , ≤ 5.10.* (semver)
Unaffected: 5.15.186 , ≤ 5.15.* (semver)
Unaffected: 6.1.142 , ≤ 6.1.* (semver)
Unaffected: 6.6.95 , ≤ 6.6.* (semver)
Unaffected: 6.12.35 , ≤ 6.12.* (semver)
Unaffected: 6.15.4 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:36:35.272Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/mpls/af_mpls.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "2919297b18e5a5fb7e643f9e32c12c0b17cce1be",
              "status": "affected",
              "version": "0189197f441602acdca3f97750d392a895b778fd",
              "versionType": "git"
            },
            {
              "lessThan": "36af82f25fbdcd719eb947c15ea874bf80bcf229",
              "status": "affected",
              "version": "0189197f441602acdca3f97750d392a895b778fd",
              "versionType": "git"
            },
            {
              "lessThan": "d8cd847fb8626872631cc22d44be5127b4ebfb74",
              "status": "affected",
              "version": "0189197f441602acdca3f97750d392a895b778fd",
              "versionType": "git"
            },
            {
              "lessThan": "49b8a9d7d44401a186e20b1aaf591d2e62727aeb",
              "status": "affected",
              "version": "0189197f441602acdca3f97750d392a895b778fd",
              "versionType": "git"
            },
            {
              "lessThan": "a060781640012d5d5105072f4c44ed6ad6830ef9",
              "status": "affected",
              "version": "0189197f441602acdca3f97750d392a895b778fd",
              "versionType": "git"
            },
            {
              "lessThan": "517bc6836ee9fcffe2539f6f6aa3fdd9c7a7ae73",
              "status": "affected",
              "version": "0189197f441602acdca3f97750d392a895b778fd",
              "versionType": "git"
            },
            {
              "lessThan": "f19cbd84e645e39bc3228e1191bb151ef0ffac8c",
              "status": "affected",
              "version": "0189197f441602acdca3f97750d392a895b778fd",
              "versionType": "git"
            },
            {
              "lessThan": "6dbb0d97c5096072c78a6abffe393584e57ae945",
              "status": "affected",
              "version": "0189197f441602acdca3f97750d392a895b778fd",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/mpls/af_mpls.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.1"
            },
            {
              "lessThan": "4.1",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.295",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.95",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.35",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.295",
                  "versionStartIncluding": "4.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "4.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "4.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "4.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.95",
                  "versionStartIncluding": "4.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.35",
                  "versionStartIncluding": "4.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.4",
                  "versionStartIncluding": "4.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "4.1",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmpls: Use rcu_dereference_rtnl() in mpls_route_input_rcu().\n\nAs syzbot reported [0], mpls_route_input_rcu() can be called\nfrom mpls_getroute(), where is under RTNL.\n\nnet-\u003empls.platform_label is only updated under RTNL.\n\nLet\u0027s use rcu_dereference_rtnl() in mpls_route_input_rcu() to\nsilence the splat.\n\n[0]:\nWARNING: suspicious RCU usage\n6.15.0-rc7-syzkaller-00082-g5cdb2c77c4c3 #0 Not tainted\n ----------------------------\nnet/mpls/af_mpls.c:84 suspicious rcu_dereference_check() usage!\n\nother info that might help us debug this:\n\nrcu_scheduler_active = 2, debug_locks = 1\n1 lock held by syz.2.4451/17730:\n #0: ffffffff9012a3e8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock net/core/rtnetlink.c:80 [inline]\n #0: ffffffff9012a3e8 (rtnl_mutex){+.+.}-{4:4}, at: rtnetlink_rcv_msg+0x371/0xe90 net/core/rtnetlink.c:6961\n\nstack backtrace:\nCPU: 1 UID: 0 PID: 17730 Comm: syz.2.4451 Not tainted 6.15.0-rc7-syzkaller-00082-g5cdb2c77c4c3 #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120\n lockdep_rcu_suspicious+0x166/0x260 kernel/locking/lockdep.c:6865\n mpls_route_input_rcu+0x1d4/0x200 net/mpls/af_mpls.c:84\n mpls_getroute+0x621/0x1ea0 net/mpls/af_mpls.c:2381\n rtnetlink_rcv_msg+0x3c9/0xe90 net/core/rtnetlink.c:6964\n netlink_rcv_skb+0x16d/0x440 net/netlink/af_netlink.c:2534\n netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]\n netlink_unicast+0x53a/0x7f0 net/netlink/af_netlink.c:1339\n netlink_sendmsg+0x8d1/0xdd0 net/netlink/af_netlink.c:1883\n sock_sendmsg_nosec net/socket.c:712 [inline]\n __sock_sendmsg net/socket.c:727 [inline]\n ____sys_sendmsg+0xa98/0xc70 net/socket.c:2566\n ___sys_sendmsg+0x134/0x1d0 net/socket.c:2620\n __sys_sendmmsg+0x200/0x420 net/socket.c:2709\n __do_sys_sendmmsg net/socket.c:2736 [inline]\n __se_sys_sendmmsg net/socket.c:2733 [inline]\n __x64_sys_sendmmsg+0x9c/0x100 net/socket.c:2733\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xcd/0x230 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f0a2818e969\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f0a28f52038 EFLAGS: 00000246 ORIG_RAX: 0000000000000133\nRAX: ffffffffffffffda RBX: 00007f0a283b5fa0 RCX: 00007f0a2818e969\nRDX: 0000000000000003 RSI: 0000200000000080 RDI: 0000000000000003\nRBP: 00007f0a28210ab1 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 0000000000000000 R14: 00007f0a283b5fa0 R15: 00007ffce5e9f268\n \u003c/TASK\u003e"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:18:48.551Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/2919297b18e5a5fb7e643f9e32c12c0b17cce1be"
        },
        {
          "url": "https://git.kernel.org/stable/c/36af82f25fbdcd719eb947c15ea874bf80bcf229"
        },
        {
          "url": "https://git.kernel.org/stable/c/d8cd847fb8626872631cc22d44be5127b4ebfb74"
        },
        {
          "url": "https://git.kernel.org/stable/c/49b8a9d7d44401a186e20b1aaf591d2e62727aeb"
        },
        {
          "url": "https://git.kernel.org/stable/c/a060781640012d5d5105072f4c44ed6ad6830ef9"
        },
        {
          "url": "https://git.kernel.org/stable/c/517bc6836ee9fcffe2539f6f6aa3fdd9c7a7ae73"
        },
        {
          "url": "https://git.kernel.org/stable/c/f19cbd84e645e39bc3228e1191bb151ef0ffac8c"
        },
        {
          "url": "https://git.kernel.org/stable/c/6dbb0d97c5096072c78a6abffe393584e57ae945"
        }
      ],
      "title": "mpls: Use rcu_dereference_rtnl() in mpls_route_input_rcu().",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38324",
    "datePublished": "2025-07-10T08:14:58.857Z",
    "dateReserved": "2025-04-16T04:51:24.004Z",
    "dateUpdated": "2025-11-03T17:36:35.272Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38267 (GCVE-0-2025-38267)

Vulnerability from cvelistv5 – Published: 2025-07-10 07:41 – Updated: 2025-07-28 04:16

Title

ring-buffer: Do not trigger WARN_ON() due to a commit_overrun

Summary

In the Linux kernel, the following vulnerability has been resolved: ring-buffer: Do not trigger WARN_ON() due to a commit_overrun When reading a memory mapped buffer the reader page is just swapped out with the last page written in the write buffer. If the reader page is the same as the commit buffer (the buffer that is currently being written to) it was assumed that it should never have missed events. If it does, it triggers a WARN_ON_ONCE(). But there just happens to be one scenario where this can legitimately happen. That is on a commit_overrun. A commit overrun is when an interrupt preempts an event being written to the buffer and then the interrupt adds so many new events that it fills and wraps the buffer back to the commit. Any new events would then be dropped and be reported as "missed_events". In this case, the next page to read is the commit buffer and after the swap of the reader page, the reader page will be the commit buffer, but this time there will be missed events and this triggers the following warning: ------------[ cut here ]------------ WARNING: CPU: 2 PID: 1127 at kernel/trace/ring_buffer.c:7357 ring_buffer_map_get_reader+0x49a/0x780 Modules linked in: kvm_intel kvm irqbypass CPU: 2 UID: 0 PID: 1127 Comm: trace-cmd Not tainted 6.15.0-rc7-test-00004-g478bc2824b45-dirty #564 PREEMPT Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:ring_buffer_map_get_reader+0x49a/0x780 Code: 00 00 00 48 89 fe 48 c1 ee 03 80 3c 2e 00 0f 85 ec 01 00 00 4d 3b a6 a8 00 00 00 0f 85 8a fd ff ff 48 85 c0 0f 84 55 fe ff ff <0f> 0b e9 4e fe ff ff be 08 00 00 00 4c 89 54 24 58 48 89 54 24 50 RSP: 0018:ffff888121787dc0 EFLAGS: 00010002 RAX: 00000000000006a2 RBX: ffff888100062800 RCX: ffffffff8190cb49 RDX: ffff888126934c00 RSI: 1ffff11020200a15 RDI: ffff8881010050a8 RBP: dffffc0000000000 R08: 0000000000000000 R09: ffffed1024d26982 R10: ffff888126934c17 R11: ffff8881010050a8 R12: ffff888126934c00 R13: ffff8881010050b8 R14: ffff888101005000 R15: ffff888126930008 FS: 00007f95c8cd7540(0000) GS:ffff8882b576e000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f95c8de4dc0 CR3: 0000000128452002 CR4: 0000000000172ef0 Call Trace: <TASK> ? __pfx_ring_buffer_map_get_reader+0x10/0x10 tracing_buffers_ioctl+0x283/0x370 __x64_sys_ioctl+0x134/0x190 do_syscall_64+0x79/0x1c0 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f95c8de48db Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00 RSP: 002b:00007ffe037ba110 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007ffe037bb2b0 RCX: 00007f95c8de48db RDX: 0000000000000000 RSI: 0000000000005220 RDI: 0000000000000006 RBP: 00007ffe037ba180 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffe037bb6f8 R14: 00007f95c9065000 R15: 00005575c7492c90 </TASK> irq event stamp: 5080 hardirqs last enabled at (5079): [<ffffffff83e0adb0>] _raw_spin_unlock_irqrestore+0x50/0x70 hardirqs last disabled at (5080): [<ffffffff83e0aa83>] _raw_spin_lock_irqsave+0x63/0x70 softirqs last enabled at (4182): [<ffffffff81516122>] handle_softirqs+0x552/0x710 softirqs last disabled at (4159): [<ffffffff815163f7>] __irq_exit_rcu+0x107/0x210 ---[ end trace 0000000000000000 ]--- The above was triggered by running on a kernel with both lockdep and KASAN as well as kmemleak enabled and executing the following command: # perf record -o perf-test.dat -a -- trace-cmd record --nosplice -e all -p function hackbench 50 With perf interjecting a lot of interrupts and trace-cmd enabling all events as well as function tracing, with lockdep, KASAN and kmemleak enabled, it could cause an interrupt preempting an event being written to add enough event ---truncated---

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/b8df8cb8f7eef52ba…
	https://git.kernel.org/stable/c/e018053632bad8ee0…
	https://git.kernel.org/stable/c/4fc78a7c9ca994e1d…

Impacted products

Vendor

Product

Version

Linux

Affected: fe832be05a8eee5f1488cbcc2c562dd82d079fd6 , < b8df8cb8f7eef52baa9ac5bf36a405ca67945a91 (git)
Affected: fe832be05a8eee5f1488cbcc2c562dd82d079fd6 , < e018053632bad8ee0752242c7d2cffb0bbf45404 (git)
Affected: fe832be05a8eee5f1488cbcc2c562dd82d079fd6 , < 4fc78a7c9ca994e1da5d3940704d4e8f0ea8c5e4 (git)

Linux

Affected: 6.10
Unaffected: 0 , < 6.10 (semver)
Unaffected: 6.12.34 , ≤ 6.12.* (semver)
Unaffected: 6.15.3 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/trace/ring_buffer.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b8df8cb8f7eef52baa9ac5bf36a405ca67945a91",
              "status": "affected",
              "version": "fe832be05a8eee5f1488cbcc2c562dd82d079fd6",
              "versionType": "git"
            },
            {
              "lessThan": "e018053632bad8ee0752242c7d2cffb0bbf45404",
              "status": "affected",
              "version": "fe832be05a8eee5f1488cbcc2c562dd82d079fd6",
              "versionType": "git"
            },
            {
              "lessThan": "4fc78a7c9ca994e1da5d3940704d4e8f0ea8c5e4",
              "status": "affected",
              "version": "fe832be05a8eee5f1488cbcc2c562dd82d079fd6",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/trace/ring_buffer.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.10"
            },
            {
              "lessThan": "6.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nring-buffer: Do not trigger WARN_ON() due to a commit_overrun\n\nWhen reading a memory mapped buffer the reader page is just swapped out\nwith the last page written in the write buffer. If the reader page is the\nsame as the commit buffer (the buffer that is currently being written to)\nit was assumed that it should never have missed events. If it does, it\ntriggers a WARN_ON_ONCE().\n\nBut there just happens to be one scenario where this can legitimately\nhappen. That is on a commit_overrun. A commit overrun is when an interrupt\npreempts an event being written to the buffer and then the interrupt adds\nso many new events that it fills and wraps the buffer back to the commit.\nAny new events would then be dropped and be reported as \"missed_events\".\n\nIn this case, the next page to read is the commit buffer and after the\nswap of the reader page, the reader page will be the commit buffer, but\nthis time there will be missed events and this triggers the following\nwarning:\n\n ------------[ cut here ]------------\n WARNING: CPU: 2 PID: 1127 at kernel/trace/ring_buffer.c:7357 ring_buffer_map_get_reader+0x49a/0x780\n Modules linked in: kvm_intel kvm irqbypass\n CPU: 2 UID: 0 PID: 1127 Comm: trace-cmd Not tainted 6.15.0-rc7-test-00004-g478bc2824b45-dirty #564 PREEMPT\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n RIP: 0010:ring_buffer_map_get_reader+0x49a/0x780\n Code: 00 00 00 48 89 fe 48 c1 ee 03 80 3c 2e 00 0f 85 ec 01 00 00 4d 3b a6 a8 00 00 00 0f 85 8a fd ff ff 48 85 c0 0f 84 55 fe ff ff \u003c0f\u003e 0b e9 4e fe ff ff be 08 00 00 00 4c 89 54 24 58 48 89 54 24 50\n RSP: 0018:ffff888121787dc0 EFLAGS: 00010002\n RAX: 00000000000006a2 RBX: ffff888100062800 RCX: ffffffff8190cb49\n RDX: ffff888126934c00 RSI: 1ffff11020200a15 RDI: ffff8881010050a8\n RBP: dffffc0000000000 R08: 0000000000000000 R09: ffffed1024d26982\n R10: ffff888126934c17 R11: ffff8881010050a8 R12: ffff888126934c00\n R13: ffff8881010050b8 R14: ffff888101005000 R15: ffff888126930008\n FS:  00007f95c8cd7540(0000) GS:ffff8882b576e000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007f95c8de4dc0 CR3: 0000000128452002 CR4: 0000000000172ef0\n Call Trace:\n  \u003cTASK\u003e\n  ? __pfx_ring_buffer_map_get_reader+0x10/0x10\n  tracing_buffers_ioctl+0x283/0x370\n  __x64_sys_ioctl+0x134/0x190\n  do_syscall_64+0x79/0x1c0\n  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n RIP: 0033:0x7f95c8de48db\n Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 \u003c89\u003e c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00\n RSP: 002b:00007ffe037ba110 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\n RAX: ffffffffffffffda RBX: 00007ffe037bb2b0 RCX: 00007f95c8de48db\n RDX: 0000000000000000 RSI: 0000000000005220 RDI: 0000000000000006\n RBP: 00007ffe037ba180 R08: 0000000000000000 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\n R13: 00007ffe037bb6f8 R14: 00007f95c9065000 R15: 00005575c7492c90\n  \u003c/TASK\u003e\n irq event stamp: 5080\n hardirqs last  enabled at (5079): [\u003cffffffff83e0adb0\u003e] _raw_spin_unlock_irqrestore+0x50/0x70\n hardirqs last disabled at (5080): [\u003cffffffff83e0aa83\u003e] _raw_spin_lock_irqsave+0x63/0x70\n softirqs last  enabled at (4182): [\u003cffffffff81516122\u003e] handle_softirqs+0x552/0x710\n softirqs last disabled at (4159): [\u003cffffffff815163f7\u003e] __irq_exit_rcu+0x107/0x210\n ---[ end trace 0000000000000000 ]---\n\nThe above was triggered by running on a kernel with both lockdep and KASAN\nas well as kmemleak enabled and executing the following command:\n\n # perf record -o perf-test.dat -a -- trace-cmd record --nosplice  -e all -p function hackbench 50\n\nWith perf interjecting a lot of interrupts and trace-cmd enabling all\nevents as well as function tracing, with lockdep, KASAN and kmemleak\nenabled, it could cause an interrupt preempting an event being written to\nadd enough event\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:16:47.030Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b8df8cb8f7eef52baa9ac5bf36a405ca67945a91"
        },
        {
          "url": "https://git.kernel.org/stable/c/e018053632bad8ee0752242c7d2cffb0bbf45404"
        },
        {
          "url": "https://git.kernel.org/stable/c/4fc78a7c9ca994e1da5d3940704d4e8f0ea8c5e4"
        }
      ],
      "title": "ring-buffer: Do not trigger WARN_ON() due to a commit_overrun",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38267",
    "datePublished": "2025-07-10T07:41:50.551Z",
    "dateReserved": "2025-04-16T04:51:23.998Z",
    "dateUpdated": "2025-07-28T04:16:47.030Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-37752 (GCVE-0-2025-37752)

Vulnerability from cvelistv5 – Published: 2025-05-01 12:55 – Updated: 2025-11-03 19:54

Title

net_sched: sch_sfq: move the limit validation

Summary

In the Linux kernel, the following vulnerability has been resolved: net_sched: sch_sfq: move the limit validation It is not sufficient to directly validate the limit on the data that the user passes as it can be updated based on how the other parameters are changed. Move the check at the end of the configuration update process to also catch scenarios where the limit is indirectly updated, for example with the following configurations: tc qdisc add dev dummy0 handle 1: root sfq limit 2 flows 1 depth 1 tc qdisc add dev dummy0 handle 1: root sfq limit 2 flows 1 divisor 1 This fixes the following syzkaller reported crash: ------------[ cut here ]------------ UBSAN: array-index-out-of-bounds in net/sched/sch_sfq.c:203:6 index 65535 is out of range for type 'struct sfq_head[128]' CPU: 1 UID: 0 PID: 3037 Comm: syz.2.16 Not tainted 6.14.0-rc2-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x201/0x300 lib/dump_stack.c:120 ubsan_epilogue lib/ubsan.c:231 [inline] __ubsan_handle_out_of_bounds+0xf5/0x120 lib/ubsan.c:429 sfq_link net/sched/sch_sfq.c:203 [inline] sfq_dec+0x53c/0x610 net/sched/sch_sfq.c:231 sfq_dequeue+0x34e/0x8c0 net/sched/sch_sfq.c:493 sfq_reset+0x17/0x60 net/sched/sch_sfq.c:518 qdisc_reset+0x12e/0x600 net/sched/sch_generic.c:1035 tbf_reset+0x41/0x110 net/sched/sch_tbf.c:339 qdisc_reset+0x12e/0x600 net/sched/sch_generic.c:1035 dev_reset_queue+0x100/0x1b0 net/sched/sch_generic.c:1311 netdev_for_each_tx_queue include/linux/netdevice.h:2590 [inline] dev_deactivate_many+0x7e5/0xe70 net/sched/sch_generic.c:1375

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/8fadc871a42933aac…
	https://git.kernel.org/stable/c/7d62ded97db6b7c94…
	https://git.kernel.org/stable/c/6c589aa318023690f…
	https://git.kernel.org/stable/c/1348214fa042a7140…
	https://git.kernel.org/stable/c/d2718324f9e329b10…
	https://git.kernel.org/stable/c/f86293adce0c201cf…
	https://git.kernel.org/stable/c/5e5e1fcc1b8ed57f9…
	https://git.kernel.org/stable/c/b36a68192037d1614…
	https://git.kernel.org/stable/c/b3bf8f63e6179076b…

Impacted products

Vendor

Product

Version

Linux

Affected: e12f6013d0a69660e8b99bfe381b9546ae667328 , < 8fadc871a42933aacb7f1ce9ed9a96485e2c9cf4 (git)
Affected: 1e6d9d87626cf89eeffb4d943db12cb5b10bf961 , < 7d62ded97db6b7c94c891f704151f372b1ba4688 (git)
Affected: 1b562b7f9231432da40d12e19786c1bd7df653a7 , < 6c589aa318023690f1606c666a7fb5f4c1c9c219 (git)
Affected: 35d0137305ae2f97260a9047f445bd4434bd6cc7 , < 1348214fa042a71406964097e743c87a42c85a49 (git)
Affected: 833e9a1c27b82024db7ff5038a51651f48f05e5e , < d2718324f9e329b10ddc091fba5a0ba2b9d4d96a (git)
Affected: 7d8947f2153ee9c5ab4cb17861a11cc45f30e8c4 , < f86293adce0c201cfabb283ef9d6f21292089bb8 (git)
Affected: 7fefc294204f10a3405f175f4ac2be16d63f135e , < 5e5e1fcc1b8ed57f902c424c5d9b328a3a19073d (git)
Affected: 10685681bafce6febb39770f3387621bf5d67d0b , < b36a68192037d1614317a09b0d78c7814e2eecf9 (git)
Affected: 10685681bafce6febb39770f3387621bf5d67d0b , < b3bf8f63e6179076b57c9de660c9f80b5abefe70 (git)

Linux

Affected: 6.14
Unaffected: 0 , < 6.14 (semver)
Unaffected: 6.1.135 , ≤ 6.1.* (semver)
Unaffected: 6.6.88 , ≤ 6.6.* (semver)
Unaffected: 6.12.24 , ≤ 6.12.* (semver)
Unaffected: 6.13.12 , ≤ 6.13.* (semver)
Unaffected: 6.14.3 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:54:26.177Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_sfq.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "8fadc871a42933aacb7f1ce9ed9a96485e2c9cf4",
              "status": "affected",
              "version": "e12f6013d0a69660e8b99bfe381b9546ae667328",
              "versionType": "git"
            },
            {
              "lessThan": "7d62ded97db6b7c94c891f704151f372b1ba4688",
              "status": "affected",
              "version": "1e6d9d87626cf89eeffb4d943db12cb5b10bf961",
              "versionType": "git"
            },
            {
              "lessThan": "6c589aa318023690f1606c666a7fb5f4c1c9c219",
              "status": "affected",
              "version": "1b562b7f9231432da40d12e19786c1bd7df653a7",
              "versionType": "git"
            },
            {
              "lessThan": "1348214fa042a71406964097e743c87a42c85a49",
              "status": "affected",
              "version": "35d0137305ae2f97260a9047f445bd4434bd6cc7",
              "versionType": "git"
            },
            {
              "lessThan": "d2718324f9e329b10ddc091fba5a0ba2b9d4d96a",
              "status": "affected",
              "version": "833e9a1c27b82024db7ff5038a51651f48f05e5e",
              "versionType": "git"
            },
            {
              "lessThan": "f86293adce0c201cfabb283ef9d6f21292089bb8",
              "status": "affected",
              "version": "7d8947f2153ee9c5ab4cb17861a11cc45f30e8c4",
              "versionType": "git"
            },
            {
              "lessThan": "5e5e1fcc1b8ed57f902c424c5d9b328a3a19073d",
              "status": "affected",
              "version": "7fefc294204f10a3405f175f4ac2be16d63f135e",
              "versionType": "git"
            },
            {
              "lessThan": "b36a68192037d1614317a09b0d78c7814e2eecf9",
              "status": "affected",
              "version": "10685681bafce6febb39770f3387621bf5d67d0b",
              "versionType": "git"
            },
            {
              "lessThan": "b3bf8f63e6179076b57c9de660c9f80b5abefe70",
              "status": "affected",
              "version": "10685681bafce6febb39770f3387621bf5d67d0b",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_sfq.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.14"
            },
            {
              "lessThan": "6.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.135",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.24",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.135",
                  "versionStartIncluding": "6.1.129",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.88",
                  "versionStartIncluding": "6.6.76",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.24",
                  "versionStartIncluding": "6.12.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.12",
                  "versionStartIncluding": "6.13.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.3",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: sch_sfq: move the limit validation\n\nIt is not sufficient to directly validate the limit on the data that\nthe user passes as it can be updated based on how the other parameters\nare changed.\n\nMove the check at the end of the configuration update process to also\ncatch scenarios where the limit is indirectly updated, for example\nwith the following configurations:\n\ntc qdisc add dev dummy0 handle 1: root sfq limit 2 flows 1 depth 1\ntc qdisc add dev dummy0 handle 1: root sfq limit 2 flows 1 divisor 1\n\nThis fixes the following syzkaller reported crash:\n\n------------[ cut here ]------------\nUBSAN: array-index-out-of-bounds in net/sched/sch_sfq.c:203:6\nindex 65535 is out of range for type \u0027struct sfq_head[128]\u0027\nCPU: 1 UID: 0 PID: 3037 Comm: syz.2.16 Not tainted 6.14.0-rc2-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x201/0x300 lib/dump_stack.c:120\n ubsan_epilogue lib/ubsan.c:231 [inline]\n __ubsan_handle_out_of_bounds+0xf5/0x120 lib/ubsan.c:429\n sfq_link net/sched/sch_sfq.c:203 [inline]\n sfq_dec+0x53c/0x610 net/sched/sch_sfq.c:231\n sfq_dequeue+0x34e/0x8c0 net/sched/sch_sfq.c:493\n sfq_reset+0x17/0x60 net/sched/sch_sfq.c:518\n qdisc_reset+0x12e/0x600 net/sched/sch_generic.c:1035\n tbf_reset+0x41/0x110 net/sched/sch_tbf.c:339\n qdisc_reset+0x12e/0x600 net/sched/sch_generic.c:1035\n dev_reset_queue+0x100/0x1b0 net/sched/sch_generic.c:1311\n netdev_for_each_tx_queue include/linux/netdevice.h:2590 [inline]\n dev_deactivate_many+0x7e5/0xe70 net/sched/sch_generic.c:1375"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-28T14:42:49.885Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/8fadc871a42933aacb7f1ce9ed9a96485e2c9cf4"
        },
        {
          "url": "https://git.kernel.org/stable/c/7d62ded97db6b7c94c891f704151f372b1ba4688"
        },
        {
          "url": "https://git.kernel.org/stable/c/6c589aa318023690f1606c666a7fb5f4c1c9c219"
        },
        {
          "url": "https://git.kernel.org/stable/c/1348214fa042a71406964097e743c87a42c85a49"
        },
        {
          "url": "https://git.kernel.org/stable/c/d2718324f9e329b10ddc091fba5a0ba2b9d4d96a"
        },
        {
          "url": "https://git.kernel.org/stable/c/f86293adce0c201cfabb283ef9d6f21292089bb8"
        },
        {
          "url": "https://git.kernel.org/stable/c/5e5e1fcc1b8ed57f902c424c5d9b328a3a19073d"
        },
        {
          "url": "https://git.kernel.org/stable/c/b36a68192037d1614317a09b0d78c7814e2eecf9"
        },
        {
          "url": "https://git.kernel.org/stable/c/b3bf8f63e6179076b57c9de660c9f80b5abefe70"
        }
      ],
      "title": "net_sched: sch_sfq: move the limit validation",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37752",
    "datePublished": "2025-05-01T12:55:57.280Z",
    "dateReserved": "2025-04-16T04:51:23.937Z",
    "dateUpdated": "2025-11-03T19:54:26.177Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38172 (GCVE-0-2025-38172)

Vulnerability from cvelistv5 – Published: 2025-07-03 08:36 – Updated: 2025-07-28 04:14

Title

erofs: avoid using multiple devices with different type

Summary

In the Linux kernel, the following vulnerability has been resolved: erofs: avoid using multiple devices with different type For multiple devices, both primary and extra devices should be the same type. `erofs_init_device` has already guaranteed that if the primary is a file-backed device, extra devices should also be regular files. However, if the primary is a block device while the extra device is a file-backed device, `erofs_init_device` will get an ENOTBLK, which is not treated as an error in `erofs_fc_get_tree`, and that leads to an UAF: erofs_fc_get_tree get_tree_bdev_flags(erofs_fc_fill_super) erofs_read_superblock erofs_init_device // sbi->dif0 is not inited yet, // return -ENOTBLK deactivate_locked_super free(sbi) if (err is -ENOTBLK) sbi->dif0.file = filp_open() // sbi UAF So if -ENOTBLK is hitted in `erofs_init_device`, it means the primary device must be a block device, and the extra device is not a block device. The error can be converted to -EINVAL.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/65115472f741ca000…
	https://git.kernel.org/stable/c/cd04beb9ce2773a16…
	https://git.kernel.org/stable/c/9748f2f54f66743ac…

Impacted products

Vendor

Product

Version

Linux

Affected: fb176750266a3d7f42ebdcf28e8ba40350b27847 , < 65115472f741ca000d7ea4a5922214f93cd1516e (git)
Affected: fb176750266a3d7f42ebdcf28e8ba40350b27847 , < cd04beb9ce2773a16057248bb4fa424068ae3807 (git)
Affected: fb176750266a3d7f42ebdcf28e8ba40350b27847 , < 9748f2f54f66743ac77275c34886a9f890e18409 (git)

Linux

Affected: 6.12
Unaffected: 0 , < 6.12 (semver)
Unaffected: 6.12.34 , ≤ 6.12.* (semver)
Unaffected: 6.15.3 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/erofs/super.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "65115472f741ca000d7ea4a5922214f93cd1516e",
              "status": "affected",
              "version": "fb176750266a3d7f42ebdcf28e8ba40350b27847",
              "versionType": "git"
            },
            {
              "lessThan": "cd04beb9ce2773a16057248bb4fa424068ae3807",
              "status": "affected",
              "version": "fb176750266a3d7f42ebdcf28e8ba40350b27847",
              "versionType": "git"
            },
            {
              "lessThan": "9748f2f54f66743ac77275c34886a9f890e18409",
              "status": "affected",
              "version": "fb176750266a3d7f42ebdcf28e8ba40350b27847",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/erofs/super.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.12"
            },
            {
              "lessThan": "6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: avoid using multiple devices with different type\n\nFor multiple devices, both primary and extra devices should be the\nsame type. `erofs_init_device` has already guaranteed that if the\nprimary is a file-backed device, extra devices should also be\nregular files.\n\nHowever, if the primary is a block device while the extra device\nis a file-backed device, `erofs_init_device` will get an ENOTBLK,\nwhich is not treated as an error in `erofs_fc_get_tree`, and that\nleads to an UAF:\n\n  erofs_fc_get_tree\n    get_tree_bdev_flags(erofs_fc_fill_super)\n      erofs_read_superblock\n        erofs_init_device  // sbi-\u003edif0 is not inited yet,\n                           // return -ENOTBLK\n      deactivate_locked_super\n        free(sbi)\n    if (err is -ENOTBLK)\n      sbi-\u003edif0.file = filp_open()  // sbi UAF\n\nSo if -ENOTBLK is hitted in `erofs_init_device`, it means the\nprimary device must be a block device, and the extra device\nis not a block device. The error can be converted to -EINVAL."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:14:13.860Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/65115472f741ca000d7ea4a5922214f93cd1516e"
        },
        {
          "url": "https://git.kernel.org/stable/c/cd04beb9ce2773a16057248bb4fa424068ae3807"
        },
        {
          "url": "https://git.kernel.org/stable/c/9748f2f54f66743ac77275c34886a9f890e18409"
        }
      ],
      "title": "erofs: avoid using multiple devices with different type",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38172",
    "datePublished": "2025-07-03T08:36:10.334Z",
    "dateReserved": "2025-04-16T04:51:23.991Z",
    "dateUpdated": "2025-07-28T04:14:13.860Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38371 (GCVE-0-2025-38371)

Vulnerability from cvelistv5 – Published: 2025-07-25 12:53 – Updated: 2025-11-03 17:37

Title

drm/v3d: Disable interrupts before resetting the GPU

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/v3d: Disable interrupts before resetting the GPU Currently, an interrupt can be triggered during a GPU reset, which can lead to GPU hangs and NULL pointer dereference in an interrupt context as shown in the following trace: [ 314.035040] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000c0 [ 314.043822] Mem abort info: [ 314.046606] ESR = 0x0000000096000005 [ 314.050347] EC = 0x25: DABT (current EL), IL = 32 bits [ 314.055651] SET = 0, FnV = 0 [ 314.058695] EA = 0, S1PTW = 0 [ 314.061826] FSC = 0x05: level 1 translation fault [ 314.066694] Data abort info: [ 314.069564] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000 [ 314.075039] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 314.080080] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 314.085382] user pgtable: 4k pages, 39-bit VAs, pgdp=0000000102728000 [ 314.091814] [00000000000000c0] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000 [ 314.100511] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP [ 314.106770] Modules linked in: v3d i2c_brcmstb vc4 snd_soc_hdmi_codec gpu_sched drm_shmem_helper drm_display_helper cec drm_dma_helper drm_kms_helper drm drm_panel_orientation_quirks snd_soc_core snd_compress snd_pcm_dmaengine snd_pcm snd_timer snd backlight [ 314.129654] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.25+rpt-rpi-v8 #1 Debian 1:6.12.25-1+rpt1 [ 314.139388] Hardware name: Raspberry Pi 4 Model B Rev 1.4 (DT) [ 314.145211] pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 314.152165] pc : v3d_irq+0xec/0x2e0 [v3d] [ 314.156187] lr : v3d_irq+0xe0/0x2e0 [v3d] [ 314.160198] sp : ffffffc080003ea0 [ 314.163502] x29: ffffffc080003ea0 x28: ffffffec1f184980 x27: 021202b000000000 [ 314.170633] x26: ffffffec1f17f630 x25: ffffff8101372000 x24: ffffffec1f17d9f0 [ 314.177764] x23: 000000000000002a x22: 000000000000002a x21: ffffff8103252000 [ 314.184895] x20: 0000000000000001 x19: 00000000deadbeef x18: 0000000000000000 [ 314.192026] x17: ffffff94e51d2000 x16: ffffffec1dac3cb0 x15: c306000000000000 [ 314.199156] x14: 0000000000000000 x13: b2fc982e03cc5168 x12: 0000000000000001 [ 314.206286] x11: ffffff8103f8bcc0 x10: ffffffec1f196868 x9 : ffffffec1dac3874 [ 314.213416] x8 : 0000000000000000 x7 : 0000000000042a3a x6 : ffffff810017a180 [ 314.220547] x5 : ffffffec1ebad400 x4 : ffffffec1ebad320 x3 : 00000000000bebeb [ 314.227677] x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000 [ 314.234807] Call trace: [ 314.237243] v3d_irq+0xec/0x2e0 [v3d] [ 314.240906] __handle_irq_event_percpu+0x58/0x218 [ 314.245609] handle_irq_event+0x54/0xb8 [ 314.249439] handle_fasteoi_irq+0xac/0x240 [ 314.253527] handle_irq_desc+0x48/0x68 [ 314.257269] generic_handle_domain_irq+0x24/0x38 [ 314.261879] gic_handle_irq+0x48/0xd8 [ 314.265533] call_on_irq_stack+0x24/0x58 [ 314.269448] do_interrupt_handler+0x88/0x98 [ 314.273624] el1_interrupt+0x34/0x68 [ 314.277193] el1h_64_irq_handler+0x18/0x28 [ 314.281281] el1h_64_irq+0x64/0x68 [ 314.284673] default_idle_call+0x3c/0x168 [ 314.288675] do_idle+0x1fc/0x230 [ 314.291895] cpu_startup_entry+0x3c/0x50 [ 314.295810] rest_init+0xe4/0xf0 [ 314.299030] start_kernel+0x5e8/0x790 [ 314.302684] __primary_switched+0x80/0x90 [ 314.306691] Code: 940029eb 360ffc13 f9442ea0 52800001 (f9406017) [ 314.312775] ---[ end trace 0000000000000000 ]--- [ 314.317384] Kernel panic - not syncing: Oops: Fatal exception in interrupt [ 314.324249] SMP: stopping secondary CPUs [ 314.328167] Kernel Offset: 0x2b9da00000 from 0xffffffc080000000 [ 314.334076] PHYS_OFFSET: 0x0 [ 314.336946] CPU features: 0x08,00002013,c0200000,0200421b [ 314.342337] Memory Limit: none [ 314.345382] ---[ end Kernel panic - not syncing: Oops: Fatal exception in interrupt ]--- Before resetting the G ---truncated---

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/b9c403d1236cecb10…
	https://git.kernel.org/stable/c/2446e25e9246e0642…
	https://git.kernel.org/stable/c/576a6739e08ac06c6…
	https://git.kernel.org/stable/c/c8851a6ab19d9f390…
	https://git.kernel.org/stable/c/387da3b6d1a90e321…
	https://git.kernel.org/stable/c/9ff95ed0371aec4d9…
	https://git.kernel.org/stable/c/dc805c927cd832bb8…
	https://git.kernel.org/stable/c/226862f50a7a88e4e…

Impacted products

Vendor

Product

Version

Linux

Affected: 57692c94dcbe99a1e0444409a3da13fb3443562c , < b9c403d1236cecb10dd0246a30d81e4b265f8e8d (git)
Affected: 57692c94dcbe99a1e0444409a3da13fb3443562c , < 2446e25e9246e0642a41d91cbf54c33b275da3c3 (git)
Affected: 57692c94dcbe99a1e0444409a3da13fb3443562c , < 576a6739e08ac06c67f2916f71204557232388b0 (git)
Affected: 57692c94dcbe99a1e0444409a3da13fb3443562c , < c8851a6ab19d9f390677c42a3cc01ff9b2eb6241 (git)
Affected: 57692c94dcbe99a1e0444409a3da13fb3443562c , < 387da3b6d1a90e3210bc9a7fb56703bdad2ac18a (git)
Affected: 57692c94dcbe99a1e0444409a3da13fb3443562c , < 9ff95ed0371aec4d9617e478e9c69cde86cd7c38 (git)
Affected: 57692c94dcbe99a1e0444409a3da13fb3443562c , < dc805c927cd832bb8f790b756880ae6c769d5fbc (git)
Affected: 57692c94dcbe99a1e0444409a3da13fb3443562c , < 226862f50a7a88e4e4de9abbf36c64d19acd6fd0 (git)

Linux

Affected: 4.18
Unaffected: 0 , < 4.18 (semver)
Unaffected: 5.4.296 , ≤ 5.4.* (semver)
Unaffected: 5.10.240 , ≤ 5.10.* (semver)
Unaffected: 5.15.187 , ≤ 5.15.* (semver)
Unaffected: 6.1.144 , ≤ 6.1.* (semver)
Unaffected: 6.6.97 , ≤ 6.6.* (semver)
Unaffected: 6.12.37 , ≤ 6.12.* (semver)
Unaffected: 6.15.6 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:37:10.513Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/v3d/v3d_drv.h",
            "drivers/gpu/drm/v3d/v3d_gem.c",
            "drivers/gpu/drm/v3d/v3d_irq.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b9c403d1236cecb10dd0246a30d81e4b265f8e8d",
              "status": "affected",
              "version": "57692c94dcbe99a1e0444409a3da13fb3443562c",
              "versionType": "git"
            },
            {
              "lessThan": "2446e25e9246e0642a41d91cbf54c33b275da3c3",
              "status": "affected",
              "version": "57692c94dcbe99a1e0444409a3da13fb3443562c",
              "versionType": "git"
            },
            {
              "lessThan": "576a6739e08ac06c67f2916f71204557232388b0",
              "status": "affected",
              "version": "57692c94dcbe99a1e0444409a3da13fb3443562c",
              "versionType": "git"
            },
            {
              "lessThan": "c8851a6ab19d9f390677c42a3cc01ff9b2eb6241",
              "status": "affected",
              "version": "57692c94dcbe99a1e0444409a3da13fb3443562c",
              "versionType": "git"
            },
            {
              "lessThan": "387da3b6d1a90e3210bc9a7fb56703bdad2ac18a",
              "status": "affected",
              "version": "57692c94dcbe99a1e0444409a3da13fb3443562c",
              "versionType": "git"
            },
            {
              "lessThan": "9ff95ed0371aec4d9617e478e9c69cde86cd7c38",
              "status": "affected",
              "version": "57692c94dcbe99a1e0444409a3da13fb3443562c",
              "versionType": "git"
            },
            {
              "lessThan": "dc805c927cd832bb8f790b756880ae6c769d5fbc",
              "status": "affected",
              "version": "57692c94dcbe99a1e0444409a3da13fb3443562c",
              "versionType": "git"
            },
            {
              "lessThan": "226862f50a7a88e4e4de9abbf36c64d19acd6fd0",
              "status": "affected",
              "version": "57692c94dcbe99a1e0444409a3da13fb3443562c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/v3d/v3d_drv.h",
            "drivers/gpu/drm/v3d/v3d_gem.c",
            "drivers/gpu/drm/v3d/v3d_irq.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.18"
            },
            {
              "lessThan": "4.18",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.296",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.240",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.187",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.144",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.97",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.37",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.296",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.240",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.187",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.144",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.97",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.37",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.6",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/v3d: Disable interrupts before resetting the GPU\n\nCurrently, an interrupt can be triggered during a GPU reset, which can\nlead to GPU hangs and NULL pointer dereference in an interrupt context\nas shown in the following trace:\n\n [  314.035040] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000c0\n [  314.043822] Mem abort info:\n [  314.046606]   ESR = 0x0000000096000005\n [  314.050347]   EC = 0x25: DABT (current EL), IL = 32 bits\n [  314.055651]   SET = 0, FnV = 0\n [  314.058695]   EA = 0, S1PTW = 0\n [  314.061826]   FSC = 0x05: level 1 translation fault\n [  314.066694] Data abort info:\n [  314.069564]   ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000\n [  314.075039]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n [  314.080080]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n [  314.085382] user pgtable: 4k pages, 39-bit VAs, pgdp=0000000102728000\n [  314.091814] [00000000000000c0] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000\n [  314.100511] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP\n [  314.106770] Modules linked in: v3d i2c_brcmstb vc4 snd_soc_hdmi_codec gpu_sched drm_shmem_helper drm_display_helper cec drm_dma_helper drm_kms_helper drm drm_panel_orientation_quirks snd_soc_core snd_compress snd_pcm_dmaengine snd_pcm snd_timer snd backlight\n [  314.129654] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.25+rpt-rpi-v8 #1  Debian 1:6.12.25-1+rpt1\n [  314.139388] Hardware name: Raspberry Pi 4 Model B Rev 1.4 (DT)\n [  314.145211] pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n [  314.152165] pc : v3d_irq+0xec/0x2e0 [v3d]\n [  314.156187] lr : v3d_irq+0xe0/0x2e0 [v3d]\n [  314.160198] sp : ffffffc080003ea0\n [  314.163502] x29: ffffffc080003ea0 x28: ffffffec1f184980 x27: 021202b000000000\n [  314.170633] x26: ffffffec1f17f630 x25: ffffff8101372000 x24: ffffffec1f17d9f0\n [  314.177764] x23: 000000000000002a x22: 000000000000002a x21: ffffff8103252000\n [  314.184895] x20: 0000000000000001 x19: 00000000deadbeef x18: 0000000000000000\n [  314.192026] x17: ffffff94e51d2000 x16: ffffffec1dac3cb0 x15: c306000000000000\n [  314.199156] x14: 0000000000000000 x13: b2fc982e03cc5168 x12: 0000000000000001\n [  314.206286] x11: ffffff8103f8bcc0 x10: ffffffec1f196868 x9 : ffffffec1dac3874\n [  314.213416] x8 : 0000000000000000 x7 : 0000000000042a3a x6 : ffffff810017a180\n [  314.220547] x5 : ffffffec1ebad400 x4 : ffffffec1ebad320 x3 : 00000000000bebeb\n [  314.227677] x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000\n [  314.234807] Call trace:\n [  314.237243]  v3d_irq+0xec/0x2e0 [v3d]\n [  314.240906]  __handle_irq_event_percpu+0x58/0x218\n [  314.245609]  handle_irq_event+0x54/0xb8\n [  314.249439]  handle_fasteoi_irq+0xac/0x240\n [  314.253527]  handle_irq_desc+0x48/0x68\n [  314.257269]  generic_handle_domain_irq+0x24/0x38\n [  314.261879]  gic_handle_irq+0x48/0xd8\n [  314.265533]  call_on_irq_stack+0x24/0x58\n [  314.269448]  do_interrupt_handler+0x88/0x98\n [  314.273624]  el1_interrupt+0x34/0x68\n [  314.277193]  el1h_64_irq_handler+0x18/0x28\n [  314.281281]  el1h_64_irq+0x64/0x68\n [  314.284673]  default_idle_call+0x3c/0x168\n [  314.288675]  do_idle+0x1fc/0x230\n [  314.291895]  cpu_startup_entry+0x3c/0x50\n [  314.295810]  rest_init+0xe4/0xf0\n [  314.299030]  start_kernel+0x5e8/0x790\n [  314.302684]  __primary_switched+0x80/0x90\n [  314.306691] Code: 940029eb 360ffc13 f9442ea0 52800001 (f9406017)\n [  314.312775] ---[ end trace 0000000000000000 ]---\n [  314.317384] Kernel panic - not syncing: Oops: Fatal exception in interrupt\n [  314.324249] SMP: stopping secondary CPUs\n [  314.328167] Kernel Offset: 0x2b9da00000 from 0xffffffc080000000\n [  314.334076] PHYS_OFFSET: 0x0\n [  314.336946] CPU features: 0x08,00002013,c0200000,0200421b\n [  314.342337] Memory Limit: none\n [  314.345382] ---[ end Kernel panic - not syncing: Oops: Fatal exception in interrupt ]---\n\nBefore resetting the G\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:20:15.525Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b9c403d1236cecb10dd0246a30d81e4b265f8e8d"
        },
        {
          "url": "https://git.kernel.org/stable/c/2446e25e9246e0642a41d91cbf54c33b275da3c3"
        },
        {
          "url": "https://git.kernel.org/stable/c/576a6739e08ac06c67f2916f71204557232388b0"
        },
        {
          "url": "https://git.kernel.org/stable/c/c8851a6ab19d9f390677c42a3cc01ff9b2eb6241"
        },
        {
          "url": "https://git.kernel.org/stable/c/387da3b6d1a90e3210bc9a7fb56703bdad2ac18a"
        },
        {
          "url": "https://git.kernel.org/stable/c/9ff95ed0371aec4d9617e478e9c69cde86cd7c38"
        },
        {
          "url": "https://git.kernel.org/stable/c/dc805c927cd832bb8f790b756880ae6c769d5fbc"
        },
        {
          "url": "https://git.kernel.org/stable/c/226862f50a7a88e4e4de9abbf36c64d19acd6fd0"
        }
      ],
      "title": "drm/v3d: Disable interrupts before resetting the GPU",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38371",
    "datePublished": "2025-07-25T12:53:14.292Z",
    "dateReserved": "2025-04-16T04:51:24.009Z",
    "dateUpdated": "2025-11-03T17:37:10.513Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38029 (GCVE-0-2025-38029)

Vulnerability from cvelistv5 – Published: 2025-06-18 09:33 – Updated: 2025-06-18 09:33

Title

kasan: avoid sleepable page allocation from atomic context

Summary

In the Linux kernel, the following vulnerability has been resolved: kasan: avoid sleepable page allocation from atomic context apply_to_pte_range() enters the lazy MMU mode and then invokes kasan_populate_vmalloc_pte() callback on each page table walk iteration. However, the callback can go into sleep when trying to allocate a single page, e.g. if an architecutre disables preemption on lazy MMU mode enter. On s390 if make arch_enter_lazy_mmu_mode() -> preempt_enable() and arch_leave_lazy_mmu_mode() -> preempt_disable(), such crash occurs: [ 0.663336] BUG: sleeping function called from invalid context at ./include/linux/sched/mm.h:321 [ 0.663348] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 2, name: kthreadd [ 0.663358] preempt_count: 1, expected: 0 [ 0.663366] RCU nest depth: 0, expected: 0 [ 0.663375] no locks held by kthreadd/2. [ 0.663383] Preemption disabled at: [ 0.663386] [<0002f3284cbb4eda>] apply_to_pte_range+0xfa/0x4a0 [ 0.663405] CPU: 0 UID: 0 PID: 2 Comm: kthreadd Not tainted 6.15.0-rc5-gcc-kasan-00043-gd76bb1ebb558-dirty #162 PREEMPT [ 0.663408] Hardware name: IBM 3931 A01 701 (KVM/Linux) [ 0.663409] Call Trace: [ 0.663410] [<0002f3284c385f58>] dump_stack_lvl+0xe8/0x140 [ 0.663413] [<0002f3284c507b9e>] __might_resched+0x66e/0x700 [ 0.663415] [<0002f3284cc4f6c0>] __alloc_frozen_pages_noprof+0x370/0x4b0 [ 0.663419] [<0002f3284ccc73c0>] alloc_pages_mpol+0x1a0/0x4a0 [ 0.663421] [<0002f3284ccc8518>] alloc_frozen_pages_noprof+0x88/0xc0 [ 0.663424] [<0002f3284ccc8572>] alloc_pages_noprof+0x22/0x120 [ 0.663427] [<0002f3284cc341ac>] get_free_pages_noprof+0x2c/0xc0 [ 0.663429] [<0002f3284cceba70>] kasan_populate_vmalloc_pte+0x50/0x120 [ 0.663433] [<0002f3284cbb4ef8>] apply_to_pte_range+0x118/0x4a0 [ 0.663435] [<0002f3284cbc7c14>] apply_to_pmd_range+0x194/0x3e0 [ 0.663437] [<0002f3284cbc99be>] __apply_to_page_range+0x2fe/0x7a0 [ 0.663440] [<0002f3284cbc9e88>] apply_to_page_range+0x28/0x40 [ 0.663442] [<0002f3284ccebf12>] kasan_populate_vmalloc+0x82/0xa0 [ 0.663445] [<0002f3284cc1578c>] alloc_vmap_area+0x34c/0xc10 [ 0.663448] [<0002f3284cc1c2a6>] __get_vm_area_node+0x186/0x2a0 [ 0.663451] [<0002f3284cc1e696>] __vmalloc_node_range_noprof+0x116/0x310 [ 0.663454] [<0002f3284cc1d950>] __vmalloc_node_noprof+0xd0/0x110 [ 0.663457] [<0002f3284c454b88>] alloc_thread_stack_node+0xf8/0x330 [ 0.663460] [<0002f3284c458d56>] dup_task_struct+0x66/0x4d0 [ 0.663463] [<0002f3284c45be90>] copy_process+0x280/0x4b90 [ 0.663465] [<0002f3284c460940>] kernel_clone+0xd0/0x4b0 [ 0.663467] [<0002f3284c46115e>] kernel_thread+0xbe/0xe0 [ 0.663469] [<0002f3284c4e440e>] kthreadd+0x50e/0x7f0 [ 0.663472] [<0002f3284c38c04a>] __ret_from_fork+0x8a/0xf0 [ 0.663475] [<0002f3284ed57ff2>] ret_from_fork+0xa/0x38 Instead of allocating single pages per-PTE, bulk-allocate the shadow memory prior to applying kasan_populate_vmalloc_pte() callback on a page range.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/6748dd09196248b98…
	https://git.kernel.org/stable/c/b6ea95a34cbd014ab…

Impacted products

Vendor

Product

Version

Linux

Affected: 3c5c3cfb9ef4da957e3357a2bd36f76ee34c0862 , < 6748dd09196248b985cca39eaf651d5317271977 (git)
Affected: 3c5c3cfb9ef4da957e3357a2bd36f76ee34c0862 , < b6ea95a34cbd014ab6ade4248107b86b0aaf2d6c (git)

Linux

Affected: 5.5
Unaffected: 0 , < 5.5 (semver)
Unaffected: 6.14.9 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "mm/kasan/shadow.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6748dd09196248b985cca39eaf651d5317271977",
              "status": "affected",
              "version": "3c5c3cfb9ef4da957e3357a2bd36f76ee34c0862",
              "versionType": "git"
            },
            {
              "lessThan": "b6ea95a34cbd014ab6ade4248107b86b0aaf2d6c",
              "status": "affected",
              "version": "3c5c3cfb9ef4da957e3357a2bd36f76ee34c0862",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "mm/kasan/shadow.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.5"
            },
            {
              "lessThan": "5.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.9",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nkasan: avoid sleepable page allocation from atomic context\n\napply_to_pte_range() enters the lazy MMU mode and then invokes\nkasan_populate_vmalloc_pte() callback on each page table walk iteration. \nHowever, the callback can go into sleep when trying to allocate a single\npage, e.g.  if an architecutre disables preemption on lazy MMU mode enter.\n\nOn s390 if make arch_enter_lazy_mmu_mode() -\u003e preempt_enable() and\narch_leave_lazy_mmu_mode() -\u003e preempt_disable(), such crash occurs:\n\n[    0.663336] BUG: sleeping function called from invalid context at ./include/linux/sched/mm.h:321\n[    0.663348] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 2, name: kthreadd\n[    0.663358] preempt_count: 1, expected: 0\n[    0.663366] RCU nest depth: 0, expected: 0\n[    0.663375] no locks held by kthreadd/2.\n[    0.663383] Preemption disabled at:\n[    0.663386] [\u003c0002f3284cbb4eda\u003e] apply_to_pte_range+0xfa/0x4a0\n[    0.663405] CPU: 0 UID: 0 PID: 2 Comm: kthreadd Not tainted 6.15.0-rc5-gcc-kasan-00043-gd76bb1ebb558-dirty #162 PREEMPT\n[    0.663408] Hardware name: IBM 3931 A01 701 (KVM/Linux)\n[    0.663409] Call Trace:\n[    0.663410]  [\u003c0002f3284c385f58\u003e] dump_stack_lvl+0xe8/0x140\n[    0.663413]  [\u003c0002f3284c507b9e\u003e] __might_resched+0x66e/0x700\n[    0.663415]  [\u003c0002f3284cc4f6c0\u003e] __alloc_frozen_pages_noprof+0x370/0x4b0\n[    0.663419]  [\u003c0002f3284ccc73c0\u003e] alloc_pages_mpol+0x1a0/0x4a0\n[    0.663421]  [\u003c0002f3284ccc8518\u003e] alloc_frozen_pages_noprof+0x88/0xc0\n[    0.663424]  [\u003c0002f3284ccc8572\u003e] alloc_pages_noprof+0x22/0x120\n[    0.663427]  [\u003c0002f3284cc341ac\u003e] get_free_pages_noprof+0x2c/0xc0\n[    0.663429]  [\u003c0002f3284cceba70\u003e] kasan_populate_vmalloc_pte+0x50/0x120\n[    0.663433]  [\u003c0002f3284cbb4ef8\u003e] apply_to_pte_range+0x118/0x4a0\n[    0.663435]  [\u003c0002f3284cbc7c14\u003e] apply_to_pmd_range+0x194/0x3e0\n[    0.663437]  [\u003c0002f3284cbc99be\u003e] __apply_to_page_range+0x2fe/0x7a0\n[    0.663440]  [\u003c0002f3284cbc9e88\u003e] apply_to_page_range+0x28/0x40\n[    0.663442]  [\u003c0002f3284ccebf12\u003e] kasan_populate_vmalloc+0x82/0xa0\n[    0.663445]  [\u003c0002f3284cc1578c\u003e] alloc_vmap_area+0x34c/0xc10\n[    0.663448]  [\u003c0002f3284cc1c2a6\u003e] __get_vm_area_node+0x186/0x2a0\n[    0.663451]  [\u003c0002f3284cc1e696\u003e] __vmalloc_node_range_noprof+0x116/0x310\n[    0.663454]  [\u003c0002f3284cc1d950\u003e] __vmalloc_node_noprof+0xd0/0x110\n[    0.663457]  [\u003c0002f3284c454b88\u003e] alloc_thread_stack_node+0xf8/0x330\n[    0.663460]  [\u003c0002f3284c458d56\u003e] dup_task_struct+0x66/0x4d0\n[    0.663463]  [\u003c0002f3284c45be90\u003e] copy_process+0x280/0x4b90\n[    0.663465]  [\u003c0002f3284c460940\u003e] kernel_clone+0xd0/0x4b0\n[    0.663467]  [\u003c0002f3284c46115e\u003e] kernel_thread+0xbe/0xe0\n[    0.663469]  [\u003c0002f3284c4e440e\u003e] kthreadd+0x50e/0x7f0\n[    0.663472]  [\u003c0002f3284c38c04a\u003e] __ret_from_fork+0x8a/0xf0\n[    0.663475]  [\u003c0002f3284ed57ff2\u003e] ret_from_fork+0xa/0x38\n\nInstead of allocating single pages per-PTE, bulk-allocate the shadow\nmemory prior to applying kasan_populate_vmalloc_pte() callback on a page\nrange."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-18T09:33:17.632Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/6748dd09196248b985cca39eaf651d5317271977"
        },
        {
          "url": "https://git.kernel.org/stable/c/b6ea95a34cbd014ab6ade4248107b86b0aaf2d6c"
        }
      ],
      "title": "kasan: avoid sleepable page allocation from atomic context",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38029",
    "datePublished": "2025-06-18T09:33:17.632Z",
    "dateReserved": "2025-04-16T04:51:23.978Z",
    "dateUpdated": "2025-06-18T09:33:17.632Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38054 (GCVE-0-2025-38054)

Vulnerability from cvelistv5 – Published: 2025-06-18 09:33 – Updated: 2025-06-18 09:33

Title

ptp: ocp: Limit signal/freq counts in summary output functions

Summary

In the Linux kernel, the following vulnerability has been resolved: ptp: ocp: Limit signal/freq counts in summary output functions The debugfs summary output could access uninitialized elements in the freq_in[] and signal_out[] arrays, causing NULL pointer dereferences and triggering a kernel Oops (page_fault_oops). This patch adds u8 fields (nr_freq_in, nr_signal_out) to track the number of initialized elements, with a maximum of 4 per array. The summary output functions are updated to respect these limits, preventing out-of-bounds access and ensuring safe array handling. Widen the label variables because the change confuses GCC about max length of the strings.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/0b7d3e782027ac3b6…
	https://git.kernel.org/stable/c/fcad74f894ac89790…
	https://git.kernel.org/stable/c/c9e455581e2ba87ee…

Impacted products

Vendor

Product

Version

Linux

Affected: ef61f5528fca6c3bbb2f8bc002fd1949c9d1f9b9 , < 0b7d3e782027ac3b6fec56159e8e348042000aef (git)
Affected: ef61f5528fca6c3bbb2f8bc002fd1949c9d1f9b9 , < fcad74f894ac89790084cc2e1ec61b08220941d1 (git)
Affected: ef61f5528fca6c3bbb2f8bc002fd1949c9d1f9b9 , < c9e455581e2ba87ee38c126e8dc49a424b9df0cf (git)

Linux

Affected: 6.9
Unaffected: 0 , < 6.9 (semver)
Unaffected: 6.12.31 , ≤ 6.12.* (semver)
Unaffected: 6.14.9 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/ptp/ptp_ocp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0b7d3e782027ac3b6fec56159e8e348042000aef",
              "status": "affected",
              "version": "ef61f5528fca6c3bbb2f8bc002fd1949c9d1f9b9",
              "versionType": "git"
            },
            {
              "lessThan": "fcad74f894ac89790084cc2e1ec61b08220941d1",
              "status": "affected",
              "version": "ef61f5528fca6c3bbb2f8bc002fd1949c9d1f9b9",
              "versionType": "git"
            },
            {
              "lessThan": "c9e455581e2ba87ee38c126e8dc49a424b9df0cf",
              "status": "affected",
              "version": "ef61f5528fca6c3bbb2f8bc002fd1949c9d1f9b9",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/ptp/ptp_ocp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.9"
            },
            {
              "lessThan": "6.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.31",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.31",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.9",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nptp: ocp: Limit signal/freq counts in summary output functions\n\nThe debugfs summary output could access uninitialized elements in\nthe freq_in[] and signal_out[] arrays, causing NULL pointer\ndereferences and triggering a kernel Oops (page_fault_oops).\nThis patch adds u8 fields (nr_freq_in, nr_signal_out) to track the\nnumber of initialized elements, with a maximum of 4 per array.\nThe summary output functions are updated to respect these limits,\npreventing out-of-bounds access and ensuring safe array handling.\n\nWiden the label variables because the change confuses GCC about\nmax length of the strings."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-18T09:33:34.686Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0b7d3e782027ac3b6fec56159e8e348042000aef"
        },
        {
          "url": "https://git.kernel.org/stable/c/fcad74f894ac89790084cc2e1ec61b08220941d1"
        },
        {
          "url": "https://git.kernel.org/stable/c/c9e455581e2ba87ee38c126e8dc49a424b9df0cf"
        }
      ],
      "title": "ptp: ocp: Limit signal/freq counts in summary output functions",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38054",
    "datePublished": "2025-06-18T09:33:34.686Z",
    "dateReserved": "2025-04-16T04:51:23.979Z",
    "dateUpdated": "2025-06-18T09:33:34.686Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38617 (GCVE-0-2025-38617)

Vulnerability from cvelistv5 – Published: 2025-08-22 13:01 – Updated: 2025-11-03 17:40

Title

net/packet: fix a race in packet_set_ring() and packet_notifier()

Summary

In the Linux kernel, the following vulnerability has been resolved: net/packet: fix a race in packet_set_ring() and packet_notifier() When packet_set_ring() releases po->bind_lock, another thread can run packet_notifier() and process an NETDEV_UP event. This race and the fix are both similar to that of commit 15fe076edea7 ("net/packet: fix a race in packet_bind() and packet_notifier()"). There too the packet_notifier NETDEV_UP event managed to run while a po->bind_lock critical section had to be temporarily released. And the fix was similarly to temporarily set po->num to zero to keep the socket unhooked until the lock is retaken. The po->bind_lock in packet_set_ring and packet_notifier precede the introduction of git history.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/18f13f2a83eb81be3…
	https://git.kernel.org/stable/c/7da733f117533e9b2…
	https://git.kernel.org/stable/c/ba2257034755ae773…
	https://git.kernel.org/stable/c/7de07705007c7e349…
	https://git.kernel.org/stable/c/88caf46db8239e647…
	https://git.kernel.org/stable/c/f2e8fcfd2b1bc7549…
	https://git.kernel.org/stable/c/e50ccfaca9e3c671c…
	https://git.kernel.org/stable/c/f1791fd7b845bea0c…
	https://git.kernel.org/stable/c/01d3c8417b9c1b884…

Impacted products

Vendor

Product

Version

Linux

Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 18f13f2a83eb81be349a9757ba2141ff1da9ad73 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 7da733f117533e9b2ebbd530a22ae4028713955c (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ba2257034755ae773722f15f4c3ad1dcdad15ca9 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 7de07705007c7e34995a5599aaab1d23e762d7ca (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 88caf46db8239e6471413d28aabaa6b8bd552805 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f2e8fcfd2b1bc754920108b7f2cd75082c5a18df (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < e50ccfaca9e3c671cae917dcb994831a859cf588 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f1791fd7b845bea0ce9674fcf2febee7bc87a893 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 01d3c8417b9c1b884a8a981a3b886da556512f36 (git)

Linux

Affected: 2.6.12
Unaffected: 0 , < 2.6.12 (semver)
Unaffected: 5.4.297 , ≤ 5.4.* (semver)
Unaffected: 5.10.241 , ≤ 5.10.* (semver)
Unaffected: 5.15.190 , ≤ 5.15.* (semver)
Unaffected: 6.1.148 , ≤ 6.1.* (semver)
Unaffected: 6.6.102 , ≤ 6.6.* (semver)
Unaffected: 6.12.42 , ≤ 6.12.* (semver)
Unaffected: 6.15.10 , ≤ 6.15.* (semver)
Unaffected: 6.16.1 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:40:28.543Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/packet/af_packet.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "18f13f2a83eb81be349a9757ba2141ff1da9ad73",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "7da733f117533e9b2ebbd530a22ae4028713955c",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "ba2257034755ae773722f15f4c3ad1dcdad15ca9",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "7de07705007c7e34995a5599aaab1d23e762d7ca",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "88caf46db8239e6471413d28aabaa6b8bd552805",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "f2e8fcfd2b1bc754920108b7f2cd75082c5a18df",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "e50ccfaca9e3c671cae917dcb994831a859cf588",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "f1791fd7b845bea0ce9674fcf2febee7bc87a893",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "01d3c8417b9c1b884a8a981a3b886da556512f36",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/packet/af_packet.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.297",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.241",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.148",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.102",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.42",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.297",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.241",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.148",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.102",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.42",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.10",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.1",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/packet: fix a race in packet_set_ring() and packet_notifier()\n\nWhen packet_set_ring() releases po-\u003ebind_lock, another thread can\nrun packet_notifier() and process an NETDEV_UP event.\n\nThis race and the fix are both similar to that of commit 15fe076edea7\n(\"net/packet: fix a race in packet_bind() and packet_notifier()\").\n\nThere too the packet_notifier NETDEV_UP event managed to run while a\npo-\u003ebind_lock critical section had to be temporarily released. And\nthe fix was similarly to temporarily set po-\u003enum to zero to keep\nthe socket unhooked until the lock is retaken.\n\nThe po-\u003ebind_lock in packet_set_ring and packet_notifier precede the\nintroduction of git history."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-29T05:54:52.280Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/18f13f2a83eb81be349a9757ba2141ff1da9ad73"
        },
        {
          "url": "https://git.kernel.org/stable/c/7da733f117533e9b2ebbd530a22ae4028713955c"
        },
        {
          "url": "https://git.kernel.org/stable/c/ba2257034755ae773722f15f4c3ad1dcdad15ca9"
        },
        {
          "url": "https://git.kernel.org/stable/c/7de07705007c7e34995a5599aaab1d23e762d7ca"
        },
        {
          "url": "https://git.kernel.org/stable/c/88caf46db8239e6471413d28aabaa6b8bd552805"
        },
        {
          "url": "https://git.kernel.org/stable/c/f2e8fcfd2b1bc754920108b7f2cd75082c5a18df"
        },
        {
          "url": "https://git.kernel.org/stable/c/e50ccfaca9e3c671cae917dcb994831a859cf588"
        },
        {
          "url": "https://git.kernel.org/stable/c/f1791fd7b845bea0ce9674fcf2febee7bc87a893"
        },
        {
          "url": "https://git.kernel.org/stable/c/01d3c8417b9c1b884a8a981a3b886da556512f36"
        }
      ],
      "title": "net/packet: fix a race in packet_set_ring() and packet_notifier()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38617",
    "datePublished": "2025-08-22T13:01:23.963Z",
    "dateReserved": "2025-04-16T04:51:24.029Z",
    "dateUpdated": "2025-11-03T17:40:28.543Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21961 (GCVE-0-2025-21961)

Vulnerability from cvelistv5 – Published: 2025-04-01 15:46 – Updated: 2025-10-01 17:15

Title

eth: bnxt: fix truesize for mb-xdp-pass case

Summary

In the Linux kernel, the following vulnerability has been resolved: eth: bnxt: fix truesize for mb-xdp-pass case When mb-xdp is set and return is XDP_PASS, packet is converted from xdp_buff to sk_buff with xdp_update_skb_shared_info() in bnxt_xdp_build_skb(). bnxt_xdp_build_skb() passes incorrect truesize argument to xdp_update_skb_shared_info(). The truesize is calculated as BNXT_RX_PAGE_SIZE * sinfo->nr_frags but the skb_shared_info was wiped by napi_build_skb() before. So it stores sinfo->nr_frags before bnxt_xdp_build_skb() and use it instead of getting skb_shared_info from xdp_get_shared_info_from_buff(). Splat looks like: ------------[ cut here ]------------ WARNING: CPU: 2 PID: 0 at net/core/skbuff.c:6072 skb_try_coalesce+0x504/0x590 Modules linked in: xt_nat xt_tcpudp veth af_packet xt_conntrack nft_chain_nat xt_MASQUERADE nf_conntrack_netlink xfrm_user xt_addrtype nft_coms CPU: 2 UID: 0 PID: 0 Comm: swapper/2 Not tainted 6.14.0-rc2+ #3 RIP: 0010:skb_try_coalesce+0x504/0x590 Code: 4b fd ff ff 49 8b 34 24 40 80 e6 40 0f 84 3d fd ff ff 49 8b 74 24 48 40 f6 c6 01 0f 84 2e fd ff ff 48 8d 4e ff e9 25 fd ff ff <0f> 0b e99 RSP: 0018:ffffb62c4120caa8 EFLAGS: 00010287 RAX: 0000000000000003 RBX: ffffb62c4120cb14 RCX: 0000000000000ec0 RDX: 0000000000001000 RSI: ffffa06e5d7dc000 RDI: 0000000000000003 RBP: ffffa06e5d7ddec0 R08: ffffa06e6120a800 R09: ffffa06e7a119900 R10: 0000000000002310 R11: ffffa06e5d7dcec0 R12: ffffe4360575f740 R13: ffffe43600000000 R14: 0000000000000002 R15: 0000000000000002 FS: 0000000000000000(0000) GS:ffffa0755f700000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f147b76b0f8 CR3: 00000001615d4000 CR4: 00000000007506f0 PKRU: 55555554 Call Trace: <IRQ> ? __warn+0x84/0x130 ? skb_try_coalesce+0x504/0x590 ? report_bug+0x18a/0x1a0 ? handle_bug+0x53/0x90 ? exc_invalid_op+0x14/0x70 ? asm_exc_invalid_op+0x16/0x20 ? skb_try_coalesce+0x504/0x590 inet_frag_reasm_finish+0x11f/0x2e0 ip_defrag+0x37a/0x900 ip_local_deliver+0x51/0x120 ip_sublist_rcv_finish+0x64/0x70 ip_sublist_rcv+0x179/0x210 ip_list_rcv+0xf9/0x130 How to reproduce: <Node A> ip link set $interface1 xdp obj xdp_pass.o ip link set $interface1 mtu 9000 up ip a a 10.0.0.1/24 dev $interface1 <Node B> ip link set $interfac2 mtu 9000 up ip a a 10.0.0.2/24 dev $interface2 ping 10.0.0.1 -s 65000 Following ping.py patch adds xdp-mb-pass case. so ping.py is going to be able to reproduce this issue.

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-noinfo Not enough information

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/19107e71be330dbcc…
	https://git.kernel.org/stable/c/b4679807c6083ade4…
	https://git.kernel.org/stable/c/9f7b2aa5034e24d3c…

Impacted products

Vendor

Product

Version

Linux

Affected: 1dc4c557bfedfcdf7fc0c46795857773b7ad66e7 , < 19107e71be330dbccb9f8f9f4cf0a9abeadad802 (git)
Affected: 1dc4c557bfedfcdf7fc0c46795857773b7ad66e7 , < b4679807c6083ade4d47f03f80da891afcb6ef62 (git)
Affected: 1dc4c557bfedfcdf7fc0c46795857773b7ad66e7 , < 9f7b2aa5034e24d3c49db73d5f760c0435fe31c2 (git)

Linux

Affected: 5.19
Unaffected: 0 , < 5.19 (semver)
Unaffected: 6.12.20 , ≤ 6.12.* (semver)
Unaffected: 6.13.8 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21961",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T17:15:46.557576Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "description": "CWE-noinfo Not enough information",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T17:15:48.731Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/broadcom/bnxt/bnxt.c",
            "drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "19107e71be330dbccb9f8f9f4cf0a9abeadad802",
              "status": "affected",
              "version": "1dc4c557bfedfcdf7fc0c46795857773b7ad66e7",
              "versionType": "git"
            },
            {
              "lessThan": "b4679807c6083ade4d47f03f80da891afcb6ef62",
              "status": "affected",
              "version": "1dc4c557bfedfcdf7fc0c46795857773b7ad66e7",
              "versionType": "git"
            },
            {
              "lessThan": "9f7b2aa5034e24d3c49db73d5f760c0435fe31c2",
              "status": "affected",
              "version": "1dc4c557bfedfcdf7fc0c46795857773b7ad66e7",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/broadcom/bnxt/bnxt.c",
            "drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.19"
            },
            {
              "lessThan": "5.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.20",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.20",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.8",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\neth: bnxt: fix truesize for mb-xdp-pass case\n\nWhen mb-xdp is set and return is XDP_PASS, packet is converted from\nxdp_buff to sk_buff with xdp_update_skb_shared_info() in\nbnxt_xdp_build_skb().\nbnxt_xdp_build_skb() passes incorrect truesize argument to\nxdp_update_skb_shared_info().\nThe truesize is calculated as BNXT_RX_PAGE_SIZE * sinfo-\u003enr_frags but\nthe skb_shared_info was wiped by napi_build_skb() before.\nSo it stores sinfo-\u003enr_frags before bnxt_xdp_build_skb() and use it\ninstead of getting skb_shared_info from xdp_get_shared_info_from_buff().\n\nSplat looks like:\n ------------[ cut here ]------------\n WARNING: CPU: 2 PID: 0 at net/core/skbuff.c:6072 skb_try_coalesce+0x504/0x590\n Modules linked in: xt_nat xt_tcpudp veth af_packet xt_conntrack nft_chain_nat xt_MASQUERADE nf_conntrack_netlink xfrm_user xt_addrtype nft_coms\n CPU: 2 UID: 0 PID: 0 Comm: swapper/2 Not tainted 6.14.0-rc2+ #3\n RIP: 0010:skb_try_coalesce+0x504/0x590\n Code: 4b fd ff ff 49 8b 34 24 40 80 e6 40 0f 84 3d fd ff ff 49 8b 74 24 48 40 f6 c6 01 0f 84 2e fd ff ff 48 8d 4e ff e9 25 fd ff ff \u003c0f\u003e 0b e99\n RSP: 0018:ffffb62c4120caa8 EFLAGS: 00010287\n RAX: 0000000000000003 RBX: ffffb62c4120cb14 RCX: 0000000000000ec0\n RDX: 0000000000001000 RSI: ffffa06e5d7dc000 RDI: 0000000000000003\n RBP: ffffa06e5d7ddec0 R08: ffffa06e6120a800 R09: ffffa06e7a119900\n R10: 0000000000002310 R11: ffffa06e5d7dcec0 R12: ffffe4360575f740\n R13: ffffe43600000000 R14: 0000000000000002 R15: 0000000000000002\n FS:  0000000000000000(0000) GS:ffffa0755f700000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007f147b76b0f8 CR3: 00000001615d4000 CR4: 00000000007506f0\n PKRU: 55555554\n Call Trace:\n  \u003cIRQ\u003e\n  ? __warn+0x84/0x130\n  ? skb_try_coalesce+0x504/0x590\n  ? report_bug+0x18a/0x1a0\n  ? handle_bug+0x53/0x90\n  ? exc_invalid_op+0x14/0x70\n  ? asm_exc_invalid_op+0x16/0x20\n  ? skb_try_coalesce+0x504/0x590\n  inet_frag_reasm_finish+0x11f/0x2e0\n  ip_defrag+0x37a/0x900\n  ip_local_deliver+0x51/0x120\n  ip_sublist_rcv_finish+0x64/0x70\n  ip_sublist_rcv+0x179/0x210\n  ip_list_rcv+0xf9/0x130\n\nHow to reproduce:\n\u003cNode A\u003e\nip link set $interface1 xdp obj xdp_pass.o\nip link set $interface1 mtu 9000 up\nip a a 10.0.0.1/24 dev $interface1\n\u003cNode B\u003e\nip link set $interfac2 mtu 9000 up\nip a a 10.0.0.2/24 dev $interface2\nping 10.0.0.1 -s 65000\n\nFollowing ping.py patch adds xdp-mb-pass case. so ping.py is going to be\nable to reproduce this issue."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:25:50.120Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/19107e71be330dbccb9f8f9f4cf0a9abeadad802"
        },
        {
          "url": "https://git.kernel.org/stable/c/b4679807c6083ade4d47f03f80da891afcb6ef62"
        },
        {
          "url": "https://git.kernel.org/stable/c/9f7b2aa5034e24d3c49db73d5f760c0435fe31c2"
        }
      ],
      "title": "eth: bnxt: fix truesize for mb-xdp-pass case",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21961",
    "datePublished": "2025-04-01T15:46:58.795Z",
    "dateReserved": "2024-12-29T08:45:45.795Z",
    "dateUpdated": "2025-10-01T17:15:48.731Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38310 (GCVE-0-2025-38310)

Vulnerability from cvelistv5 – Published: 2025-07-10 07:42 – Updated: 2025-11-03 17:36

Title

seg6: Fix validation of nexthop addresses

Summary

In the Linux kernel, the following vulnerability has been resolved: seg6: Fix validation of nexthop addresses The kernel currently validates that the length of the provided nexthop address does not exceed the specified length. This can lead to the kernel reading uninitialized memory if user space provided a shorter length than the specified one. Fix by validating that the provided length exactly matches the specified one.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/668923c474608dd9e…
	https://git.kernel.org/stable/c/cef33a86bcb04ecf4…
	https://git.kernel.org/stable/c/d2507aeea45b3c5aa…
	https://git.kernel.org/stable/c/d5d9fd13bc19a3f9f…
	https://git.kernel.org/stable/c/cd4cd09810211fa23…
	https://git.kernel.org/stable/c/7632fedb266d93ed0…

Impacted products

Vendor

Product

Version

Linux

Affected: d1df6fd8a1d22d37cffa0075ab8ad423ce656777 , < 668923c474608dd9ebce0fbcc41bd8a27aa73dd6 (git)
Affected: d1df6fd8a1d22d37cffa0075ab8ad423ce656777 , < cef33a86bcb04ecf4dc10c56f6c42ee9d1c54bac (git)
Affected: d1df6fd8a1d22d37cffa0075ab8ad423ce656777 , < d2507aeea45b3c5aa24d5daae0cf3db76895c0b7 (git)
Affected: d1df6fd8a1d22d37cffa0075ab8ad423ce656777 , < d5d9fd13bc19a3f9f2a951c5b6e934d84205789e (git)
Affected: d1df6fd8a1d22d37cffa0075ab8ad423ce656777 , < cd4cd09810211fa23609c5c1018352e9e1cd8e5a (git)
Affected: d1df6fd8a1d22d37cffa0075ab8ad423ce656777 , < 7632fedb266d93ed0ed9f487133e6c6314a9b2d1 (git)

Linux

Affected: 4.14
Unaffected: 0 , < 4.14 (semver)
Unaffected: 5.15.186 , ≤ 5.15.* (semver)
Unaffected: 6.1.142 , ≤ 6.1.* (semver)
Unaffected: 6.6.94 , ≤ 6.6.* (semver)
Unaffected: 6.12.34 , ≤ 6.12.* (semver)
Unaffected: 6.15.3 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:36:23.610Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/ipv6/seg6_local.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "668923c474608dd9ebce0fbcc41bd8a27aa73dd6",
              "status": "affected",
              "version": "d1df6fd8a1d22d37cffa0075ab8ad423ce656777",
              "versionType": "git"
            },
            {
              "lessThan": "cef33a86bcb04ecf4dc10c56f6c42ee9d1c54bac",
              "status": "affected",
              "version": "d1df6fd8a1d22d37cffa0075ab8ad423ce656777",
              "versionType": "git"
            },
            {
              "lessThan": "d2507aeea45b3c5aa24d5daae0cf3db76895c0b7",
              "status": "affected",
              "version": "d1df6fd8a1d22d37cffa0075ab8ad423ce656777",
              "versionType": "git"
            },
            {
              "lessThan": "d5d9fd13bc19a3f9f2a951c5b6e934d84205789e",
              "status": "affected",
              "version": "d1df6fd8a1d22d37cffa0075ab8ad423ce656777",
              "versionType": "git"
            },
            {
              "lessThan": "cd4cd09810211fa23609c5c1018352e9e1cd8e5a",
              "status": "affected",
              "version": "d1df6fd8a1d22d37cffa0075ab8ad423ce656777",
              "versionType": "git"
            },
            {
              "lessThan": "7632fedb266d93ed0ed9f487133e6c6314a9b2d1",
              "status": "affected",
              "version": "d1df6fd8a1d22d37cffa0075ab8ad423ce656777",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/ipv6/seg6_local.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.14"
            },
            {
              "lessThan": "4.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.94",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nseg6: Fix validation of nexthop addresses\n\nThe kernel currently validates that the length of the provided nexthop\naddress does not exceed the specified length. This can lead to the\nkernel reading uninitialized memory if user space provided a shorter\nlength than the specified one.\n\nFix by validating that the provided length exactly matches the specified\none."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:18:14.297Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/668923c474608dd9ebce0fbcc41bd8a27aa73dd6"
        },
        {
          "url": "https://git.kernel.org/stable/c/cef33a86bcb04ecf4dc10c56f6c42ee9d1c54bac"
        },
        {
          "url": "https://git.kernel.org/stable/c/d2507aeea45b3c5aa24d5daae0cf3db76895c0b7"
        },
        {
          "url": "https://git.kernel.org/stable/c/d5d9fd13bc19a3f9f2a951c5b6e934d84205789e"
        },
        {
          "url": "https://git.kernel.org/stable/c/cd4cd09810211fa23609c5c1018352e9e1cd8e5a"
        },
        {
          "url": "https://git.kernel.org/stable/c/7632fedb266d93ed0ed9f487133e6c6314a9b2d1"
        }
      ],
      "title": "seg6: Fix validation of nexthop addresses",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38310",
    "datePublished": "2025-07-10T07:42:19.338Z",
    "dateReserved": "2025-04-16T04:51:24.003Z",
    "dateUpdated": "2025-11-03T17:36:23.610Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38477 (GCVE-0-2025-38477)

Vulnerability from cvelistv5 – Published: 2025-07-28 11:21 – Updated: 2025-11-03 17:38

Title

net/sched: sch_qfq: Fix race condition on qfq_aggregate

Summary

In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_qfq: Fix race condition on qfq_aggregate A race condition can occur when 'agg' is modified in qfq_change_agg (called during qfq_enqueue) while other threads access it concurrently. For example, qfq_dump_class may trigger a NULL dereference, and qfq_delete_class may cause a use-after-free. This patch addresses the issue by: 1. Moved qfq_destroy_class into the critical section. 2. Added sch_tree_lock protection to qfq_dump_class and qfq_dump_class_stats.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/aa7a22c4d678bf649…
	https://git.kernel.org/stable/c/d841aa5518508ab19…
	https://git.kernel.org/stable/c/c6df794000147a3a0…
	https://git.kernel.org/stable/c/466e10194ab81caa2…
	https://git.kernel.org/stable/c/fbe48f06e64134dfe…
	https://git.kernel.org/stable/c/a6d735100f602c830…
	https://git.kernel.org/stable/c/c000a3a330d97f6c0…
	https://git.kernel.org/stable/c/5e28d5a3f774f1188…

Impacted products

Vendor

Product

Version

Linux

Affected: 462dbc9101acd38e92eda93c0726857517a24bbd , < aa7a22c4d678bf649fd3a1d27debec583563414d (git)
Affected: 462dbc9101acd38e92eda93c0726857517a24bbd , < d841aa5518508ab195b6781ad0d73ee378d713dd (git)
Affected: 462dbc9101acd38e92eda93c0726857517a24bbd , < c6df794000147a3a02f79984aada4ce83f8d0a1e (git)
Affected: 462dbc9101acd38e92eda93c0726857517a24bbd , < 466e10194ab81caa2ee6a332d33ba16bcceeeba6 (git)
Affected: 462dbc9101acd38e92eda93c0726857517a24bbd , < fbe48f06e64134dfeafa89ad23387f66ebca3527 (git)
Affected: 462dbc9101acd38e92eda93c0726857517a24bbd , < a6d735100f602c830c16d69fb6d780eebd8c9ae1 (git)
Affected: 462dbc9101acd38e92eda93c0726857517a24bbd , < c000a3a330d97f6c073ace5aa5faf94b9adb4b79 (git)
Affected: 462dbc9101acd38e92eda93c0726857517a24bbd , < 5e28d5a3f774f118896aec17a3a20a9c5c9dfc64 (git)

Linux

Affected: 3.8
Unaffected: 0 , < 3.8 (semver)
Unaffected: 5.4.297 , ≤ 5.4.* (semver)
Unaffected: 5.10.241 , ≤ 5.10.* (semver)
Unaffected: 5.15.190 , ≤ 5.15.* (semver)
Unaffected: 6.1.147 , ≤ 6.1.* (semver)
Unaffected: 6.6.100 , ≤ 6.6.* (semver)
Unaffected: 6.12.40 , ≤ 6.12.* (semver)
Unaffected: 6.15.8 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:38:44.755Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_qfq.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "aa7a22c4d678bf649fd3a1d27debec583563414d",
              "status": "affected",
              "version": "462dbc9101acd38e92eda93c0726857517a24bbd",
              "versionType": "git"
            },
            {
              "lessThan": "d841aa5518508ab195b6781ad0d73ee378d713dd",
              "status": "affected",
              "version": "462dbc9101acd38e92eda93c0726857517a24bbd",
              "versionType": "git"
            },
            {
              "lessThan": "c6df794000147a3a02f79984aada4ce83f8d0a1e",
              "status": "affected",
              "version": "462dbc9101acd38e92eda93c0726857517a24bbd",
              "versionType": "git"
            },
            {
              "lessThan": "466e10194ab81caa2ee6a332d33ba16bcceeeba6",
              "status": "affected",
              "version": "462dbc9101acd38e92eda93c0726857517a24bbd",
              "versionType": "git"
            },
            {
              "lessThan": "fbe48f06e64134dfeafa89ad23387f66ebca3527",
              "status": "affected",
              "version": "462dbc9101acd38e92eda93c0726857517a24bbd",
              "versionType": "git"
            },
            {
              "lessThan": "a6d735100f602c830c16d69fb6d780eebd8c9ae1",
              "status": "affected",
              "version": "462dbc9101acd38e92eda93c0726857517a24bbd",
              "versionType": "git"
            },
            {
              "lessThan": "c000a3a330d97f6c073ace5aa5faf94b9adb4b79",
              "status": "affected",
              "version": "462dbc9101acd38e92eda93c0726857517a24bbd",
              "versionType": "git"
            },
            {
              "lessThan": "5e28d5a3f774f118896aec17a3a20a9c5c9dfc64",
              "status": "affected",
              "version": "462dbc9101acd38e92eda93c0726857517a24bbd",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_qfq.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.8"
            },
            {
              "lessThan": "3.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.297",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.241",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.147",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.100",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.40",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.297",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.241",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.147",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.100",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.40",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.8",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: sch_qfq: Fix race condition on qfq_aggregate\n\nA race condition can occur when \u0027agg\u0027 is modified in qfq_change_agg\n(called during qfq_enqueue) while other threads access it\nconcurrently. For example, qfq_dump_class may trigger a NULL\ndereference, and qfq_delete_class may cause a use-after-free.\n\nThis patch addresses the issue by:\n\n1. Moved qfq_destroy_class into the critical section.\n\n2. Added sch_tree_lock protection to qfq_dump_class and\nqfq_dump_class_stats."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-28T14:43:15.237Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/aa7a22c4d678bf649fd3a1d27debec583563414d"
        },
        {
          "url": "https://git.kernel.org/stable/c/d841aa5518508ab195b6781ad0d73ee378d713dd"
        },
        {
          "url": "https://git.kernel.org/stable/c/c6df794000147a3a02f79984aada4ce83f8d0a1e"
        },
        {
          "url": "https://git.kernel.org/stable/c/466e10194ab81caa2ee6a332d33ba16bcceeeba6"
        },
        {
          "url": "https://git.kernel.org/stable/c/fbe48f06e64134dfeafa89ad23387f66ebca3527"
        },
        {
          "url": "https://git.kernel.org/stable/c/a6d735100f602c830c16d69fb6d780eebd8c9ae1"
        },
        {
          "url": "https://git.kernel.org/stable/c/c000a3a330d97f6c073ace5aa5faf94b9adb4b79"
        },
        {
          "url": "https://git.kernel.org/stable/c/5e28d5a3f774f118896aec17a3a20a9c5c9dfc64"
        }
      ],
      "title": "net/sched: sch_qfq: Fix race condition on qfq_aggregate",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38477",
    "datePublished": "2025-07-28T11:21:38.319Z",
    "dateReserved": "2025-04-16T04:51:24.021Z",
    "dateUpdated": "2025-11-03T17:38:44.755Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-22016 (GCVE-0-2025-22016)

Vulnerability from cvelistv5 – Published: 2025-04-08 08:18 – Updated: 2025-05-04 07:27

Title

dpll: fix xa_alloc_cyclic() error handling

Summary

In the Linux kernel, the following vulnerability has been resolved: dpll: fix xa_alloc_cyclic() error handling In case of returning 1 from xa_alloc_cyclic() (wrapping) ERR_PTR(1) will be returned, which will cause IS_ERR() to be false. Which can lead to dereference not allocated pointer (pin). Fix it by checking if err is lower than zero. This wasn't found in real usecase, only noticed. Credit to Pierre.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/cb2f8a5c1fd9e7a1f…
	https://git.kernel.org/stable/c/4d350043be684762e…
	https://git.kernel.org/stable/c/3614bf90130d60f19…

Impacted products

Vendor

Product

Version

Linux

Affected: 97f265ef7f5b526b33d6030b2a1fc69a2259bf4a , < cb2f8a5c1fd9e7a1fefa23afe20570e16da1ada4 (git)
Affected: 97f265ef7f5b526b33d6030b2a1fc69a2259bf4a , < 4d350043be684762e581d9bdd32d543621d01a9c (git)
Affected: 97f265ef7f5b526b33d6030b2a1fc69a2259bf4a , < 3614bf90130d60f191a5fe218d04f6251c678e13 (git)

Linux

Affected: 6.8
Unaffected: 0 , < 6.8 (semver)
Unaffected: 6.12.21 , ≤ 6.12.* (semver)
Unaffected: 6.13.9 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/dpll/dpll_core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "cb2f8a5c1fd9e7a1fefa23afe20570e16da1ada4",
              "status": "affected",
              "version": "97f265ef7f5b526b33d6030b2a1fc69a2259bf4a",
              "versionType": "git"
            },
            {
              "lessThan": "4d350043be684762e581d9bdd32d543621d01a9c",
              "status": "affected",
              "version": "97f265ef7f5b526b33d6030b2a1fc69a2259bf4a",
              "versionType": "git"
            },
            {
              "lessThan": "3614bf90130d60f191a5fe218d04f6251c678e13",
              "status": "affected",
              "version": "97f265ef7f5b526b33d6030b2a1fc69a2259bf4a",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/dpll/dpll_core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.8"
            },
            {
              "lessThan": "6.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.21",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.21",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.9",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndpll: fix xa_alloc_cyclic() error handling\n\nIn case of returning 1 from xa_alloc_cyclic() (wrapping) ERR_PTR(1) will\nbe returned, which will cause IS_ERR() to be false. Which can lead to\ndereference not allocated pointer (pin).\n\nFix it by checking if err is lower than zero.\n\nThis wasn\u0027t found in real usecase, only noticed. Credit to Pierre."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:27:46.043Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/cb2f8a5c1fd9e7a1fefa23afe20570e16da1ada4"
        },
        {
          "url": "https://git.kernel.org/stable/c/4d350043be684762e581d9bdd32d543621d01a9c"
        },
        {
          "url": "https://git.kernel.org/stable/c/3614bf90130d60f191a5fe218d04f6251c678e13"
        }
      ],
      "title": "dpll: fix xa_alloc_cyclic() error handling",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-22016",
    "datePublished": "2025-04-08T08:18:05.907Z",
    "dateReserved": "2024-12-29T08:45:45.806Z",
    "dateUpdated": "2025-05-04T07:27:46.043Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21875 (GCVE-0-2025-21875)

Vulnerability from cvelistv5 – Published: 2025-03-27 14:57 – Updated: 2025-11-03 19:38

Title

mptcp: always handle address removal under msk socket lock

Summary

In the Linux kernel, the following vulnerability has been resolved: mptcp: always handle address removal under msk socket lock Syzkaller reported a lockdep splat in the PM control path: WARNING: CPU: 0 PID: 6693 at ./include/net/sock.h:1711 sock_owned_by_me include/net/sock.h:1711 [inline] WARNING: CPU: 0 PID: 6693 at ./include/net/sock.h:1711 msk_owned_by_me net/mptcp/protocol.h:363 [inline] WARNING: CPU: 0 PID: 6693 at ./include/net/sock.h:1711 mptcp_pm_nl_addr_send_ack+0x57c/0x610 net/mptcp/pm_netlink.c:788 Modules linked in: CPU: 0 UID: 0 PID: 6693 Comm: syz.0.205 Not tainted 6.14.0-rc2-syzkaller-00303-gad1b832bf1cf #0 Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024 RIP: 0010:sock_owned_by_me include/net/sock.h:1711 [inline] RIP: 0010:msk_owned_by_me net/mptcp/protocol.h:363 [inline] RIP: 0010:mptcp_pm_nl_addr_send_ack+0x57c/0x610 net/mptcp/pm_netlink.c:788 Code: 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc e8 ca 7b d3 f5 eb b9 e8 c3 7b d3 f5 90 0f 0b 90 e9 dd fb ff ff e8 b5 7b d3 f5 90 <0f> 0b 90 e9 3e fb ff ff 44 89 f1 80 e1 07 38 c1 0f 8c eb fb ff ff RSP: 0000:ffffc900034f6f60 EFLAGS: 00010283 RAX: ffffffff8bee3c2b RBX: 0000000000000001 RCX: 0000000000080000 RDX: ffffc90004d42000 RSI: 000000000000a407 RDI: 000000000000a408 RBP: ffffc900034f7030 R08: ffffffff8bee37f6 R09: 0100000000000000 R10: dffffc0000000000 R11: ffffed100bcc62e4 R12: ffff88805e6316e0 R13: ffff88805e630c00 R14: dffffc0000000000 R15: ffff88805e630c00 FS: 00007f7e9a7e96c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000001b2fd18ff8 CR3: 0000000032c24000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> mptcp_pm_remove_addr+0x103/0x1d0 net/mptcp/pm.c:59 mptcp_pm_remove_anno_addr+0x1f4/0x2f0 net/mptcp/pm_netlink.c:1486 mptcp_nl_remove_subflow_and_signal_addr net/mptcp/pm_netlink.c:1518 [inline] mptcp_pm_nl_del_addr_doit+0x118d/0x1af0 net/mptcp/pm_netlink.c:1629 genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline] genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline] genl_rcv_msg+0xb1f/0xec0 net/netlink/genetlink.c:1210 netlink_rcv_skb+0x206/0x480 net/netlink/af_netlink.c:2543 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219 netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline] netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1348 netlink_sendmsg+0x8de/0xcb0 net/netlink/af_netlink.c:1892 sock_sendmsg_nosec net/socket.c:718 [inline] __sock_sendmsg+0x221/0x270 net/socket.c:733 ____sys_sendmsg+0x53a/0x860 net/socket.c:2573 ___sys_sendmsg net/socket.c:2627 [inline] __sys_sendmsg+0x269/0x350 net/socket.c:2659 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f7e9998cde9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f7e9a7e9038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f7e99ba5fa0 RCX: 00007f7e9998cde9 RDX: 000000002000c094 RSI: 0000400000000000 RDI: 0000000000000007 RBP: 00007f7e99a0e2a0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f7e99ba5fa0 R15: 00007fff49231088 Indeed the PM can try to send a RM_ADDR over a msk without acquiring first the msk socket lock. The bugged code-path comes from an early optimization: when there are no subflows, the PM should (usually) not send RM_ADDR notifications. The above statement is incorrect, as without locks another process could concur ---truncated---

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/494ec285535632732…
	https://git.kernel.org/stable/c/7cca31035c0581964…
	https://git.kernel.org/stable/c/8116fb4acd5d3f06c…
	https://git.kernel.org/stable/c/a05da2be18aae7e82…
	https://git.kernel.org/stable/c/4124b782ec2b1e2e4…
	https://git.kernel.org/stable/c/2c3de6dff4373f103…
	https://git.kernel.org/stable/c/f865c24bc55158313…

Impacted products

Vendor

Product

Version

Linux

Affected: b6c08380860b926752d57c8fa9911fa388c4b876 , < 494ec285535632732eaa5786297a9ae4f731b5ff (git)
Affected: b6c08380860b926752d57c8fa9911fa388c4b876 , < 7cca31035c05819643ffb5d7518e9a331b3f6651 (git)
Affected: b6c08380860b926752d57c8fa9911fa388c4b876 , < 8116fb4acd5d3f06cd37f84887dbe962b6703b1c (git)
Affected: b6c08380860b926752d57c8fa9911fa388c4b876 , < a05da2be18aae7e82572f8d795f41bb49f5dfc7d (git)
Affected: b6c08380860b926752d57c8fa9911fa388c4b876 , < 4124b782ec2b1e2e490cf0bbf10f53dfd3479890 (git)
Affected: b6c08380860b926752d57c8fa9911fa388c4b876 , < 2c3de6dff4373f1036e003f49a32629359530bdb (git)
Affected: b6c08380860b926752d57c8fa9911fa388c4b876 , < f865c24bc55158313d5779fc81116023a6940ca3 (git)

Linux

Affected: 5.10
Unaffected: 0 , < 5.10 (semver)
Unaffected: 5.10.235 , ≤ 5.10.* (semver)
Unaffected: 5.15.179 , ≤ 5.15.* (semver)
Unaffected: 6.1.130 , ≤ 6.1.* (semver)
Unaffected: 6.6.81 , ≤ 6.6.* (semver)
Unaffected: 6.12.18 , ≤ 6.12.* (semver)
Unaffected: 6.13.6 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:38:31.794Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/mptcp/pm_netlink.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "494ec285535632732eaa5786297a9ae4f731b5ff",
              "status": "affected",
              "version": "b6c08380860b926752d57c8fa9911fa388c4b876",
              "versionType": "git"
            },
            {
              "lessThan": "7cca31035c05819643ffb5d7518e9a331b3f6651",
              "status": "affected",
              "version": "b6c08380860b926752d57c8fa9911fa388c4b876",
              "versionType": "git"
            },
            {
              "lessThan": "8116fb4acd5d3f06cd37f84887dbe962b6703b1c",
              "status": "affected",
              "version": "b6c08380860b926752d57c8fa9911fa388c4b876",
              "versionType": "git"
            },
            {
              "lessThan": "a05da2be18aae7e82572f8d795f41bb49f5dfc7d",
              "status": "affected",
              "version": "b6c08380860b926752d57c8fa9911fa388c4b876",
              "versionType": "git"
            },
            {
              "lessThan": "4124b782ec2b1e2e490cf0bbf10f53dfd3479890",
              "status": "affected",
              "version": "b6c08380860b926752d57c8fa9911fa388c4b876",
              "versionType": "git"
            },
            {
              "lessThan": "2c3de6dff4373f1036e003f49a32629359530bdb",
              "status": "affected",
              "version": "b6c08380860b926752d57c8fa9911fa388c4b876",
              "versionType": "git"
            },
            {
              "lessThan": "f865c24bc55158313d5779fc81116023a6940ca3",
              "status": "affected",
              "version": "b6c08380860b926752d57c8fa9911fa388c4b876",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/mptcp/pm_netlink.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.10"
            },
            {
              "lessThan": "5.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.130",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.81",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.18",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.130",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.81",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.18",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.6",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: always handle address removal under msk socket lock\n\nSyzkaller reported a lockdep splat in the PM control path:\n\n  WARNING: CPU: 0 PID: 6693 at ./include/net/sock.h:1711 sock_owned_by_me include/net/sock.h:1711 [inline]\n  WARNING: CPU: 0 PID: 6693 at ./include/net/sock.h:1711 msk_owned_by_me net/mptcp/protocol.h:363 [inline]\n  WARNING: CPU: 0 PID: 6693 at ./include/net/sock.h:1711 mptcp_pm_nl_addr_send_ack+0x57c/0x610 net/mptcp/pm_netlink.c:788\n  Modules linked in:\n  CPU: 0 UID: 0 PID: 6693 Comm: syz.0.205 Not tainted 6.14.0-rc2-syzkaller-00303-gad1b832bf1cf #0\n  Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024\n  RIP: 0010:sock_owned_by_me include/net/sock.h:1711 [inline]\n  RIP: 0010:msk_owned_by_me net/mptcp/protocol.h:363 [inline]\n  RIP: 0010:mptcp_pm_nl_addr_send_ack+0x57c/0x610 net/mptcp/pm_netlink.c:788\n  Code: 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc e8 ca 7b d3 f5 eb b9 e8 c3 7b d3 f5 90 0f 0b 90 e9 dd fb ff ff e8 b5 7b d3 f5 90 \u003c0f\u003e 0b 90 e9 3e fb ff ff 44 89 f1 80 e1 07 38 c1 0f 8c eb fb ff ff\n  RSP: 0000:ffffc900034f6f60 EFLAGS: 00010283\n  RAX: ffffffff8bee3c2b RBX: 0000000000000001 RCX: 0000000000080000\n  RDX: ffffc90004d42000 RSI: 000000000000a407 RDI: 000000000000a408\n  RBP: ffffc900034f7030 R08: ffffffff8bee37f6 R09: 0100000000000000\n  R10: dffffc0000000000 R11: ffffed100bcc62e4 R12: ffff88805e6316e0\n  R13: ffff88805e630c00 R14: dffffc0000000000 R15: ffff88805e630c00\n  FS:  00007f7e9a7e96c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 0000001b2fd18ff8 CR3: 0000000032c24000 CR4: 00000000003526f0\n  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n  Call Trace:\n   \u003cTASK\u003e\n   mptcp_pm_remove_addr+0x103/0x1d0 net/mptcp/pm.c:59\n   mptcp_pm_remove_anno_addr+0x1f4/0x2f0 net/mptcp/pm_netlink.c:1486\n   mptcp_nl_remove_subflow_and_signal_addr net/mptcp/pm_netlink.c:1518 [inline]\n   mptcp_pm_nl_del_addr_doit+0x118d/0x1af0 net/mptcp/pm_netlink.c:1629\n   genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline]\n   genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]\n   genl_rcv_msg+0xb1f/0xec0 net/netlink/genetlink.c:1210\n   netlink_rcv_skb+0x206/0x480 net/netlink/af_netlink.c:2543\n   genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219\n   netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline]\n   netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1348\n   netlink_sendmsg+0x8de/0xcb0 net/netlink/af_netlink.c:1892\n   sock_sendmsg_nosec net/socket.c:718 [inline]\n   __sock_sendmsg+0x221/0x270 net/socket.c:733\n   ____sys_sendmsg+0x53a/0x860 net/socket.c:2573\n   ___sys_sendmsg net/socket.c:2627 [inline]\n   __sys_sendmsg+0x269/0x350 net/socket.c:2659\n   do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n   do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\n  RIP: 0033:0x7f7e9998cde9\n  Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\n  RSP: 002b:00007f7e9a7e9038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\n  RAX: ffffffffffffffda RBX: 00007f7e99ba5fa0 RCX: 00007f7e9998cde9\n  RDX: 000000002000c094 RSI: 0000400000000000 RDI: 0000000000000007\n  RBP: 00007f7e99a0e2a0 R08: 0000000000000000 R09: 0000000000000000\n  R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\n  R13: 0000000000000000 R14: 00007f7e99ba5fa0 R15: 00007fff49231088\n\nIndeed the PM can try to send a RM_ADDR over a msk without acquiring\nfirst the msk socket lock.\n\nThe bugged code-path comes from an early optimization: when there\nare no subflows, the PM should (usually) not send RM_ADDR\nnotifications.\n\nThe above statement is incorrect, as without locks another process\ncould concur\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:23:01.132Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/494ec285535632732eaa5786297a9ae4f731b5ff"
        },
        {
          "url": "https://git.kernel.org/stable/c/7cca31035c05819643ffb5d7518e9a331b3f6651"
        },
        {
          "url": "https://git.kernel.org/stable/c/8116fb4acd5d3f06cd37f84887dbe962b6703b1c"
        },
        {
          "url": "https://git.kernel.org/stable/c/a05da2be18aae7e82572f8d795f41bb49f5dfc7d"
        },
        {
          "url": "https://git.kernel.org/stable/c/4124b782ec2b1e2e490cf0bbf10f53dfd3479890"
        },
        {
          "url": "https://git.kernel.org/stable/c/2c3de6dff4373f1036e003f49a32629359530bdb"
        },
        {
          "url": "https://git.kernel.org/stable/c/f865c24bc55158313d5779fc81116023a6940ca3"
        }
      ],
      "title": "mptcp: always handle address removal under msk socket lock",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21875",
    "datePublished": "2025-03-27T14:57:06.154Z",
    "dateReserved": "2024-12-29T08:45:45.781Z",
    "dateUpdated": "2025-11-03T19:38:31.794Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38048 (GCVE-0-2025-38048)

Vulnerability from cvelistv5 – Published: 2025-06-18 09:33 – Updated: 2026-01-02 15:29

Title

virtio_ring: Fix data race by tagging event_triggered as racy for KCSAN

Summary

In the Linux kernel, the following vulnerability has been resolved: virtio_ring: Fix data race by tagging event_triggered as racy for KCSAN syzbot reports a data-race when accessing the event_triggered, here is the simplified stack when the issue occurred: ================================================================== BUG: KCSAN: data-race in virtqueue_disable_cb / virtqueue_enable_cb_delayed write to 0xffff8881025bc452 of 1 bytes by task 3288 on cpu 0: virtqueue_enable_cb_delayed+0x42/0x3c0 drivers/virtio/virtio_ring.c:2653 start_xmit+0x230/0x1310 drivers/net/virtio_net.c:3264 __netdev_start_xmit include/linux/netdevice.h:5151 [inline] netdev_start_xmit include/linux/netdevice.h:5160 [inline] xmit_one net/core/dev.c:3800 [inline] read to 0xffff8881025bc452 of 1 bytes by interrupt on cpu 1: virtqueue_disable_cb_split drivers/virtio/virtio_ring.c:880 [inline] virtqueue_disable_cb+0x92/0x180 drivers/virtio/virtio_ring.c:2566 skb_xmit_done+0x5f/0x140 drivers/net/virtio_net.c:777 vring_interrupt+0x161/0x190 drivers/virtio/virtio_ring.c:2715 __handle_irq_event_percpu+0x95/0x490 kernel/irq/handle.c:158 handle_irq_event_percpu kernel/irq/handle.c:193 [inline] value changed: 0x01 -> 0x00 ================================================================== When the data race occurs, the function virtqueue_enable_cb_delayed() sets event_triggered to false, and virtqueue_disable_cb_split/packed() reads it as false due to the race condition. Since event_triggered is an unreliable hint used for optimization, this should only cause the driver temporarily suggest that the device not send an interrupt notification when the event index is used. Fix this KCSAN reported data-race issue by explicitly tagging the access as data_racy.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/02d2d6caee3abc933…
	https://git.kernel.org/stable/c/b6d6419548286b2b9…
	https://git.kernel.org/stable/c/b49b5132e4c730759…
	https://git.kernel.org/stable/c/b730cb109633c455c…
	https://git.kernel.org/stable/c/4ed8f0e808b3fcc71…
	https://git.kernel.org/stable/c/2e2f925fe737576df…

Impacted products

Vendor

Product

Version

Linux

Affected: 8d622d21d24803408b256d96463eac4574dcf067 , < 02d2d6caee3abc9335cfca35f8eb4492173ae6f2 (git)
Affected: 8d622d21d24803408b256d96463eac4574dcf067 , < b6d6419548286b2b9d2b90df824d3cab797f6ae8 (git)
Affected: 8d622d21d24803408b256d96463eac4574dcf067 , < b49b5132e4c7307599492aee1cdc6d89f7f2a7da (git)
Affected: 8d622d21d24803408b256d96463eac4574dcf067 , < b730cb109633c455ce8a7cd6934986c6a16d88d8 (git)
Affected: 8d622d21d24803408b256d96463eac4574dcf067 , < 4ed8f0e808b3fcc71c5b8be7902d8738ed595b17 (git)
Affected: 8d622d21d24803408b256d96463eac4574dcf067 , < 2e2f925fe737576df2373931c95e1a2b66efdfef (git)

Linux

Affected: 5.14
Unaffected: 0 , < 5.14 (semver)
Unaffected: 5.15.185 , ≤ 5.15.* (semver)
Unaffected: 6.1.141 , ≤ 6.1.* (semver)
Unaffected: 6.6.93 , ≤ 6.6.* (semver)
Unaffected: 6.12.31 , ≤ 6.12.* (semver)
Unaffected: 6.14.9 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:33:21.278Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/virtio/virtio_ring.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "02d2d6caee3abc9335cfca35f8eb4492173ae6f2",
              "status": "affected",
              "version": "8d622d21d24803408b256d96463eac4574dcf067",
              "versionType": "git"
            },
            {
              "lessThan": "b6d6419548286b2b9d2b90df824d3cab797f6ae8",
              "status": "affected",
              "version": "8d622d21d24803408b256d96463eac4574dcf067",
              "versionType": "git"
            },
            {
              "lessThan": "b49b5132e4c7307599492aee1cdc6d89f7f2a7da",
              "status": "affected",
              "version": "8d622d21d24803408b256d96463eac4574dcf067",
              "versionType": "git"
            },
            {
              "lessThan": "b730cb109633c455ce8a7cd6934986c6a16d88d8",
              "status": "affected",
              "version": "8d622d21d24803408b256d96463eac4574dcf067",
              "versionType": "git"
            },
            {
              "lessThan": "4ed8f0e808b3fcc71c5b8be7902d8738ed595b17",
              "status": "affected",
              "version": "8d622d21d24803408b256d96463eac4574dcf067",
              "versionType": "git"
            },
            {
              "lessThan": "2e2f925fe737576df2373931c95e1a2b66efdfef",
              "status": "affected",
              "version": "8d622d21d24803408b256d96463eac4574dcf067",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/virtio/virtio_ring.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.14"
            },
            {
              "lessThan": "5.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.185",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.141",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.93",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.31",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.185",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.141",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.93",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.31",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.9",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio_ring: Fix data race by tagging event_triggered as racy for KCSAN\n\nsyzbot reports a data-race when accessing the event_triggered, here is the\nsimplified stack when the issue occurred:\n\n==================================================================\nBUG: KCSAN: data-race in virtqueue_disable_cb / virtqueue_enable_cb_delayed\n\nwrite to 0xffff8881025bc452 of 1 bytes by task 3288 on cpu 0:\n virtqueue_enable_cb_delayed+0x42/0x3c0 drivers/virtio/virtio_ring.c:2653\n start_xmit+0x230/0x1310 drivers/net/virtio_net.c:3264\n __netdev_start_xmit include/linux/netdevice.h:5151 [inline]\n netdev_start_xmit include/linux/netdevice.h:5160 [inline]\n xmit_one net/core/dev.c:3800 [inline]\n\nread to 0xffff8881025bc452 of 1 bytes by interrupt on cpu 1:\n virtqueue_disable_cb_split drivers/virtio/virtio_ring.c:880 [inline]\n virtqueue_disable_cb+0x92/0x180 drivers/virtio/virtio_ring.c:2566\n skb_xmit_done+0x5f/0x140 drivers/net/virtio_net.c:777\n vring_interrupt+0x161/0x190 drivers/virtio/virtio_ring.c:2715\n __handle_irq_event_percpu+0x95/0x490 kernel/irq/handle.c:158\n handle_irq_event_percpu kernel/irq/handle.c:193 [inline]\n\nvalue changed: 0x01 -\u003e 0x00\n==================================================================\n\nWhen the data race occurs, the function virtqueue_enable_cb_delayed() sets\nevent_triggered to false, and virtqueue_disable_cb_split/packed() reads it\nas false due to the race condition. Since event_triggered is an unreliable\nhint used for optimization, this should only cause the driver temporarily\nsuggest that the device not send an interrupt notification when the event\nindex is used.\n\nFix this KCSAN reported data-race issue by explicitly tagging the access as\ndata_racy."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:29:48.041Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/02d2d6caee3abc9335cfca35f8eb4492173ae6f2"
        },
        {
          "url": "https://git.kernel.org/stable/c/b6d6419548286b2b9d2b90df824d3cab797f6ae8"
        },
        {
          "url": "https://git.kernel.org/stable/c/b49b5132e4c7307599492aee1cdc6d89f7f2a7da"
        },
        {
          "url": "https://git.kernel.org/stable/c/b730cb109633c455ce8a7cd6934986c6a16d88d8"
        },
        {
          "url": "https://git.kernel.org/stable/c/4ed8f0e808b3fcc71c5b8be7902d8738ed595b17"
        },
        {
          "url": "https://git.kernel.org/stable/c/2e2f925fe737576df2373931c95e1a2b66efdfef"
        }
      ],
      "title": "virtio_ring: Fix data race by tagging event_triggered as racy for KCSAN",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38048",
    "datePublished": "2025-06-18T09:33:31.413Z",
    "dateReserved": "2025-04-16T04:51:23.979Z",
    "dateUpdated": "2026-01-02T15:29:48.041Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21962 (GCVE-0-2025-21962)

Vulnerability from cvelistv5 – Published: 2025-04-01 15:46 – Updated: 2025-11-03 19:40

Title

cifs: Fix integer overflow while processing closetimeo mount option

Summary

In the Linux kernel, the following vulnerability has been resolved: cifs: Fix integer overflow while processing closetimeo mount option User-provided mount parameter closetimeo of type u32 is intended to have an upper limit, but before it is validated, the value is converted from seconds to jiffies which can lead to an integer overflow. Found by Linux Verification Center (linuxtesting.org) with SVACE.

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-190 - Integer Overflow or Wraparound

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/513f6cf2e906a504b…
	https://git.kernel.org/stable/c/9968fcf02cf6b0f78…
	https://git.kernel.org/stable/c/6c13fcb7cf59ae659…
	https://git.kernel.org/stable/c/1c46673be93dd2954…
	https://git.kernel.org/stable/c/b24edd5c191c2689c…
	https://git.kernel.org/stable/c/d5a30fddfe2f2e540…

Impacted products

Vendor

Product

Version

Linux

Affected: 1d9cad9c5873097ea141ffc5da1e7921ce765aa8 , < 513f6cf2e906a504b7ab0b62b2eea993a6f64558 (git)
Affected: 5efdd9122eff772eae2feae9f0fc0ec02d4846a3 , < 9968fcf02cf6b0f78fbacf3f63e782162603855a (git)
Affected: 5efdd9122eff772eae2feae9f0fc0ec02d4846a3 , < 6c13fcb7cf59ae65940da1dfea80144e42921e53 (git)
Affected: 5efdd9122eff772eae2feae9f0fc0ec02d4846a3 , < 1c46673be93dd2954f44fe370fb4f2b8e6214224 (git)
Affected: 5efdd9122eff772eae2feae9f0fc0ec02d4846a3 , < b24edd5c191c2689c59d0509f0903f9487eb6317 (git)
Affected: 5efdd9122eff772eae2feae9f0fc0ec02d4846a3 , < d5a30fddfe2f2e540f6c43b59cf701809995faef (git)

Linux

Affected: 6.0
Unaffected: 0 , < 6.0 (semver)
Unaffected: 5.15.180 , ≤ 5.15.* (semver)
Unaffected: 6.1.132 , ≤ 6.1.* (semver)
Unaffected: 6.6.84 , ≤ 6.6.* (semver)
Unaffected: 6.12.20 , ≤ 6.12.* (semver)
Unaffected: 6.13.8 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21962",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:22:06.495160Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-190",
                "description": "CWE-190 Integer Overflow or Wraparound",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T19:26:32.531Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:40:04.218Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/client/fs_context.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "513f6cf2e906a504b7ab0b62b2eea993a6f64558",
              "status": "affected",
              "version": "1d9cad9c5873097ea141ffc5da1e7921ce765aa8",
              "versionType": "git"
            },
            {
              "lessThan": "9968fcf02cf6b0f78fbacf3f63e782162603855a",
              "status": "affected",
              "version": "5efdd9122eff772eae2feae9f0fc0ec02d4846a3",
              "versionType": "git"
            },
            {
              "lessThan": "6c13fcb7cf59ae65940da1dfea80144e42921e53",
              "status": "affected",
              "version": "5efdd9122eff772eae2feae9f0fc0ec02d4846a3",
              "versionType": "git"
            },
            {
              "lessThan": "1c46673be93dd2954f44fe370fb4f2b8e6214224",
              "status": "affected",
              "version": "5efdd9122eff772eae2feae9f0fc0ec02d4846a3",
              "versionType": "git"
            },
            {
              "lessThan": "b24edd5c191c2689c59d0509f0903f9487eb6317",
              "status": "affected",
              "version": "5efdd9122eff772eae2feae9f0fc0ec02d4846a3",
              "versionType": "git"
            },
            {
              "lessThan": "d5a30fddfe2f2e540f6c43b59cf701809995faef",
              "status": "affected",
              "version": "5efdd9122eff772eae2feae9f0fc0ec02d4846a3",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/client/fs_context.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.0"
            },
            {
              "lessThan": "6.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.180",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.132",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.84",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.20",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.180",
                  "versionStartIncluding": "5.15.107",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.132",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.84",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.20",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.8",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: Fix integer overflow while processing closetimeo mount option\n\nUser-provided mount parameter closetimeo of type u32 is intended to have\nan upper limit, but before it is validated, the value is converted from\nseconds to jiffies which can lead to an integer overflow.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:25:51.487Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/513f6cf2e906a504b7ab0b62b2eea993a6f64558"
        },
        {
          "url": "https://git.kernel.org/stable/c/9968fcf02cf6b0f78fbacf3f63e782162603855a"
        },
        {
          "url": "https://git.kernel.org/stable/c/6c13fcb7cf59ae65940da1dfea80144e42921e53"
        },
        {
          "url": "https://git.kernel.org/stable/c/1c46673be93dd2954f44fe370fb4f2b8e6214224"
        },
        {
          "url": "https://git.kernel.org/stable/c/b24edd5c191c2689c59d0509f0903f9487eb6317"
        },
        {
          "url": "https://git.kernel.org/stable/c/d5a30fddfe2f2e540f6c43b59cf701809995faef"
        }
      ],
      "title": "cifs: Fix integer overflow while processing closetimeo mount option",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21962",
    "datePublished": "2025-04-01T15:46:59.285Z",
    "dateReserved": "2024-12-29T08:45:45.795Z",
    "dateUpdated": "2025-11-03T19:40:04.218Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21894 (GCVE-0-2025-21894)

Vulnerability from cvelistv5 – Published: 2025-04-01 15:26 – Updated: 2025-05-04 07:23

Title

net: enetc: VFs do not support HWTSTAMP_TX_ONESTEP_SYNC

Summary

In the Linux kernel, the following vulnerability has been resolved: net: enetc: VFs do not support HWTSTAMP_TX_ONESTEP_SYNC Actually ENETC VFs do not support HWTSTAMP_TX_ONESTEP_SYNC because only ENETC PF can access PMa_SINGLE_STEP registers. And there will be a crash if VFs are used to test one-step timestamp, the crash log as follows. [ 129.110909] Unable to handle kernel paging request at virtual address 00000000000080c0 [ 129.287769] Call trace: [ 129.290219] enetc_port_mac_wr+0x30/0xec (P) [ 129.294504] enetc_start_xmit+0xda4/0xe74 [ 129.298525] enetc_xmit+0x70/0xec [ 129.301848] dev_hard_start_xmit+0x98/0x118

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/1748531839298ab7b…
	https://git.kernel.org/stable/c/3d963421112170056…
	https://git.kernel.org/stable/c/8c393efd7420cc994…
	https://git.kernel.org/stable/c/a562d0c4a893eae3e…

Impacted products

Vendor

Product

Version

Linux

Affected: 41514737ecaa603a5127cdccdc5f17ef11b9b3dc , < 1748531839298ab7be682155f6cd98ae04773e6a (git)
Affected: 41514737ecaa603a5127cdccdc5f17ef11b9b3dc , < 3d9634211121700568d0e3635ebdd5df06d20440 (git)
Affected: 41514737ecaa603a5127cdccdc5f17ef11b9b3dc , < 8c393efd7420cc994864d059fcc6219bfd7cb840 (git)
Affected: 41514737ecaa603a5127cdccdc5f17ef11b9b3dc , < a562d0c4a893eae3ea51d512c4d90ab858a6b7ec (git)

Linux

Affected: 5.3
Unaffected: 0 , < 5.3 (semver)
Unaffected: 6.6.83 , ≤ 6.6.* (semver)
Unaffected: 6.12.18 , ≤ 6.12.* (semver)
Unaffected: 6.13.6 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/freescale/enetc/enetc.c",
            "drivers/net/ethernet/freescale/enetc/enetc_ethtool.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1748531839298ab7be682155f6cd98ae04773e6a",
              "status": "affected",
              "version": "41514737ecaa603a5127cdccdc5f17ef11b9b3dc",
              "versionType": "git"
            },
            {
              "lessThan": "3d9634211121700568d0e3635ebdd5df06d20440",
              "status": "affected",
              "version": "41514737ecaa603a5127cdccdc5f17ef11b9b3dc",
              "versionType": "git"
            },
            {
              "lessThan": "8c393efd7420cc994864d059fcc6219bfd7cb840",
              "status": "affected",
              "version": "41514737ecaa603a5127cdccdc5f17ef11b9b3dc",
              "versionType": "git"
            },
            {
              "lessThan": "a562d0c4a893eae3ea51d512c4d90ab858a6b7ec",
              "status": "affected",
              "version": "41514737ecaa603a5127cdccdc5f17ef11b9b3dc",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/freescale/enetc/enetc.c",
            "drivers/net/ethernet/freescale/enetc/enetc_ethtool.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.3"
            },
            {
              "lessThan": "5.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.83",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.18",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.83",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.18",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.6",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: enetc: VFs do not support HWTSTAMP_TX_ONESTEP_SYNC\n\nActually ENETC VFs do not support HWTSTAMP_TX_ONESTEP_SYNC because only\nENETC PF can access PMa_SINGLE_STEP registers. And there will be a crash\nif VFs are used to test one-step timestamp, the crash log as follows.\n\n[  129.110909] Unable to handle kernel paging request at virtual address 00000000000080c0\n[  129.287769] Call trace:\n[  129.290219]  enetc_port_mac_wr+0x30/0xec (P)\n[  129.294504]  enetc_start_xmit+0xda4/0xe74\n[  129.298525]  enetc_xmit+0x70/0xec\n[  129.301848]  dev_hard_start_xmit+0x98/0x118"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:23:41.483Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1748531839298ab7be682155f6cd98ae04773e6a"
        },
        {
          "url": "https://git.kernel.org/stable/c/3d9634211121700568d0e3635ebdd5df06d20440"
        },
        {
          "url": "https://git.kernel.org/stable/c/8c393efd7420cc994864d059fcc6219bfd7cb840"
        },
        {
          "url": "https://git.kernel.org/stable/c/a562d0c4a893eae3ea51d512c4d90ab858a6b7ec"
        }
      ],
      "title": "net: enetc: VFs do not support HWTSTAMP_TX_ONESTEP_SYNC",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21894",
    "datePublished": "2025-04-01T15:26:47.980Z",
    "dateReserved": "2024-12-29T08:45:45.783Z",
    "dateUpdated": "2025-05-04T07:23:41.483Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21966 (GCVE-0-2025-21966)

Vulnerability from cvelistv5 – Published: 2025-04-01 15:47 – Updated: 2025-10-01 18:16

Title

dm-flakey: Fix memory corruption in optional corrupt_bio_byte feature

Summary

In the Linux kernel, the following vulnerability has been resolved: dm-flakey: Fix memory corruption in optional corrupt_bio_byte feature Fix memory corruption due to incorrect parameter being passed to bio_init

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-787 - Out-of-bounds Write

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/818330f756f3800c3…
	https://git.kernel.org/stable/c/5a87e46da2418c57b…
	https://git.kernel.org/stable/c/da070843e153471be…
	https://git.kernel.org/stable/c/57e9417f69839cb10…

Impacted products

Vendor

Product

Version

Linux

Affected: 1d9a943898533e83f20370c0e1448d606627522e , < 818330f756f3800c37d738bd36bce60eac949938 (git)
Affected: 1d9a943898533e83f20370c0e1448d606627522e , < 5a87e46da2418c57b445371f5ca0958d5779ba5f (git)
Affected: 1d9a943898533e83f20370c0e1448d606627522e , < da070843e153471be4297a12fdaa64023276f40e (git)
Affected: 1d9a943898533e83f20370c0e1448d606627522e , < 57e9417f69839cb10f7ffca684c38acd28ceb57b (git)

Linux

Affected: 6.5
Unaffected: 0 , < 6.5 (semver)
Unaffected: 6.6.84 , ≤ 6.6.* (semver)
Unaffected: 6.12.20 , ≤ 6.12.* (semver)
Unaffected: 6.13.8 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21966",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T18:16:20.613850Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-787",
                "description": "CWE-787 Out-of-bounds Write",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T18:16:24.672Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/md/dm-flakey.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "818330f756f3800c37d738bd36bce60eac949938",
              "status": "affected",
              "version": "1d9a943898533e83f20370c0e1448d606627522e",
              "versionType": "git"
            },
            {
              "lessThan": "5a87e46da2418c57b445371f5ca0958d5779ba5f",
              "status": "affected",
              "version": "1d9a943898533e83f20370c0e1448d606627522e",
              "versionType": "git"
            },
            {
              "lessThan": "da070843e153471be4297a12fdaa64023276f40e",
              "status": "affected",
              "version": "1d9a943898533e83f20370c0e1448d606627522e",
              "versionType": "git"
            },
            {
              "lessThan": "57e9417f69839cb10f7ffca684c38acd28ceb57b",
              "status": "affected",
              "version": "1d9a943898533e83f20370c0e1448d606627522e",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/md/dm-flakey.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.5"
            },
            {
              "lessThan": "6.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.84",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.20",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.84",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.20",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.8",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm-flakey: Fix memory corruption in optional corrupt_bio_byte feature\n\nFix memory corruption due to incorrect parameter being passed to bio_init"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:25:56.882Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/818330f756f3800c37d738bd36bce60eac949938"
        },
        {
          "url": "https://git.kernel.org/stable/c/5a87e46da2418c57b445371f5ca0958d5779ba5f"
        },
        {
          "url": "https://git.kernel.org/stable/c/da070843e153471be4297a12fdaa64023276f40e"
        },
        {
          "url": "https://git.kernel.org/stable/c/57e9417f69839cb10f7ffca684c38acd28ceb57b"
        }
      ],
      "title": "dm-flakey: Fix memory corruption in optional corrupt_bio_byte feature",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21966",
    "datePublished": "2025-04-01T15:47:01.836Z",
    "dateReserved": "2024-12-29T08:45:45.796Z",
    "dateUpdated": "2025-10-01T18:16:24.672Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38328 (GCVE-0-2025-38328)

Vulnerability from cvelistv5 – Published: 2025-07-10 08:15 – Updated: 2025-11-03 17:36

Title

jffs2: check jffs2_prealloc_raw_node_refs() result in few other places

Summary

In the Linux kernel, the following vulnerability has been resolved: jffs2: check jffs2_prealloc_raw_node_refs() result in few other places Fuzzing hit another invalid pointer dereference due to the lack of checking whether jffs2_prealloc_raw_node_refs() completed successfully. Subsequent logic implies that the node refs have been allocated. Handle that. The code is ready for propagating the error upwards. KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] CPU: 1 PID: 5835 Comm: syz-executor145 Not tainted 5.10.234-syzkaller #0 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 RIP: 0010:jffs2_link_node_ref+0xac/0x690 fs/jffs2/nodelist.c:600 Call Trace: jffs2_mark_erased_block fs/jffs2/erase.c:460 [inline] jffs2_erase_pending_blocks+0x688/0x1860 fs/jffs2/erase.c:118 jffs2_garbage_collect_pass+0x638/0x1a00 fs/jffs2/gc.c:253 jffs2_reserve_space+0x3f4/0xad0 fs/jffs2/nodemgmt.c:167 jffs2_write_inode_range+0x246/0xb50 fs/jffs2/write.c:362 jffs2_write_end+0x712/0x1110 fs/jffs2/file.c:302 generic_perform_write+0x2c2/0x500 mm/filemap.c:3347 __generic_file_write_iter+0x252/0x610 mm/filemap.c:3465 generic_file_write_iter+0xdb/0x230 mm/filemap.c:3497 call_write_iter include/linux/fs.h:2039 [inline] do_iter_readv_writev+0x46d/0x750 fs/read_write.c:740 do_iter_write+0x18c/0x710 fs/read_write.c:866 vfs_writev+0x1db/0x6a0 fs/read_write.c:939 do_pwritev fs/read_write.c:1036 [inline] __do_sys_pwritev fs/read_write.c:1083 [inline] __se_sys_pwritev fs/read_write.c:1078 [inline] __x64_sys_pwritev+0x235/0x310 fs/read_write.c:1078 do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x67/0xd1 Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/7e860296d7808de1d…
	https://git.kernel.org/stable/c/d96e6451a8d0fe624…
	https://git.kernel.org/stable/c/f41c625328777f9ad…
	https://git.kernel.org/stable/c/38d767fb4a7766ec2…
	https://git.kernel.org/stable/c/cd42ddddd70abc712…
	https://git.kernel.org/stable/c/d1b81776f337a9b99…
	https://git.kernel.org/stable/c/042fa922c84b50804…
	https://git.kernel.org/stable/c/2b6d96503255a3ed6…

Impacted products

Vendor

Product

Version

Linux

Affected: 2f785402f39b96a077b6e62bf26164bfb8e0c980 , < 7e860296d7808de1db175c1eda29f94a2955dcc4 (git)
Affected: 2f785402f39b96a077b6e62bf26164bfb8e0c980 , < d96e6451a8d0fe62492d4cc942d695772293c05a (git)
Affected: 2f785402f39b96a077b6e62bf26164bfb8e0c980 , < f41c625328777f9ad572901ba0b0065bb9c9c1da (git)
Affected: 2f785402f39b96a077b6e62bf26164bfb8e0c980 , < 38d767fb4a7766ec2058f97787e4c6e8d10343d6 (git)
Affected: 2f785402f39b96a077b6e62bf26164bfb8e0c980 , < cd42ddddd70abc7127c12b96c8c85dbd080ea56f (git)
Affected: 2f785402f39b96a077b6e62bf26164bfb8e0c980 , < d1b81776f337a9b997f797c70ac0a26d838a2168 (git)
Affected: 2f785402f39b96a077b6e62bf26164bfb8e0c980 , < 042fa922c84b5080401bcd8897d4ac4919d15075 (git)
Affected: 2f785402f39b96a077b6e62bf26164bfb8e0c980 , < 2b6d96503255a3ed676cd70f8368870c6d6a25c6 (git)

Linux

Affected: 2.6.18
Unaffected: 0 , < 2.6.18 (semver)
Unaffected: 5.4.295 , ≤ 5.4.* (semver)
Unaffected: 5.10.239 , ≤ 5.10.* (semver)
Unaffected: 5.15.186 , ≤ 5.15.* (semver)
Unaffected: 6.1.142 , ≤ 6.1.* (semver)
Unaffected: 6.6.95 , ≤ 6.6.* (semver)
Unaffected: 6.12.35 , ≤ 6.12.* (semver)
Unaffected: 6.15.4 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:36:39.057Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/jffs2/erase.c",
            "fs/jffs2/scan.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "7e860296d7808de1db175c1eda29f94a2955dcc4",
              "status": "affected",
              "version": "2f785402f39b96a077b6e62bf26164bfb8e0c980",
              "versionType": "git"
            },
            {
              "lessThan": "d96e6451a8d0fe62492d4cc942d695772293c05a",
              "status": "affected",
              "version": "2f785402f39b96a077b6e62bf26164bfb8e0c980",
              "versionType": "git"
            },
            {
              "lessThan": "f41c625328777f9ad572901ba0b0065bb9c9c1da",
              "status": "affected",
              "version": "2f785402f39b96a077b6e62bf26164bfb8e0c980",
              "versionType": "git"
            },
            {
              "lessThan": "38d767fb4a7766ec2058f97787e4c6e8d10343d6",
              "status": "affected",
              "version": "2f785402f39b96a077b6e62bf26164bfb8e0c980",
              "versionType": "git"
            },
            {
              "lessThan": "cd42ddddd70abc7127c12b96c8c85dbd080ea56f",
              "status": "affected",
              "version": "2f785402f39b96a077b6e62bf26164bfb8e0c980",
              "versionType": "git"
            },
            {
              "lessThan": "d1b81776f337a9b997f797c70ac0a26d838a2168",
              "status": "affected",
              "version": "2f785402f39b96a077b6e62bf26164bfb8e0c980",
              "versionType": "git"
            },
            {
              "lessThan": "042fa922c84b5080401bcd8897d4ac4919d15075",
              "status": "affected",
              "version": "2f785402f39b96a077b6e62bf26164bfb8e0c980",
              "versionType": "git"
            },
            {
              "lessThan": "2b6d96503255a3ed676cd70f8368870c6d6a25c6",
              "status": "affected",
              "version": "2f785402f39b96a077b6e62bf26164bfb8e0c980",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/jffs2/erase.c",
            "fs/jffs2/scan.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.18"
            },
            {
              "lessThan": "2.6.18",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.295",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.95",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.35",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.295",
                  "versionStartIncluding": "2.6.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "2.6.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "2.6.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "2.6.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.95",
                  "versionStartIncluding": "2.6.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.35",
                  "versionStartIncluding": "2.6.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.4",
                  "versionStartIncluding": "2.6.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "2.6.18",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\njffs2: check jffs2_prealloc_raw_node_refs() result in few other places\n\nFuzzing hit another invalid pointer dereference due to the lack of\nchecking whether jffs2_prealloc_raw_node_refs() completed successfully.\nSubsequent logic implies that the node refs have been allocated.\n\nHandle that. The code is ready for propagating the error upwards.\n\nKASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]\nCPU: 1 PID: 5835 Comm: syz-executor145 Not tainted 5.10.234-syzkaller #0\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014\nRIP: 0010:jffs2_link_node_ref+0xac/0x690 fs/jffs2/nodelist.c:600\nCall Trace:\n jffs2_mark_erased_block fs/jffs2/erase.c:460 [inline]\n jffs2_erase_pending_blocks+0x688/0x1860 fs/jffs2/erase.c:118\n jffs2_garbage_collect_pass+0x638/0x1a00 fs/jffs2/gc.c:253\n jffs2_reserve_space+0x3f4/0xad0 fs/jffs2/nodemgmt.c:167\n jffs2_write_inode_range+0x246/0xb50 fs/jffs2/write.c:362\n jffs2_write_end+0x712/0x1110 fs/jffs2/file.c:302\n generic_perform_write+0x2c2/0x500 mm/filemap.c:3347\n __generic_file_write_iter+0x252/0x610 mm/filemap.c:3465\n generic_file_write_iter+0xdb/0x230 mm/filemap.c:3497\n call_write_iter include/linux/fs.h:2039 [inline]\n do_iter_readv_writev+0x46d/0x750 fs/read_write.c:740\n do_iter_write+0x18c/0x710 fs/read_write.c:866\n vfs_writev+0x1db/0x6a0 fs/read_write.c:939\n do_pwritev fs/read_write.c:1036 [inline]\n __do_sys_pwritev fs/read_write.c:1083 [inline]\n __se_sys_pwritev fs/read_write.c:1078 [inline]\n __x64_sys_pwritev+0x235/0x310 fs/read_write.c:1078\n do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x67/0xd1\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:18:54.303Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/7e860296d7808de1db175c1eda29f94a2955dcc4"
        },
        {
          "url": "https://git.kernel.org/stable/c/d96e6451a8d0fe62492d4cc942d695772293c05a"
        },
        {
          "url": "https://git.kernel.org/stable/c/f41c625328777f9ad572901ba0b0065bb9c9c1da"
        },
        {
          "url": "https://git.kernel.org/stable/c/38d767fb4a7766ec2058f97787e4c6e8d10343d6"
        },
        {
          "url": "https://git.kernel.org/stable/c/cd42ddddd70abc7127c12b96c8c85dbd080ea56f"
        },
        {
          "url": "https://git.kernel.org/stable/c/d1b81776f337a9b997f797c70ac0a26d838a2168"
        },
        {
          "url": "https://git.kernel.org/stable/c/042fa922c84b5080401bcd8897d4ac4919d15075"
        },
        {
          "url": "https://git.kernel.org/stable/c/2b6d96503255a3ed676cd70f8368870c6d6a25c6"
        }
      ],
      "title": "jffs2: check jffs2_prealloc_raw_node_refs() result in few other places",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38328",
    "datePublished": "2025-07-10T08:15:02.296Z",
    "dateReserved": "2025-04-16T04:51:24.004Z",
    "dateUpdated": "2025-11-03T17:36:39.057Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38111 (GCVE-0-2025-38111)

Vulnerability from cvelistv5 – Published: 2025-07-03 08:35 – Updated: 2025-11-03 17:34

Title

net/mdiobus: Fix potential out-of-bounds read/write access

Summary

In the Linux kernel, the following vulnerability has been resolved: net/mdiobus: Fix potential out-of-bounds read/write access When using publicly available tools like 'mdio-tools' to read/write data from/to network interface and its PHY via mdiobus, there is no verification of parameters passed to the ioctl and it accepts any mdio address. Currently there is support for 32 addresses in kernel via PHY_MAX_ADDR define, but it is possible to pass higher value than that via ioctl. While read/write operation should generally fail in this case, mdiobus provides stats array, where wrong address may allow out-of-bounds read/write. Fix that by adding address verification before read/write operation. While this excludes this access from any statistics, it improves security of read/write operation.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/19c5875e26c4ed568…
	https://git.kernel.org/stable/c/014ad9210373d2104…
	https://git.kernel.org/stable/c/73d478234a619f347…
	https://git.kernel.org/stable/c/bab6bca0834cbb5be…
	https://git.kernel.org/stable/c/b02d9d2732483e670…
	https://git.kernel.org/stable/c/049af7ac45a6b4077…
	https://git.kernel.org/stable/c/0e629694126ca3889…

Impacted products

Vendor

Product

Version

Linux

Affected: 080bb352fad00d04995102f681b134e3754bfb6e , < 19c5875e26c4ed5686d82a7d8f7051385461b9eb (git)
Affected: 080bb352fad00d04995102f681b134e3754bfb6e , < 014ad9210373d2104f6ef10e6bb999a7a0a4c50e (git)
Affected: 080bb352fad00d04995102f681b134e3754bfb6e , < 73d478234a619f3476028cb02dee699c30ae8262 (git)
Affected: 080bb352fad00d04995102f681b134e3754bfb6e , < bab6bca0834cbb5be2a7cfe59ec6ad016ec72608 (git)
Affected: 080bb352fad00d04995102f681b134e3754bfb6e , < b02d9d2732483e670bc34cb233d28e1d43b15da4 (git)
Affected: 080bb352fad00d04995102f681b134e3754bfb6e , < 049af7ac45a6b407748ee0995278fd861e36df8f (git)
Affected: 080bb352fad00d04995102f681b134e3754bfb6e , < 0e629694126ca388916f059453a1c36adde219c4 (git)

Linux

Affected: 5.6
Unaffected: 0 , < 5.6 (semver)
Unaffected: 5.10.239 , ≤ 5.10.* (semver)
Unaffected: 5.15.186 , ≤ 5.15.* (semver)
Unaffected: 6.1.142 , ≤ 6.1.* (semver)
Unaffected: 6.6.94 , ≤ 6.6.* (semver)
Unaffected: 6.12.34 , ≤ 6.12.* (semver)
Unaffected: 6.15.3 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:34:13.486Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/phy/mdio_bus.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "19c5875e26c4ed5686d82a7d8f7051385461b9eb",
              "status": "affected",
              "version": "080bb352fad00d04995102f681b134e3754bfb6e",
              "versionType": "git"
            },
            {
              "lessThan": "014ad9210373d2104f6ef10e6bb999a7a0a4c50e",
              "status": "affected",
              "version": "080bb352fad00d04995102f681b134e3754bfb6e",
              "versionType": "git"
            },
            {
              "lessThan": "73d478234a619f3476028cb02dee699c30ae8262",
              "status": "affected",
              "version": "080bb352fad00d04995102f681b134e3754bfb6e",
              "versionType": "git"
            },
            {
              "lessThan": "bab6bca0834cbb5be2a7cfe59ec6ad016ec72608",
              "status": "affected",
              "version": "080bb352fad00d04995102f681b134e3754bfb6e",
              "versionType": "git"
            },
            {
              "lessThan": "b02d9d2732483e670bc34cb233d28e1d43b15da4",
              "status": "affected",
              "version": "080bb352fad00d04995102f681b134e3754bfb6e",
              "versionType": "git"
            },
            {
              "lessThan": "049af7ac45a6b407748ee0995278fd861e36df8f",
              "status": "affected",
              "version": "080bb352fad00d04995102f681b134e3754bfb6e",
              "versionType": "git"
            },
            {
              "lessThan": "0e629694126ca388916f059453a1c36adde219c4",
              "status": "affected",
              "version": "080bb352fad00d04995102f681b134e3754bfb6e",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/phy/mdio_bus.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.6"
            },
            {
              "lessThan": "5.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.94",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mdiobus: Fix potential out-of-bounds read/write access\n\nWhen using publicly available tools like \u0027mdio-tools\u0027 to read/write data\nfrom/to network interface and its PHY via mdiobus, there is no verification of\nparameters passed to the ioctl and it accepts any mdio address.\nCurrently there is support for 32 addresses in kernel via PHY_MAX_ADDR define,\nbut it is possible to pass higher value than that via ioctl.\nWhile read/write operation should generally fail in this case,\nmdiobus provides stats array, where wrong address may allow out-of-bounds\nread/write.\n\nFix that by adding address verification before read/write operation.\nWhile this excludes this access from any statistics, it improves security of\nread/write operation."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:12:27.829Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/19c5875e26c4ed5686d82a7d8f7051385461b9eb"
        },
        {
          "url": "https://git.kernel.org/stable/c/014ad9210373d2104f6ef10e6bb999a7a0a4c50e"
        },
        {
          "url": "https://git.kernel.org/stable/c/73d478234a619f3476028cb02dee699c30ae8262"
        },
        {
          "url": "https://git.kernel.org/stable/c/bab6bca0834cbb5be2a7cfe59ec6ad016ec72608"
        },
        {
          "url": "https://git.kernel.org/stable/c/b02d9d2732483e670bc34cb233d28e1d43b15da4"
        },
        {
          "url": "https://git.kernel.org/stable/c/049af7ac45a6b407748ee0995278fd861e36df8f"
        },
        {
          "url": "https://git.kernel.org/stable/c/0e629694126ca388916f059453a1c36adde219c4"
        }
      ],
      "title": "net/mdiobus: Fix potential out-of-bounds read/write access",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38111",
    "datePublished": "2025-07-03T08:35:20.643Z",
    "dateReserved": "2025-04-16T04:51:23.985Z",
    "dateUpdated": "2025-11-03T17:34:13.486Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-22005 (GCVE-0-2025-22005)

Vulnerability from cvelistv5 – Published: 2025-04-03 07:19 – Updated: 2025-11-03 19:40

Title

ipv6: Fix memleak of nhc_pcpu_rth_output in fib_check_nh_v6_gw().

Summary

In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix memleak of nhc_pcpu_rth_output in fib_check_nh_v6_gw(). fib_check_nh_v6_gw() expects that fib6_nh_init() cleans up everything when it fails. Commit 7dd73168e273 ("ipv6: Always allocate pcpu memory in a fib6_nh") moved fib_nh_common_init() before alloc_percpu_gfp() within fib6_nh_init() but forgot to add cleanup for fib6_nh->nh_common.nhc_pcpu_rth_output in case it fails to allocate fib6_nh->rt6i_pcpu, resulting in memleak. Let's call fib_nh_common_release() and clear nhc_pcpu_rth_output in the error path. Note that we can remove the fib6_nh_release() call in nh_create_ipv6() later in net-next.git.

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-401 - Missing Release of Memory after Effective Lifetime

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/16267a5036173d017…
	https://git.kernel.org/stable/c/1bd12dfc058e1e687…
	https://git.kernel.org/stable/c/596a883c4ce2d2e9c…
	https://git.kernel.org/stable/c/77c41cdbe6bce476e…
	https://git.kernel.org/stable/c/119dcafe36795a15a…
	https://git.kernel.org/stable/c/29d91820184d5cbc7…
	https://git.kernel.org/stable/c/d3d5b4b5ae263c322…
	https://git.kernel.org/stable/c/9740890ee20e01f99…

Impacted products

Vendor

Product

Version

Linux

Affected: 7dd73168e273938b9e9bb42ca51b0c27d807992b , < 16267a5036173d0173377545b4b6021b081d0933 (git)
Affected: 7dd73168e273938b9e9bb42ca51b0c27d807992b , < 1bd12dfc058e1e68759d313d7727d68dbc1b8964 (git)
Affected: 7dd73168e273938b9e9bb42ca51b0c27d807992b , < 596a883c4ce2d2e9c175f25b98fed3a1f33fea38 (git)
Affected: 7dd73168e273938b9e9bb42ca51b0c27d807992b , < 77c41cdbe6bce476e08d3251c0d501feaf10a9f3 (git)
Affected: 7dd73168e273938b9e9bb42ca51b0c27d807992b , < 119dcafe36795a15ae53351cbbd6177aaf94ffef (git)
Affected: 7dd73168e273938b9e9bb42ca51b0c27d807992b , < 29d91820184d5cbc70f3246d4911d96eaeb930d6 (git)
Affected: 7dd73168e273938b9e9bb42ca51b0c27d807992b , < d3d5b4b5ae263c3225db363ba08b937e2e2b0380 (git)
Affected: 7dd73168e273938b9e9bb42ca51b0c27d807992b , < 9740890ee20e01f99ff1dde84c63dcf089fabb98 (git)

Linux

Affected: 5.3
Unaffected: 0 , < 5.3 (semver)
Unaffected: 5.4.292 , ≤ 5.4.* (semver)
Unaffected: 5.10.236 , ≤ 5.10.* (semver)
Unaffected: 5.15.180 , ≤ 5.15.* (semver)
Unaffected: 6.1.132 , ≤ 6.1.* (semver)
Unaffected: 6.6.85 , ≤ 6.6.* (semver)
Unaffected: 6.12.21 , ≤ 6.12.* (semver)
Unaffected: 6.13.9 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-22005",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T17:09:45.806528Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-401",
                "description": "CWE-401 Missing Release of Memory after Effective Lifetime",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T17:09:48.269Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:40:47.614Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/ipv6/route.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "16267a5036173d0173377545b4b6021b081d0933",
              "status": "affected",
              "version": "7dd73168e273938b9e9bb42ca51b0c27d807992b",
              "versionType": "git"
            },
            {
              "lessThan": "1bd12dfc058e1e68759d313d7727d68dbc1b8964",
              "status": "affected",
              "version": "7dd73168e273938b9e9bb42ca51b0c27d807992b",
              "versionType": "git"
            },
            {
              "lessThan": "596a883c4ce2d2e9c175f25b98fed3a1f33fea38",
              "status": "affected",
              "version": "7dd73168e273938b9e9bb42ca51b0c27d807992b",
              "versionType": "git"
            },
            {
              "lessThan": "77c41cdbe6bce476e08d3251c0d501feaf10a9f3",
              "status": "affected",
              "version": "7dd73168e273938b9e9bb42ca51b0c27d807992b",
              "versionType": "git"
            },
            {
              "lessThan": "119dcafe36795a15ae53351cbbd6177aaf94ffef",
              "status": "affected",
              "version": "7dd73168e273938b9e9bb42ca51b0c27d807992b",
              "versionType": "git"
            },
            {
              "lessThan": "29d91820184d5cbc70f3246d4911d96eaeb930d6",
              "status": "affected",
              "version": "7dd73168e273938b9e9bb42ca51b0c27d807992b",
              "versionType": "git"
            },
            {
              "lessThan": "d3d5b4b5ae263c3225db363ba08b937e2e2b0380",
              "status": "affected",
              "version": "7dd73168e273938b9e9bb42ca51b0c27d807992b",
              "versionType": "git"
            },
            {
              "lessThan": "9740890ee20e01f99ff1dde84c63dcf089fabb98",
              "status": "affected",
              "version": "7dd73168e273938b9e9bb42ca51b0c27d807992b",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/ipv6/route.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.3"
            },
            {
              "lessThan": "5.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.292",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.236",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.180",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.132",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.85",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.21",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.292",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.236",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.180",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.132",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.85",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.21",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.9",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: Fix memleak of nhc_pcpu_rth_output in fib_check_nh_v6_gw().\n\nfib_check_nh_v6_gw() expects that fib6_nh_init() cleans up everything\nwhen it fails.\n\nCommit 7dd73168e273 (\"ipv6: Always allocate pcpu memory in a fib6_nh\")\nmoved fib_nh_common_init() before alloc_percpu_gfp() within fib6_nh_init()\nbut forgot to add cleanup for fib6_nh-\u003enh_common.nhc_pcpu_rth_output in\ncase it fails to allocate fib6_nh-\u003ert6i_pcpu, resulting in memleak.\n\nLet\u0027s call fib_nh_common_release() and clear nhc_pcpu_rth_output in the\nerror path.\n\nNote that we can remove the fib6_nh_release() call in nh_create_ipv6()\nlater in net-next.git."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:27:16.458Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/16267a5036173d0173377545b4b6021b081d0933"
        },
        {
          "url": "https://git.kernel.org/stable/c/1bd12dfc058e1e68759d313d7727d68dbc1b8964"
        },
        {
          "url": "https://git.kernel.org/stable/c/596a883c4ce2d2e9c175f25b98fed3a1f33fea38"
        },
        {
          "url": "https://git.kernel.org/stable/c/77c41cdbe6bce476e08d3251c0d501feaf10a9f3"
        },
        {
          "url": "https://git.kernel.org/stable/c/119dcafe36795a15ae53351cbbd6177aaf94ffef"
        },
        {
          "url": "https://git.kernel.org/stable/c/29d91820184d5cbc70f3246d4911d96eaeb930d6"
        },
        {
          "url": "https://git.kernel.org/stable/c/d3d5b4b5ae263c3225db363ba08b937e2e2b0380"
        },
        {
          "url": "https://git.kernel.org/stable/c/9740890ee20e01f99ff1dde84c63dcf089fabb98"
        }
      ],
      "title": "ipv6: Fix memleak of nhc_pcpu_rth_output in fib_check_nh_v6_gw().",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-22005",
    "datePublished": "2025-04-03T07:19:06.716Z",
    "dateReserved": "2024-12-29T08:45:45.803Z",
    "dateUpdated": "2025-11-03T19:40:47.614Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38117 (GCVE-0-2025-38117)

Vulnerability from cvelistv5 – Published: 2025-07-03 08:35 – Updated: 2025-07-28 04:12

Title

Bluetooth: MGMT: Protect mgmt_pending list with its own lock

Summary

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Protect mgmt_pending list with its own lock This uses a mutex to protect from concurrent access of mgmt_pending list which can cause crashes like: ================================================================== BUG: KASAN: slab-use-after-free in hci_sock_get_channel+0x60/0x68 net/bluetooth/hci_sock.c:91 Read of size 2 at addr ffff0000c48885b2 by task syz.4.334/7318 CPU: 0 UID: 0 PID: 7318 Comm: syz.4.334 Not tainted 6.15.0-rc7-syzkaller-g187899f4124a #0 PREEMPT Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 Call trace: show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:466 (C) __dump_stack+0x30/0x40 lib/dump_stack.c:94 dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120 print_address_description+0xa8/0x254 mm/kasan/report.c:408 print_report+0x68/0x84 mm/kasan/report.c:521 kasan_report+0xb0/0x110 mm/kasan/report.c:634 __asan_report_load2_noabort+0x20/0x2c mm/kasan/report_generic.c:379 hci_sock_get_channel+0x60/0x68 net/bluetooth/hci_sock.c:91 mgmt_pending_find+0x7c/0x140 net/bluetooth/mgmt_util.c:223 pending_find net/bluetooth/mgmt.c:947 [inline] remove_adv_monitor+0x44/0x1a4 net/bluetooth/mgmt.c:5445 hci_mgmt_cmd+0x780/0xc00 net/bluetooth/hci_sock.c:1712 hci_sock_sendmsg+0x544/0xbb0 net/bluetooth/hci_sock.c:1832 sock_sendmsg_nosec net/socket.c:712 [inline] __sock_sendmsg net/socket.c:727 [inline] sock_write_iter+0x25c/0x378 net/socket.c:1131 new_sync_write fs/read_write.c:591 [inline] vfs_write+0x62c/0x97c fs/read_write.c:684 ksys_write+0x120/0x210 fs/read_write.c:736 __do_sys_write fs/read_write.c:747 [inline] __se_sys_write fs/read_write.c:744 [inline] __arm64_sys_write+0x7c/0x90 fs/read_write.c:744 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151 el0_svc+0x58/0x17c arch/arm64/kernel/entry-common.c:767 el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600 Allocated by task 7037: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x40/0x78 mm/kasan/common.c:68 kasan_save_alloc_info+0x44/0x54 mm/kasan/generic.c:562 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0x9c/0xb4 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __do_kmalloc_node mm/slub.c:4327 [inline] __kmalloc_noprof+0x2fc/0x4c8 mm/slub.c:4339 kmalloc_noprof include/linux/slab.h:909 [inline] sk_prot_alloc+0xc4/0x1f0 net/core/sock.c:2198 sk_alloc+0x44/0x3ac net/core/sock.c:2254 bt_sock_alloc+0x4c/0x300 net/bluetooth/af_bluetooth.c:148 hci_sock_create+0xa8/0x194 net/bluetooth/hci_sock.c:2202 bt_sock_create+0x14c/0x24c net/bluetooth/af_bluetooth.c:132 __sock_create+0x43c/0x91c net/socket.c:1541 sock_create net/socket.c:1599 [inline] __sys_socket_create net/socket.c:1636 [inline] __sys_socket+0xd4/0x1c0 net/socket.c:1683 __do_sys_socket net/socket.c:1697 [inline] __se_sys_socket net/socket.c:1695 [inline] __arm64_sys_socket+0x7c/0x94 net/socket.c:1695 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151 el0_svc+0x58/0x17c arch/arm64/kernel/entry-common.c:767 el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600 Freed by task 6607: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x40/0x78 mm/kasan/common.c:68 kasan_save_free_info+0x58/0x70 mm/kasan/generic.c:576 poison_slab_object mm/kasan/common.c:247 [inline] __kasan_slab_free+0x68/0x88 mm/kasan/common.c:264 kasan_slab_free include/linux/kasan.h:233 [inline ---truncated---

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/bdd56875c6926d800…
	https://git.kernel.org/stable/c/4e83f2dbb2bf677e6…
	https://git.kernel.org/stable/c/d7882db79135c829a…
	https://git.kernel.org/stable/c/6fe26f694c824b8a4…

Impacted products

Vendor

Product

Version

Linux

Affected: a380b6cff1a2d2139772e88219d08330f84d0381 , < bdd56875c6926d8009914f427df71797693e90d4 (git)
Affected: a380b6cff1a2d2139772e88219d08330f84d0381 , < 4e83f2dbb2bf677e614109df24426c4dded472d4 (git)
Affected: a380b6cff1a2d2139772e88219d08330f84d0381 , < d7882db79135c829a922daf3571f33ea1e056ae3 (git)
Affected: a380b6cff1a2d2139772e88219d08330f84d0381 , < 6fe26f694c824b8a4dbf50c635bee1302e3f099c (git)

Linux

Affected: 4.1
Unaffected: 0 , < 4.1 (semver)
Unaffected: 6.6.94 , ≤ 6.6.* (semver)
Unaffected: 6.12.34 , ≤ 6.12.* (semver)
Unaffected: 6.15.3 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/net/bluetooth/hci_core.h",
            "net/bluetooth/hci_core.c",
            "net/bluetooth/mgmt.c",
            "net/bluetooth/mgmt_util.c",
            "net/bluetooth/mgmt_util.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "bdd56875c6926d8009914f427df71797693e90d4",
              "status": "affected",
              "version": "a380b6cff1a2d2139772e88219d08330f84d0381",
              "versionType": "git"
            },
            {
              "lessThan": "4e83f2dbb2bf677e614109df24426c4dded472d4",
              "status": "affected",
              "version": "a380b6cff1a2d2139772e88219d08330f84d0381",
              "versionType": "git"
            },
            {
              "lessThan": "d7882db79135c829a922daf3571f33ea1e056ae3",
              "status": "affected",
              "version": "a380b6cff1a2d2139772e88219d08330f84d0381",
              "versionType": "git"
            },
            {
              "lessThan": "6fe26f694c824b8a4dbf50c635bee1302e3f099c",
              "status": "affected",
              "version": "a380b6cff1a2d2139772e88219d08330f84d0381",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/net/bluetooth/hci_core.h",
            "net/bluetooth/hci_core.c",
            "net/bluetooth/mgmt.c",
            "net/bluetooth/mgmt_util.c",
            "net/bluetooth/mgmt_util.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.1"
            },
            {
              "lessThan": "4.1",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.94",
                  "versionStartIncluding": "4.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "4.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "4.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "4.1",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: Protect mgmt_pending list with its own lock\n\nThis uses a mutex to protect from concurrent access of mgmt_pending\nlist which can cause crashes like:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in hci_sock_get_channel+0x60/0x68 net/bluetooth/hci_sock.c:91\nRead of size 2 at addr ffff0000c48885b2 by task syz.4.334/7318\n\nCPU: 0 UID: 0 PID: 7318 Comm: syz.4.334 Not tainted 6.15.0-rc7-syzkaller-g187899f4124a #0 PREEMPT\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025\nCall trace:\n show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:466 (C)\n __dump_stack+0x30/0x40 lib/dump_stack.c:94\n dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120\n print_address_description+0xa8/0x254 mm/kasan/report.c:408\n print_report+0x68/0x84 mm/kasan/report.c:521\n kasan_report+0xb0/0x110 mm/kasan/report.c:634\n __asan_report_load2_noabort+0x20/0x2c mm/kasan/report_generic.c:379\n hci_sock_get_channel+0x60/0x68 net/bluetooth/hci_sock.c:91\n mgmt_pending_find+0x7c/0x140 net/bluetooth/mgmt_util.c:223\n pending_find net/bluetooth/mgmt.c:947 [inline]\n remove_adv_monitor+0x44/0x1a4 net/bluetooth/mgmt.c:5445\n hci_mgmt_cmd+0x780/0xc00 net/bluetooth/hci_sock.c:1712\n hci_sock_sendmsg+0x544/0xbb0 net/bluetooth/hci_sock.c:1832\n sock_sendmsg_nosec net/socket.c:712 [inline]\n __sock_sendmsg net/socket.c:727 [inline]\n sock_write_iter+0x25c/0x378 net/socket.c:1131\n new_sync_write fs/read_write.c:591 [inline]\n vfs_write+0x62c/0x97c fs/read_write.c:684\n ksys_write+0x120/0x210 fs/read_write.c:736\n __do_sys_write fs/read_write.c:747 [inline]\n __se_sys_write fs/read_write.c:744 [inline]\n __arm64_sys_write+0x7c/0x90 fs/read_write.c:744\n __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]\n invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49\n el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132\n do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151\n el0_svc+0x58/0x17c arch/arm64/kernel/entry-common.c:767\n el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786\n el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600\n\nAllocated by task 7037:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x40/0x78 mm/kasan/common.c:68\n kasan_save_alloc_info+0x44/0x54 mm/kasan/generic.c:562\n poison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n __kasan_kmalloc+0x9c/0xb4 mm/kasan/common.c:394\n kasan_kmalloc include/linux/kasan.h:260 [inline]\n __do_kmalloc_node mm/slub.c:4327 [inline]\n __kmalloc_noprof+0x2fc/0x4c8 mm/slub.c:4339\n kmalloc_noprof include/linux/slab.h:909 [inline]\n sk_prot_alloc+0xc4/0x1f0 net/core/sock.c:2198\n sk_alloc+0x44/0x3ac net/core/sock.c:2254\n bt_sock_alloc+0x4c/0x300 net/bluetooth/af_bluetooth.c:148\n hci_sock_create+0xa8/0x194 net/bluetooth/hci_sock.c:2202\n bt_sock_create+0x14c/0x24c net/bluetooth/af_bluetooth.c:132\n __sock_create+0x43c/0x91c net/socket.c:1541\n sock_create net/socket.c:1599 [inline]\n __sys_socket_create net/socket.c:1636 [inline]\n __sys_socket+0xd4/0x1c0 net/socket.c:1683\n __do_sys_socket net/socket.c:1697 [inline]\n __se_sys_socket net/socket.c:1695 [inline]\n __arm64_sys_socket+0x7c/0x94 net/socket.c:1695\n __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]\n invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49\n el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132\n do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151\n el0_svc+0x58/0x17c arch/arm64/kernel/entry-common.c:767\n el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786\n el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600\n\nFreed by task 6607:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x40/0x78 mm/kasan/common.c:68\n kasan_save_free_info+0x58/0x70 mm/kasan/generic.c:576\n poison_slab_object mm/kasan/common.c:247 [inline]\n __kasan_slab_free+0x68/0x88 mm/kasan/common.c:264\n kasan_slab_free include/linux/kasan.h:233 [inline\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:12:35.763Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/bdd56875c6926d8009914f427df71797693e90d4"
        },
        {
          "url": "https://git.kernel.org/stable/c/4e83f2dbb2bf677e614109df24426c4dded472d4"
        },
        {
          "url": "https://git.kernel.org/stable/c/d7882db79135c829a922daf3571f33ea1e056ae3"
        },
        {
          "url": "https://git.kernel.org/stable/c/6fe26f694c824b8a4dbf50c635bee1302e3f099c"
        }
      ],
      "title": "Bluetooth: MGMT: Protect mgmt_pending list with its own lock",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38117",
    "datePublished": "2025-07-03T08:35:25.060Z",
    "dateReserved": "2025-04-16T04:51:23.986Z",
    "dateUpdated": "2025-07-28T04:12:35.763Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21935 (GCVE-0-2025-21935)

Vulnerability from cvelistv5 – Published: 2025-04-01 15:41 – Updated: 2025-11-03 19:39

Title

rapidio: add check for rio_add_net() in rio_scan_alloc_net()

Summary

In the Linux kernel, the following vulnerability has been resolved: rapidio: add check for rio_add_net() in rio_scan_alloc_net() The return value of rio_add_net() should be checked. If it fails, put_device() should be called to free the memory and give up the reference initialized in rio_add_net().

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/6d22953c4a183d0b7…
	https://git.kernel.org/stable/c/4f3509cfcc02e9d75…
	https://git.kernel.org/stable/c/181d4daaefb3bceeb…
	https://git.kernel.org/stable/c/ad82be4298a89a9ae…
	https://git.kernel.org/stable/c/e6411c3b9512dba09…
	https://git.kernel.org/stable/c/c332f3e2df0fcae5a…
	https://git.kernel.org/stable/c/a0d069ccc475abaaa…
	https://git.kernel.org/stable/c/e842f9a1edf306bf3…

Impacted products

Vendor

Product

Version

Linux

Affected: e6b585ca6e81badeb3d42db3cc408174f2826034 , < 6d22953c4a183d0b7fdf34d68c5debd16da6edc5 (git)
Affected: e6b585ca6e81badeb3d42db3cc408174f2826034 , < 4f3509cfcc02e9d757f2714bb7dbbeec35de6fa7 (git)
Affected: e6b585ca6e81badeb3d42db3cc408174f2826034 , < 181d4daaefb3bceeb2f2635ba9f3781eeda9e550 (git)
Affected: e6b585ca6e81badeb3d42db3cc408174f2826034 , < ad82be4298a89a9ae46f07128bdf3d8614bce745 (git)
Affected: e6b585ca6e81badeb3d42db3cc408174f2826034 , < e6411c3b9512dba09af7d014d474516828c89706 (git)
Affected: e6b585ca6e81badeb3d42db3cc408174f2826034 , < c332f3e2df0fcae5a45fd55cc18902fb1e4825ca (git)
Affected: e6b585ca6e81badeb3d42db3cc408174f2826034 , < a0d069ccc475abaaa79c6368ee27fc0b5912bea8 (git)
Affected: e6b585ca6e81badeb3d42db3cc408174f2826034 , < e842f9a1edf306bf36fe2a4d847a0b0d458770de (git)

Linux

Affected: 4.6
Unaffected: 0 , < 4.6 (semver)
Unaffected: 5.4.291 , ≤ 5.4.* (semver)
Unaffected: 5.10.235 , ≤ 5.10.* (semver)
Unaffected: 5.15.179 , ≤ 5.15.* (semver)
Unaffected: 6.1.131 , ≤ 6.1.* (semver)
Unaffected: 6.6.83 , ≤ 6.6.* (semver)
Unaffected: 6.12.19 , ≤ 6.12.* (semver)
Unaffected: 6.13.7 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:39:33.438Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/rapidio/rio-scan.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6d22953c4a183d0b7fdf34d68c5debd16da6edc5",
              "status": "affected",
              "version": "e6b585ca6e81badeb3d42db3cc408174f2826034",
              "versionType": "git"
            },
            {
              "lessThan": "4f3509cfcc02e9d757f2714bb7dbbeec35de6fa7",
              "status": "affected",
              "version": "e6b585ca6e81badeb3d42db3cc408174f2826034",
              "versionType": "git"
            },
            {
              "lessThan": "181d4daaefb3bceeb2f2635ba9f3781eeda9e550",
              "status": "affected",
              "version": "e6b585ca6e81badeb3d42db3cc408174f2826034",
              "versionType": "git"
            },
            {
              "lessThan": "ad82be4298a89a9ae46f07128bdf3d8614bce745",
              "status": "affected",
              "version": "e6b585ca6e81badeb3d42db3cc408174f2826034",
              "versionType": "git"
            },
            {
              "lessThan": "e6411c3b9512dba09af7d014d474516828c89706",
              "status": "affected",
              "version": "e6b585ca6e81badeb3d42db3cc408174f2826034",
              "versionType": "git"
            },
            {
              "lessThan": "c332f3e2df0fcae5a45fd55cc18902fb1e4825ca",
              "status": "affected",
              "version": "e6b585ca6e81badeb3d42db3cc408174f2826034",
              "versionType": "git"
            },
            {
              "lessThan": "a0d069ccc475abaaa79c6368ee27fc0b5912bea8",
              "status": "affected",
              "version": "e6b585ca6e81badeb3d42db3cc408174f2826034",
              "versionType": "git"
            },
            {
              "lessThan": "e842f9a1edf306bf36fe2a4d847a0b0d458770de",
              "status": "affected",
              "version": "e6b585ca6e81badeb3d42db3cc408174f2826034",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/rapidio/rio-scan.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.6"
            },
            {
              "lessThan": "4.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.131",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.83",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.19",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.131",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.83",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.19",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.7",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrapidio: add check for rio_add_net() in rio_scan_alloc_net()\n\nThe return value of rio_add_net() should be checked.  If it fails,\nput_device() should be called to free the memory and give up the reference\ninitialized in rio_add_net()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:25:00.311Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/6d22953c4a183d0b7fdf34d68c5debd16da6edc5"
        },
        {
          "url": "https://git.kernel.org/stable/c/4f3509cfcc02e9d757f2714bb7dbbeec35de6fa7"
        },
        {
          "url": "https://git.kernel.org/stable/c/181d4daaefb3bceeb2f2635ba9f3781eeda9e550"
        },
        {
          "url": "https://git.kernel.org/stable/c/ad82be4298a89a9ae46f07128bdf3d8614bce745"
        },
        {
          "url": "https://git.kernel.org/stable/c/e6411c3b9512dba09af7d014d474516828c89706"
        },
        {
          "url": "https://git.kernel.org/stable/c/c332f3e2df0fcae5a45fd55cc18902fb1e4825ca"
        },
        {
          "url": "https://git.kernel.org/stable/c/a0d069ccc475abaaa79c6368ee27fc0b5912bea8"
        },
        {
          "url": "https://git.kernel.org/stable/c/e842f9a1edf306bf36fe2a4d847a0b0d458770de"
        }
      ],
      "title": "rapidio: add check for rio_add_net() in rio_scan_alloc_net()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21935",
    "datePublished": "2025-04-01T15:41:03.335Z",
    "dateReserved": "2024-12-29T08:45:45.789Z",
    "dateUpdated": "2025-11-03T19:39:33.438Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38420 (GCVE-0-2025-38420)

Vulnerability from cvelistv5 – Published: 2025-07-25 14:16 – Updated: 2025-11-03 17:37

Title

wifi: carl9170: do not ping device which has failed to load firmware

Summary

In the Linux kernel, the following vulnerability has been resolved: wifi: carl9170: do not ping device which has failed to load firmware Syzkaller reports [1, 2] crashes caused by an attempts to ping the device which has failed to load firmware. Since such a device doesn't pass 'ieee80211_register_hw()', an internal workqueue managed by 'ieee80211_queue_work()' is not yet created and an attempt to queue work on it causes null-ptr-deref. [1] https://syzkaller.appspot.com/bug?extid=9a4aec827829942045ff [2] https://syzkaller.appspot.com/bug?extid=0d8afba53e8fb2633217

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/0140d3d37f0f1759d…
	https://git.kernel.org/stable/c/8a3734a6f4c05fd24…
	https://git.kernel.org/stable/c/527fad1ae32ffa2d4…
	https://git.kernel.org/stable/c/bfeede26e97ce4a15…
	https://git.kernel.org/stable/c/4e9ab5c48ad5153cc…
	https://git.kernel.org/stable/c/301268dbaac8e9013…
	https://git.kernel.org/stable/c/11ef72b3312752c2f…
	https://git.kernel.org/stable/c/15d25307692312cec…

Impacted products

Vendor

Product

Version

Linux

Affected: e4a668c59080f862af3ecc28b359533027cbe434 , < 0140d3d37f0f1759d1fdedd854c7875a86e15f8d (git)
Affected: e4a668c59080f862af3ecc28b359533027cbe434 , < 8a3734a6f4c05fd24605148f21fb2066690d61b3 (git)
Affected: e4a668c59080f862af3ecc28b359533027cbe434 , < 527fad1ae32ffa2d4853a1425fe1c8dbb8c9744c (git)
Affected: e4a668c59080f862af3ecc28b359533027cbe434 , < bfeede26e97ce4a15a0b961118de4a0e28c9907a (git)
Affected: e4a668c59080f862af3ecc28b359533027cbe434 , < 4e9ab5c48ad5153cc908dd29abad0cd2a92951e4 (git)
Affected: e4a668c59080f862af3ecc28b359533027cbe434 , < 301268dbaac8e9013719e162a000202eac8054be (git)
Affected: e4a668c59080f862af3ecc28b359533027cbe434 , < 11ef72b3312752c2ff92f3c1e64912be3228ed36 (git)
Affected: e4a668c59080f862af3ecc28b359533027cbe434 , < 15d25307692312cec4b57052da73387f91a2e870 (git)

Linux

Affected: 2.6.38
Unaffected: 0 , < 2.6.38 (semver)
Unaffected: 5.4.295 , ≤ 5.4.* (semver)
Unaffected: 5.10.239 , ≤ 5.10.* (semver)
Unaffected: 5.15.186 , ≤ 5.15.* (semver)
Unaffected: 6.1.142 , ≤ 6.1.* (semver)
Unaffected: 6.6.95 , ≤ 6.6.* (semver)
Unaffected: 6.12.35 , ≤ 6.12.* (semver)
Unaffected: 6.15.4 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:37:51.577Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/ath/carl9170/usb.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0140d3d37f0f1759d1fdedd854c7875a86e15f8d",
              "status": "affected",
              "version": "e4a668c59080f862af3ecc28b359533027cbe434",
              "versionType": "git"
            },
            {
              "lessThan": "8a3734a6f4c05fd24605148f21fb2066690d61b3",
              "status": "affected",
              "version": "e4a668c59080f862af3ecc28b359533027cbe434",
              "versionType": "git"
            },
            {
              "lessThan": "527fad1ae32ffa2d4853a1425fe1c8dbb8c9744c",
              "status": "affected",
              "version": "e4a668c59080f862af3ecc28b359533027cbe434",
              "versionType": "git"
            },
            {
              "lessThan": "bfeede26e97ce4a15a0b961118de4a0e28c9907a",
              "status": "affected",
              "version": "e4a668c59080f862af3ecc28b359533027cbe434",
              "versionType": "git"
            },
            {
              "lessThan": "4e9ab5c48ad5153cc908dd29abad0cd2a92951e4",
              "status": "affected",
              "version": "e4a668c59080f862af3ecc28b359533027cbe434",
              "versionType": "git"
            },
            {
              "lessThan": "301268dbaac8e9013719e162a000202eac8054be",
              "status": "affected",
              "version": "e4a668c59080f862af3ecc28b359533027cbe434",
              "versionType": "git"
            },
            {
              "lessThan": "11ef72b3312752c2ff92f3c1e64912be3228ed36",
              "status": "affected",
              "version": "e4a668c59080f862af3ecc28b359533027cbe434",
              "versionType": "git"
            },
            {
              "lessThan": "15d25307692312cec4b57052da73387f91a2e870",
              "status": "affected",
              "version": "e4a668c59080f862af3ecc28b359533027cbe434",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/ath/carl9170/usb.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.38"
            },
            {
              "lessThan": "2.6.38",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.295",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.95",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.35",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.295",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.95",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.35",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.4",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: carl9170: do not ping device which has failed to load firmware\n\nSyzkaller reports [1, 2] crashes caused by an attempts to ping\nthe device which has failed to load firmware. Since such a device\ndoesn\u0027t pass \u0027ieee80211_register_hw()\u0027, an internal workqueue\nmanaged by \u0027ieee80211_queue_work()\u0027 is not yet created and an\nattempt to queue work on it causes null-ptr-deref.\n\n[1] https://syzkaller.appspot.com/bug?extid=9a4aec827829942045ff\n[2] https://syzkaller.appspot.com/bug?extid=0d8afba53e8fb2633217"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:21:42.033Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0140d3d37f0f1759d1fdedd854c7875a86e15f8d"
        },
        {
          "url": "https://git.kernel.org/stable/c/8a3734a6f4c05fd24605148f21fb2066690d61b3"
        },
        {
          "url": "https://git.kernel.org/stable/c/527fad1ae32ffa2d4853a1425fe1c8dbb8c9744c"
        },
        {
          "url": "https://git.kernel.org/stable/c/bfeede26e97ce4a15a0b961118de4a0e28c9907a"
        },
        {
          "url": "https://git.kernel.org/stable/c/4e9ab5c48ad5153cc908dd29abad0cd2a92951e4"
        },
        {
          "url": "https://git.kernel.org/stable/c/301268dbaac8e9013719e162a000202eac8054be"
        },
        {
          "url": "https://git.kernel.org/stable/c/11ef72b3312752c2ff92f3c1e64912be3228ed36"
        },
        {
          "url": "https://git.kernel.org/stable/c/15d25307692312cec4b57052da73387f91a2e870"
        }
      ],
      "title": "wifi: carl9170: do not ping device which has failed to load firmware",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38420",
    "datePublished": "2025-07-25T14:16:41.479Z",
    "dateReserved": "2025-04-16T04:51:24.014Z",
    "dateUpdated": "2025-11-03T17:37:51.577Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21877 (GCVE-0-2025-21877)

Vulnerability from cvelistv5 – Published: 2025-03-27 14:57 – Updated: 2025-11-03 19:38

Title

usbnet: gl620a: fix endpoint checking in genelink_bind()

Summary

In the Linux kernel, the following vulnerability has been resolved: usbnet: gl620a: fix endpoint checking in genelink_bind() Syzbot reports [1] a warning in usb_submit_urb() triggered by inconsistencies between expected and actually present endpoints in gl620a driver. Since genelink_bind() does not properly verify whether specified eps are in fact provided by the device, in this case, an artificially manufactured one, one may get a mismatch. Fix the issue by resorting to a usbnet utility function usbnet_get_endpoints(), usually reserved for this very problem. Check for endpoints and return early before proceeding further if any are missing. [1] Syzbot report: usb 5-1: Manufacturer: syz usb 5-1: SerialNumber: syz usb 5-1: config 0 descriptor?? gl620a 5-1:0.23 usb0: register 'gl620a' at usb-dummy_hcd.0-1, ... ------------[ cut here ]------------ usb 5-1: BOGUS urb xfer, pipe 3 != type 1 WARNING: CPU: 2 PID: 1841 at drivers/usb/core/urb.c:503 usb_submit_urb+0xe4b/0x1730 drivers/usb/core/urb.c:503 Modules linked in: CPU: 2 UID: 0 PID: 1841 Comm: kworker/2:2 Not tainted 6.12.0-syzkaller-07834-g06afb0f36106 #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Workqueue: mld mld_ifc_work RIP: 0010:usb_submit_urb+0xe4b/0x1730 drivers/usb/core/urb.c:503 ... Call Trace: <TASK> usbnet_start_xmit+0x6be/0x2780 drivers/net/usb/usbnet.c:1467 __netdev_start_xmit include/linux/netdevice.h:5002 [inline] netdev_start_xmit include/linux/netdevice.h:5011 [inline] xmit_one net/core/dev.c:3590 [inline] dev_hard_start_xmit+0x9a/0x7b0 net/core/dev.c:3606 sch_direct_xmit+0x1ae/0xc30 net/sched/sch_generic.c:343 __dev_xmit_skb net/core/dev.c:3827 [inline] __dev_queue_xmit+0x13d4/0x43e0 net/core/dev.c:4400 dev_queue_xmit include/linux/netdevice.h:3168 [inline] neigh_resolve_output net/core/neighbour.c:1514 [inline] neigh_resolve_output+0x5bc/0x950 net/core/neighbour.c:1494 neigh_output include/net/neighbour.h:539 [inline] ip6_finish_output2+0xb1b/0x2070 net/ipv6/ip6_output.c:141 __ip6_finish_output net/ipv6/ip6_output.c:215 [inline] ip6_finish_output+0x3f9/0x1360 net/ipv6/ip6_output.c:226 NF_HOOK_COND include/linux/netfilter.h:303 [inline] ip6_output+0x1f8/0x540 net/ipv6/ip6_output.c:247 dst_output include/net/dst.h:450 [inline] NF_HOOK include/linux/netfilter.h:314 [inline] NF_HOOK include/linux/netfilter.h:308 [inline] mld_sendpack+0x9f0/0x11d0 net/ipv6/mcast.c:1819 mld_send_cr net/ipv6/mcast.c:2120 [inline] mld_ifc_work+0x740/0xca0 net/ipv6/mcast.c:2651 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK>

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/5f2dbabbce04b1ffc…
	https://git.kernel.org/stable/c/24dd971104057c882…
	https://git.kernel.org/stable/c/9bcb8cbc3e5d67eb2…
	https://git.kernel.org/stable/c/67ebc3391c8377738…
	https://git.kernel.org/stable/c/a2ee5e55b50a97d13…
	https://git.kernel.org/stable/c/4e8b8d43373bf837b…
	https://git.kernel.org/stable/c/ded25730c96949cb8…
	https://git.kernel.org/stable/c/1cf9631d836b289bd…

Impacted products

Vendor

Product

Version

Linux

Affected: 47ee3051c856cc2aa95d35d577a8cb37279d540f , < 5f2dbabbce04b1ffcd6d8d07564adb94db577536 (git)
Affected: 47ee3051c856cc2aa95d35d577a8cb37279d540f , < 24dd971104057c8828d420a48e0a5af6e6f30d3e (git)
Affected: 47ee3051c856cc2aa95d35d577a8cb37279d540f , < 9bcb8cbc3e5d67eb223bfb7e2291a270dbb699dc (git)
Affected: 47ee3051c856cc2aa95d35d577a8cb37279d540f , < 67ebc3391c8377738e97a43374054d9718fdb6e4 (git)
Affected: 47ee3051c856cc2aa95d35d577a8cb37279d540f , < a2ee5e55b50a97d13617c8653482c0ad4decff8c (git)
Affected: 47ee3051c856cc2aa95d35d577a8cb37279d540f , < 4e8b8d43373bf837be159366f0192502f97ec7a5 (git)
Affected: 47ee3051c856cc2aa95d35d577a8cb37279d540f , < ded25730c96949cb8b048b29c557e38569124943 (git)
Affected: 47ee3051c856cc2aa95d35d577a8cb37279d540f , < 1cf9631d836b289bd5490776551961c883ae8a4f (git)

Linux

Affected: 2.6.14
Unaffected: 0 , < 2.6.14 (semver)
Unaffected: 5.4.291 , ≤ 5.4.* (semver)
Unaffected: 5.10.235 , ≤ 5.10.* (semver)
Unaffected: 5.15.179 , ≤ 5.15.* (semver)
Unaffected: 6.1.130 , ≤ 6.1.* (semver)
Unaffected: 6.6.81 , ≤ 6.6.* (semver)
Unaffected: 6.12.18 , ≤ 6.12.* (semver)
Unaffected: 6.13.6 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:38:34.566Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/usb/gl620a.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5f2dbabbce04b1ffcd6d8d07564adb94db577536",
              "status": "affected",
              "version": "47ee3051c856cc2aa95d35d577a8cb37279d540f",
              "versionType": "git"
            },
            {
              "lessThan": "24dd971104057c8828d420a48e0a5af6e6f30d3e",
              "status": "affected",
              "version": "47ee3051c856cc2aa95d35d577a8cb37279d540f",
              "versionType": "git"
            },
            {
              "lessThan": "9bcb8cbc3e5d67eb223bfb7e2291a270dbb699dc",
              "status": "affected",
              "version": "47ee3051c856cc2aa95d35d577a8cb37279d540f",
              "versionType": "git"
            },
            {
              "lessThan": "67ebc3391c8377738e97a43374054d9718fdb6e4",
              "status": "affected",
              "version": "47ee3051c856cc2aa95d35d577a8cb37279d540f",
              "versionType": "git"
            },
            {
              "lessThan": "a2ee5e55b50a97d13617c8653482c0ad4decff8c",
              "status": "affected",
              "version": "47ee3051c856cc2aa95d35d577a8cb37279d540f",
              "versionType": "git"
            },
            {
              "lessThan": "4e8b8d43373bf837be159366f0192502f97ec7a5",
              "status": "affected",
              "version": "47ee3051c856cc2aa95d35d577a8cb37279d540f",
              "versionType": "git"
            },
            {
              "lessThan": "ded25730c96949cb8b048b29c557e38569124943",
              "status": "affected",
              "version": "47ee3051c856cc2aa95d35d577a8cb37279d540f",
              "versionType": "git"
            },
            {
              "lessThan": "1cf9631d836b289bd5490776551961c883ae8a4f",
              "status": "affected",
              "version": "47ee3051c856cc2aa95d35d577a8cb37279d540f",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/usb/gl620a.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.14"
            },
            {
              "lessThan": "2.6.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.130",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.81",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.18",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "2.6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "2.6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "2.6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.130",
                  "versionStartIncluding": "2.6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.81",
                  "versionStartIncluding": "2.6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.18",
                  "versionStartIncluding": "2.6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.6",
                  "versionStartIncluding": "2.6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "2.6.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusbnet: gl620a: fix endpoint checking in genelink_bind()\n\nSyzbot reports [1] a warning in usb_submit_urb() triggered by\ninconsistencies between expected and actually present endpoints\nin gl620a driver. Since genelink_bind() does not properly\nverify whether specified eps are in fact provided by the device,\nin this case, an artificially manufactured one, one may get a\nmismatch.\n\nFix the issue by resorting to a usbnet utility function\nusbnet_get_endpoints(), usually reserved for this very problem.\nCheck for endpoints and return early before proceeding further if\nany are missing.\n\n[1] Syzbot report:\nusb 5-1: Manufacturer: syz\nusb 5-1: SerialNumber: syz\nusb 5-1: config 0 descriptor??\ngl620a 5-1:0.23 usb0: register \u0027gl620a\u0027 at usb-dummy_hcd.0-1, ...\n------------[ cut here ]------------\nusb 5-1: BOGUS urb xfer, pipe 3 != type 1\nWARNING: CPU: 2 PID: 1841 at drivers/usb/core/urb.c:503 usb_submit_urb+0xe4b/0x1730 drivers/usb/core/urb.c:503\nModules linked in:\nCPU: 2 UID: 0 PID: 1841 Comm: kworker/2:2 Not tainted 6.12.0-syzkaller-07834-g06afb0f36106 #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nWorkqueue: mld mld_ifc_work\nRIP: 0010:usb_submit_urb+0xe4b/0x1730 drivers/usb/core/urb.c:503\n...\nCall Trace:\n \u003cTASK\u003e\n usbnet_start_xmit+0x6be/0x2780 drivers/net/usb/usbnet.c:1467\n __netdev_start_xmit include/linux/netdevice.h:5002 [inline]\n netdev_start_xmit include/linux/netdevice.h:5011 [inline]\n xmit_one net/core/dev.c:3590 [inline]\n dev_hard_start_xmit+0x9a/0x7b0 net/core/dev.c:3606\n sch_direct_xmit+0x1ae/0xc30 net/sched/sch_generic.c:343\n __dev_xmit_skb net/core/dev.c:3827 [inline]\n __dev_queue_xmit+0x13d4/0x43e0 net/core/dev.c:4400\n dev_queue_xmit include/linux/netdevice.h:3168 [inline]\n neigh_resolve_output net/core/neighbour.c:1514 [inline]\n neigh_resolve_output+0x5bc/0x950 net/core/neighbour.c:1494\n neigh_output include/net/neighbour.h:539 [inline]\n ip6_finish_output2+0xb1b/0x2070 net/ipv6/ip6_output.c:141\n __ip6_finish_output net/ipv6/ip6_output.c:215 [inline]\n ip6_finish_output+0x3f9/0x1360 net/ipv6/ip6_output.c:226\n NF_HOOK_COND include/linux/netfilter.h:303 [inline]\n ip6_output+0x1f8/0x540 net/ipv6/ip6_output.c:247\n dst_output include/net/dst.h:450 [inline]\n NF_HOOK include/linux/netfilter.h:314 [inline]\n NF_HOOK include/linux/netfilter.h:308 [inline]\n mld_sendpack+0x9f0/0x11d0 net/ipv6/mcast.c:1819\n mld_send_cr net/ipv6/mcast.c:2120 [inline]\n mld_ifc_work+0x740/0xca0 net/ipv6/mcast.c:2651\n process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229\n process_scheduled_works kernel/workqueue.c:3310 [inline]\n worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391\n kthread+0x2c1/0x3a0 kernel/kthread.c:389\n ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n \u003c/TASK\u003e"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:23:09.089Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/5f2dbabbce04b1ffcd6d8d07564adb94db577536"
        },
        {
          "url": "https://git.kernel.org/stable/c/24dd971104057c8828d420a48e0a5af6e6f30d3e"
        },
        {
          "url": "https://git.kernel.org/stable/c/9bcb8cbc3e5d67eb223bfb7e2291a270dbb699dc"
        },
        {
          "url": "https://git.kernel.org/stable/c/67ebc3391c8377738e97a43374054d9718fdb6e4"
        },
        {
          "url": "https://git.kernel.org/stable/c/a2ee5e55b50a97d13617c8653482c0ad4decff8c"
        },
        {
          "url": "https://git.kernel.org/stable/c/4e8b8d43373bf837be159366f0192502f97ec7a5"
        },
        {
          "url": "https://git.kernel.org/stable/c/ded25730c96949cb8b048b29c557e38569124943"
        },
        {
          "url": "https://git.kernel.org/stable/c/1cf9631d836b289bd5490776551961c883ae8a4f"
        }
      ],
      "title": "usbnet: gl620a: fix endpoint checking in genelink_bind()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21877",
    "datePublished": "2025-03-27T14:57:07.462Z",
    "dateReserved": "2024-12-29T08:45:45.781Z",
    "dateUpdated": "2025-11-03T19:38:34.566Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38344 (GCVE-0-2025-38344)

Vulnerability from cvelistv5 – Published: 2025-07-10 08:15 – Updated: 2026-01-02 15:30

Title

ACPICA: fix acpi parse and parseext cache leaks

Summary

In the Linux kernel, the following vulnerability has been resolved: ACPICA: fix acpi parse and parseext cache leaks ACPICA commit 8829e70e1360c81e7a5a901b5d4f48330e021ea5 I'm Seunghun Han, and I work for National Security Research Institute of South Korea. I have been doing a research on ACPI and found an ACPI cache leak in ACPI early abort cases. Boot log of ACPI cache leak is as follows: [ 0.352414] ACPI: Added _OSI(Module Device) [ 0.353182] ACPI: Added _OSI(Processor Device) [ 0.353182] ACPI: Added _OSI(3.0 _SCP Extensions) [ 0.353182] ACPI: Added _OSI(Processor Aggregator Device) [ 0.356028] ACPI: Unable to start the ACPI Interpreter [ 0.356799] ACPI Error: Could not remove SCI handler (20170303/evmisc-281) [ 0.360215] kmem_cache_destroy Acpi-State: Slab cache still has objects [ 0.360648] CPU: 0 PID: 1 Comm: swapper/0 Tainted: G W 4.12.0-rc4-next-20170608+ #10 [ 0.361273] Hardware name: innotek gmb_h virtual_box/virtual_box, BIOS virtual_box 12/01/2006 [ 0.361873] Call Trace: [ 0.362243] ? dump_stack+0x5c/0x81 [ 0.362591] ? kmem_cache_destroy+0x1aa/0x1c0 [ 0.362944] ? acpi_sleep_proc_init+0x27/0x27 [ 0.363296] ? acpi_os_delete_cache+0xa/0x10 [ 0.363646] ? acpi_ut_delete_caches+0x6d/0x7b [ 0.364000] ? acpi_terminate+0xa/0x14 [ 0.364000] ? acpi_init+0x2af/0x34f [ 0.364000] ? __class_create+0x4c/0x80 [ 0.364000] ? video_setup+0x7f/0x7f [ 0.364000] ? acpi_sleep_proc_init+0x27/0x27 [ 0.364000] ? do_one_initcall+0x4e/0x1a0 [ 0.364000] ? kernel_init_freeable+0x189/0x20a [ 0.364000] ? rest_init+0xc0/0xc0 [ 0.364000] ? kernel_init+0xa/0x100 [ 0.364000] ? ret_from_fork+0x25/0x30 I analyzed this memory leak in detail. I found that “Acpi-State” cache and “Acpi-Parse” cache were merged because the size of cache objects was same slab cache size. I finally found “Acpi-Parse” cache and “Acpi-parse_ext” cache were leaked using SLAB_NEVER_MERGE flag in kmem_cache_create() function. Real ACPI cache leak point is as follows: [ 0.360101] ACPI: Added _OSI(Module Device) [ 0.360101] ACPI: Added _OSI(Processor Device) [ 0.360101] ACPI: Added _OSI(3.0 _SCP Extensions) [ 0.361043] ACPI: Added _OSI(Processor Aggregator Device) [ 0.364016] ACPI: Unable to start the ACPI Interpreter [ 0.365061] ACPI Error: Could not remove SCI handler (20170303/evmisc-281) [ 0.368174] kmem_cache_destroy Acpi-Parse: Slab cache still has objects [ 0.369332] CPU: 1 PID: 1 Comm: swapper/0 Tainted: G W 4.12.0-rc4-next-20170608+ #8 [ 0.371256] Hardware name: innotek gmb_h virtual_box/virtual_box, BIOS virtual_box 12/01/2006 [ 0.372000] Call Trace: [ 0.372000] ? dump_stack+0x5c/0x81 [ 0.372000] ? kmem_cache_destroy+0x1aa/0x1c0 [ 0.372000] ? acpi_sleep_proc_init+0x27/0x27 [ 0.372000] ? acpi_os_delete_cache+0xa/0x10 [ 0.372000] ? acpi_ut_delete_caches+0x56/0x7b [ 0.372000] ? acpi_terminate+0xa/0x14 [ 0.372000] ? acpi_init+0x2af/0x34f [ 0.372000] ? __class_create+0x4c/0x80 [ 0.372000] ? video_setup+0x7f/0x7f [ 0.372000] ? acpi_sleep_proc_init+0x27/0x27 [ 0.372000] ? do_one_initcall+0x4e/0x1a0 [ 0.372000] ? kernel_init_freeable+0x189/0x20a [ 0.372000] ? rest_init+0xc0/0xc0 [ 0.372000] ? kernel_init+0xa/0x100 [ 0.372000] ? ret_from_fork+0x25/0x30 [ 0.388039] kmem_cache_destroy Acpi-parse_ext: Slab cache still has objects [ 0.389063] CPU: 1 PID: 1 Comm: swapper/0 Tainted: G W 4.12.0-rc4-next-20170608+ #8 [ 0.390557] Hardware name: innotek gmb_h virtual_box/virtual_box, BIOS virtual_box 12/01/2006 [ 0.392000] Call Trace: [ 0.392000] ? dump_stack+0x5c/0x81 [ 0.392000] ? kmem_cache_destroy+0x1aa/0x1c0 [ 0.392000] ? acpi_sleep_proc_init+0x27/0x27 [ 0.392000] ? acpi_os_delete_cache+0xa/0x10 [ 0.392000] ? acpi_ut_delete_caches+0x6d/0x7b [ 0.392000] ? acpi_terminate+0xa/0x14 [ 0.392000] ? acpi_init+0x2af/0x3 ---truncated---

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/1e0e629e88b1f7751…
	https://git.kernel.org/stable/c/41afebc9a0762aafc…
	https://git.kernel.org/stable/c/960236150cd3f08e1…
	https://git.kernel.org/stable/c/0a119fdaed67566aa…
	https://git.kernel.org/stable/c/1fee4324b5660de08…
	https://git.kernel.org/stable/c/198c2dab022e5e94a…
	https://git.kernel.org/stable/c/3e0c59180ec83bdec…
	https://git.kernel.org/stable/c/bed18f0bdcd6737a9…

Impacted products

Vendor

Product

Version

Linux

Affected: 88ac00f5a841dcfc5c682000f4a6add0add8caac , < 1e0e629e88b1f7751ce69bf70cda6d1598d45271 (git)
Affected: 88ac00f5a841dcfc5c682000f4a6add0add8caac , < 41afebc9a0762aafc35d2df88f4e1b798155a940 (git)
Affected: 88ac00f5a841dcfc5c682000f4a6add0add8caac , < 960236150cd3f08e13b397dd5ae4ccf7a2986c00 (git)
Affected: 88ac00f5a841dcfc5c682000f4a6add0add8caac , < 0a119fdaed67566aa3e0b5222dced4d08bbce463 (git)
Affected: 88ac00f5a841dcfc5c682000f4a6add0add8caac , < 1fee4324b5660de080cefc3fc91c371543bdb8f6 (git)
Affected: 88ac00f5a841dcfc5c682000f4a6add0add8caac , < 198c2dab022e5e94a99fff267b669d693bc7bb49 (git)
Affected: 88ac00f5a841dcfc5c682000f4a6add0add8caac , < 3e0c59180ec83bdec43b3d3482cff23d86d380d0 (git)
Affected: 88ac00f5a841dcfc5c682000f4a6add0add8caac , < bed18f0bdcd6737a938264a59d67923688696fc4 (git)

Linux

Affected: 2.6.14
Unaffected: 0 , < 2.6.14 (semver)
Unaffected: 5.4.295 , ≤ 5.4.* (semver)
Unaffected: 5.10.239 , ≤ 5.10.* (semver)
Unaffected: 5.15.186 , ≤ 5.15.* (semver)
Unaffected: 6.1.142 , ≤ 6.1.* (semver)
Unaffected: 6.6.95 , ≤ 6.6.* (semver)
Unaffected: 6.12.35 , ≤ 6.12.* (semver)
Unaffected: 6.15.4 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:36:51.372Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/acpi/acpica/psobject.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1e0e629e88b1f7751ce69bf70cda6d1598d45271",
              "status": "affected",
              "version": "88ac00f5a841dcfc5c682000f4a6add0add8caac",
              "versionType": "git"
            },
            {
              "lessThan": "41afebc9a0762aafc35d2df88f4e1b798155a940",
              "status": "affected",
              "version": "88ac00f5a841dcfc5c682000f4a6add0add8caac",
              "versionType": "git"
            },
            {
              "lessThan": "960236150cd3f08e13b397dd5ae4ccf7a2986c00",
              "status": "affected",
              "version": "88ac00f5a841dcfc5c682000f4a6add0add8caac",
              "versionType": "git"
            },
            {
              "lessThan": "0a119fdaed67566aa3e0b5222dced4d08bbce463",
              "status": "affected",
              "version": "88ac00f5a841dcfc5c682000f4a6add0add8caac",
              "versionType": "git"
            },
            {
              "lessThan": "1fee4324b5660de080cefc3fc91c371543bdb8f6",
              "status": "affected",
              "version": "88ac00f5a841dcfc5c682000f4a6add0add8caac",
              "versionType": "git"
            },
            {
              "lessThan": "198c2dab022e5e94a99fff267b669d693bc7bb49",
              "status": "affected",
              "version": "88ac00f5a841dcfc5c682000f4a6add0add8caac",
              "versionType": "git"
            },
            {
              "lessThan": "3e0c59180ec83bdec43b3d3482cff23d86d380d0",
              "status": "affected",
              "version": "88ac00f5a841dcfc5c682000f4a6add0add8caac",
              "versionType": "git"
            },
            {
              "lessThan": "bed18f0bdcd6737a938264a59d67923688696fc4",
              "status": "affected",
              "version": "88ac00f5a841dcfc5c682000f4a6add0add8caac",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/acpi/acpica/psobject.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.14"
            },
            {
              "lessThan": "2.6.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.295",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.95",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.35",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.295",
                  "versionStartIncluding": "2.6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "2.6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "2.6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "2.6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.95",
                  "versionStartIncluding": "2.6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.35",
                  "versionStartIncluding": "2.6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.4",
                  "versionStartIncluding": "2.6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "2.6.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPICA: fix acpi parse and parseext cache leaks\n\nACPICA commit 8829e70e1360c81e7a5a901b5d4f48330e021ea5\n\nI\u0027m Seunghun Han, and I work for National Security Research Institute of\nSouth Korea.\n\nI have been doing a research on ACPI and found an ACPI cache leak in ACPI\nearly abort cases.\n\nBoot log of ACPI cache leak is as follows:\n[    0.352414] ACPI: Added _OSI(Module Device)\n[    0.353182] ACPI: Added _OSI(Processor Device)\n[    0.353182] ACPI: Added _OSI(3.0 _SCP Extensions)\n[    0.353182] ACPI: Added _OSI(Processor Aggregator Device)\n[    0.356028] ACPI: Unable to start the ACPI Interpreter\n[    0.356799] ACPI Error: Could not remove SCI handler (20170303/evmisc-281)\n[    0.360215] kmem_cache_destroy Acpi-State: Slab cache still has objects\n[    0.360648] CPU: 0 PID: 1 Comm: swapper/0 Tainted: G        W\n4.12.0-rc4-next-20170608+ #10\n[    0.361273] Hardware name: innotek gmb_h virtual_box/virtual_box, BIOS\nvirtual_box 12/01/2006\n[    0.361873] Call Trace:\n[    0.362243]  ? dump_stack+0x5c/0x81\n[    0.362591]  ? kmem_cache_destroy+0x1aa/0x1c0\n[    0.362944]  ? acpi_sleep_proc_init+0x27/0x27\n[    0.363296]  ? acpi_os_delete_cache+0xa/0x10\n[    0.363646]  ? acpi_ut_delete_caches+0x6d/0x7b\n[    0.364000]  ? acpi_terminate+0xa/0x14\n[    0.364000]  ? acpi_init+0x2af/0x34f\n[    0.364000]  ? __class_create+0x4c/0x80\n[    0.364000]  ? video_setup+0x7f/0x7f\n[    0.364000]  ? acpi_sleep_proc_init+0x27/0x27\n[    0.364000]  ? do_one_initcall+0x4e/0x1a0\n[    0.364000]  ? kernel_init_freeable+0x189/0x20a\n[    0.364000]  ? rest_init+0xc0/0xc0\n[    0.364000]  ? kernel_init+0xa/0x100\n[    0.364000]  ? ret_from_fork+0x25/0x30\n\nI analyzed this memory leak in detail. I found that \u201cAcpi-State\u201d cache and\n\u201cAcpi-Parse\u201d cache were merged because the size of cache objects was same\nslab cache size.\n\nI finally found \u201cAcpi-Parse\u201d cache and \u201cAcpi-parse_ext\u201d cache were leaked\nusing SLAB_NEVER_MERGE flag in kmem_cache_create() function.\n\nReal ACPI cache leak point is as follows:\n[    0.360101] ACPI: Added _OSI(Module Device)\n[    0.360101] ACPI: Added _OSI(Processor Device)\n[    0.360101] ACPI: Added _OSI(3.0 _SCP Extensions)\n[    0.361043] ACPI: Added _OSI(Processor Aggregator Device)\n[    0.364016] ACPI: Unable to start the ACPI Interpreter\n[    0.365061] ACPI Error: Could not remove SCI handler (20170303/evmisc-281)\n[    0.368174] kmem_cache_destroy Acpi-Parse: Slab cache still has objects\n[    0.369332] CPU: 1 PID: 1 Comm: swapper/0 Tainted: G        W\n4.12.0-rc4-next-20170608+ #8\n[    0.371256] Hardware name: innotek gmb_h virtual_box/virtual_box, BIOS\nvirtual_box 12/01/2006\n[    0.372000] Call Trace:\n[    0.372000]  ? dump_stack+0x5c/0x81\n[    0.372000]  ? kmem_cache_destroy+0x1aa/0x1c0\n[    0.372000]  ? acpi_sleep_proc_init+0x27/0x27\n[    0.372000]  ? acpi_os_delete_cache+0xa/0x10\n[    0.372000]  ? acpi_ut_delete_caches+0x56/0x7b\n[    0.372000]  ? acpi_terminate+0xa/0x14\n[    0.372000]  ? acpi_init+0x2af/0x34f\n[    0.372000]  ? __class_create+0x4c/0x80\n[    0.372000]  ? video_setup+0x7f/0x7f\n[    0.372000]  ? acpi_sleep_proc_init+0x27/0x27\n[    0.372000]  ? do_one_initcall+0x4e/0x1a0\n[    0.372000]  ? kernel_init_freeable+0x189/0x20a\n[    0.372000]  ? rest_init+0xc0/0xc0\n[    0.372000]  ? kernel_init+0xa/0x100\n[    0.372000]  ? ret_from_fork+0x25/0x30\n[    0.388039] kmem_cache_destroy Acpi-parse_ext: Slab cache still has objects\n[    0.389063] CPU: 1 PID: 1 Comm: swapper/0 Tainted: G        W\n4.12.0-rc4-next-20170608+ #8\n[    0.390557] Hardware name: innotek gmb_h virtual_box/virtual_box, BIOS\nvirtual_box 12/01/2006\n[    0.392000] Call Trace:\n[    0.392000]  ? dump_stack+0x5c/0x81\n[    0.392000]  ? kmem_cache_destroy+0x1aa/0x1c0\n[    0.392000]  ? acpi_sleep_proc_init+0x27/0x27\n[    0.392000]  ? acpi_os_delete_cache+0xa/0x10\n[    0.392000]  ? acpi_ut_delete_caches+0x6d/0x7b\n[    0.392000]  ? acpi_terminate+0xa/0x14\n[    0.392000]  ? acpi_init+0x2af/0x3\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:30:26.520Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1e0e629e88b1f7751ce69bf70cda6d1598d45271"
        },
        {
          "url": "https://git.kernel.org/stable/c/41afebc9a0762aafc35d2df88f4e1b798155a940"
        },
        {
          "url": "https://git.kernel.org/stable/c/960236150cd3f08e13b397dd5ae4ccf7a2986c00"
        },
        {
          "url": "https://git.kernel.org/stable/c/0a119fdaed67566aa3e0b5222dced4d08bbce463"
        },
        {
          "url": "https://git.kernel.org/stable/c/1fee4324b5660de080cefc3fc91c371543bdb8f6"
        },
        {
          "url": "https://git.kernel.org/stable/c/198c2dab022e5e94a99fff267b669d693bc7bb49"
        },
        {
          "url": "https://git.kernel.org/stable/c/3e0c59180ec83bdec43b3d3482cff23d86d380d0"
        },
        {
          "url": "https://git.kernel.org/stable/c/bed18f0bdcd6737a938264a59d67923688696fc4"
        }
      ],
      "title": "ACPICA: fix acpi parse and parseext cache leaks",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38344",
    "datePublished": "2025-07-10T08:15:12.791Z",
    "dateReserved": "2025-04-16T04:51:24.006Z",
    "dateUpdated": "2026-01-02T15:30:26.520Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38031 (GCVE-0-2025-38031)

Vulnerability from cvelistv5 – Published: 2025-06-18 09:33 – Updated: 2025-11-03 17:33

Title

padata: do not leak refcount in reorder_work

Summary

In the Linux kernel, the following vulnerability has been resolved: padata: do not leak refcount in reorder_work A recent patch that addressed a UAF introduced a reference count leak: the parallel_data refcount is incremented unconditionally, regardless of the return value of queue_work(). If the work item is already queued, the incremented refcount is never decremented. Fix this by checking the return value of queue_work() and decrementing the refcount when necessary. Resolves: Unreferenced object 0xffff9d9f421e3d80 (size 192): comm "cryptomgr_probe", pid 157, jiffies 4294694003 hex dump (first 32 bytes): 80 8b cf 41 9f 9d ff ff b8 97 e0 89 ff ff ff ff ...A............ d0 97 e0 89 ff ff ff ff 19 00 00 00 1f 88 23 00 ..............#. backtrace (crc 838fb36): __kmalloc_cache_noprof+0x284/0x320 padata_alloc_pd+0x20/0x1e0 padata_alloc_shell+0x3b/0xa0 0xffffffffc040a54d cryptomgr_probe+0x43/0xc0 kthread+0xf6/0x1f0 ret_from_fork+0x2f/0x50 ret_from_fork_asm+0x1a/0x30

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/b9ad8e50e8589607e…
	https://git.kernel.org/stable/c/1a426abdf1c86882c…
	https://git.kernel.org/stable/c/cceb15864e1612ebf…
	https://git.kernel.org/stable/c/584a729615fa92f4d…
	https://git.kernel.org/stable/c/5300e487487d7a2e3…
	https://git.kernel.org/stable/c/1c65ae49887147161…
	https://git.kernel.org/stable/c/d6ebcde6d4ecf34f8…

Impacted products

Vendor

Product

Version

Linux

Affected: f4f1b1169fc3694f9bc3e28c6c68dbbf4cc744c0 , < b9ad8e50e8589607e68e6c4cefa7f72bf35a2cb1 (git)
Affected: 4c6209efea2208597dbd3e52dc87a0d1a8f2dbe1 , < 1a426abdf1c86882c9203dd8182f3b8274b89938 (git)
Affected: 7000507bb0d2ceb545c0a690e0c707c897d102c2 , < cceb15864e1612ebfbc10ec4e4dcd19a10c0056c (git)
Affected: 6f45ef616775b0ce7889b0f6077fc8d681ab30bc , < 584a729615fa92f4de45480efb7e569d14be1516 (git)
Affected: 8ca38d0ca8c3d30dd18d311f1a7ec5cb56972cac , < 5300e487487d7a2e3e1e6e9d8f03ed9452e4019e (git)
Affected: dd7d37ccf6b11f3d95e797ebe4e9e886d0332600 , < 1c65ae4988714716101555fe2b9830e33136d6fb (git)
Affected: dd7d37ccf6b11f3d95e797ebe4e9e886d0332600 , < d6ebcde6d4ecf34f8495fb30516645db3aea8993 (git)
Affected: a54091c24220a4cd847d5b4f36d678edacddbaf0 (git)

Linux

Affected: 6.14
Unaffected: 0 , < 6.14 (semver)
Unaffected: 5.10.238 , ≤ 5.10.* (semver)
Unaffected: 5.15.185 , ≤ 5.15.* (semver)
Unaffected: 6.1.141 , ≤ 6.1.* (semver)
Unaffected: 6.6.93 , ≤ 6.6.* (semver)
Unaffected: 6.12.31 , ≤ 6.12.* (semver)
Unaffected: 6.14.9 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:33:10.591Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/padata.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b9ad8e50e8589607e68e6c4cefa7f72bf35a2cb1",
              "status": "affected",
              "version": "f4f1b1169fc3694f9bc3e28c6c68dbbf4cc744c0",
              "versionType": "git"
            },
            {
              "lessThan": "1a426abdf1c86882c9203dd8182f3b8274b89938",
              "status": "affected",
              "version": "4c6209efea2208597dbd3e52dc87a0d1a8f2dbe1",
              "versionType": "git"
            },
            {
              "lessThan": "cceb15864e1612ebfbc10ec4e4dcd19a10c0056c",
              "status": "affected",
              "version": "7000507bb0d2ceb545c0a690e0c707c897d102c2",
              "versionType": "git"
            },
            {
              "lessThan": "584a729615fa92f4de45480efb7e569d14be1516",
              "status": "affected",
              "version": "6f45ef616775b0ce7889b0f6077fc8d681ab30bc",
              "versionType": "git"
            },
            {
              "lessThan": "5300e487487d7a2e3e1e6e9d8f03ed9452e4019e",
              "status": "affected",
              "version": "8ca38d0ca8c3d30dd18d311f1a7ec5cb56972cac",
              "versionType": "git"
            },
            {
              "lessThan": "1c65ae4988714716101555fe2b9830e33136d6fb",
              "status": "affected",
              "version": "dd7d37ccf6b11f3d95e797ebe4e9e886d0332600",
              "versionType": "git"
            },
            {
              "lessThan": "d6ebcde6d4ecf34f8495fb30516645db3aea8993",
              "status": "affected",
              "version": "dd7d37ccf6b11f3d95e797ebe4e9e886d0332600",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "a54091c24220a4cd847d5b4f36d678edacddbaf0",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/padata.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.14"
            },
            {
              "lessThan": "6.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.238",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.185",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.141",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.93",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.31",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.238",
                  "versionStartIncluding": "5.10.235",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.185",
                  "versionStartIncluding": "5.15.179",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.141",
                  "versionStartIncluding": "6.1.129",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.93",
                  "versionStartIncluding": "6.6.76",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.31",
                  "versionStartIncluding": "6.12.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.9",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.13.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npadata: do not leak refcount in reorder_work\n\nA recent patch that addressed a UAF introduced a reference count leak:\nthe parallel_data refcount is incremented unconditionally, regardless\nof the return value of queue_work(). If the work item is already queued,\nthe incremented refcount is never decremented.\n\nFix this by checking the return value of queue_work() and decrementing\nthe refcount when necessary.\n\nResolves:\n\nUnreferenced object 0xffff9d9f421e3d80 (size 192):\n  comm \"cryptomgr_probe\", pid 157, jiffies 4294694003\n  hex dump (first 32 bytes):\n    80 8b cf 41 9f 9d ff ff b8 97 e0 89 ff ff ff ff  ...A............\n    d0 97 e0 89 ff ff ff ff 19 00 00 00 1f 88 23 00  ..............#.\n  backtrace (crc 838fb36):\n    __kmalloc_cache_noprof+0x284/0x320\n    padata_alloc_pd+0x20/0x1e0\n    padata_alloc_shell+0x3b/0xa0\n    0xffffffffc040a54d\n    cryptomgr_probe+0x43/0xc0\n    kthread+0xf6/0x1f0\n    ret_from_fork+0x2f/0x50\n    ret_from_fork_asm+0x1a/0x30"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-18T09:33:18.882Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b9ad8e50e8589607e68e6c4cefa7f72bf35a2cb1"
        },
        {
          "url": "https://git.kernel.org/stable/c/1a426abdf1c86882c9203dd8182f3b8274b89938"
        },
        {
          "url": "https://git.kernel.org/stable/c/cceb15864e1612ebfbc10ec4e4dcd19a10c0056c"
        },
        {
          "url": "https://git.kernel.org/stable/c/584a729615fa92f4de45480efb7e569d14be1516"
        },
        {
          "url": "https://git.kernel.org/stable/c/5300e487487d7a2e3e1e6e9d8f03ed9452e4019e"
        },
        {
          "url": "https://git.kernel.org/stable/c/1c65ae4988714716101555fe2b9830e33136d6fb"
        },
        {
          "url": "https://git.kernel.org/stable/c/d6ebcde6d4ecf34f8495fb30516645db3aea8993"
        }
      ],
      "title": "padata: do not leak refcount in reorder_work",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38031",
    "datePublished": "2025-06-18T09:33:18.882Z",
    "dateReserved": "2025-04-16T04:51:23.978Z",
    "dateUpdated": "2025-11-03T17:33:10.591Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38149 (GCVE-0-2025-38149)

Vulnerability from cvelistv5 – Published: 2025-07-03 08:35 – Updated: 2025-07-28 04:13

Title

net: phy: clear phydev->devlink when the link is deleted

Summary

In the Linux kernel, the following vulnerability has been resolved: net: phy: clear phydev->devlink when the link is deleted There is a potential crash issue when disabling and re-enabling the network port. When disabling the network port, phy_detach() calls device_link_del() to remove the device link, but it does not clear phydev->devlink, so phydev->devlink is not a NULL pointer. Then the network port is re-enabled, but if phy_attach_direct() fails before calling device_link_add(), the code jumps to the "error" label and calls phy_detach(). Since phydev->devlink retains the old value from the previous attach/detach cycle, device_link_del() uses the old value, which accesses a NULL pointer and causes a crash. The simplified crash log is as follows. [ 24.702421] Call trace: [ 24.704856] device_link_put_kref+0x20/0x120 [ 24.709124] device_link_del+0x30/0x48 [ 24.712864] phy_detach+0x24/0x168 [ 24.716261] phy_attach_direct+0x168/0x3a4 [ 24.720352] phylink_fwnode_phy_connect+0xc8/0x14c [ 24.725140] phylink_of_phy_connect+0x1c/0x34 Therefore, phydev->devlink needs to be cleared when the device link is deleted.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/363fdf2777423ad34…
	https://git.kernel.org/stable/c/ddc654e89ace723b7…
	https://git.kernel.org/stable/c/034bc4a2a72dea2cf…
	https://git.kernel.org/stable/c/0795b05a59b1371b1…

Impacted products

Vendor

Product

Version

Linux

Affected: bc66fa87d4fda9053a8145e5718fc278c2b88253 , < 363fdf2777423ad346d781f09548cca14877f729 (git)
Affected: bc66fa87d4fda9053a8145e5718fc278c2b88253 , < ddc654e89ace723b78c34911c65243accbc9b75c (git)
Affected: bc66fa87d4fda9053a8145e5718fc278c2b88253 , < 034bc4a2a72dea2cfcaf24c6bae03c38ad5a0b87 (git)
Affected: bc66fa87d4fda9053a8145e5718fc278c2b88253 , < 0795b05a59b1371b18ffbf09d385296b12e9f5d5 (git)

Linux

Affected: 6.2
Unaffected: 0 , < 6.2 (semver)
Unaffected: 6.6.94 , ≤ 6.6.* (semver)
Unaffected: 6.12.34 , ≤ 6.12.* (semver)
Unaffected: 6.15.3 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/phy/phy_device.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "363fdf2777423ad346d781f09548cca14877f729",
              "status": "affected",
              "version": "bc66fa87d4fda9053a8145e5718fc278c2b88253",
              "versionType": "git"
            },
            {
              "lessThan": "ddc654e89ace723b78c34911c65243accbc9b75c",
              "status": "affected",
              "version": "bc66fa87d4fda9053a8145e5718fc278c2b88253",
              "versionType": "git"
            },
            {
              "lessThan": "034bc4a2a72dea2cfcaf24c6bae03c38ad5a0b87",
              "status": "affected",
              "version": "bc66fa87d4fda9053a8145e5718fc278c2b88253",
              "versionType": "git"
            },
            {
              "lessThan": "0795b05a59b1371b18ffbf09d385296b12e9f5d5",
              "status": "affected",
              "version": "bc66fa87d4fda9053a8145e5718fc278c2b88253",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/phy/phy_device.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.2"
            },
            {
              "lessThan": "6.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.94",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: phy: clear phydev-\u003edevlink when the link is deleted\n\nThere is a potential crash issue when disabling and re-enabling the\nnetwork port. When disabling the network port, phy_detach() calls\ndevice_link_del() to remove the device link, but it does not clear\nphydev-\u003edevlink, so phydev-\u003edevlink is not a NULL pointer. Then the\nnetwork port is re-enabled, but if phy_attach_direct() fails before\ncalling device_link_add(), the code jumps to the \"error\" label and\ncalls phy_detach(). Since phydev-\u003edevlink retains the old value from\nthe previous attach/detach cycle, device_link_del() uses the old value,\nwhich accesses a NULL pointer and causes a crash. The simplified crash\nlog is as follows.\n\n[   24.702421] Call trace:\n[   24.704856]  device_link_put_kref+0x20/0x120\n[   24.709124]  device_link_del+0x30/0x48\n[   24.712864]  phy_detach+0x24/0x168\n[   24.716261]  phy_attach_direct+0x168/0x3a4\n[   24.720352]  phylink_fwnode_phy_connect+0xc8/0x14c\n[   24.725140]  phylink_of_phy_connect+0x1c/0x34\n\nTherefore, phydev-\u003edevlink needs to be cleared when the device link is\ndeleted."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:13:37.893Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/363fdf2777423ad346d781f09548cca14877f729"
        },
        {
          "url": "https://git.kernel.org/stable/c/ddc654e89ace723b78c34911c65243accbc9b75c"
        },
        {
          "url": "https://git.kernel.org/stable/c/034bc4a2a72dea2cfcaf24c6bae03c38ad5a0b87"
        },
        {
          "url": "https://git.kernel.org/stable/c/0795b05a59b1371b18ffbf09d385296b12e9f5d5"
        }
      ],
      "title": "net: phy: clear phydev-\u003edevlink when the link is deleted",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38149",
    "datePublished": "2025-07-03T08:35:54.405Z",
    "dateReserved": "2025-04-16T04:51:23.988Z",
    "dateUpdated": "2025-07-28T04:13:37.893Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21967 (GCVE-0-2025-21967)

Vulnerability from cvelistv5 – Published: 2025-04-01 15:47 – Updated: 2025-05-04 07:25

Title

ksmbd: fix use-after-free in ksmbd_free_work_struct

Summary

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in ksmbd_free_work_struct ->interim_entry of ksmbd_work could be deleted after oplock is freed. We don't need to manage it with linked list. The interim request could be immediately sent whenever a oplock break wait is needed.

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/fb776765bfc21d5e4…
	https://git.kernel.org/stable/c/62746ae3f5414244a…
	https://git.kernel.org/stable/c/eb51f6f59d19b92f6…
	https://git.kernel.org/stable/c/bb39ed47065455604…

Impacted products

Vendor

Product

Version

Linux

Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < fb776765bfc21d5e4ed03bb3d4406c2b86ff1ac3 (git)
Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 62746ae3f5414244a96293e3b017be637b641280 (git)
Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < eb51f6f59d19b92f6fe84d3873f958495ab32f0a (git)
Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < bb39ed47065455604729404729d9116868638d31 (git)

Linux

Affected: 5.15
Unaffected: 0 , < 5.15 (semver)
Unaffected: 6.6.84 , ≤ 6.6.* (semver)
Unaffected: 6.12.20 , ≤ 6.12.* (semver)
Unaffected: 6.13.8 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21967",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-16T13:14:51.011092Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-16T13:19:52.457Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/server/ksmbd_work.c",
            "fs/smb/server/ksmbd_work.h",
            "fs/smb/server/oplock.c",
            "fs/smb/server/oplock.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "fb776765bfc21d5e4ed03bb3d4406c2b86ff1ac3",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            },
            {
              "lessThan": "62746ae3f5414244a96293e3b017be637b641280",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            },
            {
              "lessThan": "eb51f6f59d19b92f6fe84d3873f958495ab32f0a",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            },
            {
              "lessThan": "bb39ed47065455604729404729d9116868638d31",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/server/ksmbd_work.c",
            "fs/smb/server/ksmbd_work.h",
            "fs/smb/server/oplock.c",
            "fs/smb/server/oplock.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.15"
            },
            {
              "lessThan": "5.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.84",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.20",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.84",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.20",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.8",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix use-after-free in ksmbd_free_work_struct\n\n-\u003einterim_entry of ksmbd_work could be deleted after oplock is freed.\nWe don\u0027t need to manage it with linked list. The interim request could be\nimmediately sent whenever a oplock break wait is needed."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:25:58.206Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/fb776765bfc21d5e4ed03bb3d4406c2b86ff1ac3"
        },
        {
          "url": "https://git.kernel.org/stable/c/62746ae3f5414244a96293e3b017be637b641280"
        },
        {
          "url": "https://git.kernel.org/stable/c/eb51f6f59d19b92f6fe84d3873f958495ab32f0a"
        },
        {
          "url": "https://git.kernel.org/stable/c/bb39ed47065455604729404729d9116868638d31"
        }
      ],
      "title": "ksmbd: fix use-after-free in ksmbd_free_work_struct",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21967",
    "datePublished": "2025-04-01T15:47:02.364Z",
    "dateReserved": "2024-12-29T08:45:45.796Z",
    "dateUpdated": "2025-05-04T07:25:58.206Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21972 (GCVE-0-2025-21972)

Vulnerability from cvelistv5 – Published: 2025-04-01 15:47 – Updated: 2025-05-04 07:26

Title

net: mctp: unshare packets when reassembling

Summary

In the Linux kernel, the following vulnerability has been resolved: net: mctp: unshare packets when reassembling Ensure that the frag_list used for reassembly isn't shared with other packets. This avoids incorrect reassembly when packets are cloned, and prevents a memory leak due to circular references between fragments and their skb_shared_info. The upcoming MCTP-over-USB driver uses skb_clone which can trigger the problem - other MCTP drivers don't share SKBs. A kunit test is added to reproduce the issue.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/5c47d5bfa7b096cf8…
	https://git.kernel.org/stable/c/f44fff3d3c6cd67b6…
	https://git.kernel.org/stable/c/f5d83cf0eeb90fade…

Impacted products

Vendor

Product

Version

Linux

Affected: 4a992bbd365094730a31bae1e12a6ca695336d57 , < 5c47d5bfa7b096cf8890afac32141c578583f8e0 (git)
Affected: 4a992bbd365094730a31bae1e12a6ca695336d57 , < f44fff3d3c6cd67b6f348b821d73c4d6888c7a6e (git)
Affected: 4a992bbd365094730a31bae1e12a6ca695336d57 , < f5d83cf0eeb90fade4d5c4d17d24b8bee9ceeecc (git)

Linux

Affected: 5.15
Unaffected: 0 , < 5.15 (semver)
Unaffected: 6.12.20 , ≤ 6.12.* (semver)
Unaffected: 6.13.8 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/mctp/route.c",
            "net/mctp/test/route-test.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5c47d5bfa7b096cf8890afac32141c578583f8e0",
              "status": "affected",
              "version": "4a992bbd365094730a31bae1e12a6ca695336d57",
              "versionType": "git"
            },
            {
              "lessThan": "f44fff3d3c6cd67b6f348b821d73c4d6888c7a6e",
              "status": "affected",
              "version": "4a992bbd365094730a31bae1e12a6ca695336d57",
              "versionType": "git"
            },
            {
              "lessThan": "f5d83cf0eeb90fade4d5c4d17d24b8bee9ceeecc",
              "status": "affected",
              "version": "4a992bbd365094730a31bae1e12a6ca695336d57",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/mctp/route.c",
            "net/mctp/test/route-test.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.15"
            },
            {
              "lessThan": "5.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.20",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.20",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.8",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mctp: unshare packets when reassembling\n\nEnsure that the frag_list used for reassembly isn\u0027t shared with other\npackets. This avoids incorrect reassembly when packets are cloned, and\nprevents a memory leak due to circular references between fragments and\ntheir skb_shared_info.\n\nThe upcoming MCTP-over-USB driver uses skb_clone which can trigger the\nproblem - other MCTP drivers don\u0027t share SKBs.\n\nA kunit test is added to reproduce the issue."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:26:10.249Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/5c47d5bfa7b096cf8890afac32141c578583f8e0"
        },
        {
          "url": "https://git.kernel.org/stable/c/f44fff3d3c6cd67b6f348b821d73c4d6888c7a6e"
        },
        {
          "url": "https://git.kernel.org/stable/c/f5d83cf0eeb90fade4d5c4d17d24b8bee9ceeecc"
        }
      ],
      "title": "net: mctp: unshare packets when reassembling",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21972",
    "datePublished": "2025-04-01T15:47:04.960Z",
    "dateReserved": "2024-12-29T08:45:45.797Z",
    "dateUpdated": "2025-05-04T07:26:10.249Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-37958 (GCVE-0-2025-37958)

Vulnerability from cvelistv5 – Published: 2025-05-20 16:01 – Updated: 2025-11-03 17:32

Title

mm/huge_memory: fix dereferencing invalid pmd migration entry

Summary

In the Linux kernel, the following vulnerability has been resolved: mm/huge_memory: fix dereferencing invalid pmd migration entry When migrating a THP, concurrent access to the PMD migration entry during a deferred split scan can lead to an invalid address access, as illustrated below. To prevent this invalid access, it is necessary to check the PMD migration entry and return early. In this context, there is no need to use pmd_to_swp_entry and pfn_swap_entry_to_page to verify the equality of the target folio. Since the PMD migration entry is locked, it cannot be served as the target. Mailing list discussion and explanation from Hugh Dickins: "An anon_vma lookup points to a location which may contain the folio of interest, but might instead contain another folio: and weeding out those other folios is precisely what the "folio != pmd_folio((*pmd)" check (and the "risk of replacing the wrong folio" comment a few lines above it) is for." BUG: unable to handle page fault for address: ffffea60001db008 CPU: 0 UID: 0 PID: 2199114 Comm: tee Not tainted 6.14.0+ #4 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:split_huge_pmd_locked+0x3b5/0x2b60 Call Trace: <TASK> try_to_migrate_one+0x28c/0x3730 rmap_walk_anon+0x4f6/0x770 unmap_folio+0x196/0x1f0 split_huge_page_to_list_to_order+0x9f6/0x1560 deferred_split_scan+0xac5/0x12a0 shrinker_debugfs_scan_write+0x376/0x470 full_proxy_write+0x15c/0x220 vfs_write+0x2fc/0xcb0 ksys_write+0x146/0x250 do_syscall_64+0x6a/0x120 entry_SYSCALL_64_after_hwframe+0x76/0x7e The bug is found by syzkaller on an internal kernel, then confirmed on upstream.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/753f142f7ff7d2223…
	https://git.kernel.org/stable/c/9468afbda3fbfcec2…
	https://git.kernel.org/stable/c/ef5706bed97e240b4…
	https://git.kernel.org/stable/c/22f6368768340260e…
	https://git.kernel.org/stable/c/3977946f61cdba87b…
	https://git.kernel.org/stable/c/6166c3cf405441f71…
	https://git.kernel.org/stable/c/fbab262b0c8226c69…
	https://git.kernel.org/stable/c/be6e843fc51a58467…

Impacted products

Vendor

Product

Version

Linux

Affected: 84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3 , < 753f142f7ff7d2223a47105b61e1efd91587d711 (git)
Affected: 84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3 , < 9468afbda3fbfcec21ac8132364dff3dab945faf (git)
Affected: 84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3 , < ef5706bed97e240b4abf4233ceb03da7336bc775 (git)
Affected: 84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3 , < 22f6368768340260e862f35151d2e1c55cb1dc75 (git)
Affected: 84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3 , < 3977946f61cdba87b6b5aaf7d7094e96089583a5 (git)
Affected: 84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3 , < 6166c3cf405441f7147b322980144feb3cefc617 (git)
Affected: 84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3 , < fbab262b0c8226c697af1851a424896ed47dedcc (git)
Affected: 84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3 , < be6e843fc51a584672dfd9c4a6a24c8cb81d5fb7 (git)

Linux

Affected: 4.14
Unaffected: 0 , < 4.14 (semver)
Unaffected: 5.4.295 , ≤ 5.4.* (semver)
Unaffected: 5.10.239 , ≤ 5.10.* (semver)
Unaffected: 5.15.186 , ≤ 5.15.* (semver)
Unaffected: 6.1.142 , ≤ 6.1.* (semver)
Unaffected: 6.6.95 , ≤ 6.6.* (semver)
Unaffected: 6.12.29 , ≤ 6.12.* (semver)
Unaffected: 6.14.7 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:32:46.448Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "mm/huge_memory.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "753f142f7ff7d2223a47105b61e1efd91587d711",
              "status": "affected",
              "version": "84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3",
              "versionType": "git"
            },
            {
              "lessThan": "9468afbda3fbfcec21ac8132364dff3dab945faf",
              "status": "affected",
              "version": "84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3",
              "versionType": "git"
            },
            {
              "lessThan": "ef5706bed97e240b4abf4233ceb03da7336bc775",
              "status": "affected",
              "version": "84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3",
              "versionType": "git"
            },
            {
              "lessThan": "22f6368768340260e862f35151d2e1c55cb1dc75",
              "status": "affected",
              "version": "84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3",
              "versionType": "git"
            },
            {
              "lessThan": "3977946f61cdba87b6b5aaf7d7094e96089583a5",
              "status": "affected",
              "version": "84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3",
              "versionType": "git"
            },
            {
              "lessThan": "6166c3cf405441f7147b322980144feb3cefc617",
              "status": "affected",
              "version": "84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3",
              "versionType": "git"
            },
            {
              "lessThan": "fbab262b0c8226c697af1851a424896ed47dedcc",
              "status": "affected",
              "version": "84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3",
              "versionType": "git"
            },
            {
              "lessThan": "be6e843fc51a584672dfd9c4a6a24c8cb81d5fb7",
              "status": "affected",
              "version": "84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "mm/huge_memory.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.14"
            },
            {
              "lessThan": "4.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.295",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.95",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.29",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.295",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.95",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.29",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.7",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/huge_memory: fix dereferencing invalid pmd migration entry\n\nWhen migrating a THP, concurrent access to the PMD migration entry during\na deferred split scan can lead to an invalid address access, as\nillustrated below.  To prevent this invalid access, it is necessary to\ncheck the PMD migration entry and return early.  In this context, there is\nno need to use pmd_to_swp_entry and pfn_swap_entry_to_page to verify the\nequality of the target folio.  Since the PMD migration entry is locked, it\ncannot be served as the target.\n\nMailing list discussion and explanation from Hugh Dickins: \"An anon_vma\nlookup points to a location which may contain the folio of interest, but\nmight instead contain another folio: and weeding out those other folios is\nprecisely what the \"folio != pmd_folio((*pmd)\" check (and the \"risk of\nreplacing the wrong folio\" comment a few lines above it) is for.\"\n\nBUG: unable to handle page fault for address: ffffea60001db008\nCPU: 0 UID: 0 PID: 2199114 Comm: tee Not tainted 6.14.0+ #4 NONE\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\nRIP: 0010:split_huge_pmd_locked+0x3b5/0x2b60\nCall Trace:\n\u003cTASK\u003e\ntry_to_migrate_one+0x28c/0x3730\nrmap_walk_anon+0x4f6/0x770\nunmap_folio+0x196/0x1f0\nsplit_huge_page_to_list_to_order+0x9f6/0x1560\ndeferred_split_scan+0xac5/0x12a0\nshrinker_debugfs_scan_write+0x376/0x470\nfull_proxy_write+0x15c/0x220\nvfs_write+0x2fc/0xcb0\nksys_write+0x146/0x250\ndo_syscall_64+0x6a/0x120\nentry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nThe bug is found by syzkaller on an internal kernel, then confirmed on\nupstream."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-27T10:21:21.641Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/753f142f7ff7d2223a47105b61e1efd91587d711"
        },
        {
          "url": "https://git.kernel.org/stable/c/9468afbda3fbfcec21ac8132364dff3dab945faf"
        },
        {
          "url": "https://git.kernel.org/stable/c/ef5706bed97e240b4abf4233ceb03da7336bc775"
        },
        {
          "url": "https://git.kernel.org/stable/c/22f6368768340260e862f35151d2e1c55cb1dc75"
        },
        {
          "url": "https://git.kernel.org/stable/c/3977946f61cdba87b6b5aaf7d7094e96089583a5"
        },
        {
          "url": "https://git.kernel.org/stable/c/6166c3cf405441f7147b322980144feb3cefc617"
        },
        {
          "url": "https://git.kernel.org/stable/c/fbab262b0c8226c697af1851a424896ed47dedcc"
        },
        {
          "url": "https://git.kernel.org/stable/c/be6e843fc51a584672dfd9c4a6a24c8cb81d5fb7"
        }
      ],
      "title": "mm/huge_memory: fix dereferencing invalid pmd migration entry",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37958",
    "datePublished": "2025-05-20T16:01:51.740Z",
    "dateReserved": "2025-04-16T04:51:23.974Z",
    "dateUpdated": "2025-11-03T17:32:46.448Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38418 (GCVE-0-2025-38418)

Vulnerability from cvelistv5 – Published: 2025-07-25 14:05 – Updated: 2025-11-03 17:37

Title

remoteproc: core: Release rproc->clean_table after rproc_attach() fails

Summary

In the Linux kernel, the following vulnerability has been resolved: remoteproc: core: Release rproc->clean_table after rproc_attach() fails When rproc->state = RPROC_DETACHED is attached to remote processor through rproc_attach(), if rproc_handle_resources() returns failure, then the clean table should be released, otherwise the following memory leak will occur. unreferenced object 0xffff000086a99800 (size 1024): comm "kworker/u12:3", pid 59, jiffies 4294893670 (age 121.140s) hex dump (first 32 bytes): 00 00 00 00 00 80 00 00 00 00 00 00 00 00 10 00 ............ 00 00 00 00 00 00 08 00 00 00 00 00 00 00 00 00 ............ backtrace: [<000000008bbe4ca8>] slab_post_alloc_hook+0x98/0x3fc [<000000003b8a272b>] __kmem_cache_alloc_node+0x13c/0x230 [<000000007a507c51>] __kmalloc_node_track_caller+0x5c/0x260 [<0000000037818dae>] kmemdup+0x34/0x60 [<00000000610f7f57>] rproc_boot+0x35c/0x56c [<0000000065f8871a>] rproc_add+0x124/0x17c [<00000000497416ee>] imx_rproc_probe+0x4ec/0x5d4 [<000000003bcaa37d>] platform_probe+0x68/0xd8 [<00000000771577f9>] really_probe+0x110/0x27c [<00000000531fea59>] __driver_probe_device+0x78/0x12c [<0000000080036a04>] driver_probe_device+0x3c/0x118 [<000000007e0bddcb>] __device_attach_driver+0xb8/0xf8 [<000000000cf1fa33>] bus_for_each_drv+0x84/0xe4 [<000000001a53b53e>] __device_attach+0xfc/0x18c [<00000000d1a2a32c>] device_initial_probe+0x14/0x20 [<00000000d8f8b7ae>] bus_probe_device+0xb0/0xb4 unreferenced object 0xffff0000864c9690 (size 16):

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/3562c09feeb8d8e9d…
	https://git.kernel.org/stable/c/bf876fd9dc2d0c9ff…
	https://git.kernel.org/stable/c/3ee979709e16a83b2…
	https://git.kernel.org/stable/c/f4ef928ca504c996f…
	https://git.kernel.org/stable/c/6fe9486d709e4a609…
	https://git.kernel.org/stable/c/bcd241230fdbc6005…

Impacted products

Vendor

Product

Version

Linux

Affected: 9dc9507f1880fb6225e3e058cb5219b152cbf198 , < 3562c09feeb8d8e9d102ce6840e8c7d57a7feb5c (git)
Affected: 9dc9507f1880fb6225e3e058cb5219b152cbf198 , < bf876fd9dc2d0c9fff96aef63d4346719f206fc1 (git)
Affected: 9dc9507f1880fb6225e3e058cb5219b152cbf198 , < 3ee979709e16a83b257bc9a544a7ff71fd445ea9 (git)
Affected: 9dc9507f1880fb6225e3e058cb5219b152cbf198 , < f4ef928ca504c996f9222eb2c59ac6d6eefd9c75 (git)
Affected: 9dc9507f1880fb6225e3e058cb5219b152cbf198 , < 6fe9486d709e4a60990843832501ef6556440ca7 (git)
Affected: 9dc9507f1880fb6225e3e058cb5219b152cbf198 , < bcd241230fdbc6005230f80a4f8646ff5a84f15b (git)

Linux

Affected: 5.13
Unaffected: 0 , < 5.13 (semver)
Unaffected: 5.15.186 , ≤ 5.15.* (semver)
Unaffected: 6.1.142 , ≤ 6.1.* (semver)
Unaffected: 6.6.95 , ≤ 6.6.* (semver)
Unaffected: 6.12.35 , ≤ 6.12.* (semver)
Unaffected: 6.15.4 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:37:48.750Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/remoteproc/remoteproc_core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3562c09feeb8d8e9d102ce6840e8c7d57a7feb5c",
              "status": "affected",
              "version": "9dc9507f1880fb6225e3e058cb5219b152cbf198",
              "versionType": "git"
            },
            {
              "lessThan": "bf876fd9dc2d0c9fff96aef63d4346719f206fc1",
              "status": "affected",
              "version": "9dc9507f1880fb6225e3e058cb5219b152cbf198",
              "versionType": "git"
            },
            {
              "lessThan": "3ee979709e16a83b257bc9a544a7ff71fd445ea9",
              "status": "affected",
              "version": "9dc9507f1880fb6225e3e058cb5219b152cbf198",
              "versionType": "git"
            },
            {
              "lessThan": "f4ef928ca504c996f9222eb2c59ac6d6eefd9c75",
              "status": "affected",
              "version": "9dc9507f1880fb6225e3e058cb5219b152cbf198",
              "versionType": "git"
            },
            {
              "lessThan": "6fe9486d709e4a60990843832501ef6556440ca7",
              "status": "affected",
              "version": "9dc9507f1880fb6225e3e058cb5219b152cbf198",
              "versionType": "git"
            },
            {
              "lessThan": "bcd241230fdbc6005230f80a4f8646ff5a84f15b",
              "status": "affected",
              "version": "9dc9507f1880fb6225e3e058cb5219b152cbf198",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/remoteproc/remoteproc_core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.13"
            },
            {
              "lessThan": "5.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.95",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.35",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.95",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.35",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.4",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nremoteproc: core: Release rproc-\u003eclean_table after rproc_attach() fails\n\nWhen rproc-\u003estate = RPROC_DETACHED is attached to remote processor\nthrough rproc_attach(), if rproc_handle_resources() returns failure,\nthen the clean table should be released, otherwise the following\nmemory leak will occur.\n\nunreferenced object 0xffff000086a99800 (size 1024):\ncomm \"kworker/u12:3\", pid 59, jiffies 4294893670 (age 121.140s)\nhex dump (first 32 bytes):\n00 00 00 00 00 80 00 00 00 00 00 00 00 00 10 00 ............\n00 00 00 00 00 00 08 00 00 00 00 00 00 00 00 00 ............\nbacktrace:\n [\u003c000000008bbe4ca8\u003e] slab_post_alloc_hook+0x98/0x3fc\n [\u003c000000003b8a272b\u003e] __kmem_cache_alloc_node+0x13c/0x230\n [\u003c000000007a507c51\u003e] __kmalloc_node_track_caller+0x5c/0x260\n [\u003c0000000037818dae\u003e] kmemdup+0x34/0x60\n [\u003c00000000610f7f57\u003e] rproc_boot+0x35c/0x56c\n [\u003c0000000065f8871a\u003e] rproc_add+0x124/0x17c\n [\u003c00000000497416ee\u003e] imx_rproc_probe+0x4ec/0x5d4\n [\u003c000000003bcaa37d\u003e] platform_probe+0x68/0xd8\n [\u003c00000000771577f9\u003e] really_probe+0x110/0x27c\n [\u003c00000000531fea59\u003e] __driver_probe_device+0x78/0x12c\n [\u003c0000000080036a04\u003e] driver_probe_device+0x3c/0x118\n [\u003c000000007e0bddcb\u003e] __device_attach_driver+0xb8/0xf8\n [\u003c000000000cf1fa33\u003e] bus_for_each_drv+0x84/0xe4\n [\u003c000000001a53b53e\u003e] __device_attach+0xfc/0x18c\n [\u003c00000000d1a2a32c\u003e] device_initial_probe+0x14/0x20\n [\u003c00000000d8f8b7ae\u003e] bus_probe_device+0xb0/0xb4\n unreferenced object 0xffff0000864c9690 (size 16):"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:21:39.075Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3562c09feeb8d8e9d102ce6840e8c7d57a7feb5c"
        },
        {
          "url": "https://git.kernel.org/stable/c/bf876fd9dc2d0c9fff96aef63d4346719f206fc1"
        },
        {
          "url": "https://git.kernel.org/stable/c/3ee979709e16a83b257bc9a544a7ff71fd445ea9"
        },
        {
          "url": "https://git.kernel.org/stable/c/f4ef928ca504c996f9222eb2c59ac6d6eefd9c75"
        },
        {
          "url": "https://git.kernel.org/stable/c/6fe9486d709e4a60990843832501ef6556440ca7"
        },
        {
          "url": "https://git.kernel.org/stable/c/bcd241230fdbc6005230f80a4f8646ff5a84f15b"
        }
      ],
      "title": "remoteproc: core: Release rproc-\u003eclean_table after rproc_attach() fails",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38418",
    "datePublished": "2025-07-25T14:05:42.836Z",
    "dateReserved": "2025-04-16T04:51:24.014Z",
    "dateUpdated": "2025-11-03T17:37:48.750Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38320 (GCVE-0-2025-38320)

Vulnerability from cvelistv5 – Published: 2025-07-10 08:14 – Updated: 2025-11-03 17:36

Title

arm64/ptrace: Fix stack-out-of-bounds read in regs_get_kernel_stack_nth()

Summary

In the Linux kernel, the following vulnerability has been resolved: arm64/ptrace: Fix stack-out-of-bounds read in regs_get_kernel_stack_nth() KASAN reports a stack-out-of-bounds read in regs_get_kernel_stack_nth(). Call Trace: [ 97.283505] BUG: KASAN: stack-out-of-bounds in regs_get_kernel_stack_nth+0xa8/0xc8 [ 97.284677] Read of size 8 at addr ffff800089277c10 by task 1.sh/2550 [ 97.285732] [ 97.286067] CPU: 7 PID: 2550 Comm: 1.sh Not tainted 6.6.0+ #11 [ 97.287032] Hardware name: linux,dummy-virt (DT) [ 97.287815] Call trace: [ 97.288279] dump_backtrace+0xa0/0x128 [ 97.288946] show_stack+0x20/0x38 [ 97.289551] dump_stack_lvl+0x78/0xc8 [ 97.290203] print_address_description.constprop.0+0x84/0x3c8 [ 97.291159] print_report+0xb0/0x280 [ 97.291792] kasan_report+0x84/0xd0 [ 97.292421] __asan_load8+0x9c/0xc0 [ 97.293042] regs_get_kernel_stack_nth+0xa8/0xc8 [ 97.293835] process_fetch_insn+0x770/0xa30 [ 97.294562] kprobe_trace_func+0x254/0x3b0 [ 97.295271] kprobe_dispatcher+0x98/0xe0 [ 97.295955] kprobe_breakpoint_handler+0x1b0/0x210 [ 97.296774] call_break_hook+0xc4/0x100 [ 97.297451] brk_handler+0x24/0x78 [ 97.298073] do_debug_exception+0xac/0x178 [ 97.298785] el1_dbg+0x70/0x90 [ 97.299344] el1h_64_sync_handler+0xcc/0xe8 [ 97.300066] el1h_64_sync+0x78/0x80 [ 97.300699] kernel_clone+0x0/0x500 [ 97.301331] __arm64_sys_clone+0x70/0x90 [ 97.302084] invoke_syscall+0x68/0x198 [ 97.302746] el0_svc_common.constprop.0+0x11c/0x150 [ 97.303569] do_el0_svc+0x38/0x50 [ 97.304164] el0_svc+0x44/0x1d8 [ 97.304749] el0t_64_sync_handler+0x100/0x130 [ 97.305500] el0t_64_sync+0x188/0x190 [ 97.306151] [ 97.306475] The buggy address belongs to stack of task 1.sh/2550 [ 97.307461] and is located at offset 0 in frame: [ 97.308257] __se_sys_clone+0x0/0x138 [ 97.308910] [ 97.309241] This frame has 1 object: [ 97.309873] [48, 184) 'args' [ 97.309876] [ 97.310749] The buggy address belongs to the virtual mapping at [ 97.310749] [ffff800089270000, ffff800089279000) created by: [ 97.310749] dup_task_struct+0xc0/0x2e8 [ 97.313347] [ 97.313674] The buggy address belongs to the physical page: [ 97.314604] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x14f69a [ 97.315885] flags: 0x15ffffe00000000(node=1|zone=2|lastcpupid=0xfffff) [ 97.316957] raw: 015ffffe00000000 0000000000000000 dead000000000122 0000000000000000 [ 97.318207] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 97.319445] page dumped because: kasan: bad access detected [ 97.320371] [ 97.320694] Memory state around the buggy address: [ 97.321511] ffff800089277b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 97.322681] ffff800089277b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 97.323846] >ffff800089277c00: 00 00 f1 f1 f1 f1 f1 f1 00 00 00 00 00 00 00 00 [ 97.325023] ^ [ 97.325683] ffff800089277c80: 00 00 00 00 00 00 00 00 00 f3 f3 f3 f3 f3 f3 f3 [ 97.326856] ffff800089277d00: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 This issue seems to be related to the behavior of some gcc compilers and was also fixed on the s390 architecture before: commit d93a855c31b7 ("s390/ptrace: Avoid KASAN false positives in regs_get_kernel_stack_nth()") As described in that commit, regs_get_kernel_stack_nth() has confirmed that `addr` is on the stack, so reading the value at `*addr` should be allowed. Use READ_ONCE_NOCHECK() helper to silence the KASAN check for this case. [will: Use '*addr' as the argument to READ_ONCE_NOCHECK()]

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/64773b3ea09235168…
	https://git.kernel.org/stable/c/67abac27d806e8f9d…
	https://git.kernel.org/stable/c/92750bfe7b0d8dbca…
	https://git.kernel.org/stable/c/01f91d415a8375d85…
	https://git.kernel.org/stable/c/21da6d3561f373898…
	https://git.kernel.org/stable/c/22f935bc86bdfbde0…
	https://git.kernel.org/stable/c/422e565b7889ebfd9…
	https://git.kernel.org/stable/c/39dfc971e42d886e7…

Impacted products

Vendor

Product

Version

Linux

Affected: 0a8ea52c3eb157dd65e224fc95b7c9c99fcba9f7 , < 64773b3ea09235168a549a195cba43bb867c4a17 (git)
Affected: 0a8ea52c3eb157dd65e224fc95b7c9c99fcba9f7 , < 67abac27d806e8f9d4226ec1528540cf73af673a (git)
Affected: 0a8ea52c3eb157dd65e224fc95b7c9c99fcba9f7 , < 92750bfe7b0d8dbcaf578c091a65eda1c5f9ad38 (git)
Affected: 0a8ea52c3eb157dd65e224fc95b7c9c99fcba9f7 , < 01f91d415a8375d85e0c7d3615cd4a168308bb7c (git)
Affected: 0a8ea52c3eb157dd65e224fc95b7c9c99fcba9f7 , < 21da6d3561f373898349ca7167c9811c020da695 (git)
Affected: 0a8ea52c3eb157dd65e224fc95b7c9c99fcba9f7 , < 22f935bc86bdfbde04009f05eee191d220cd8c89 (git)
Affected: 0a8ea52c3eb157dd65e224fc95b7c9c99fcba9f7 , < 422e565b7889ebfd9c8705a3fc786642afe61fca (git)
Affected: 0a8ea52c3eb157dd65e224fc95b7c9c99fcba9f7 , < 39dfc971e42d886e7df01371cd1bef505076d84c (git)

Linux

Affected: 4.8
Unaffected: 0 , < 4.8 (semver)
Unaffected: 5.4.295 , ≤ 5.4.* (semver)
Unaffected: 5.10.239 , ≤ 5.10.* (semver)
Unaffected: 5.15.186 , ≤ 5.15.* (semver)
Unaffected: 6.1.142 , ≤ 6.1.* (semver)
Unaffected: 6.6.95 , ≤ 6.6.* (semver)
Unaffected: 6.12.35 , ≤ 6.12.* (semver)
Unaffected: 6.15.4 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:36:30.512Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/arm64/kernel/ptrace.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "64773b3ea09235168a549a195cba43bb867c4a17",
              "status": "affected",
              "version": "0a8ea52c3eb157dd65e224fc95b7c9c99fcba9f7",
              "versionType": "git"
            },
            {
              "lessThan": "67abac27d806e8f9d4226ec1528540cf73af673a",
              "status": "affected",
              "version": "0a8ea52c3eb157dd65e224fc95b7c9c99fcba9f7",
              "versionType": "git"
            },
            {
              "lessThan": "92750bfe7b0d8dbcaf578c091a65eda1c5f9ad38",
              "status": "affected",
              "version": "0a8ea52c3eb157dd65e224fc95b7c9c99fcba9f7",
              "versionType": "git"
            },
            {
              "lessThan": "01f91d415a8375d85e0c7d3615cd4a168308bb7c",
              "status": "affected",
              "version": "0a8ea52c3eb157dd65e224fc95b7c9c99fcba9f7",
              "versionType": "git"
            },
            {
              "lessThan": "21da6d3561f373898349ca7167c9811c020da695",
              "status": "affected",
              "version": "0a8ea52c3eb157dd65e224fc95b7c9c99fcba9f7",
              "versionType": "git"
            },
            {
              "lessThan": "22f935bc86bdfbde04009f05eee191d220cd8c89",
              "status": "affected",
              "version": "0a8ea52c3eb157dd65e224fc95b7c9c99fcba9f7",
              "versionType": "git"
            },
            {
              "lessThan": "422e565b7889ebfd9c8705a3fc786642afe61fca",
              "status": "affected",
              "version": "0a8ea52c3eb157dd65e224fc95b7c9c99fcba9f7",
              "versionType": "git"
            },
            {
              "lessThan": "39dfc971e42d886e7df01371cd1bef505076d84c",
              "status": "affected",
              "version": "0a8ea52c3eb157dd65e224fc95b7c9c99fcba9f7",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/arm64/kernel/ptrace.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.8"
            },
            {
              "lessThan": "4.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.295",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.95",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.35",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.295",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.95",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.35",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.4",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64/ptrace: Fix stack-out-of-bounds read in regs_get_kernel_stack_nth()\n\nKASAN reports a stack-out-of-bounds read in regs_get_kernel_stack_nth().\n\nCall Trace:\n[   97.283505] BUG: KASAN: stack-out-of-bounds in regs_get_kernel_stack_nth+0xa8/0xc8\n[   97.284677] Read of size 8 at addr ffff800089277c10 by task 1.sh/2550\n[   97.285732]\n[   97.286067] CPU: 7 PID: 2550 Comm: 1.sh Not tainted 6.6.0+ #11\n[   97.287032] Hardware name: linux,dummy-virt (DT)\n[   97.287815] Call trace:\n[   97.288279]  dump_backtrace+0xa0/0x128\n[   97.288946]  show_stack+0x20/0x38\n[   97.289551]  dump_stack_lvl+0x78/0xc8\n[   97.290203]  print_address_description.constprop.0+0x84/0x3c8\n[   97.291159]  print_report+0xb0/0x280\n[   97.291792]  kasan_report+0x84/0xd0\n[   97.292421]  __asan_load8+0x9c/0xc0\n[   97.293042]  regs_get_kernel_stack_nth+0xa8/0xc8\n[   97.293835]  process_fetch_insn+0x770/0xa30\n[   97.294562]  kprobe_trace_func+0x254/0x3b0\n[   97.295271]  kprobe_dispatcher+0x98/0xe0\n[   97.295955]  kprobe_breakpoint_handler+0x1b0/0x210\n[   97.296774]  call_break_hook+0xc4/0x100\n[   97.297451]  brk_handler+0x24/0x78\n[   97.298073]  do_debug_exception+0xac/0x178\n[   97.298785]  el1_dbg+0x70/0x90\n[   97.299344]  el1h_64_sync_handler+0xcc/0xe8\n[   97.300066]  el1h_64_sync+0x78/0x80\n[   97.300699]  kernel_clone+0x0/0x500\n[   97.301331]  __arm64_sys_clone+0x70/0x90\n[   97.302084]  invoke_syscall+0x68/0x198\n[   97.302746]  el0_svc_common.constprop.0+0x11c/0x150\n[   97.303569]  do_el0_svc+0x38/0x50\n[   97.304164]  el0_svc+0x44/0x1d8\n[   97.304749]  el0t_64_sync_handler+0x100/0x130\n[   97.305500]  el0t_64_sync+0x188/0x190\n[   97.306151]\n[   97.306475] The buggy address belongs to stack of task 1.sh/2550\n[   97.307461]  and is located at offset 0 in frame:\n[   97.308257]  __se_sys_clone+0x0/0x138\n[   97.308910]\n[   97.309241] This frame has 1 object:\n[   97.309873]  [48, 184) \u0027args\u0027\n[   97.309876]\n[   97.310749] The buggy address belongs to the virtual mapping at\n[   97.310749]  [ffff800089270000, ffff800089279000) created by:\n[   97.310749]  dup_task_struct+0xc0/0x2e8\n[   97.313347]\n[   97.313674] The buggy address belongs to the physical page:\n[   97.314604] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x14f69a\n[   97.315885] flags: 0x15ffffe00000000(node=1|zone=2|lastcpupid=0xfffff)\n[   97.316957] raw: 015ffffe00000000 0000000000000000 dead000000000122 0000000000000000\n[   97.318207] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000\n[   97.319445] page dumped because: kasan: bad access detected\n[   97.320371]\n[   97.320694] Memory state around the buggy address:\n[   97.321511]  ffff800089277b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n[   97.322681]  ffff800089277b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n[   97.323846] \u003effff800089277c00: 00 00 f1 f1 f1 f1 f1 f1 00 00 00 00 00 00 00 00\n[   97.325023]                          ^\n[   97.325683]  ffff800089277c80: 00 00 00 00 00 00 00 00 00 f3 f3 f3 f3 f3 f3 f3\n[   97.326856]  ffff800089277d00: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n\nThis issue seems to be related to the behavior of some gcc compilers and\nwas also fixed on the s390 architecture before:\n\n commit d93a855c31b7 (\"s390/ptrace: Avoid KASAN false positives in regs_get_kernel_stack_nth()\")\n\nAs described in that commit, regs_get_kernel_stack_nth() has confirmed that\n`addr` is on the stack, so reading the value at `*addr` should be allowed.\nUse READ_ONCE_NOCHECK() helper to silence the KASAN check for this case.\n\n[will: Use \u0027*addr\u0027 as the argument to READ_ONCE_NOCHECK()]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:18:33.267Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/64773b3ea09235168a549a195cba43bb867c4a17"
        },
        {
          "url": "https://git.kernel.org/stable/c/67abac27d806e8f9d4226ec1528540cf73af673a"
        },
        {
          "url": "https://git.kernel.org/stable/c/92750bfe7b0d8dbcaf578c091a65eda1c5f9ad38"
        },
        {
          "url": "https://git.kernel.org/stable/c/01f91d415a8375d85e0c7d3615cd4a168308bb7c"
        },
        {
          "url": "https://git.kernel.org/stable/c/21da6d3561f373898349ca7167c9811c020da695"
        },
        {
          "url": "https://git.kernel.org/stable/c/22f935bc86bdfbde04009f05eee191d220cd8c89"
        },
        {
          "url": "https://git.kernel.org/stable/c/422e565b7889ebfd9c8705a3fc786642afe61fca"
        },
        {
          "url": "https://git.kernel.org/stable/c/39dfc971e42d886e7df01371cd1bef505076d84c"
        }
      ],
      "title": "arm64/ptrace: Fix stack-out-of-bounds read in regs_get_kernel_stack_nth()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38320",
    "datePublished": "2025-07-10T08:14:56.398Z",
    "dateReserved": "2025-04-16T04:51:24.004Z",
    "dateUpdated": "2025-11-03T17:36:30.512Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-44939 (GCVE-0-2024-44939)

Vulnerability from cvelistv5 – Published: 2024-08-26 11:20 – Updated: 2026-01-05 10:52

Title

jfs: fix null ptr deref in dtInsertEntry

Summary

In the Linux kernel, the following vulnerability has been resolved: jfs: fix null ptr deref in dtInsertEntry [syzbot reported] general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] CPU: 0 PID: 5061 Comm: syz-executor404 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 RIP: 0010:dtInsertEntry+0xd0c/0x1780 fs/jfs/jfs_dtree.c:3713 ... [Analyze] In dtInsertEntry(), when the pointer h has the same value as p, after writing name in UniStrncpy_to_le(), p->header.flag will be cleared. This will cause the previously true judgment "p->header.flag & BT-LEAF" to change to no after writing the name operation, this leads to entering an incorrect branch and accessing the uninitialized object ih when judging this condition for the second time. [Fix] After got the page, check freelist first, if freelist == 0 then exit dtInsert() and return -EINVAL.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/f98bf80b20f4a9305…
	https://git.kernel.org/stable/c/53023ab11836ac56f…
	https://git.kernel.org/stable/c/6ea10dbb1e6c58384…
	https://git.kernel.org/stable/c/9c2ac38530d1a3ee5…
	https://git.kernel.org/stable/c/ce6dede912f064a85…

Impacted products

Vendor

Product

Version

Linux

Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f98bf80b20f4a930589cda48a35f751a64fe0dc2 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 53023ab11836ac56fd75f7a71ec1356e50920fa9 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 6ea10dbb1e6c58384136e9adfd75f81951e423f6 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 9c2ac38530d1a3ee558834dfa16c85a40fd0e702 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ce6dede912f064a855acf6f04a04cbb2c25b8c8c (git)

Linux

Affected: 2.6.12
Unaffected: 0 , < 2.6.12 (semver)
Unaffected: 5.15.189 , ≤ 5.15.* (semver)
Unaffected: 6.1.107 , ≤ 6.1.* (semver)
Unaffected: 6.6.47 , ≤ 6.6.* (semver)
Unaffected: 6.10.6 , ≤ 6.10.* (semver)
Unaffected: 6.11 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-44939",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T15:27:35.487089Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-12T17:33:06.654Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T22:13:44.114Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/jfs/jfs_dtree.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f98bf80b20f4a930589cda48a35f751a64fe0dc2",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "53023ab11836ac56fd75f7a71ec1356e50920fa9",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "6ea10dbb1e6c58384136e9adfd75f81951e423f6",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "9c2ac38530d1a3ee558834dfa16c85a40fd0e702",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "ce6dede912f064a855acf6f04a04cbb2c25b8c8c",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/jfs/jfs_dtree.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.189",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.107",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.47",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.10.*",
              "status": "unaffected",
              "version": "6.10.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.11",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.189",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.107",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.47",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.10.6",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.11",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: fix null ptr deref in dtInsertEntry\n\n[syzbot reported]\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]\nCPU: 0 PID: 5061 Comm: syz-executor404 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\nRIP: 0010:dtInsertEntry+0xd0c/0x1780 fs/jfs/jfs_dtree.c:3713\n...\n[Analyze]\nIn dtInsertEntry(), when the pointer h has the same value as p, after writing\nname in UniStrncpy_to_le(), p-\u003eheader.flag will be cleared. This will cause the\npreviously true judgment \"p-\u003eheader.flag \u0026 BT-LEAF\" to change to no after writing\nthe name operation, this leads to entering an incorrect branch and accessing the\nuninitialized object ih when judging this condition for the second time.\n\n[Fix]\nAfter got the page, check freelist first, if freelist == 0 then exit dtInsert()\nand return -EINVAL."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-05T10:52:35.936Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f98bf80b20f4a930589cda48a35f751a64fe0dc2"
        },
        {
          "url": "https://git.kernel.org/stable/c/53023ab11836ac56fd75f7a71ec1356e50920fa9"
        },
        {
          "url": "https://git.kernel.org/stable/c/6ea10dbb1e6c58384136e9adfd75f81951e423f6"
        },
        {
          "url": "https://git.kernel.org/stable/c/9c2ac38530d1a3ee558834dfa16c85a40fd0e702"
        },
        {
          "url": "https://git.kernel.org/stable/c/ce6dede912f064a855acf6f04a04cbb2c25b8c8c"
        }
      ],
      "title": "jfs: fix null ptr deref in dtInsertEntry",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-44939",
    "datePublished": "2024-08-26T11:20:44.129Z",
    "dateReserved": "2024-08-21T05:34:56.664Z",
    "dateUpdated": "2026-01-05T10:52:35.936Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38036 (GCVE-0-2025-38036)

Vulnerability from cvelistv5 – Published: 2025-06-18 09:33 – Updated: 2025-06-19 13:10

Title

drm/xe/vf: Perform early GT MMIO initialization to read GMDID

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/xe/vf: Perform early GT MMIO initialization to read GMDID VFs need to communicate with the GuC to obtain the GMDID value and existing GuC functions used for that assume that the GT has it's MMIO members already setup. However, due to recent refactoring the gt->mmio is initialized later, and any attempt by the VF to use xe_mmio_read|write() from GuC functions will lead to NPD crash due to unset MMIO register address: [] xe 0000:00:02.1: [drm] Running in SR-IOV VF mode [] xe 0000:00:02.1: [drm] GT0: sending H2G MMIO 0x5507 [] BUG: unable to handle page fault for address: 0000000000190240 Since we are already tweaking the id and type of the primary GT to mimic it's a Media GT before initializing the GuC communication, we can also call xe_gt_mmio_init() to perform early setup of the gt->mmio which will make those GuC functions work again.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/ef6e950aea76a5009…
	https://git.kernel.org/stable/c/13265fe7426ec9ba5…

Impacted products

Vendor

Product

Version

Linux

Affected: dd08ebf6c3525a7ea2186e636df064ea47281987 , < ef6e950aea76a5009ccc79ebfa955ecc66cd85a2 (git)
Affected: dd08ebf6c3525a7ea2186e636df064ea47281987 , < 13265fe7426ec9ba5aa86baab913417ca361e8a4 (git)

Linux

Affected: 6.8
Unaffected: 0 , < 6.8 (semver)
Unaffected: 6.14.9 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/xe/xe_pci.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ef6e950aea76a5009ccc79ebfa955ecc66cd85a2",
              "status": "affected",
              "version": "dd08ebf6c3525a7ea2186e636df064ea47281987",
              "versionType": "git"
            },
            {
              "lessThan": "13265fe7426ec9ba5aa86baab913417ca361e8a4",
              "status": "affected",
              "version": "dd08ebf6c3525a7ea2186e636df064ea47281987",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/xe/xe_pci.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.8"
            },
            {
              "lessThan": "6.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.9",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/vf: Perform early GT MMIO initialization to read GMDID\n\nVFs need to communicate with the GuC to obtain the GMDID value\nand existing GuC functions used for that assume that the GT has\nit\u0027s MMIO members already setup. However, due to recent refactoring\nthe gt-\u003emmio is initialized later, and any attempt by the VF to use\nxe_mmio_read|write() from GuC functions will lead to NPD crash due\nto unset MMIO register address:\n\n[] xe 0000:00:02.1: [drm] Running in SR-IOV VF mode\n[] xe 0000:00:02.1: [drm] GT0: sending H2G MMIO 0x5507\n[] BUG: unable to handle page fault for address: 0000000000190240\n\nSince we are already tweaking the id and type of the primary GT to\nmimic it\u0027s a Media GT before initializing the GuC communication,\nwe can also call xe_gt_mmio_init() to perform early setup of the\ngt-\u003emmio which will make those GuC functions work again."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-19T13:10:58.362Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ef6e950aea76a5009ccc79ebfa955ecc66cd85a2"
        },
        {
          "url": "https://git.kernel.org/stable/c/13265fe7426ec9ba5aa86baab913417ca361e8a4"
        }
      ],
      "title": "drm/xe/vf: Perform early GT MMIO initialization to read GMDID",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38036",
    "datePublished": "2025-06-18T09:33:22.928Z",
    "dateReserved": "2025-04-16T04:51:23.978Z",
    "dateUpdated": "2025-06-19T13:10:58.362Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38304 (GCVE-0-2025-38304)

Vulnerability from cvelistv5 – Published: 2025-07-10 07:42 – Updated: 2025-11-03 17:36

Title

Bluetooth: Fix NULL pointer deference on eir_get_service_data

Summary

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Fix NULL pointer deference on eir_get_service_data The len parameter is considered optional so it can be NULL so it cannot be used for skipping to next entry of EIR_SERVICE_DATA.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/497c9d2d7d3983826…
	https://git.kernel.org/stable/c/4bf29910570666e66…
	https://git.kernel.org/stable/c/842f7c3154d5b25ca…
	https://git.kernel.org/stable/c/7d99cc0f8e6fa0f35…
	https://git.kernel.org/stable/c/20a2aa01f5aeb6daa…

Impacted products

Vendor

Product

Version

Linux

Affected: 8f9ae5b3ae80f168a6224529e3787f4fb27f299a , < 497c9d2d7d3983826bb02c10fb4a5818be6550fb (git)
Affected: 8f9ae5b3ae80f168a6224529e3787f4fb27f299a , < 4bf29910570666e668a60d953f8da78e95bb7fa2 (git)
Affected: 8f9ae5b3ae80f168a6224529e3787f4fb27f299a , < 842f7c3154d5b25ca11753c02ee8cf6ee64c0142 (git)
Affected: 8f9ae5b3ae80f168a6224529e3787f4fb27f299a , < 7d99cc0f8e6fa0f35570887899f178122a61d44e (git)
Affected: 8f9ae5b3ae80f168a6224529e3787f4fb27f299a , < 20a2aa01f5aeb6daad9aeaa7c33dd512c58d81eb (git)

Linux

Affected: 5.19
Unaffected: 0 , < 5.19 (semver)
Unaffected: 6.1.142 , ≤ 6.1.* (semver)
Unaffected: 6.6.94 , ≤ 6.6.* (semver)
Unaffected: 6.12.34 , ≤ 6.12.* (semver)
Unaffected: 6.15.3 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:36:21.665Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/eir.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "497c9d2d7d3983826bb02c10fb4a5818be6550fb",
              "status": "affected",
              "version": "8f9ae5b3ae80f168a6224529e3787f4fb27f299a",
              "versionType": "git"
            },
            {
              "lessThan": "4bf29910570666e668a60d953f8da78e95bb7fa2",
              "status": "affected",
              "version": "8f9ae5b3ae80f168a6224529e3787f4fb27f299a",
              "versionType": "git"
            },
            {
              "lessThan": "842f7c3154d5b25ca11753c02ee8cf6ee64c0142",
              "status": "affected",
              "version": "8f9ae5b3ae80f168a6224529e3787f4fb27f299a",
              "versionType": "git"
            },
            {
              "lessThan": "7d99cc0f8e6fa0f35570887899f178122a61d44e",
              "status": "affected",
              "version": "8f9ae5b3ae80f168a6224529e3787f4fb27f299a",
              "versionType": "git"
            },
            {
              "lessThan": "20a2aa01f5aeb6daad9aeaa7c33dd512c58d81eb",
              "status": "affected",
              "version": "8f9ae5b3ae80f168a6224529e3787f4fb27f299a",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/eir.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.19"
            },
            {
              "lessThan": "5.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.94",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Fix NULL pointer deference on eir_get_service_data\n\nThe len parameter is considered optional so it can be NULL so it cannot\nbe used for skipping to next entry of EIR_SERVICE_DATA."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:18:05.605Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/497c9d2d7d3983826bb02c10fb4a5818be6550fb"
        },
        {
          "url": "https://git.kernel.org/stable/c/4bf29910570666e668a60d953f8da78e95bb7fa2"
        },
        {
          "url": "https://git.kernel.org/stable/c/842f7c3154d5b25ca11753c02ee8cf6ee64c0142"
        },
        {
          "url": "https://git.kernel.org/stable/c/7d99cc0f8e6fa0f35570887899f178122a61d44e"
        },
        {
          "url": "https://git.kernel.org/stable/c/20a2aa01f5aeb6daad9aeaa7c33dd512c58d81eb"
        }
      ],
      "title": "Bluetooth: Fix NULL pointer deference on eir_get_service_data",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38304",
    "datePublished": "2025-07-10T07:42:15.466Z",
    "dateReserved": "2025-04-16T04:51:24.002Z",
    "dateUpdated": "2025-11-03T17:36:21.665Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38262 (GCVE-0-2025-38262)

Vulnerability from cvelistv5 – Published: 2025-07-09 10:42 – Updated: 2025-11-03 17:36

Title

tty: serial: uartlite: register uart driver in init

Summary

In the Linux kernel, the following vulnerability has been resolved: tty: serial: uartlite: register uart driver in init When two instances of uart devices are probing, a concurrency race can occur. If one thread calls uart_register_driver function, which first allocates and assigns memory to 'uart_state' member of uart_driver structure, the other instance can bypass uart driver registration and call ulite_assign. This calls uart_add_one_port, which expects the uart driver to be fully initialized. This leads to a kernel panic due to a null pointer dereference: [ 8.143581] BUG: kernel NULL pointer dereference, address: 00000000000002b8 [ 8.156982] #PF: supervisor write access in kernel mode [ 8.156984] #PF: error_code(0x0002) - not-present page [ 8.156986] PGD 0 P4D 0 ... [ 8.180668] RIP: 0010:mutex_lock+0x19/0x30 [ 8.188624] Call Trace: [ 8.188629] ? __die_body.cold+0x1a/0x1f [ 8.195260] ? page_fault_oops+0x15c/0x290 [ 8.209183] ? __irq_resolve_mapping+0x47/0x80 [ 8.209187] ? exc_page_fault+0x64/0x140 [ 8.209190] ? asm_exc_page_fault+0x22/0x30 [ 8.209196] ? mutex_lock+0x19/0x30 [ 8.223116] uart_add_one_port+0x60/0x440 [ 8.223122] ? proc_tty_register_driver+0x43/0x50 [ 8.223126] ? tty_register_driver+0x1ca/0x1e0 [ 8.246250] ulite_probe+0x357/0x4b0 [uartlite] To prevent it, move uart driver registration in to init function. This will ensure that uart_driver is always registered when probe function is called.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/5015eed450005bab6…
	https://git.kernel.org/stable/c/9c905fdbba68a6d73…
	https://git.kernel.org/stable/c/6db06aaea07bb7c8e…
	https://git.kernel.org/stable/c/8e958d10dd0ce5ae6…
	https://git.kernel.org/stable/c/685d29f2c5057b32c…
	https://git.kernel.org/stable/c/f5e4229d94792b40e…
	https://git.kernel.org/stable/c/6bd697b5fc39fd24e…

Impacted products

Vendor

Product

Version

Linux

Affected: 238b8721a554a33a451a3f13bdb5be8fe5cfc927 , < 5015eed450005bab6e5cb6810f7a62eab0434fc4 (git)
Affected: 238b8721a554a33a451a3f13bdb5be8fe5cfc927 , < 9c905fdbba68a6d73d39a6b7de9b9f0d6c46df87 (git)
Affected: 238b8721a554a33a451a3f13bdb5be8fe5cfc927 , < 6db06aaea07bb7c8e33a425cf7b98bf29ee6056e (git)
Affected: 238b8721a554a33a451a3f13bdb5be8fe5cfc927 , < 8e958d10dd0ce5ae674cce460db5c9ca3f25243b (git)
Affected: 238b8721a554a33a451a3f13bdb5be8fe5cfc927 , < 685d29f2c5057b32c7b1b46f2a7d303b926c8f72 (git)
Affected: 238b8721a554a33a451a3f13bdb5be8fe5cfc927 , < f5e4229d94792b40e750f30c92bcf7a3107c72ef (git)
Affected: 238b8721a554a33a451a3f13bdb5be8fe5cfc927 , < 6bd697b5fc39fd24e2aa418c7b7d14469f550a93 (git)

Linux

Affected: 2.6.20
Unaffected: 0 , < 2.6.20 (semver)
Unaffected: 5.4.296 , ≤ 5.4.* (semver)
Unaffected: 5.15.187 , ≤ 5.15.* (semver)
Unaffected: 6.1.143 , ≤ 6.1.* (semver)
Unaffected: 6.6.96 , ≤ 6.6.* (semver)
Unaffected: 6.12.36 , ≤ 6.12.* (semver)
Unaffected: 6.15.5 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:36:04.315Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/tty/serial/uartlite.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5015eed450005bab6e5cb6810f7a62eab0434fc4",
              "status": "affected",
              "version": "238b8721a554a33a451a3f13bdb5be8fe5cfc927",
              "versionType": "git"
            },
            {
              "lessThan": "9c905fdbba68a6d73d39a6b7de9b9f0d6c46df87",
              "status": "affected",
              "version": "238b8721a554a33a451a3f13bdb5be8fe5cfc927",
              "versionType": "git"
            },
            {
              "lessThan": "6db06aaea07bb7c8e33a425cf7b98bf29ee6056e",
              "status": "affected",
              "version": "238b8721a554a33a451a3f13bdb5be8fe5cfc927",
              "versionType": "git"
            },
            {
              "lessThan": "8e958d10dd0ce5ae674cce460db5c9ca3f25243b",
              "status": "affected",
              "version": "238b8721a554a33a451a3f13bdb5be8fe5cfc927",
              "versionType": "git"
            },
            {
              "lessThan": "685d29f2c5057b32c7b1b46f2a7d303b926c8f72",
              "status": "affected",
              "version": "238b8721a554a33a451a3f13bdb5be8fe5cfc927",
              "versionType": "git"
            },
            {
              "lessThan": "f5e4229d94792b40e750f30c92bcf7a3107c72ef",
              "status": "affected",
              "version": "238b8721a554a33a451a3f13bdb5be8fe5cfc927",
              "versionType": "git"
            },
            {
              "lessThan": "6bd697b5fc39fd24e2aa418c7b7d14469f550a93",
              "status": "affected",
              "version": "238b8721a554a33a451a3f13bdb5be8fe5cfc927",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/tty/serial/uartlite.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.20"
            },
            {
              "lessThan": "2.6.20",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.296",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.187",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.143",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.96",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.36",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.296",
                  "versionStartIncluding": "2.6.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.187",
                  "versionStartIncluding": "2.6.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.143",
                  "versionStartIncluding": "2.6.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.96",
                  "versionStartIncluding": "2.6.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.36",
                  "versionStartIncluding": "2.6.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.5",
                  "versionStartIncluding": "2.6.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "2.6.20",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: serial: uartlite: register uart driver in init\n\nWhen two instances of uart devices are probing, a concurrency race can\noccur. If one thread calls uart_register_driver function, which first\nallocates and assigns memory to \u0027uart_state\u0027 member of uart_driver\nstructure, the other instance can bypass uart driver registration and\ncall ulite_assign. This calls uart_add_one_port, which expects the uart\ndriver to be fully initialized. This leads to a kernel panic due to a\nnull pointer dereference:\n\n[    8.143581] BUG: kernel NULL pointer dereference, address: 00000000000002b8\n[    8.156982] #PF: supervisor write access in kernel mode\n[    8.156984] #PF: error_code(0x0002) - not-present page\n[    8.156986] PGD 0 P4D 0\n...\n[    8.180668] RIP: 0010:mutex_lock+0x19/0x30\n[    8.188624] Call Trace:\n[    8.188629]  ? __die_body.cold+0x1a/0x1f\n[    8.195260]  ? page_fault_oops+0x15c/0x290\n[    8.209183]  ? __irq_resolve_mapping+0x47/0x80\n[    8.209187]  ? exc_page_fault+0x64/0x140\n[    8.209190]  ? asm_exc_page_fault+0x22/0x30\n[    8.209196]  ? mutex_lock+0x19/0x30\n[    8.223116]  uart_add_one_port+0x60/0x440\n[    8.223122]  ? proc_tty_register_driver+0x43/0x50\n[    8.223126]  ? tty_register_driver+0x1ca/0x1e0\n[    8.246250]  ulite_probe+0x357/0x4b0 [uartlite]\n\nTo prevent it, move uart driver registration in to init function. This\nwill ensure that uart_driver is always registered when probe function\nis called."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:16:34.836Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/5015eed450005bab6e5cb6810f7a62eab0434fc4"
        },
        {
          "url": "https://git.kernel.org/stable/c/9c905fdbba68a6d73d39a6b7de9b9f0d6c46df87"
        },
        {
          "url": "https://git.kernel.org/stable/c/6db06aaea07bb7c8e33a425cf7b98bf29ee6056e"
        },
        {
          "url": "https://git.kernel.org/stable/c/8e958d10dd0ce5ae674cce460db5c9ca3f25243b"
        },
        {
          "url": "https://git.kernel.org/stable/c/685d29f2c5057b32c7b1b46f2a7d303b926c8f72"
        },
        {
          "url": "https://git.kernel.org/stable/c/f5e4229d94792b40e750f30c92bcf7a3107c72ef"
        },
        {
          "url": "https://git.kernel.org/stable/c/6bd697b5fc39fd24e2aa418c7b7d14469f550a93"
        }
      ],
      "title": "tty: serial: uartlite: register uart driver in init",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38262",
    "datePublished": "2025-07-09T10:42:37.410Z",
    "dateReserved": "2025-04-16T04:51:23.997Z",
    "dateUpdated": "2025-11-03T17:36:04.315Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38345 (GCVE-0-2025-38345)

Vulnerability from cvelistv5 – Published: 2025-07-10 08:15 – Updated: 2026-01-02 15:30

Title

ACPICA: fix acpi operand cache leak in dswstate.c

Summary

In the Linux kernel, the following vulnerability has been resolved: ACPICA: fix acpi operand cache leak in dswstate.c ACPICA commit 987a3b5cf7175916e2a4b6ea5b8e70f830dfe732 I found an ACPI cache leak in ACPI early termination and boot continuing case. When early termination occurs due to malicious ACPI table, Linux kernel terminates ACPI function and continues to boot process. While kernel terminates ACPI function, kmem_cache_destroy() reports Acpi-Operand cache leak. Boot log of ACPI operand cache leak is as follows: >[ 0.585957] ACPI: Added _OSI(Module Device) >[ 0.587218] ACPI: Added _OSI(Processor Device) >[ 0.588530] ACPI: Added _OSI(3.0 _SCP Extensions) >[ 0.589790] ACPI: Added _OSI(Processor Aggregator Device) >[ 0.591534] ACPI Error: Illegal I/O port address/length above 64K: C806E00000004002/0x2 (20170303/hwvalid-155) >[ 0.594351] ACPI Exception: AE_LIMIT, Unable to initialize fixed events (20170303/evevent-88) >[ 0.597858] ACPI: Unable to start the ACPI Interpreter >[ 0.599162] ACPI Error: Could not remove SCI handler (20170303/evmisc-281) >[ 0.601836] kmem_cache_destroy Acpi-Operand: Slab cache still has objects >[ 0.603556] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.12.0-rc5 #26 >[ 0.605159] Hardware name: innotek gmb_h virtual_box/virtual_box, BIOS virtual_box 12/01/2006 >[ 0.609177] Call Trace: >[ 0.610063] ? dump_stack+0x5c/0x81 >[ 0.611118] ? kmem_cache_destroy+0x1aa/0x1c0 >[ 0.612632] ? acpi_sleep_proc_init+0x27/0x27 >[ 0.613906] ? acpi_os_delete_cache+0xa/0x10 >[ 0.617986] ? acpi_ut_delete_caches+0x3f/0x7b >[ 0.619293] ? acpi_terminate+0xa/0x14 >[ 0.620394] ? acpi_init+0x2af/0x34f >[ 0.621616] ? __class_create+0x4c/0x80 >[ 0.623412] ? video_setup+0x7f/0x7f >[ 0.624585] ? acpi_sleep_proc_init+0x27/0x27 >[ 0.625861] ? do_one_initcall+0x4e/0x1a0 >[ 0.627513] ? kernel_init_freeable+0x19e/0x21f >[ 0.628972] ? rest_init+0x80/0x80 >[ 0.630043] ? kernel_init+0xa/0x100 >[ 0.631084] ? ret_from_fork+0x25/0x30 >[ 0.633343] vgaarb: loaded >[ 0.635036] EDAC MC: Ver: 3.0.0 >[ 0.638601] PCI: Probing PCI hardware >[ 0.639833] PCI host bridge to bus 0000:00 >[ 0.641031] pci_bus 0000:00: root bus resource [io 0x0000-0xffff] > ... Continue to boot and log is omitted ... I analyzed this memory leak in detail and found acpi_ds_obj_stack_pop_and_ delete() function miscalculated the top of the stack. acpi_ds_obj_stack_push() function uses walk_state->operand_index for start position of the top, but acpi_ds_obj_stack_pop_and_delete() function considers index 0 for it. Therefore, this causes acpi operand memory leak. This cache leak causes a security threat because an old kernel (<= 4.9) shows memory locations of kernel functions in stack dump. Some malicious users could use this information to neutralize kernel ASLR. I made a patch to fix ACPI operand cache leak.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/4fa430a8bca708c77…
	https://git.kernel.org/stable/c/1c0d9115a001979cb…
	https://git.kernel.org/stable/c/5a68893b594ee6ce0…
	https://git.kernel.org/stable/c/64c4bcf0308dd1d75…
	https://git.kernel.org/stable/c/755a8006b76792922…
	https://git.kernel.org/stable/c/76d37168155880f2b…
	https://git.kernel.org/stable/c/e0783910ca4368b01…
	https://git.kernel.org/stable/c/156fd20a41e776bbf…

Impacted products

Vendor

Product

Version

Linux

Affected: 773069d48030e670cf2032a13ddf16a2e0034df3 , < 4fa430a8bca708c7776f6b9d001257f48b19a5b7 (git)
Affected: 773069d48030e670cf2032a13ddf16a2e0034df3 , < 1c0d9115a001979cb446ba5e8331dd1d29a10bbf (git)
Affected: 773069d48030e670cf2032a13ddf16a2e0034df3 , < 5a68893b594ee6ce0efce5f74c07e64e9dd0c2c4 (git)
Affected: 773069d48030e670cf2032a13ddf16a2e0034df3 , < 64c4bcf0308dd1d752ef31d560040b8725e29984 (git)
Affected: 773069d48030e670cf2032a13ddf16a2e0034df3 , < 755a8006b76792922ff7b1c9674d8897a476b5d7 (git)
Affected: 773069d48030e670cf2032a13ddf16a2e0034df3 , < 76d37168155880f2b04a0aad92ceb0f9d799950e (git)
Affected: 773069d48030e670cf2032a13ddf16a2e0034df3 , < e0783910ca4368b01466bc8dcdcc13c3e0b7db53 (git)
Affected: 773069d48030e670cf2032a13ddf16a2e0034df3 , < 156fd20a41e776bbf334bd5e45c4f78dfc90ce1c (git)

Linux

Affected: 2.6.26
Unaffected: 0 , < 2.6.26 (semver)
Unaffected: 5.4.295 , ≤ 5.4.* (semver)
Unaffected: 5.10.239 , ≤ 5.10.* (semver)
Unaffected: 5.15.186 , ≤ 5.15.* (semver)
Unaffected: 6.1.142 , ≤ 6.1.* (semver)
Unaffected: 6.6.95 , ≤ 6.6.* (semver)
Unaffected: 6.12.35 , ≤ 6.12.* (semver)
Unaffected: 6.15.4 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:36:53.250Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/acpi/acpica/dsutils.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "4fa430a8bca708c7776f6b9d001257f48b19a5b7",
              "status": "affected",
              "version": "773069d48030e670cf2032a13ddf16a2e0034df3",
              "versionType": "git"
            },
            {
              "lessThan": "1c0d9115a001979cb446ba5e8331dd1d29a10bbf",
              "status": "affected",
              "version": "773069d48030e670cf2032a13ddf16a2e0034df3",
              "versionType": "git"
            },
            {
              "lessThan": "5a68893b594ee6ce0efce5f74c07e64e9dd0c2c4",
              "status": "affected",
              "version": "773069d48030e670cf2032a13ddf16a2e0034df3",
              "versionType": "git"
            },
            {
              "lessThan": "64c4bcf0308dd1d752ef31d560040b8725e29984",
              "status": "affected",
              "version": "773069d48030e670cf2032a13ddf16a2e0034df3",
              "versionType": "git"
            },
            {
              "lessThan": "755a8006b76792922ff7b1c9674d8897a476b5d7",
              "status": "affected",
              "version": "773069d48030e670cf2032a13ddf16a2e0034df3",
              "versionType": "git"
            },
            {
              "lessThan": "76d37168155880f2b04a0aad92ceb0f9d799950e",
              "status": "affected",
              "version": "773069d48030e670cf2032a13ddf16a2e0034df3",
              "versionType": "git"
            },
            {
              "lessThan": "e0783910ca4368b01466bc8dcdcc13c3e0b7db53",
              "status": "affected",
              "version": "773069d48030e670cf2032a13ddf16a2e0034df3",
              "versionType": "git"
            },
            {
              "lessThan": "156fd20a41e776bbf334bd5e45c4f78dfc90ce1c",
              "status": "affected",
              "version": "773069d48030e670cf2032a13ddf16a2e0034df3",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/acpi/acpica/dsutils.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.26"
            },
            {
              "lessThan": "2.6.26",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.295",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.95",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.35",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.295",
                  "versionStartIncluding": "2.6.26",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "2.6.26",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "2.6.26",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "2.6.26",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.95",
                  "versionStartIncluding": "2.6.26",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.35",
                  "versionStartIncluding": "2.6.26",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.4",
                  "versionStartIncluding": "2.6.26",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "2.6.26",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPICA: fix acpi operand cache leak in dswstate.c\n\nACPICA commit 987a3b5cf7175916e2a4b6ea5b8e70f830dfe732\n\nI found an ACPI cache leak in ACPI early termination and boot continuing case.\n\nWhen early termination occurs due to malicious ACPI table, Linux kernel\nterminates ACPI function and continues to boot process. While kernel terminates\nACPI function, kmem_cache_destroy() reports Acpi-Operand cache leak.\n\nBoot log of ACPI operand cache leak is as follows:\n\u003e[    0.585957] ACPI: Added _OSI(Module Device)\n\u003e[    0.587218] ACPI: Added _OSI(Processor Device)\n\u003e[    0.588530] ACPI: Added _OSI(3.0 _SCP Extensions)\n\u003e[    0.589790] ACPI: Added _OSI(Processor Aggregator Device)\n\u003e[    0.591534] ACPI Error: Illegal I/O port address/length above 64K: C806E00000004002/0x2 (20170303/hwvalid-155)\n\u003e[    0.594351] ACPI Exception: AE_LIMIT, Unable to initialize fixed events (20170303/evevent-88)\n\u003e[    0.597858] ACPI: Unable to start the ACPI Interpreter\n\u003e[    0.599162] ACPI Error: Could not remove SCI handler (20170303/evmisc-281)\n\u003e[    0.601836] kmem_cache_destroy Acpi-Operand: Slab cache still has objects\n\u003e[    0.603556] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.12.0-rc5 #26\n\u003e[    0.605159] Hardware name: innotek gmb_h virtual_box/virtual_box, BIOS virtual_box 12/01/2006\n\u003e[    0.609177] Call Trace:\n\u003e[    0.610063]  ? dump_stack+0x5c/0x81\n\u003e[    0.611118]  ? kmem_cache_destroy+0x1aa/0x1c0\n\u003e[    0.612632]  ? acpi_sleep_proc_init+0x27/0x27\n\u003e[    0.613906]  ? acpi_os_delete_cache+0xa/0x10\n\u003e[    0.617986]  ? acpi_ut_delete_caches+0x3f/0x7b\n\u003e[    0.619293]  ? acpi_terminate+0xa/0x14\n\u003e[    0.620394]  ? acpi_init+0x2af/0x34f\n\u003e[    0.621616]  ? __class_create+0x4c/0x80\n\u003e[    0.623412]  ? video_setup+0x7f/0x7f\n\u003e[    0.624585]  ? acpi_sleep_proc_init+0x27/0x27\n\u003e[    0.625861]  ? do_one_initcall+0x4e/0x1a0\n\u003e[    0.627513]  ? kernel_init_freeable+0x19e/0x21f\n\u003e[    0.628972]  ? rest_init+0x80/0x80\n\u003e[    0.630043]  ? kernel_init+0xa/0x100\n\u003e[    0.631084]  ? ret_from_fork+0x25/0x30\n\u003e[    0.633343] vgaarb: loaded\n\u003e[    0.635036] EDAC MC: Ver: 3.0.0\n\u003e[    0.638601] PCI: Probing PCI hardware\n\u003e[    0.639833] PCI host bridge to bus 0000:00\n\u003e[    0.641031] pci_bus 0000:00: root bus resource [io  0x0000-0xffff]\n\u003e ... Continue to boot and log is omitted ...\n\nI analyzed this memory leak in detail and found acpi_ds_obj_stack_pop_and_\ndelete() function miscalculated the top of the stack. acpi_ds_obj_stack_push()\nfunction uses walk_state-\u003eoperand_index for start position of the top, but\nacpi_ds_obj_stack_pop_and_delete() function considers index 0 for it.\nTherefore, this causes acpi operand memory leak.\n\nThis cache leak causes a security threat because an old kernel (\u003c= 4.9) shows\nmemory locations of kernel functions in stack dump. Some malicious users\ncould use this information to neutralize kernel ASLR.\n\nI made a patch to fix ACPI operand cache leak."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:30:28.081Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/4fa430a8bca708c7776f6b9d001257f48b19a5b7"
        },
        {
          "url": "https://git.kernel.org/stable/c/1c0d9115a001979cb446ba5e8331dd1d29a10bbf"
        },
        {
          "url": "https://git.kernel.org/stable/c/5a68893b594ee6ce0efce5f74c07e64e9dd0c2c4"
        },
        {
          "url": "https://git.kernel.org/stable/c/64c4bcf0308dd1d752ef31d560040b8725e29984"
        },
        {
          "url": "https://git.kernel.org/stable/c/755a8006b76792922ff7b1c9674d8897a476b5d7"
        },
        {
          "url": "https://git.kernel.org/stable/c/76d37168155880f2b04a0aad92ceb0f9d799950e"
        },
        {
          "url": "https://git.kernel.org/stable/c/e0783910ca4368b01466bc8dcdcc13c3e0b7db53"
        },
        {
          "url": "https://git.kernel.org/stable/c/156fd20a41e776bbf334bd5e45c4f78dfc90ce1c"
        }
      ],
      "title": "ACPICA: fix acpi operand cache leak in dswstate.c",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38345",
    "datePublished": "2025-07-10T08:15:13.652Z",
    "dateReserved": "2025-04-16T04:51:24.006Z",
    "dateUpdated": "2026-01-02T15:30:28.081Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38281 (GCVE-0-2025-38281)

Vulnerability from cvelistv5 – Published: 2025-07-10 07:41 – Updated: 2025-07-28 04:17

Title

wifi: mt76: mt7996: Add NULL check in mt7996_thermal_init

Summary

In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7996: Add NULL check in mt7996_thermal_init devm_kasprintf() can return a NULL pointer on failure,but this returned value in mt7996_thermal_init() is not checked. Add NULL check in mt7996_thermal_init(), to handle kernel NULL pointer dereference error.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/8340cb173750c1ea9…
	https://git.kernel.org/stable/c/caf4b347c5dc40fdd…

Impacted products

Vendor

Product

Version

Linux

Affected: 69d54ce7491d046eaae05de7fb2493319a481991 , < 8340cb173750c1ea99cd643006b72f8b0e6c21f2 (git)
Affected: 69d54ce7491d046eaae05de7fb2493319a481991 , < caf4b347c5dc40fdd125793b5e82ba9fc4de5275 (git)

Linux

Affected: 6.14
Unaffected: 0 , < 6.14 (semver)
Unaffected: 6.15.3 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/mediatek/mt76/mt7996/init.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "8340cb173750c1ea99cd643006b72f8b0e6c21f2",
              "status": "affected",
              "version": "69d54ce7491d046eaae05de7fb2493319a481991",
              "versionType": "git"
            },
            {
              "lessThan": "caf4b347c5dc40fdd125793b5e82ba9fc4de5275",
              "status": "affected",
              "version": "69d54ce7491d046eaae05de7fb2493319a481991",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/mediatek/mt76/mt7996/init.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.14"
            },
            {
              "lessThan": "6.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7996: Add NULL check in mt7996_thermal_init\n\ndevm_kasprintf() can return a NULL pointer on failure,but this\nreturned value in mt7996_thermal_init() is not checked.\nAdd NULL check in mt7996_thermal_init(), to handle kernel NULL\npointer dereference error."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:17:12.421Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/8340cb173750c1ea99cd643006b72f8b0e6c21f2"
        },
        {
          "url": "https://git.kernel.org/stable/c/caf4b347c5dc40fdd125793b5e82ba9fc4de5275"
        }
      ],
      "title": "wifi: mt76: mt7996: Add NULL check in mt7996_thermal_init",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38281",
    "datePublished": "2025-07-10T07:41:59.518Z",
    "dateReserved": "2025-04-16T04:51:24.000Z",
    "dateUpdated": "2025-07-28T04:17:12.421Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38106 (GCVE-0-2025-38106)

Vulnerability from cvelistv5 – Published: 2025-07-03 08:35 – Updated: 2025-07-28 04:12

Title

io_uring: fix use-after-free of sq->thread in __io_uring_show_fdinfo()

Summary

In the Linux kernel, the following vulnerability has been resolved: io_uring: fix use-after-free of sq->thread in __io_uring_show_fdinfo() syzbot reports: BUG: KASAN: slab-use-after-free in getrusage+0x1109/0x1a60 Read of size 8 at addr ffff88810de2d2c8 by task a.out/304 CPU: 0 UID: 0 PID: 304 Comm: a.out Not tainted 6.16.0-rc1 #1 PREEMPT(voluntary) Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x53/0x70 print_report+0xd0/0x670 ? __pfx__raw_spin_lock_irqsave+0x10/0x10 ? getrusage+0x1109/0x1a60 kasan_report+0xce/0x100 ? getrusage+0x1109/0x1a60 getrusage+0x1109/0x1a60 ? __pfx_getrusage+0x10/0x10 __io_uring_show_fdinfo+0x9fe/0x1790 ? ksys_read+0xf7/0x1c0 ? do_syscall_64+0xa4/0x260 ? vsnprintf+0x591/0x1100 ? __pfx___io_uring_show_fdinfo+0x10/0x10 ? __pfx_vsnprintf+0x10/0x10 ? mutex_trylock+0xcf/0x130 ? __pfx_mutex_trylock+0x10/0x10 ? __pfx_show_fd_locks+0x10/0x10 ? io_uring_show_fdinfo+0x57/0x80 io_uring_show_fdinfo+0x57/0x80 seq_show+0x38c/0x690 seq_read_iter+0x3f7/0x1180 ? inode_set_ctime_current+0x160/0x4b0 seq_read+0x271/0x3e0 ? __pfx_seq_read+0x10/0x10 ? __pfx__raw_spin_lock+0x10/0x10 ? __mark_inode_dirty+0x402/0x810 ? selinux_file_permission+0x368/0x500 ? file_update_time+0x10f/0x160 vfs_read+0x177/0xa40 ? __pfx___handle_mm_fault+0x10/0x10 ? __pfx_vfs_read+0x10/0x10 ? mutex_lock+0x81/0xe0 ? __pfx_mutex_lock+0x10/0x10 ? fdget_pos+0x24d/0x4b0 ksys_read+0xf7/0x1c0 ? __pfx_ksys_read+0x10/0x10 ? do_user_addr_fault+0x43b/0x9c0 do_syscall_64+0xa4/0x260 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f0f74170fc9 Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 8 RSP: 002b:00007fffece049e8 EFLAGS: 00000206 ORIG_RAX: 0000000000000000 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f0f74170fc9 RDX: 0000000000001000 RSI: 00007fffece049f0 RDI: 0000000000000004 RBP: 00007fffece05ad0 R08: 0000000000000000 R09: 00007fffece04d90 R10: 0000000000000000 R11: 0000000000000206 R12: 00005651720a1100 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 </TASK> Allocated by task 298: kasan_save_stack+0x33/0x60 kasan_save_track+0x14/0x30 __kasan_slab_alloc+0x6e/0x70 kmem_cache_alloc_node_noprof+0xe8/0x330 copy_process+0x376/0x5e00 create_io_thread+0xab/0xf0 io_sq_offload_create+0x9ed/0xf20 io_uring_setup+0x12b0/0x1cc0 do_syscall_64+0xa4/0x260 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 22: kasan_save_stack+0x33/0x60 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x37/0x50 kmem_cache_free+0xc4/0x360 rcu_core+0x5ff/0x19f0 handle_softirqs+0x18c/0x530 run_ksoftirqd+0x20/0x30 smpboot_thread_fn+0x287/0x6c0 kthread+0x30d/0x630 ret_from_fork+0xef/0x1a0 ret_from_fork_asm+0x1a/0x30 Last potentially related work creation: kasan_save_stack+0x33/0x60 kasan_record_aux_stack+0x8c/0xa0 __call_rcu_common.constprop.0+0x68/0x940 __schedule+0xff2/0x2930 __cond_resched+0x4c/0x80 mutex_lock+0x5c/0xe0 io_uring_del_tctx_node+0xe1/0x2b0 io_uring_clean_tctx+0xb7/0x160 io_uring_cancel_generic+0x34e/0x760 do_exit+0x240/0x2350 do_group_exit+0xab/0x220 __x64_sys_exit_group+0x39/0x40 x64_sys_call+0x1243/0x1840 do_syscall_64+0xa4/0x260 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff88810de2cb00 which belongs to the cache task_struct of size 3712 The buggy address is located 1992 bytes inside of freed 3712-byte region [ffff88810de2cb00, ffff88810de2d980) which is caused by the task_struct pointed to by sq->thread being released while it is being used in the function __io_uring_show_fdinfo(). Holding ctx->uring_lock does not prevent ehre relase or exit of sq->thread. Fix this by assigning and looking up ->thread under RCU, and grabbing a reference to the task_struct. This e ---truncated---

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/af8c13f9ee040b9a2…
	https://git.kernel.org/stable/c/d0932758a0a77b38b…
	https://git.kernel.org/stable/c/ac0b8b327a5677dc6…

Impacted products

Vendor

Product

Version

Linux

Affected: 3fcb9d17206e31630f802a3ab52081d1342b8ed9 , < af8c13f9ee040b9a287ba246cf0055f7c77b7cc8 (git)
Affected: 3fcb9d17206e31630f802a3ab52081d1342b8ed9 , < d0932758a0a77b38ba1b39564f3b7aba12407061 (git)
Affected: 3fcb9d17206e31630f802a3ab52081d1342b8ed9 , < ac0b8b327a5677dc6fecdf353d808161525b1ff0 (git)

Linux

Affected: 6.9
Unaffected: 0 , < 6.9 (semver)
Unaffected: 6.12.34 , ≤ 6.12.* (semver)
Unaffected: 6.15.3 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "io_uring/fdinfo.c",
            "io_uring/sqpoll.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "af8c13f9ee040b9a287ba246cf0055f7c77b7cc8",
              "status": "affected",
              "version": "3fcb9d17206e31630f802a3ab52081d1342b8ed9",
              "versionType": "git"
            },
            {
              "lessThan": "d0932758a0a77b38ba1b39564f3b7aba12407061",
              "status": "affected",
              "version": "3fcb9d17206e31630f802a3ab52081d1342b8ed9",
              "versionType": "git"
            },
            {
              "lessThan": "ac0b8b327a5677dc6fecdf353d808161525b1ff0",
              "status": "affected",
              "version": "3fcb9d17206e31630f802a3ab52081d1342b8ed9",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "io_uring/fdinfo.c",
            "io_uring/sqpoll.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.9"
            },
            {
              "lessThan": "6.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: fix use-after-free of sq-\u003ethread in __io_uring_show_fdinfo()\n\nsyzbot reports:\n\nBUG: KASAN: slab-use-after-free in getrusage+0x1109/0x1a60\nRead of size 8 at addr ffff88810de2d2c8 by task a.out/304\n\nCPU: 0 UID: 0 PID: 304 Comm: a.out Not tainted 6.16.0-rc1 #1 PREEMPT(voluntary)\nHardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x53/0x70\n print_report+0xd0/0x670\n ? __pfx__raw_spin_lock_irqsave+0x10/0x10\n ? getrusage+0x1109/0x1a60\n kasan_report+0xce/0x100\n ? getrusage+0x1109/0x1a60\n getrusage+0x1109/0x1a60\n ? __pfx_getrusage+0x10/0x10\n __io_uring_show_fdinfo+0x9fe/0x1790\n ? ksys_read+0xf7/0x1c0\n ? do_syscall_64+0xa4/0x260\n ? vsnprintf+0x591/0x1100\n ? __pfx___io_uring_show_fdinfo+0x10/0x10\n ? __pfx_vsnprintf+0x10/0x10\n ? mutex_trylock+0xcf/0x130\n ? __pfx_mutex_trylock+0x10/0x10\n ? __pfx_show_fd_locks+0x10/0x10\n ? io_uring_show_fdinfo+0x57/0x80\n io_uring_show_fdinfo+0x57/0x80\n seq_show+0x38c/0x690\n seq_read_iter+0x3f7/0x1180\n ? inode_set_ctime_current+0x160/0x4b0\n seq_read+0x271/0x3e0\n ? __pfx_seq_read+0x10/0x10\n ? __pfx__raw_spin_lock+0x10/0x10\n ? __mark_inode_dirty+0x402/0x810\n ? selinux_file_permission+0x368/0x500\n ? file_update_time+0x10f/0x160\n vfs_read+0x177/0xa40\n ? __pfx___handle_mm_fault+0x10/0x10\n ? __pfx_vfs_read+0x10/0x10\n ? mutex_lock+0x81/0xe0\n ? __pfx_mutex_lock+0x10/0x10\n ? fdget_pos+0x24d/0x4b0\n ksys_read+0xf7/0x1c0\n ? __pfx_ksys_read+0x10/0x10\n ? do_user_addr_fault+0x43b/0x9c0\n do_syscall_64+0xa4/0x260\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f0f74170fc9\nCode: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 8b 8\nRSP: 002b:00007fffece049e8 EFLAGS: 00000206 ORIG_RAX: 0000000000000000\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f0f74170fc9\nRDX: 0000000000001000 RSI: 00007fffece049f0 RDI: 0000000000000004\nRBP: 00007fffece05ad0 R08: 0000000000000000 R09: 00007fffece04d90\nR10: 0000000000000000 R11: 0000000000000206 R12: 00005651720a1100\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n \u003c/TASK\u003e\n\nAllocated by task 298:\n kasan_save_stack+0x33/0x60\n kasan_save_track+0x14/0x30\n __kasan_slab_alloc+0x6e/0x70\n kmem_cache_alloc_node_noprof+0xe8/0x330\n copy_process+0x376/0x5e00\n create_io_thread+0xab/0xf0\n io_sq_offload_create+0x9ed/0xf20\n io_uring_setup+0x12b0/0x1cc0\n do_syscall_64+0xa4/0x260\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFreed by task 22:\n kasan_save_stack+0x33/0x60\n kasan_save_track+0x14/0x30\n kasan_save_free_info+0x3b/0x60\n __kasan_slab_free+0x37/0x50\n kmem_cache_free+0xc4/0x360\n rcu_core+0x5ff/0x19f0\n handle_softirqs+0x18c/0x530\n run_ksoftirqd+0x20/0x30\n smpboot_thread_fn+0x287/0x6c0\n kthread+0x30d/0x630\n ret_from_fork+0xef/0x1a0\n ret_from_fork_asm+0x1a/0x30\n\nLast potentially related work creation:\n kasan_save_stack+0x33/0x60\n kasan_record_aux_stack+0x8c/0xa0\n __call_rcu_common.constprop.0+0x68/0x940\n __schedule+0xff2/0x2930\n __cond_resched+0x4c/0x80\n mutex_lock+0x5c/0xe0\n io_uring_del_tctx_node+0xe1/0x2b0\n io_uring_clean_tctx+0xb7/0x160\n io_uring_cancel_generic+0x34e/0x760\n do_exit+0x240/0x2350\n do_group_exit+0xab/0x220\n __x64_sys_exit_group+0x39/0x40\n x64_sys_call+0x1243/0x1840\n do_syscall_64+0xa4/0x260\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nThe buggy address belongs to the object at ffff88810de2cb00\n which belongs to the cache task_struct of size 3712\nThe buggy address is located 1992 bytes inside of\n freed 3712-byte region [ffff88810de2cb00, ffff88810de2d980)\n\nwhich is caused by the task_struct pointed to by sq-\u003ethread being\nreleased while it is being used in the function\n__io_uring_show_fdinfo(). Holding ctx-\u003euring_lock does not prevent ehre\nrelase or exit of sq-\u003ethread.\n\nFix this by assigning and looking up -\u003ethread under RCU, and grabbing a\nreference to the task_struct. This e\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:12:21.273Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/af8c13f9ee040b9a287ba246cf0055f7c77b7cc8"
        },
        {
          "url": "https://git.kernel.org/stable/c/d0932758a0a77b38ba1b39564f3b7aba12407061"
        },
        {
          "url": "https://git.kernel.org/stable/c/ac0b8b327a5677dc6fecdf353d808161525b1ff0"
        }
      ],
      "title": "io_uring: fix use-after-free of sq-\u003ethread in __io_uring_show_fdinfo()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38106",
    "datePublished": "2025-07-03T08:35:16.215Z",
    "dateReserved": "2025-04-16T04:51:23.985Z",
    "dateUpdated": "2025-07-28T04:12:21.273Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38428 (GCVE-0-2025-38428)

Vulnerability from cvelistv5 – Published: 2025-07-25 14:16 – Updated: 2025-11-03 17:37

Title

Input: ims-pcu - check record size in ims_pcu_flash_firmware()

Summary

In the Linux kernel, the following vulnerability has been resolved: Input: ims-pcu - check record size in ims_pcu_flash_firmware() The "len" variable comes from the firmware and we generally do trust firmware, but it's always better to double check. If the "len" is too large it could result in memory corruption when we do "memcpy(fragment->data, rec->data, len);"

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/c1b9d140b0807c6ae…
	https://git.kernel.org/stable/c/d63706d9f73846106…
	https://git.kernel.org/stable/c/e5a2481dc2a0b430f…
	https://git.kernel.org/stable/c/8e03f1c7d50343bf2…
	https://git.kernel.org/stable/c/17474a56acf708bf6…
	https://git.kernel.org/stable/c/5a8cd6ae8393e2eae…
	https://git.kernel.org/stable/c/74661516daee1eade…
	https://git.kernel.org/stable/c/a95ef0199e80f3384…

Impacted products

Vendor

Product

Version

Linux

Affected: 628329d52474323938a03826941e166bc7c8eff4 , < c1b9d140b0807c6aee4bb53e1bfa4e391e3dc204 (git)
Affected: 628329d52474323938a03826941e166bc7c8eff4 , < d63706d9f73846106fde28b284f08e01b92ce9f1 (git)
Affected: 628329d52474323938a03826941e166bc7c8eff4 , < e5a2481dc2a0b430f49276d7482793a8923631d6 (git)
Affected: 628329d52474323938a03826941e166bc7c8eff4 , < 8e03f1c7d50343bf21da54873301bc4fa647479f (git)
Affected: 628329d52474323938a03826941e166bc7c8eff4 , < 17474a56acf708bf6b2d174c06ed26abad0a9fd6 (git)
Affected: 628329d52474323938a03826941e166bc7c8eff4 , < 5a8cd6ae8393e2eaebf51d420d5374821ef2af87 (git)
Affected: 628329d52474323938a03826941e166bc7c8eff4 , < 74661516daee1eadebede8dc607b6830530096ec (git)
Affected: 628329d52474323938a03826941e166bc7c8eff4 , < a95ef0199e80f3384eb992889322957d26c00102 (git)

Linux

Affected: 3.10
Unaffected: 0 , < 3.10 (semver)
Unaffected: 5.4.295 , ≤ 5.4.* (semver)
Unaffected: 5.10.239 , ≤ 5.10.* (semver)
Unaffected: 5.15.186 , ≤ 5.15.* (semver)
Unaffected: 6.1.142 , ≤ 6.1.* (semver)
Unaffected: 6.6.95 , ≤ 6.6.* (semver)
Unaffected: 6.12.35 , ≤ 6.12.* (semver)
Unaffected: 6.15.4 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:37:57.365Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/input/misc/ims-pcu.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c1b9d140b0807c6aee4bb53e1bfa4e391e3dc204",
              "status": "affected",
              "version": "628329d52474323938a03826941e166bc7c8eff4",
              "versionType": "git"
            },
            {
              "lessThan": "d63706d9f73846106fde28b284f08e01b92ce9f1",
              "status": "affected",
              "version": "628329d52474323938a03826941e166bc7c8eff4",
              "versionType": "git"
            },
            {
              "lessThan": "e5a2481dc2a0b430f49276d7482793a8923631d6",
              "status": "affected",
              "version": "628329d52474323938a03826941e166bc7c8eff4",
              "versionType": "git"
            },
            {
              "lessThan": "8e03f1c7d50343bf21da54873301bc4fa647479f",
              "status": "affected",
              "version": "628329d52474323938a03826941e166bc7c8eff4",
              "versionType": "git"
            },
            {
              "lessThan": "17474a56acf708bf6b2d174c06ed26abad0a9fd6",
              "status": "affected",
              "version": "628329d52474323938a03826941e166bc7c8eff4",
              "versionType": "git"
            },
            {
              "lessThan": "5a8cd6ae8393e2eaebf51d420d5374821ef2af87",
              "status": "affected",
              "version": "628329d52474323938a03826941e166bc7c8eff4",
              "versionType": "git"
            },
            {
              "lessThan": "74661516daee1eadebede8dc607b6830530096ec",
              "status": "affected",
              "version": "628329d52474323938a03826941e166bc7c8eff4",
              "versionType": "git"
            },
            {
              "lessThan": "a95ef0199e80f3384eb992889322957d26c00102",
              "status": "affected",
              "version": "628329d52474323938a03826941e166bc7c8eff4",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/input/misc/ims-pcu.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.10"
            },
            {
              "lessThan": "3.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.295",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.95",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.35",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.295",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.95",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.35",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.4",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: ims-pcu - check record size in ims_pcu_flash_firmware()\n\nThe \"len\" variable comes from the firmware and we generally do\ntrust firmware, but it\u0027s always better to double check.  If the \"len\"\nis too large it could result in memory corruption when we do\n\"memcpy(fragment-\u003edata, rec-\u003edata, len);\""
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:21:53.615Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c1b9d140b0807c6aee4bb53e1bfa4e391e3dc204"
        },
        {
          "url": "https://git.kernel.org/stable/c/d63706d9f73846106fde28b284f08e01b92ce9f1"
        },
        {
          "url": "https://git.kernel.org/stable/c/e5a2481dc2a0b430f49276d7482793a8923631d6"
        },
        {
          "url": "https://git.kernel.org/stable/c/8e03f1c7d50343bf21da54873301bc4fa647479f"
        },
        {
          "url": "https://git.kernel.org/stable/c/17474a56acf708bf6b2d174c06ed26abad0a9fd6"
        },
        {
          "url": "https://git.kernel.org/stable/c/5a8cd6ae8393e2eaebf51d420d5374821ef2af87"
        },
        {
          "url": "https://git.kernel.org/stable/c/74661516daee1eadebede8dc607b6830530096ec"
        },
        {
          "url": "https://git.kernel.org/stable/c/a95ef0199e80f3384eb992889322957d26c00102"
        }
      ],
      "title": "Input: ims-pcu - check record size in ims_pcu_flash_firmware()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38428",
    "datePublished": "2025-07-25T14:16:48.019Z",
    "dateReserved": "2025-04-16T04:51:24.015Z",
    "dateUpdated": "2025-11-03T17:37:57.365Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21889 (GCVE-0-2025-21889)

Vulnerability from cvelistv5 – Published: 2025-03-27 14:57 – Updated: 2025-05-04 07:23

Title

perf/core: Add RCU read lock protection to perf_iterate_ctx()

Summary

In the Linux kernel, the following vulnerability has been resolved: perf/core: Add RCU read lock protection to perf_iterate_ctx() The perf_iterate_ctx() function performs RCU list traversal but currently lacks RCU read lock protection. This causes lockdep warnings when running perf probe with unshare(1) under CONFIG_PROVE_RCU_LIST=y: WARNING: suspicious RCU usage kernel/events/core.c:8168 RCU-list traversed in non-reader section!! Call Trace: lockdep_rcu_suspicious ? perf_event_addr_filters_apply perf_iterate_ctx perf_event_exec begin_new_exec ? load_elf_phdrs load_elf_binary ? lock_acquire ? find_held_lock ? bprm_execve bprm_execve do_execveat_common.isra.0 __x64_sys_execve do_syscall_64 entry_SYSCALL_64_after_hwframe This protection was previously present but was removed in commit bd2756811766 ("perf: Rewrite core context handling"). Add back the necessary rcu_read_lock()/rcu_read_unlock() pair around perf_iterate_ctx() call in perf_event_exec(). [ mingo: Use scoped_guard() as suggested by Peter ]

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/f390c2eea571945f3…
	https://git.kernel.org/stable/c/a2475ccad6120546e…
	https://git.kernel.org/stable/c/dd536566dda9a551f…
	https://git.kernel.org/stable/c/0fe8813baf4b2e865…

Impacted products

Vendor

Product

Version

Linux

Affected: bd27568117664b8b3e259721393df420ed51f57b , < f390c2eea571945f357a2d3b9fcb1c015767132e (git)
Affected: bd27568117664b8b3e259721393df420ed51f57b , < a2475ccad6120546ea45dbcd6cd1f74dc565ef6b (git)
Affected: bd27568117664b8b3e259721393df420ed51f57b , < dd536566dda9a551fc2a2acfab5313a5bb13ed02 (git)
Affected: bd27568117664b8b3e259721393df420ed51f57b , < 0fe8813baf4b2e865d3b2c735ce1a15b86002c74 (git)

Linux

Affected: 6.2
Unaffected: 0 , < 6.2 (semver)
Unaffected: 6.6.81 , ≤ 6.6.* (semver)
Unaffected: 6.12.18 , ≤ 6.12.* (semver)
Unaffected: 6.13.6 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/events/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f390c2eea571945f357a2d3b9fcb1c015767132e",
              "status": "affected",
              "version": "bd27568117664b8b3e259721393df420ed51f57b",
              "versionType": "git"
            },
            {
              "lessThan": "a2475ccad6120546ea45dbcd6cd1f74dc565ef6b",
              "status": "affected",
              "version": "bd27568117664b8b3e259721393df420ed51f57b",
              "versionType": "git"
            },
            {
              "lessThan": "dd536566dda9a551fc2a2acfab5313a5bb13ed02",
              "status": "affected",
              "version": "bd27568117664b8b3e259721393df420ed51f57b",
              "versionType": "git"
            },
            {
              "lessThan": "0fe8813baf4b2e865d3b2c735ce1a15b86002c74",
              "status": "affected",
              "version": "bd27568117664b8b3e259721393df420ed51f57b",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/events/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.2"
            },
            {
              "lessThan": "6.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.81",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.18",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.81",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.18",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.6",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/core: Add RCU read lock protection to perf_iterate_ctx()\n\nThe perf_iterate_ctx() function performs RCU list traversal but\ncurrently lacks RCU read lock protection. This causes lockdep warnings\nwhen running perf probe with unshare(1) under CONFIG_PROVE_RCU_LIST=y:\n\n\tWARNING: suspicious RCU usage\n\tkernel/events/core.c:8168 RCU-list traversed in non-reader section!!\n\n\t Call Trace:\n\t  lockdep_rcu_suspicious\n\t  ? perf_event_addr_filters_apply\n\t  perf_iterate_ctx\n\t  perf_event_exec\n\t  begin_new_exec\n\t  ? load_elf_phdrs\n\t  load_elf_binary\n\t  ? lock_acquire\n\t  ? find_held_lock\n\t  ? bprm_execve\n\t  bprm_execve\n\t  do_execveat_common.isra.0\n\t  __x64_sys_execve\n\t  do_syscall_64\n\t  entry_SYSCALL_64_after_hwframe\n\nThis protection was previously present but was removed in commit\nbd2756811766 (\"perf: Rewrite core context handling\"). Add back the\nnecessary rcu_read_lock()/rcu_read_unlock() pair around\nperf_iterate_ctx() call in perf_event_exec().\n\n[ mingo: Use scoped_guard() as suggested by Peter ]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:23:24.688Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f390c2eea571945f357a2d3b9fcb1c015767132e"
        },
        {
          "url": "https://git.kernel.org/stable/c/a2475ccad6120546ea45dbcd6cd1f74dc565ef6b"
        },
        {
          "url": "https://git.kernel.org/stable/c/dd536566dda9a551fc2a2acfab5313a5bb13ed02"
        },
        {
          "url": "https://git.kernel.org/stable/c/0fe8813baf4b2e865d3b2c735ce1a15b86002c74"
        }
      ],
      "title": "perf/core: Add RCU read lock protection to perf_iterate_ctx()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21889",
    "datePublished": "2025-03-27T14:57:15.897Z",
    "dateReserved": "2024-12-29T08:45:45.782Z",
    "dateUpdated": "2025-05-04T07:23:24.688Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38047 (GCVE-0-2025-38047)

Vulnerability from cvelistv5 – Published: 2025-06-18 09:33 – Updated: 2025-07-15 15:43

Title

x86/fred: Fix system hang during S4 resume with FRED enabled

Summary

In the Linux kernel, the following vulnerability has been resolved: x86/fred: Fix system hang during S4 resume with FRED enabled Upon a wakeup from S4, the restore kernel starts and initializes the FRED MSRs as needed from its perspective. It then loads a hibernation image, including the image kernel, and attempts to load image pages directly into their original page frames used before hibernation unless those frames are currently in use. Once all pages are moved to their original locations, it jumps to a "trampoline" page in the image kernel. At this point, the image kernel takes control, but the FRED MSRs still contain values set by the restore kernel, which may differ from those set by the image kernel before hibernation. Therefore, the image kernel must ensure the FRED MSRs have the same values as before hibernation. Since these values depend only on the location of the kernel text and data, they can be recomputed from scratch.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/c42f740a07eea4807…
	https://git.kernel.org/stable/c/e7090fe75a2826363…
	https://git.kernel.org/stable/c/e5f1e8af9c9e151ec…

Impacted products

Vendor

Product

Version

Linux

Affected: ff45746fbf005f96e42bea466698e3fdbf926013 , < c42f740a07eea4807e98d2d8febc549c957a7b49 (git)
Affected: ff45746fbf005f96e42bea466698e3fdbf926013 , < e7090fe75a2826363c71ad1fb4e95e58141478df (git)
Affected: ff45746fbf005f96e42bea466698e3fdbf926013 , < e5f1e8af9c9e151ecd665f6d2e36fb25fec3b110 (git)

Linux

Affected: 6.9
Unaffected: 0 , < 6.9 (semver)
Unaffected: 6.12.31 , ≤ 6.12.* (semver)
Unaffected: 6.14.9 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/power/cpu.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c42f740a07eea4807e98d2d8febc549c957a7b49",
              "status": "affected",
              "version": "ff45746fbf005f96e42bea466698e3fdbf926013",
              "versionType": "git"
            },
            {
              "lessThan": "e7090fe75a2826363c71ad1fb4e95e58141478df",
              "status": "affected",
              "version": "ff45746fbf005f96e42bea466698e3fdbf926013",
              "versionType": "git"
            },
            {
              "lessThan": "e5f1e8af9c9e151ecd665f6d2e36fb25fec3b110",
              "status": "affected",
              "version": "ff45746fbf005f96e42bea466698e3fdbf926013",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/power/cpu.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.9"
            },
            {
              "lessThan": "6.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.31",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.31",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.9",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/fred: Fix system hang during S4 resume with FRED enabled\n\nUpon a wakeup from S4, the restore kernel starts and initializes the\nFRED MSRs as needed from its perspective.  It then loads a hibernation\nimage, including the image kernel, and attempts to load image pages\ndirectly into their original page frames used before hibernation unless\nthose frames are currently in use.  Once all pages are moved to their\noriginal locations, it jumps to a \"trampoline\" page in the image kernel.\n\nAt this point, the image kernel takes control, but the FRED MSRs still\ncontain values set by the restore kernel, which may differ from those\nset by the image kernel before hibernation.  Therefore, the image kernel\nmust ensure the FRED MSRs have the same values as before hibernation.\nSince these values depend only on the location of the kernel text and\ndata, they can be recomputed from scratch."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-15T15:43:55.220Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c42f740a07eea4807e98d2d8febc549c957a7b49"
        },
        {
          "url": "https://git.kernel.org/stable/c/e7090fe75a2826363c71ad1fb4e95e58141478df"
        },
        {
          "url": "https://git.kernel.org/stable/c/e5f1e8af9c9e151ecd665f6d2e36fb25fec3b110"
        }
      ],
      "title": "x86/fred: Fix system hang during S4 resume with FRED enabled",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38047",
    "datePublished": "2025-06-18T09:33:30.742Z",
    "dateReserved": "2025-04-16T04:51:23.979Z",
    "dateUpdated": "2025-07-15T15:43:55.220Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38299 (GCVE-0-2025-38299)

Vulnerability from cvelistv5 – Published: 2025-07-10 07:42 – Updated: 2025-07-28 04:17

Title

ASoC: mediatek: mt8195: Set ETDM1/2 IN/OUT to COMP_DUMMY()

Summary

In the Linux kernel, the following vulnerability has been resolved: ASoC: mediatek: mt8195: Set ETDM1/2 IN/OUT to COMP_DUMMY() ETDM2_IN_BE and ETDM1_OUT_BE are defined as COMP_EMPTY(), in the case the codec dai_name will be null. Avoid a crash if the device tree is not assigning a codec to these links. [ 1.179936] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 [ 1.181065] Mem abort info: [ 1.181420] ESR = 0x0000000096000004 [ 1.181892] EC = 0x25: DABT (current EL), IL = 32 bits [ 1.182576] SET = 0, FnV = 0 [ 1.182964] EA = 0, S1PTW = 0 [ 1.183367] FSC = 0x04: level 0 translation fault [ 1.183983] Data abort info: [ 1.184406] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 [ 1.185097] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 1.185766] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 1.186439] [0000000000000000] user address but active_mm is swapper [ 1.187239] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP [ 1.188029] Modules linked in: [ 1.188420] CPU: 7 UID: 0 PID: 70 Comm: kworker/u32:1 Not tainted 6.14.0-rc4-next-20250226+ #85 [ 1.189515] Hardware name: Radxa NIO 12L (DT) [ 1.190065] Workqueue: events_unbound deferred_probe_work_func [ 1.190808] pstate: 40400009 (nZcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 1.191683] pc : __pi_strcmp+0x24/0x140 [ 1.192170] lr : mt8195_mt6359_soc_card_probe+0x224/0x7b0 [ 1.192854] sp : ffff800083473970 [ 1.193271] x29: ffff800083473a10 x28: 0000000000001008 x27: 0000000000000002 [ 1.194168] x26: ffff800082408960 x25: ffff800082417db0 x24: ffff800082417d88 [ 1.195065] x23: 000000000000001e x22: ffff800082dbf480 x21: ffff800082dc07b8 [ 1.195961] x20: 0000000000000000 x19: 0000000000000013 x18: 00000000ffffffff [ 1.196858] x17: 000000040044ffff x16: 005000f2b5503510 x15: 0000000000000006 [ 1.197755] x14: ffff800082407af0 x13: 6e6f69737265766e x12: 692d6b636f6c6374 [ 1.198651] x11: 0000000000000002 x10: ffff80008240b920 x9 : 0000000000000018 [ 1.199547] x8 : 0101010101010101 x7 : 0000000000000000 x6 : 0000000000000000 [ 1.200443] x5 : 0000000000000000 x4 : 8080808080000000 x3 : 303933383978616d [ 1.201339] x2 : 0000000000000000 x1 : ffff80008240b920 x0 : 0000000000000000 [ 1.202236] Call trace: [ 1.202545] __pi_strcmp+0x24/0x140 (P) [ 1.203029] mtk_soundcard_common_probe+0x3bc/0x5b8 [ 1.203644] platform_probe+0x70/0xe8 [ 1.204106] really_probe+0xc8/0x3a0 [ 1.204556] __driver_probe_device+0x84/0x160 [ 1.205104] driver_probe_device+0x44/0x130 [ 1.205630] __device_attach_driver+0xc4/0x170 [ 1.206189] bus_for_each_drv+0x8c/0xf8 [ 1.206672] __device_attach+0xa8/0x1c8 [ 1.207155] device_initial_probe+0x1c/0x30 [ 1.207681] bus_probe_device+0xb0/0xc0 [ 1.208165] deferred_probe_work_func+0xa4/0x100 [ 1.208747] process_one_work+0x158/0x3e0 [ 1.209254] worker_thread+0x2c4/0x3e8 [ 1.209727] kthread+0x134/0x1f0 [ 1.210136] ret_from_fork+0x10/0x20 [ 1.210589] Code: 54000401 b50002c6 d503201f f86a6803 (f8408402) [ 1.211355] ---[ end trace 0000000000000000 ]---

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/87dbfe2b392df9621…
	https://git.kernel.org/stable/c/183e7329d41d7a8e2…
	https://git.kernel.org/stable/c/7af317f7faaab09d5…

Impacted products

Vendor

Product

Version

Linux

Affected: e70b8dd26711704b1ff1f1b4eb3d048ba69e29da , < 87dbfe2b392df9621f6e522e5fa6fb8849ca92ab (git)
Affected: e70b8dd26711704b1ff1f1b4eb3d048ba69e29da , < 183e7329d41d7a8e298f48b6b0eb81102a8654de (git)
Affected: e70b8dd26711704b1ff1f1b4eb3d048ba69e29da , < 7af317f7faaab09d5a78f24605057d11f5955115 (git)

Linux

Affected: 6.8
Unaffected: 0 , < 6.8 (semver)
Unaffected: 6.12.34 , ≤ 6.12.* (semver)
Unaffected: 6.15.3 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "sound/soc/mediatek/mt8195/mt8195-mt6359.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "87dbfe2b392df9621f6e522e5fa6fb8849ca92ab",
              "status": "affected",
              "version": "e70b8dd26711704b1ff1f1b4eb3d048ba69e29da",
              "versionType": "git"
            },
            {
              "lessThan": "183e7329d41d7a8e298f48b6b0eb81102a8654de",
              "status": "affected",
              "version": "e70b8dd26711704b1ff1f1b4eb3d048ba69e29da",
              "versionType": "git"
            },
            {
              "lessThan": "7af317f7faaab09d5a78f24605057d11f5955115",
              "status": "affected",
              "version": "e70b8dd26711704b1ff1f1b4eb3d048ba69e29da",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "sound/soc/mediatek/mt8195/mt8195-mt6359.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.8"
            },
            {
              "lessThan": "6.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: mediatek: mt8195: Set ETDM1/2 IN/OUT to COMP_DUMMY()\n\nETDM2_IN_BE and ETDM1_OUT_BE are defined as COMP_EMPTY(),\nin the case the codec dai_name will be null.\n\nAvoid a crash if the device tree is not assigning a codec\nto these links.\n\n[    1.179936] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n[    1.181065] Mem abort info:\n[    1.181420]   ESR = 0x0000000096000004\n[    1.181892]   EC = 0x25: DABT (current EL), IL = 32 bits\n[    1.182576]   SET = 0, FnV = 0\n[    1.182964]   EA = 0, S1PTW = 0\n[    1.183367]   FSC = 0x04: level 0 translation fault\n[    1.183983] Data abort info:\n[    1.184406]   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n[    1.185097]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[    1.185766]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[    1.186439] [0000000000000000] user address but active_mm is swapper\n[    1.187239] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP\n[    1.188029] Modules linked in:\n[    1.188420] CPU: 7 UID: 0 PID: 70 Comm: kworker/u32:1 Not tainted 6.14.0-rc4-next-20250226+ #85\n[    1.189515] Hardware name: Radxa NIO 12L (DT)\n[    1.190065] Workqueue: events_unbound deferred_probe_work_func\n[    1.190808] pstate: 40400009 (nZcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[    1.191683] pc : __pi_strcmp+0x24/0x140\n[    1.192170] lr : mt8195_mt6359_soc_card_probe+0x224/0x7b0\n[    1.192854] sp : ffff800083473970\n[    1.193271] x29: ffff800083473a10 x28: 0000000000001008 x27: 0000000000000002\n[    1.194168] x26: ffff800082408960 x25: ffff800082417db0 x24: ffff800082417d88\n[    1.195065] x23: 000000000000001e x22: ffff800082dbf480 x21: ffff800082dc07b8\n[    1.195961] x20: 0000000000000000 x19: 0000000000000013 x18: 00000000ffffffff\n[    1.196858] x17: 000000040044ffff x16: 005000f2b5503510 x15: 0000000000000006\n[    1.197755] x14: ffff800082407af0 x13: 6e6f69737265766e x12: 692d6b636f6c6374\n[    1.198651] x11: 0000000000000002 x10: ffff80008240b920 x9 : 0000000000000018\n[    1.199547] x8 : 0101010101010101 x7 : 0000000000000000 x6 : 0000000000000000\n[    1.200443] x5 : 0000000000000000 x4 : 8080808080000000 x3 : 303933383978616d\n[    1.201339] x2 : 0000000000000000 x1 : ffff80008240b920 x0 : 0000000000000000\n[    1.202236] Call trace:\n[    1.202545]  __pi_strcmp+0x24/0x140 (P)\n[    1.203029]  mtk_soundcard_common_probe+0x3bc/0x5b8\n[    1.203644]  platform_probe+0x70/0xe8\n[    1.204106]  really_probe+0xc8/0x3a0\n[    1.204556]  __driver_probe_device+0x84/0x160\n[    1.205104]  driver_probe_device+0x44/0x130\n[    1.205630]  __device_attach_driver+0xc4/0x170\n[    1.206189]  bus_for_each_drv+0x8c/0xf8\n[    1.206672]  __device_attach+0xa8/0x1c8\n[    1.207155]  device_initial_probe+0x1c/0x30\n[    1.207681]  bus_probe_device+0xb0/0xc0\n[    1.208165]  deferred_probe_work_func+0xa4/0x100\n[    1.208747]  process_one_work+0x158/0x3e0\n[    1.209254]  worker_thread+0x2c4/0x3e8\n[    1.209727]  kthread+0x134/0x1f0\n[    1.210136]  ret_from_fork+0x10/0x20\n[    1.210589] Code: 54000401 b50002c6 d503201f f86a6803 (f8408402)\n[    1.211355] ---[ end trace 0000000000000000 ]---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:17:53.157Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/87dbfe2b392df9621f6e522e5fa6fb8849ca92ab"
        },
        {
          "url": "https://git.kernel.org/stable/c/183e7329d41d7a8e298f48b6b0eb81102a8654de"
        },
        {
          "url": "https://git.kernel.org/stable/c/7af317f7faaab09d5a78f24605057d11f5955115"
        }
      ],
      "title": "ASoC: mediatek: mt8195: Set ETDM1/2 IN/OUT to COMP_DUMMY()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38299",
    "datePublished": "2025-07-10T07:42:12.216Z",
    "dateReserved": "2025-04-16T04:51:24.002Z",
    "dateUpdated": "2025-07-28T04:17:53.157Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21994 (GCVE-0-2025-21994)

Vulnerability from cvelistv5 – Published: 2025-04-02 14:00 – Updated: 2025-11-03 19:40

Title

ksmbd: fix incorrect validation for num_aces field of smb_acl

Summary

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix incorrect validation for num_aces field of smb_acl parse_dcal() validate num_aces to allocate posix_ace_state_array. if (num_aces > ULONG_MAX / sizeof(struct smb_ace *)) It is an incorrect validation that we can create an array of size ULONG_MAX. smb_acl has ->size field to calculate actual number of aces in request buffer size. Use this to check invalid num_aces.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/c3a3484d9d31b27a3…
	https://git.kernel.org/stable/c/9c4e202abff45f8ea…
	https://git.kernel.org/stable/c/d0f87370622a853b5…
	https://git.kernel.org/stable/c/a4cb17797a5d241f1…
	https://git.kernel.org/stable/c/f6a6721802ac2f12f…
	https://git.kernel.org/stable/c/1b8b67f3c5e516953…

Impacted products

Vendor

Product

Version

Linux

Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < c3a3484d9d31b27a3db0fab91fcf191132d65236 (git)
Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 9c4e202abff45f8eac17989e549fc7a75095f675 (git)
Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < d0f87370622a853b57e851f7d5a5452b72300f19 (git)
Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < a4cb17797a5d241f1e509cb5b46ed95a80c2f5fd (git)
Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < f6a6721802ac2f12f4c1bbe839a4c229b61866f2 (git)
Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 1b8b67f3c5e5169535e26efedd3e422172e2db64 (git)

Linux

Affected: 5.15
Unaffected: 0 , < 5.15 (semver)
Unaffected: 5.15.180 , ≤ 5.15.* (semver)
Unaffected: 6.1.132 , ≤ 6.1.* (semver)
Unaffected: 6.6.85 , ≤ 6.6.* (semver)
Unaffected: 6.12.21 , ≤ 6.12.* (semver)
Unaffected: 6.13.9 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:40:35.107Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/server/smbacl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c3a3484d9d31b27a3db0fab91fcf191132d65236",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            },
            {
              "lessThan": "9c4e202abff45f8eac17989e549fc7a75095f675",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            },
            {
              "lessThan": "d0f87370622a853b57e851f7d5a5452b72300f19",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            },
            {
              "lessThan": "a4cb17797a5d241f1e509cb5b46ed95a80c2f5fd",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            },
            {
              "lessThan": "f6a6721802ac2f12f4c1bbe839a4c229b61866f2",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            },
            {
              "lessThan": "1b8b67f3c5e5169535e26efedd3e422172e2db64",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/server/smbacl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.15"
            },
            {
              "lessThan": "5.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.180",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.132",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.85",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.21",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.180",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.132",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.85",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.21",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.9",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix incorrect validation for num_aces field of smb_acl\n\nparse_dcal() validate num_aces to allocate posix_ace_state_array.\n\nif (num_aces \u003e ULONG_MAX / sizeof(struct smb_ace *))\n\nIt is an incorrect validation that we can create an array of size ULONG_MAX.\nsmb_acl has -\u003esize field to calculate actual number of aces in request buffer\nsize. Use this to check invalid num_aces."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:27:00.353Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c3a3484d9d31b27a3db0fab91fcf191132d65236"
        },
        {
          "url": "https://git.kernel.org/stable/c/9c4e202abff45f8eac17989e549fc7a75095f675"
        },
        {
          "url": "https://git.kernel.org/stable/c/d0f87370622a853b57e851f7d5a5452b72300f19"
        },
        {
          "url": "https://git.kernel.org/stable/c/a4cb17797a5d241f1e509cb5b46ed95a80c2f5fd"
        },
        {
          "url": "https://git.kernel.org/stable/c/f6a6721802ac2f12f4c1bbe839a4c229b61866f2"
        },
        {
          "url": "https://git.kernel.org/stable/c/1b8b67f3c5e5169535e26efedd3e422172e2db64"
        }
      ],
      "title": "ksmbd: fix incorrect validation for num_aces field of smb_acl",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21994",
    "datePublished": "2025-04-02T14:00:37.407Z",
    "dateReserved": "2024-12-29T08:45:45.801Z",
    "dateUpdated": "2025-11-03T19:40:35.107Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38068 (GCVE-0-2025-38068)

Vulnerability from cvelistv5 – Published: 2025-06-18 09:33 – Updated: 2026-01-02 15:29

Title

crypto: lzo - Fix compression buffer overrun

Summary

In the Linux kernel, the following vulnerability has been resolved: crypto: lzo - Fix compression buffer overrun Unlike the decompression code, the compression code in LZO never checked for output overruns. It instead assumes that the caller always provides enough buffer space, disregarding the buffer length provided by the caller. Add a safe compression interface that checks for the end of buffer before each write. Use the safe interface in crypto/lzo.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/4b173bb2c4665c23f…
	https://git.kernel.org/stable/c/a98bd864e16f91c70…
	https://git.kernel.org/stable/c/0acdc4d6e679ba31d…
	https://git.kernel.org/stable/c/7caad075acb634a74…
	https://git.kernel.org/stable/c/167373d77c70c2b55…
	https://git.kernel.org/stable/c/cc47f07234f72cbd8…

Impacted products

Vendor

Product

Version

Linux

Affected: 64c70b1cf43de158282bc1675918d503e5b15cc1 , < 4b173bb2c4665c23f8fcf5241c7b06dfa6b5b111 (git)
Affected: 64c70b1cf43de158282bc1675918d503e5b15cc1 , < a98bd864e16f91c70b2469adf013d713d04d1d13 (git)
Affected: 64c70b1cf43de158282bc1675918d503e5b15cc1 , < 0acdc4d6e679ba31d01e3e7e2e4124b76d6d8e2a (git)
Affected: 64c70b1cf43de158282bc1675918d503e5b15cc1 , < 7caad075acb634a74911830d6386c50ea12566cd (git)
Affected: 64c70b1cf43de158282bc1675918d503e5b15cc1 , < 167373d77c70c2b558aae3e327b115249bb2652c (git)
Affected: 64c70b1cf43de158282bc1675918d503e5b15cc1 , < cc47f07234f72cbd8e2c973cdbf2a6730660a463 (git)

Linux

Affected: 2.6.23
Unaffected: 0 , < 2.6.23 (semver)
Unaffected: 5.15.185 , ≤ 5.15.* (semver)
Unaffected: 6.1.141 , ≤ 6.1.* (semver)
Unaffected: 6.6.93 , ≤ 6.6.* (semver)
Unaffected: 6.12.31 , ≤ 6.12.* (semver)
Unaffected: 6.14.9 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:33:37.495Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "crypto/lzo-rle.c",
            "crypto/lzo.c",
            "include/linux/lzo.h",
            "lib/lzo/Makefile",
            "lib/lzo/lzo1x_compress.c",
            "lib/lzo/lzo1x_compress_safe.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "4b173bb2c4665c23f8fcf5241c7b06dfa6b5b111",
              "status": "affected",
              "version": "64c70b1cf43de158282bc1675918d503e5b15cc1",
              "versionType": "git"
            },
            {
              "lessThan": "a98bd864e16f91c70b2469adf013d713d04d1d13",
              "status": "affected",
              "version": "64c70b1cf43de158282bc1675918d503e5b15cc1",
              "versionType": "git"
            },
            {
              "lessThan": "0acdc4d6e679ba31d01e3e7e2e4124b76d6d8e2a",
              "status": "affected",
              "version": "64c70b1cf43de158282bc1675918d503e5b15cc1",
              "versionType": "git"
            },
            {
              "lessThan": "7caad075acb634a74911830d6386c50ea12566cd",
              "status": "affected",
              "version": "64c70b1cf43de158282bc1675918d503e5b15cc1",
              "versionType": "git"
            },
            {
              "lessThan": "167373d77c70c2b558aae3e327b115249bb2652c",
              "status": "affected",
              "version": "64c70b1cf43de158282bc1675918d503e5b15cc1",
              "versionType": "git"
            },
            {
              "lessThan": "cc47f07234f72cbd8e2c973cdbf2a6730660a463",
              "status": "affected",
              "version": "64c70b1cf43de158282bc1675918d503e5b15cc1",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "crypto/lzo-rle.c",
            "crypto/lzo.c",
            "include/linux/lzo.h",
            "lib/lzo/Makefile",
            "lib/lzo/lzo1x_compress.c",
            "lib/lzo/lzo1x_compress_safe.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.23"
            },
            {
              "lessThan": "2.6.23",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.185",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.141",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.93",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.31",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.185",
                  "versionStartIncluding": "2.6.23",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.141",
                  "versionStartIncluding": "2.6.23",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.93",
                  "versionStartIncluding": "2.6.23",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.31",
                  "versionStartIncluding": "2.6.23",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.9",
                  "versionStartIncluding": "2.6.23",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "2.6.23",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: lzo - Fix compression buffer overrun\n\nUnlike the decompression code, the compression code in LZO never\nchecked for output overruns.  It instead assumes that the caller\nalways provides enough buffer space, disregarding the buffer length\nprovided by the caller.\n\nAdd a safe compression interface that checks for the end of buffer\nbefore each write.  Use the safe interface in crypto/lzo."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:29:57.023Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/4b173bb2c4665c23f8fcf5241c7b06dfa6b5b111"
        },
        {
          "url": "https://git.kernel.org/stable/c/a98bd864e16f91c70b2469adf013d713d04d1d13"
        },
        {
          "url": "https://git.kernel.org/stable/c/0acdc4d6e679ba31d01e3e7e2e4124b76d6d8e2a"
        },
        {
          "url": "https://git.kernel.org/stable/c/7caad075acb634a74911830d6386c50ea12566cd"
        },
        {
          "url": "https://git.kernel.org/stable/c/167373d77c70c2b558aae3e327b115249bb2652c"
        },
        {
          "url": "https://git.kernel.org/stable/c/cc47f07234f72cbd8e2c973cdbf2a6730660a463"
        }
      ],
      "title": "crypto: lzo - Fix compression buffer overrun",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38068",
    "datePublished": "2025-06-18T09:33:46.125Z",
    "dateReserved": "2025-04-16T04:51:23.980Z",
    "dateUpdated": "2026-01-02T15:29:57.023Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38277 (GCVE-0-2025-38277)

Vulnerability from cvelistv5 – Published: 2025-07-10 07:41 – Updated: 2025-11-03 17:36

Title

mtd: nand: ecc-mxic: Fix use of uninitialized variable ret

Summary

In the Linux kernel, the following vulnerability has been resolved: mtd: nand: ecc-mxic: Fix use of uninitialized variable ret If ctx->steps is zero, the loop processing ECC steps is skipped, and the variable ret remains uninitialized. It is later checked and returned, which leads to undefined behavior and may cause unpredictable results in user space or kernel crashes. This scenario can be triggered in edge cases such as misconfigured geometry, ECC engine misuse, or if ctx->steps is not validated after initialization. Initialize ret to zero before the loop to ensure correct and safe behavior regardless of the ctx->steps value. Found by Linux Verification Center (linuxtesting.org) with SVACE.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/4d9d6e4be09472aa7…
	https://git.kernel.org/stable/c/a0d9d9b5a4634e146…
	https://git.kernel.org/stable/c/7a23cc510ecaabab4…
	https://git.kernel.org/stable/c/49482f4a39620f6af…
	https://git.kernel.org/stable/c/d95846350aac72303…

Impacted products

Vendor

Product

Version

Linux

Affected: 48e6633a9fa2400b53a964358753769f291a7eb0 , < 4d9d6e4be09472aa72953caca3dbefdc27846170 (git)
Affected: 48e6633a9fa2400b53a964358753769f291a7eb0 , < a0d9d9b5a4634e146ae41cb25667322e5c7d74d2 (git)
Affected: 48e6633a9fa2400b53a964358753769f291a7eb0 , < 7a23cc510ecaabab4f6df7e9d910d16e279b72ad (git)
Affected: 48e6633a9fa2400b53a964358753769f291a7eb0 , < 49482f4a39620f6afedcd3f6aa9e0d558b6a460b (git)
Affected: 48e6633a9fa2400b53a964358753769f291a7eb0 , < d95846350aac72303036a70c4cdc69ae314aa26d (git)

Linux

Affected: 5.18
Unaffected: 0 , < 5.18 (semver)
Unaffected: 6.1.142 , ≤ 6.1.* (semver)
Unaffected: 6.6.94 , ≤ 6.6.* (semver)
Unaffected: 6.12.34 , ≤ 6.12.* (semver)
Unaffected: 6.15.3 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:36:09.980Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/mtd/nand/ecc-mxic.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "4d9d6e4be09472aa72953caca3dbefdc27846170",
              "status": "affected",
              "version": "48e6633a9fa2400b53a964358753769f291a7eb0",
              "versionType": "git"
            },
            {
              "lessThan": "a0d9d9b5a4634e146ae41cb25667322e5c7d74d2",
              "status": "affected",
              "version": "48e6633a9fa2400b53a964358753769f291a7eb0",
              "versionType": "git"
            },
            {
              "lessThan": "7a23cc510ecaabab4f6df7e9d910d16e279b72ad",
              "status": "affected",
              "version": "48e6633a9fa2400b53a964358753769f291a7eb0",
              "versionType": "git"
            },
            {
              "lessThan": "49482f4a39620f6afedcd3f6aa9e0d558b6a460b",
              "status": "affected",
              "version": "48e6633a9fa2400b53a964358753769f291a7eb0",
              "versionType": "git"
            },
            {
              "lessThan": "d95846350aac72303036a70c4cdc69ae314aa26d",
              "status": "affected",
              "version": "48e6633a9fa2400b53a964358753769f291a7eb0",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/mtd/nand/ecc-mxic.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.18"
            },
            {
              "lessThan": "5.18",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.94",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: nand: ecc-mxic: Fix use of uninitialized variable ret\n\nIf ctx-\u003esteps is zero, the loop processing ECC steps is skipped,\nand the variable ret remains uninitialized. It is later checked\nand returned, which leads to undefined behavior and may cause\nunpredictable results in user space or kernel crashes.\n\nThis scenario can be triggered in edge cases such as misconfigured\ngeometry, ECC engine misuse, or if ctx-\u003esteps is not validated\nafter initialization.\n\nInitialize ret to zero before the loop to ensure correct and safe\nbehavior regardless of the ctx-\u003esteps value.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:17:06.562Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/4d9d6e4be09472aa72953caca3dbefdc27846170"
        },
        {
          "url": "https://git.kernel.org/stable/c/a0d9d9b5a4634e146ae41cb25667322e5c7d74d2"
        },
        {
          "url": "https://git.kernel.org/stable/c/7a23cc510ecaabab4f6df7e9d910d16e279b72ad"
        },
        {
          "url": "https://git.kernel.org/stable/c/49482f4a39620f6afedcd3f6aa9e0d558b6a460b"
        },
        {
          "url": "https://git.kernel.org/stable/c/d95846350aac72303036a70c4cdc69ae314aa26d"
        }
      ],
      "title": "mtd: nand: ecc-mxic: Fix use of uninitialized variable ret",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38277",
    "datePublished": "2025-07-10T07:41:56.916Z",
    "dateReserved": "2025-04-16T04:51:23.998Z",
    "dateUpdated": "2025-11-03T17:36:09.980Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21999 (GCVE-0-2025-21999)

Vulnerability from cvelistv5 – Published: 2025-04-03 07:19 – Updated: 2025-11-03 19:40

Title

proc: fix UAF in proc_get_inode()

Summary

In the Linux kernel, the following vulnerability has been resolved: proc: fix UAF in proc_get_inode() Fix race between rmmod and /proc/XXX's inode instantiation. The bug is that pde->proc_ops don't belong to /proc, it belongs to a module, therefore dereferencing it after /proc entry has been registered is a bug unless use_pde/unuse_pde() pair has been used. use_pde/unuse_pde can be avoided (2 atomic ops!) because pde->proc_ops never changes so information necessary for inode instantiation can be saved _before_ proc_register() in PDE itself and used later, avoiding pde->proc_ops->... dereference. rmmod lookup sys_delete_module proc_lookup_de pde_get(de); proc_get_inode(dir->i_sb, de); mod->exit() proc_remove remove_proc_subtree proc_entry_rundown(de); free_module(mod); if (S_ISREG(inode->i_mode)) if (de->proc_ops->proc_read_iter) --> As module is already freed, will trigger UAF BUG: unable to handle page fault for address: fffffbfff80a702b PGD 817fc4067 P4D 817fc4067 PUD 817fc0067 PMD 102ef4067 PTE 0 Oops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 26 UID: 0 PID: 2667 Comm: ls Tainted: G Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) RIP: 0010:proc_get_inode+0x302/0x6e0 RSP: 0018:ffff88811c837998 EFLAGS: 00010a06 RAX: dffffc0000000000 RBX: ffffffffc0538140 RCX: 0000000000000007 RDX: 1ffffffff80a702b RSI: 0000000000000001 RDI: ffffffffc0538158 RBP: ffff8881299a6000 R08: 0000000067bbe1e5 R09: 1ffff11023906f20 R10: ffffffffb560ca07 R11: ffffffffb2b43a58 R12: ffff888105bb78f0 R13: ffff888100518048 R14: ffff8881299a6004 R15: 0000000000000001 FS: 00007f95b9686840(0000) GS:ffff8883af100000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: fffffbfff80a702b CR3: 0000000117dd2000 CR4: 00000000000006f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> proc_lookup_de+0x11f/0x2e0 __lookup_slow+0x188/0x350 walk_component+0x2ab/0x4f0 path_lookupat+0x120/0x660 filename_lookup+0x1ce/0x560 vfs_statx+0xac/0x150 __do_sys_newstat+0x96/0x110 do_syscall_64+0x5f/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e [adobriyan@gmail.com: don't do 2 atomic ops on the common path]

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/eda279586e571b05d…
	https://git.kernel.org/stable/c/4b0b8445b6fd41e6f…
	https://git.kernel.org/stable/c/966f331403dc3ed04…
	https://git.kernel.org/stable/c/63b53198aff2e4e6c…
	https://git.kernel.org/stable/c/ede3e8ac90ae106f0…
	https://git.kernel.org/stable/c/64dc7c68e040251d9…
	https://git.kernel.org/stable/c/654b33ada4ab5e926…

Impacted products

Vendor

Product

Version

Linux

Affected: 97a32539b9568bb653683349e5a76d02ff3c3e2c , < eda279586e571b05dff44d48e05f8977ad05855d (git)
Affected: 97a32539b9568bb653683349e5a76d02ff3c3e2c , < 4b0b8445b6fd41e6f62ac90547a0ea9d348de3fa (git)
Affected: 97a32539b9568bb653683349e5a76d02ff3c3e2c , < 966f331403dc3ed04ff64eaf3930cf1267965e53 (git)
Affected: 97a32539b9568bb653683349e5a76d02ff3c3e2c , < 63b53198aff2e4e6c5866a4ff73c7891f958ffa4 (git)
Affected: 97a32539b9568bb653683349e5a76d02ff3c3e2c , < ede3e8ac90ae106f0b29cd759aadebc1568f1308 (git)
Affected: 97a32539b9568bb653683349e5a76d02ff3c3e2c , < 64dc7c68e040251d9ec6e989acb69f8f6ae4a10b (git)
Affected: 97a32539b9568bb653683349e5a76d02ff3c3e2c , < 654b33ada4ab5e926cd9c570196fefa7bec7c1df (git)

Linux

Affected: 5.6
Unaffected: 0 , < 5.6 (semver)
Unaffected: 5.10.236 , ≤ 5.10.* (semver)
Unaffected: 5.15.180 , ≤ 5.15.* (semver)
Unaffected: 6.1.132 , ≤ 6.1.* (semver)
Unaffected: 6.6.85 , ≤ 6.6.* (semver)
Unaffected: 6.12.21 , ≤ 6.12.* (semver)
Unaffected: 6.13.9 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21999",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-03T15:26:31.372538Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-03T15:27:39.157Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:40:42.019Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/proc/generic.c",
            "fs/proc/inode.c",
            "fs/proc/internal.h",
            "include/linux/proc_fs.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "eda279586e571b05dff44d48e05f8977ad05855d",
              "status": "affected",
              "version": "97a32539b9568bb653683349e5a76d02ff3c3e2c",
              "versionType": "git"
            },
            {
              "lessThan": "4b0b8445b6fd41e6f62ac90547a0ea9d348de3fa",
              "status": "affected",
              "version": "97a32539b9568bb653683349e5a76d02ff3c3e2c",
              "versionType": "git"
            },
            {
              "lessThan": "966f331403dc3ed04ff64eaf3930cf1267965e53",
              "status": "affected",
              "version": "97a32539b9568bb653683349e5a76d02ff3c3e2c",
              "versionType": "git"
            },
            {
              "lessThan": "63b53198aff2e4e6c5866a4ff73c7891f958ffa4",
              "status": "affected",
              "version": "97a32539b9568bb653683349e5a76d02ff3c3e2c",
              "versionType": "git"
            },
            {
              "lessThan": "ede3e8ac90ae106f0b29cd759aadebc1568f1308",
              "status": "affected",
              "version": "97a32539b9568bb653683349e5a76d02ff3c3e2c",
              "versionType": "git"
            },
            {
              "lessThan": "64dc7c68e040251d9ec6e989acb69f8f6ae4a10b",
              "status": "affected",
              "version": "97a32539b9568bb653683349e5a76d02ff3c3e2c",
              "versionType": "git"
            },
            {
              "lessThan": "654b33ada4ab5e926cd9c570196fefa7bec7c1df",
              "status": "affected",
              "version": "97a32539b9568bb653683349e5a76d02ff3c3e2c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/proc/generic.c",
            "fs/proc/inode.c",
            "fs/proc/internal.h",
            "include/linux/proc_fs.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.6"
            },
            {
              "lessThan": "5.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.236",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.180",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.132",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.85",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.21",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.236",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.180",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.132",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.85",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.21",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.9",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nproc: fix UAF in proc_get_inode()\n\nFix race between rmmod and /proc/XXX\u0027s inode instantiation.\n\nThe bug is that pde-\u003eproc_ops don\u0027t belong to /proc, it belongs to a\nmodule, therefore dereferencing it after /proc entry has been registered\nis a bug unless use_pde/unuse_pde() pair has been used.\n\nuse_pde/unuse_pde can be avoided (2 atomic ops!) because pde-\u003eproc_ops\nnever changes so information necessary for inode instantiation can be\nsaved _before_ proc_register() in PDE itself and used later, avoiding\npde-\u003eproc_ops-\u003e...  dereference.\n\n      rmmod                         lookup\nsys_delete_module\n                         proc_lookup_de\n\t\t\t   pde_get(de);\n\t\t\t   proc_get_inode(dir-\u003ei_sb, de);\n  mod-\u003eexit()\n    proc_remove\n      remove_proc_subtree\n       proc_entry_rundown(de);\n  free_module(mod);\n\n                               if (S_ISREG(inode-\u003ei_mode))\n\t                         if (de-\u003eproc_ops-\u003eproc_read_iter)\n                           --\u003e As module is already freed, will trigger UAF\n\nBUG: unable to handle page fault for address: fffffbfff80a702b\nPGD 817fc4067 P4D 817fc4067 PUD 817fc0067 PMD 102ef4067 PTE 0\nOops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI\nCPU: 26 UID: 0 PID: 2667 Comm: ls Tainted: G\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996)\nRIP: 0010:proc_get_inode+0x302/0x6e0\nRSP: 0018:ffff88811c837998 EFLAGS: 00010a06\nRAX: dffffc0000000000 RBX: ffffffffc0538140 RCX: 0000000000000007\nRDX: 1ffffffff80a702b RSI: 0000000000000001 RDI: ffffffffc0538158\nRBP: ffff8881299a6000 R08: 0000000067bbe1e5 R09: 1ffff11023906f20\nR10: ffffffffb560ca07 R11: ffffffffb2b43a58 R12: ffff888105bb78f0\nR13: ffff888100518048 R14: ffff8881299a6004 R15: 0000000000000001\nFS:  00007f95b9686840(0000) GS:ffff8883af100000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: fffffbfff80a702b CR3: 0000000117dd2000 CR4: 00000000000006f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n proc_lookup_de+0x11f/0x2e0\n __lookup_slow+0x188/0x350\n walk_component+0x2ab/0x4f0\n path_lookupat+0x120/0x660\n filename_lookup+0x1ce/0x560\n vfs_statx+0xac/0x150\n __do_sys_newstat+0x96/0x110\n do_syscall_64+0x5f/0x170\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\n[adobriyan@gmail.com: don\u0027t do 2 atomic ops on the common path]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-19T12:56:46.985Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/eda279586e571b05dff44d48e05f8977ad05855d"
        },
        {
          "url": "https://git.kernel.org/stable/c/4b0b8445b6fd41e6f62ac90547a0ea9d348de3fa"
        },
        {
          "url": "https://git.kernel.org/stable/c/966f331403dc3ed04ff64eaf3930cf1267965e53"
        },
        {
          "url": "https://git.kernel.org/stable/c/63b53198aff2e4e6c5866a4ff73c7891f958ffa4"
        },
        {
          "url": "https://git.kernel.org/stable/c/ede3e8ac90ae106f0b29cd759aadebc1568f1308"
        },
        {
          "url": "https://git.kernel.org/stable/c/64dc7c68e040251d9ec6e989acb69f8f6ae4a10b"
        },
        {
          "url": "https://git.kernel.org/stable/c/654b33ada4ab5e926cd9c570196fefa7bec7c1df"
        }
      ],
      "title": "proc: fix UAF in proc_get_inode()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21999",
    "datePublished": "2025-04-03T07:19:03.040Z",
    "dateReserved": "2024-12-29T08:45:45.801Z",
    "dateUpdated": "2025-11-03T19:40:42.019Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38441 (GCVE-0-2025-38441)

Vulnerability from cvelistv5 – Published: 2025-07-25 15:27 – Updated: 2025-11-03 17:38

Title

netfilter: flowtable: account for Ethernet header in nf_flow_pppoe_proto()

Summary

In the Linux kernel, the following vulnerability has been resolved: netfilter: flowtable: account for Ethernet header in nf_flow_pppoe_proto() syzbot found a potential access to uninit-value in nf_flow_pppoe_proto() Blamed commit forgot the Ethernet header. BUG: KMSAN: uninit-value in nf_flow_offload_inet_hook+0x7e4/0x940 net/netfilter/nf_flow_table_inet.c:27 nf_flow_offload_inet_hook+0x7e4/0x940 net/netfilter/nf_flow_table_inet.c:27 nf_hook_entry_hookfn include/linux/netfilter.h:157 [inline] nf_hook_slow+0xe1/0x3d0 net/netfilter/core.c:623 nf_hook_ingress include/linux/netfilter_netdev.h:34 [inline] nf_ingress net/core/dev.c:5742 [inline] __netif_receive_skb_core+0x4aff/0x70c0 net/core/dev.c:5837 __netif_receive_skb_one_core net/core/dev.c:5975 [inline] __netif_receive_skb+0xcc/0xac0 net/core/dev.c:6090 netif_receive_skb_internal net/core/dev.c:6176 [inline] netif_receive_skb+0x57/0x630 net/core/dev.c:6235 tun_rx_batched+0x1df/0x980 drivers/net/tun.c:1485 tun_get_user+0x4ee0/0x6b40 drivers/net/tun.c:1938 tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1984 new_sync_write fs/read_write.c:593 [inline] vfs_write+0xb4b/0x1580 fs/read_write.c:686 ksys_write fs/read_write.c:738 [inline] __do_sys_write fs/read_write.c:749 [inline]

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/a3aea97d55964e70a…
	https://git.kernel.org/stable/c/eed8960b289327235…
	https://git.kernel.org/stable/c/9fbc49429a23b0259…
	https://git.kernel.org/stable/c/e0dd2e9729660f3f4…
	https://git.kernel.org/stable/c/cfbf0665969af2c69…
	https://git.kernel.org/stable/c/18cdb3d982da8976b…

Impacted products

Vendor

Product

Version

Linux

Affected: d06977b9a4109f8738bb276125eb6a0b772bc433 , < a3aea97d55964e70a1e6426aa4cafdc036e8a2dd (git)
Affected: 8bf7c76a2a207ca2b4cfda0a279192adf27678d7 , < eed8960b289327235185b7c32649c3470a3e969b (git)
Affected: a2471d271042ea18e8a6babc132a8716bb2f08b9 , < 9fbc49429a23b02595ba82536c5ea425fdabb221 (git)
Affected: 87b3593bed1868b2d9fe096c01bcdf0ea86cbebf , < e0dd2e9729660f3f4fcb16e0aef87342911528ef (git)
Affected: 87b3593bed1868b2d9fe096c01bcdf0ea86cbebf , < cfbf0665969af2c69d10c377d4c3d306e717efb4 (git)
Affected: 87b3593bed1868b2d9fe096c01bcdf0ea86cbebf , < 18cdb3d982da8976b28d57691eb256ec5688fad2 (git)
Affected: cf366ee3bc1b7d1c76a882640ba3b3f8f1039163 (git)

Linux

Affected: 6.9
Unaffected: 0 , < 6.9 (semver)
Unaffected: 5.15.189 , ≤ 5.15.* (semver)
Unaffected: 6.1.146 , ≤ 6.1.* (semver)
Unaffected: 6.6.99 , ≤ 6.6.* (semver)
Unaffected: 6.12.39 , ≤ 6.12.* (semver)
Unaffected: 6.15.7 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:38:03.697Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/net/netfilter/nf_flow_table.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a3aea97d55964e70a1e6426aa4cafdc036e8a2dd",
              "status": "affected",
              "version": "d06977b9a4109f8738bb276125eb6a0b772bc433",
              "versionType": "git"
            },
            {
              "lessThan": "eed8960b289327235185b7c32649c3470a3e969b",
              "status": "affected",
              "version": "8bf7c76a2a207ca2b4cfda0a279192adf27678d7",
              "versionType": "git"
            },
            {
              "lessThan": "9fbc49429a23b02595ba82536c5ea425fdabb221",
              "status": "affected",
              "version": "a2471d271042ea18e8a6babc132a8716bb2f08b9",
              "versionType": "git"
            },
            {
              "lessThan": "e0dd2e9729660f3f4fcb16e0aef87342911528ef",
              "status": "affected",
              "version": "87b3593bed1868b2d9fe096c01bcdf0ea86cbebf",
              "versionType": "git"
            },
            {
              "lessThan": "cfbf0665969af2c69d10c377d4c3d306e717efb4",
              "status": "affected",
              "version": "87b3593bed1868b2d9fe096c01bcdf0ea86cbebf",
              "versionType": "git"
            },
            {
              "lessThan": "18cdb3d982da8976b28d57691eb256ec5688fad2",
              "status": "affected",
              "version": "87b3593bed1868b2d9fe096c01bcdf0ea86cbebf",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "cf366ee3bc1b7d1c76a882640ba3b3f8f1039163",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/net/netfilter/nf_flow_table.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.9"
            },
            {
              "lessThan": "6.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.189",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.146",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.99",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.39",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.189",
                  "versionStartIncluding": "5.15.157",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.146",
                  "versionStartIncluding": "6.1.88",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.99",
                  "versionStartIncluding": "6.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.39",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.7",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.8.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: flowtable: account for Ethernet header in nf_flow_pppoe_proto()\n\nsyzbot found a potential access to uninit-value in nf_flow_pppoe_proto()\n\nBlamed commit forgot the Ethernet header.\n\nBUG: KMSAN: uninit-value in nf_flow_offload_inet_hook+0x7e4/0x940 net/netfilter/nf_flow_table_inet.c:27\n  nf_flow_offload_inet_hook+0x7e4/0x940 net/netfilter/nf_flow_table_inet.c:27\n  nf_hook_entry_hookfn include/linux/netfilter.h:157 [inline]\n  nf_hook_slow+0xe1/0x3d0 net/netfilter/core.c:623\n  nf_hook_ingress include/linux/netfilter_netdev.h:34 [inline]\n  nf_ingress net/core/dev.c:5742 [inline]\n  __netif_receive_skb_core+0x4aff/0x70c0 net/core/dev.c:5837\n  __netif_receive_skb_one_core net/core/dev.c:5975 [inline]\n  __netif_receive_skb+0xcc/0xac0 net/core/dev.c:6090\n  netif_receive_skb_internal net/core/dev.c:6176 [inline]\n  netif_receive_skb+0x57/0x630 net/core/dev.c:6235\n  tun_rx_batched+0x1df/0x980 drivers/net/tun.c:1485\n  tun_get_user+0x4ee0/0x6b40 drivers/net/tun.c:1938\n  tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1984\n  new_sync_write fs/read_write.c:593 [inline]\n  vfs_write+0xb4b/0x1580 fs/read_write.c:686\n  ksys_write fs/read_write.c:738 [inline]\n  __do_sys_write fs/read_write.c:749 [inline]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:22:22.394Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a3aea97d55964e70a1e6426aa4cafdc036e8a2dd"
        },
        {
          "url": "https://git.kernel.org/stable/c/eed8960b289327235185b7c32649c3470a3e969b"
        },
        {
          "url": "https://git.kernel.org/stable/c/9fbc49429a23b02595ba82536c5ea425fdabb221"
        },
        {
          "url": "https://git.kernel.org/stable/c/e0dd2e9729660f3f4fcb16e0aef87342911528ef"
        },
        {
          "url": "https://git.kernel.org/stable/c/cfbf0665969af2c69d10c377d4c3d306e717efb4"
        },
        {
          "url": "https://git.kernel.org/stable/c/18cdb3d982da8976b28d57691eb256ec5688fad2"
        }
      ],
      "title": "netfilter: flowtable: account for Ethernet header in nf_flow_pppoe_proto()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38441",
    "datePublished": "2025-07-25T15:27:20.276Z",
    "dateReserved": "2025-04-16T04:51:24.016Z",
    "dateUpdated": "2025-11-03T17:38:03.697Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38161 (GCVE-0-2025-38161)

Vulnerability from cvelistv5 – Published: 2025-07-03 08:36 – Updated: 2025-11-03 17:34

Title

RDMA/mlx5: Fix error flow upon firmware failure for RQ destruction

Summary

In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Fix error flow upon firmware failure for RQ destruction Upon RQ destruction if the firmware command fails which is the last resource to be destroyed some SW resources were already cleaned regardless of the failure. Now properly rollback the object to its original state upon such failure. In order to avoid a use-after free in case someone tries to destroy the object again, which results in the following kernel trace: refcount_t: underflow; use-after-free. WARNING: CPU: 0 PID: 37589 at lib/refcount.c:28 refcount_warn_saturate+0xf4/0x148 Modules linked in: rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) ib_umad(OE) mlx5_ib(OE) rfkill mlx5_core(OE) mlxdevm(OE) ib_uverbs(OE) ib_core(OE) psample mlxfw(OE) mlx_compat(OE) macsec tls pci_hyperv_intf sunrpc vfat fat virtio_net net_failover failover fuse loop nfnetlink vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vmw_vmci vsock xfs crct10dif_ce ghash_ce sha2_ce sha256_arm64 sha1_ce virtio_console virtio_gpu virtio_blk virtio_dma_buf virtio_mmio dm_mirror dm_region_hash dm_log dm_mod xpmem(OE) CPU: 0 UID: 0 PID: 37589 Comm: python3 Kdump: loaded Tainted: G OE ------- --- 6.12.0-54.el10.aarch64 #1 Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015 pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : refcount_warn_saturate+0xf4/0x148 lr : refcount_warn_saturate+0xf4/0x148 sp : ffff80008b81b7e0 x29: ffff80008b81b7e0 x28: ffff000133d51600 x27: 0000000000000001 x26: 0000000000000000 x25: 00000000ffffffea x24: ffff00010ae80f00 x23: ffff00010ae80f80 x22: ffff0000c66e5d08 x21: 0000000000000000 x20: ffff0000c66e0000 x19: ffff00010ae80340 x18: 0000000000000006 x17: 0000000000000000 x16: 0000000000000020 x15: ffff80008b81b37f x14: 0000000000000000 x13: 2e656572662d7265 x12: ffff80008283ef78 x11: ffff80008257efd0 x10: ffff80008283efd0 x9 : ffff80008021ed90 x8 : 0000000000000001 x7 : 00000000000bffe8 x6 : c0000000ffff7fff x5 : ffff0001fb8e3408 x4 : 0000000000000000 x3 : ffff800179993000 x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff000133d51600 Call trace: refcount_warn_saturate+0xf4/0x148 mlx5_core_put_rsc+0x88/0xa0 [mlx5_ib] mlx5_core_destroy_rq_tracked+0x64/0x98 [mlx5_ib] mlx5_ib_destroy_wq+0x34/0x80 [mlx5_ib] ib_destroy_wq_user+0x30/0xc0 [ib_core] uverbs_free_wq+0x28/0x58 [ib_uverbs] destroy_hw_idr_uobject+0x34/0x78 [ib_uverbs] uverbs_destroy_uobject+0x48/0x240 [ib_uverbs] __uverbs_cleanup_ufile+0xd4/0x1a8 [ib_uverbs] uverbs_destroy_ufile_hw+0x48/0x120 [ib_uverbs] ib_uverbs_close+0x2c/0x100 [ib_uverbs] __fput+0xd8/0x2f0 __fput_sync+0x50/0x70 __arm64_sys_close+0x40/0x90 invoke_syscall.constprop.0+0x74/0xd0 do_el0_svc+0x48/0xe8 el0_svc+0x44/0x1d0 el0t_64_sync_handler+0x120/0x130 el0t_64_sync+0x1a4/0x1a8

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/26d2f662d3a6655a8…
	https://git.kernel.org/stable/c/f9784da76ad7be662…
	https://git.kernel.org/stable/c/cf32affe6f3801cfb…
	https://git.kernel.org/stable/c/7c4c84cdcc19e89d4…
	https://git.kernel.org/stable/c/50ac361ff8914133e…
	https://git.kernel.org/stable/c/0a7790cbba654e925…
	https://git.kernel.org/stable/c/5d2ea5aebbb2f3ebd…

Impacted products

Vendor

Product

Version

Linux

Affected: e2013b212f9f201c71fc5826ce41f39ebece0852 , < 26d2f662d3a6655a82fd8a287e8b1ce471567f36 (git)
Affected: e2013b212f9f201c71fc5826ce41f39ebece0852 , < f9784da76ad7be66230e829e743bdf68a2c49e56 (git)
Affected: e2013b212f9f201c71fc5826ce41f39ebece0852 , < cf32affe6f3801cfb72a65e69c4bc7a8ee9be100 (git)
Affected: e2013b212f9f201c71fc5826ce41f39ebece0852 , < 7c4c84cdcc19e89d42f6bf117238e5471173423e (git)
Affected: e2013b212f9f201c71fc5826ce41f39ebece0852 , < 50ac361ff8914133e3cf6ef184bac90c22cb8d79 (git)
Affected: e2013b212f9f201c71fc5826ce41f39ebece0852 , < 0a7790cbba654e925243571cf2f24d61603d3ed3 (git)
Affected: e2013b212f9f201c71fc5826ce41f39ebece0852 , < 5d2ea5aebbb2f3ebde4403f9c55b2b057e5dd2d6 (git)

Linux

Affected: 4.5
Unaffected: 0 , < 4.5 (semver)
Unaffected: 5.10.239 , ≤ 5.10.* (semver)
Unaffected: 5.15.186 , ≤ 5.15.* (semver)
Unaffected: 6.1.142 , ≤ 6.1.* (semver)
Unaffected: 6.6.94 , ≤ 6.6.* (semver)
Unaffected: 6.12.34 , ≤ 6.12.* (semver)
Unaffected: 6.15.3 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:34:52.048Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/hw/mlx5/qpc.c",
            "include/linux/mlx5/driver.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "26d2f662d3a6655a82fd8a287e8b1ce471567f36",
              "status": "affected",
              "version": "e2013b212f9f201c71fc5826ce41f39ebece0852",
              "versionType": "git"
            },
            {
              "lessThan": "f9784da76ad7be66230e829e743bdf68a2c49e56",
              "status": "affected",
              "version": "e2013b212f9f201c71fc5826ce41f39ebece0852",
              "versionType": "git"
            },
            {
              "lessThan": "cf32affe6f3801cfb72a65e69c4bc7a8ee9be100",
              "status": "affected",
              "version": "e2013b212f9f201c71fc5826ce41f39ebece0852",
              "versionType": "git"
            },
            {
              "lessThan": "7c4c84cdcc19e89d42f6bf117238e5471173423e",
              "status": "affected",
              "version": "e2013b212f9f201c71fc5826ce41f39ebece0852",
              "versionType": "git"
            },
            {
              "lessThan": "50ac361ff8914133e3cf6ef184bac90c22cb8d79",
              "status": "affected",
              "version": "e2013b212f9f201c71fc5826ce41f39ebece0852",
              "versionType": "git"
            },
            {
              "lessThan": "0a7790cbba654e925243571cf2f24d61603d3ed3",
              "status": "affected",
              "version": "e2013b212f9f201c71fc5826ce41f39ebece0852",
              "versionType": "git"
            },
            {
              "lessThan": "5d2ea5aebbb2f3ebde4403f9c55b2b057e5dd2d6",
              "status": "affected",
              "version": "e2013b212f9f201c71fc5826ce41f39ebece0852",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/hw/mlx5/qpc.c",
            "include/linux/mlx5/driver.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.5"
            },
            {
              "lessThan": "4.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.94",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx5: Fix error flow upon firmware failure for RQ destruction\n\nUpon RQ destruction if the firmware command fails which is the\nlast resource to be destroyed some SW resources were already cleaned\nregardless of the failure.\n\nNow properly rollback the object to its original state upon such failure.\n\nIn order to avoid a use-after free in case someone tries to destroy the\nobject again, which results in the following kernel trace:\nrefcount_t: underflow; use-after-free.\nWARNING: CPU: 0 PID: 37589 at lib/refcount.c:28 refcount_warn_saturate+0xf4/0x148\nModules linked in: rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) ib_umad(OE) mlx5_ib(OE) rfkill mlx5_core(OE) mlxdevm(OE) ib_uverbs(OE) ib_core(OE) psample mlxfw(OE) mlx_compat(OE) macsec tls pci_hyperv_intf sunrpc vfat fat virtio_net net_failover failover fuse loop nfnetlink vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vmw_vmci vsock xfs crct10dif_ce ghash_ce sha2_ce sha256_arm64 sha1_ce virtio_console virtio_gpu virtio_blk virtio_dma_buf virtio_mmio dm_mirror dm_region_hash dm_log dm_mod xpmem(OE)\nCPU: 0 UID: 0 PID: 37589 Comm: python3 Kdump: loaded Tainted: G           OE     -------  ---  6.12.0-54.el10.aarch64 #1\nTainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE\nHardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015\npstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : refcount_warn_saturate+0xf4/0x148\nlr : refcount_warn_saturate+0xf4/0x148\nsp : ffff80008b81b7e0\nx29: ffff80008b81b7e0 x28: ffff000133d51600 x27: 0000000000000001\nx26: 0000000000000000 x25: 00000000ffffffea x24: ffff00010ae80f00\nx23: ffff00010ae80f80 x22: ffff0000c66e5d08 x21: 0000000000000000\nx20: ffff0000c66e0000 x19: ffff00010ae80340 x18: 0000000000000006\nx17: 0000000000000000 x16: 0000000000000020 x15: ffff80008b81b37f\nx14: 0000000000000000 x13: 2e656572662d7265 x12: ffff80008283ef78\nx11: ffff80008257efd0 x10: ffff80008283efd0 x9 : ffff80008021ed90\nx8 : 0000000000000001 x7 : 00000000000bffe8 x6 : c0000000ffff7fff\nx5 : ffff0001fb8e3408 x4 : 0000000000000000 x3 : ffff800179993000\nx2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff000133d51600\nCall trace:\n refcount_warn_saturate+0xf4/0x148\n mlx5_core_put_rsc+0x88/0xa0 [mlx5_ib]\n mlx5_core_destroy_rq_tracked+0x64/0x98 [mlx5_ib]\n mlx5_ib_destroy_wq+0x34/0x80 [mlx5_ib]\n ib_destroy_wq_user+0x30/0xc0 [ib_core]\n uverbs_free_wq+0x28/0x58 [ib_uverbs]\n destroy_hw_idr_uobject+0x34/0x78 [ib_uverbs]\n uverbs_destroy_uobject+0x48/0x240 [ib_uverbs]\n __uverbs_cleanup_ufile+0xd4/0x1a8 [ib_uverbs]\n uverbs_destroy_ufile_hw+0x48/0x120 [ib_uverbs]\n ib_uverbs_close+0x2c/0x100 [ib_uverbs]\n __fput+0xd8/0x2f0\n __fput_sync+0x50/0x70\n __arm64_sys_close+0x40/0x90\n invoke_syscall.constprop.0+0x74/0xd0\n do_el0_svc+0x48/0xe8\n el0_svc+0x44/0x1d0\n el0t_64_sync_handler+0x120/0x130\n el0t_64_sync+0x1a4/0x1a8"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:13:53.781Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/26d2f662d3a6655a82fd8a287e8b1ce471567f36"
        },
        {
          "url": "https://git.kernel.org/stable/c/f9784da76ad7be66230e829e743bdf68a2c49e56"
        },
        {
          "url": "https://git.kernel.org/stable/c/cf32affe6f3801cfb72a65e69c4bc7a8ee9be100"
        },
        {
          "url": "https://git.kernel.org/stable/c/7c4c84cdcc19e89d42f6bf117238e5471173423e"
        },
        {
          "url": "https://git.kernel.org/stable/c/50ac361ff8914133e3cf6ef184bac90c22cb8d79"
        },
        {
          "url": "https://git.kernel.org/stable/c/0a7790cbba654e925243571cf2f24d61603d3ed3"
        },
        {
          "url": "https://git.kernel.org/stable/c/5d2ea5aebbb2f3ebde4403f9c55b2b057e5dd2d6"
        }
      ],
      "title": "RDMA/mlx5: Fix error flow upon firmware failure for RQ destruction",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38161",
    "datePublished": "2025-07-03T08:36:03.087Z",
    "dateReserved": "2025-04-16T04:51:23.990Z",
    "dateUpdated": "2025-11-03T17:34:52.048Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2021-47319 (GCVE-0-2021-47319)

Vulnerability from cvelistv5 – Published: 2024-05-21 14:35 – Updated: 2025-12-18 11:36

Title

virtio-blk: Fix memory leak among suspend/resume procedure

Summary

In the Linux kernel, the following vulnerability has been resolved: virtio-blk: Fix memory leak among suspend/resume procedure The vblk->vqs should be freed before we call init_vqs() in virtblk_restore().

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/381bde79d11e59600…
	https://git.kernel.org/stable/c/102d6bc6475ab09ba…
	https://git.kernel.org/stable/c/863da837964c80c72…
	https://git.kernel.org/stable/c/600942d2fd49b90e4…
	https://git.kernel.org/stable/c/04c6e60b884cb5e94…
	https://git.kernel.org/stable/c/cd24da0db9f75ca11…
	https://git.kernel.org/stable/c/ca2b8ae93a6da9839…
	https://git.kernel.org/stable/c/29a2f4a3214aa14d6…
	https://git.kernel.org/stable/c/b71ba22e7c6c6b279…

Impacted products

Vendor

Product

Version

Linux

Affected: 6a27b656fc0210e976db362e1368c56db05c8f08 , < 381bde79d11e596002edfd914e6714291826967a (git)
Affected: 6a27b656fc0210e976db362e1368c56db05c8f08 , < 102d6bc6475ab09bab579c18704e6cf8d898e93c (git)
Affected: 6a27b656fc0210e976db362e1368c56db05c8f08 , < 863da837964c80c72e368a4f748c30d25daa1815 (git)
Affected: 6a27b656fc0210e976db362e1368c56db05c8f08 , < 600942d2fd49b90e44857d20c774b20d16f3130f (git)
Affected: 6a27b656fc0210e976db362e1368c56db05c8f08 , < 04c6e60b884cb5e94ff32af46867fb41d5848358 (git)
Affected: 6a27b656fc0210e976db362e1368c56db05c8f08 , < cd24da0db9f75ca11eaf6060f0ccb90e2f3be3b0 (git)
Affected: 6a27b656fc0210e976db362e1368c56db05c8f08 , < ca2b8ae93a6da9839dc7f9eb9199b18aa03c3dae (git)
Affected: 6a27b656fc0210e976db362e1368c56db05c8f08 , < 29a2f4a3214aa14d61cc9737c9f886dae9dbb710 (git)
Affected: 6a27b656fc0210e976db362e1368c56db05c8f08 , < b71ba22e7c6c6b279c66f53ee7818709774efa1f (git)

Linux

Affected: 3.17
Unaffected: 0 , < 3.17 (semver)
Unaffected: 4.4.276 , ≤ 4.4.* (semver)
Unaffected: 4.9.276 , ≤ 4.9.* (semver)
Unaffected: 4.14.240 , ≤ 4.14.* (semver)
Unaffected: 4.19.198 , ≤ 4.19.* (semver)
Unaffected: 5.4.134 , ≤ 5.4.* (semver)
Unaffected: 5.10.52 , ≤ 5.10.* (semver)
Unaffected: 5.12.19 , ≤ 5.12.* (semver)
Unaffected: 5.13.4 , ≤ 5.13.* (semver)
Unaffected: 5.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T05:32:08.453Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/381bde79d11e596002edfd914e6714291826967a"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/102d6bc6475ab09bab579c18704e6cf8d898e93c"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/863da837964c80c72e368a4f748c30d25daa1815"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/600942d2fd49b90e44857d20c774b20d16f3130f"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/04c6e60b884cb5e94ff32af46867fb41d5848358"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/cd24da0db9f75ca11eaf6060f0ccb90e2f3be3b0"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/ca2b8ae93a6da9839dc7f9eb9199b18aa03c3dae"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/29a2f4a3214aa14d61cc9737c9f886dae9dbb710"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/b71ba22e7c6c6b279c66f53ee7818709774efa1f"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-47319",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T15:39:09.303825Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-11T17:33:52.675Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/block/virtio_blk.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "381bde79d11e596002edfd914e6714291826967a",
              "status": "affected",
              "version": "6a27b656fc0210e976db362e1368c56db05c8f08",
              "versionType": "git"
            },
            {
              "lessThan": "102d6bc6475ab09bab579c18704e6cf8d898e93c",
              "status": "affected",
              "version": "6a27b656fc0210e976db362e1368c56db05c8f08",
              "versionType": "git"
            },
            {
              "lessThan": "863da837964c80c72e368a4f748c30d25daa1815",
              "status": "affected",
              "version": "6a27b656fc0210e976db362e1368c56db05c8f08",
              "versionType": "git"
            },
            {
              "lessThan": "600942d2fd49b90e44857d20c774b20d16f3130f",
              "status": "affected",
              "version": "6a27b656fc0210e976db362e1368c56db05c8f08",
              "versionType": "git"
            },
            {
              "lessThan": "04c6e60b884cb5e94ff32af46867fb41d5848358",
              "status": "affected",
              "version": "6a27b656fc0210e976db362e1368c56db05c8f08",
              "versionType": "git"
            },
            {
              "lessThan": "cd24da0db9f75ca11eaf6060f0ccb90e2f3be3b0",
              "status": "affected",
              "version": "6a27b656fc0210e976db362e1368c56db05c8f08",
              "versionType": "git"
            },
            {
              "lessThan": "ca2b8ae93a6da9839dc7f9eb9199b18aa03c3dae",
              "status": "affected",
              "version": "6a27b656fc0210e976db362e1368c56db05c8f08",
              "versionType": "git"
            },
            {
              "lessThan": "29a2f4a3214aa14d61cc9737c9f886dae9dbb710",
              "status": "affected",
              "version": "6a27b656fc0210e976db362e1368c56db05c8f08",
              "versionType": "git"
            },
            {
              "lessThan": "b71ba22e7c6c6b279c66f53ee7818709774efa1f",
              "status": "affected",
              "version": "6a27b656fc0210e976db362e1368c56db05c8f08",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/block/virtio_blk.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.17"
            },
            {
              "lessThan": "3.17",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.4.*",
              "status": "unaffected",
              "version": "4.4.276",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.9.*",
              "status": "unaffected",
              "version": "4.9.276",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.14.*",
              "status": "unaffected",
              "version": "4.14.240",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.198",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.134",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.52",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.12.*",
              "status": "unaffected",
              "version": "5.12.19",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.13.*",
              "status": "unaffected",
              "version": "5.13.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.4.276",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.9.276",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.14.240",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.198",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.134",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.52",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.12.19",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.13.4",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.14",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio-blk: Fix memory leak among suspend/resume procedure\n\nThe vblk-\u003evqs should be freed before we call init_vqs()\nin virtblk_restore()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-18T11:36:35.392Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/381bde79d11e596002edfd914e6714291826967a"
        },
        {
          "url": "https://git.kernel.org/stable/c/102d6bc6475ab09bab579c18704e6cf8d898e93c"
        },
        {
          "url": "https://git.kernel.org/stable/c/863da837964c80c72e368a4f748c30d25daa1815"
        },
        {
          "url": "https://git.kernel.org/stable/c/600942d2fd49b90e44857d20c774b20d16f3130f"
        },
        {
          "url": "https://git.kernel.org/stable/c/04c6e60b884cb5e94ff32af46867fb41d5848358"
        },
        {
          "url": "https://git.kernel.org/stable/c/cd24da0db9f75ca11eaf6060f0ccb90e2f3be3b0"
        },
        {
          "url": "https://git.kernel.org/stable/c/ca2b8ae93a6da9839dc7f9eb9199b18aa03c3dae"
        },
        {
          "url": "https://git.kernel.org/stable/c/29a2f4a3214aa14d61cc9737c9f886dae9dbb710"
        },
        {
          "url": "https://git.kernel.org/stable/c/b71ba22e7c6c6b279c66f53ee7818709774efa1f"
        }
      ],
      "title": "virtio-blk: Fix memory leak among suspend/resume procedure",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2021-47319",
    "datePublished": "2024-05-21T14:35:34.541Z",
    "dateReserved": "2024-05-21T14:28:16.974Z",
    "dateUpdated": "2025-12-18T11:36:35.392Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-37756 (GCVE-0-2025-37756)

Vulnerability from cvelistv5 – Published: 2025-05-01 12:56 – Updated: 2025-11-03 19:54

Title

net: tls: explicitly disallow disconnect

Summary

In the Linux kernel, the following vulnerability has been resolved: net: tls: explicitly disallow disconnect syzbot discovered that it can disconnect a TLS socket and then run into all sort of unexpected corner cases. I have a vague recollection of Eric pointing this out to us a long time ago. Supporting disconnect is really hard, for one thing if offload is enabled we'd need to wait for all packets to be _acked_. Disconnect is not commonly used, disallow it. The immediate problem syzbot run into is the warning in the strp, but that's just the easiest bug to trigger: WARNING: CPU: 0 PID: 5834 at net/tls/tls_strp.c:486 tls_strp_msg_load+0x72e/0xa80 net/tls/tls_strp.c:486 RIP: 0010:tls_strp_msg_load+0x72e/0xa80 net/tls/tls_strp.c:486 Call Trace: <TASK> tls_rx_rec_wait+0x280/0xa60 net/tls/tls_sw.c:1363 tls_sw_recvmsg+0x85c/0x1c30 net/tls/tls_sw.c:2043 inet6_recvmsg+0x2c9/0x730 net/ipv6/af_inet6.c:678 sock_recvmsg_nosec net/socket.c:1023 [inline] sock_recvmsg+0x109/0x280 net/socket.c:1045 __sys_recvfrom+0x202/0x380 net/socket.c:2237

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/7bdcf5bc35ae59fc4…
	https://git.kernel.org/stable/c/ac91c6125468be720…
	https://git.kernel.org/stable/c/f3ce4d3f874ab7919…
	https://git.kernel.org/stable/c/2bcad8fefcecdd5f0…
	https://git.kernel.org/stable/c/9fcbca0f801580cbb…
	https://git.kernel.org/stable/c/c665bef891e8972e1…
	https://git.kernel.org/stable/c/8513411ec321942bd…
	https://git.kernel.org/stable/c/5071a1e606b30c0c1…

Impacted products

Vendor

Product

Version

Linux

Affected: 3c4d7559159bfe1e3b94df3a657b2cda3a34e218 , < 7bdcf5bc35ae59fc4a0fa23276e84b4d1534a3cf (git)
Affected: 3c4d7559159bfe1e3b94df3a657b2cda3a34e218 , < ac91c6125468be720eafde9c973994cb45b61d44 (git)
Affected: 3c4d7559159bfe1e3b94df3a657b2cda3a34e218 , < f3ce4d3f874ab7919edca364c147ac735f9f1d04 (git)
Affected: 3c4d7559159bfe1e3b94df3a657b2cda3a34e218 , < 2bcad8fefcecdd5f005d8c550b25d703c063c34a (git)
Affected: 3c4d7559159bfe1e3b94df3a657b2cda3a34e218 , < 9fcbca0f801580cbb583e9cb274e2c7fbe766ca6 (git)
Affected: 3c4d7559159bfe1e3b94df3a657b2cda3a34e218 , < c665bef891e8972e1d3ce5bbc0d42a373346a2c3 (git)
Affected: 3c4d7559159bfe1e3b94df3a657b2cda3a34e218 , < 8513411ec321942bd3cfed53d5bb700665c67d86 (git)
Affected: 3c4d7559159bfe1e3b94df3a657b2cda3a34e218 , < 5071a1e606b30c0c11278d3c6620cd6a24724cf6 (git)

Linux

Affected: 4.13
Unaffected: 0 , < 4.13 (semver)
Unaffected: 5.10.237 , ≤ 5.10.* (semver)
Unaffected: 5.15.181 , ≤ 5.15.* (semver)
Unaffected: 6.1.135 , ≤ 6.1.* (semver)
Unaffected: 6.6.88 , ≤ 6.6.* (semver)
Unaffected: 6.12.24 , ≤ 6.12.* (semver)
Unaffected: 6.13.12 , ≤ 6.13.* (semver)
Unaffected: 6.14.3 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:54:29.034Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/tls/tls_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "7bdcf5bc35ae59fc4a0fa23276e84b4d1534a3cf",
              "status": "affected",
              "version": "3c4d7559159bfe1e3b94df3a657b2cda3a34e218",
              "versionType": "git"
            },
            {
              "lessThan": "ac91c6125468be720eafde9c973994cb45b61d44",
              "status": "affected",
              "version": "3c4d7559159bfe1e3b94df3a657b2cda3a34e218",
              "versionType": "git"
            },
            {
              "lessThan": "f3ce4d3f874ab7919edca364c147ac735f9f1d04",
              "status": "affected",
              "version": "3c4d7559159bfe1e3b94df3a657b2cda3a34e218",
              "versionType": "git"
            },
            {
              "lessThan": "2bcad8fefcecdd5f005d8c550b25d703c063c34a",
              "status": "affected",
              "version": "3c4d7559159bfe1e3b94df3a657b2cda3a34e218",
              "versionType": "git"
            },
            {
              "lessThan": "9fcbca0f801580cbb583e9cb274e2c7fbe766ca6",
              "status": "affected",
              "version": "3c4d7559159bfe1e3b94df3a657b2cda3a34e218",
              "versionType": "git"
            },
            {
              "lessThan": "c665bef891e8972e1d3ce5bbc0d42a373346a2c3",
              "status": "affected",
              "version": "3c4d7559159bfe1e3b94df3a657b2cda3a34e218",
              "versionType": "git"
            },
            {
              "lessThan": "8513411ec321942bd3cfed53d5bb700665c67d86",
              "status": "affected",
              "version": "3c4d7559159bfe1e3b94df3a657b2cda3a34e218",
              "versionType": "git"
            },
            {
              "lessThan": "5071a1e606b30c0c11278d3c6620cd6a24724cf6",
              "status": "affected",
              "version": "3c4d7559159bfe1e3b94df3a657b2cda3a34e218",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/tls/tls_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.13"
            },
            {
              "lessThan": "4.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.237",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.181",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.135",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.24",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.237",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.181",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.135",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.88",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.24",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.12",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.3",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: tls: explicitly disallow disconnect\n\nsyzbot discovered that it can disconnect a TLS socket and then\nrun into all sort of unexpected corner cases. I have a vague\nrecollection of Eric pointing this out to us a long time ago.\nSupporting disconnect is really hard, for one thing if offload\nis enabled we\u0027d need to wait for all packets to be _acked_.\nDisconnect is not commonly used, disallow it.\n\nThe immediate problem syzbot run into is the warning in the strp,\nbut that\u0027s just the easiest bug to trigger:\n\n  WARNING: CPU: 0 PID: 5834 at net/tls/tls_strp.c:486 tls_strp_msg_load+0x72e/0xa80 net/tls/tls_strp.c:486\n  RIP: 0010:tls_strp_msg_load+0x72e/0xa80 net/tls/tls_strp.c:486\n  Call Trace:\n   \u003cTASK\u003e\n   tls_rx_rec_wait+0x280/0xa60 net/tls/tls_sw.c:1363\n   tls_sw_recvmsg+0x85c/0x1c30 net/tls/tls_sw.c:2043\n   inet6_recvmsg+0x2c9/0x730 net/ipv6/af_inet6.c:678\n   sock_recvmsg_nosec net/socket.c:1023 [inline]\n   sock_recvmsg+0x109/0x280 net/socket.c:1045\n   __sys_recvfrom+0x202/0x380 net/socket.c:2237"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:20:11.963Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/7bdcf5bc35ae59fc4a0fa23276e84b4d1534a3cf"
        },
        {
          "url": "https://git.kernel.org/stable/c/ac91c6125468be720eafde9c973994cb45b61d44"
        },
        {
          "url": "https://git.kernel.org/stable/c/f3ce4d3f874ab7919edca364c147ac735f9f1d04"
        },
        {
          "url": "https://git.kernel.org/stable/c/2bcad8fefcecdd5f005d8c550b25d703c063c34a"
        },
        {
          "url": "https://git.kernel.org/stable/c/9fcbca0f801580cbb583e9cb274e2c7fbe766ca6"
        },
        {
          "url": "https://git.kernel.org/stable/c/c665bef891e8972e1d3ce5bbc0d42a373346a2c3"
        },
        {
          "url": "https://git.kernel.org/stable/c/8513411ec321942bd3cfed53d5bb700665c67d86"
        },
        {
          "url": "https://git.kernel.org/stable/c/5071a1e606b30c0c11278d3c6620cd6a24724cf6"
        }
      ],
      "title": "net: tls: explicitly disallow disconnect",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37756",
    "datePublished": "2025-05-01T12:56:00.539Z",
    "dateReserved": "2025-04-16T04:51:23.938Z",
    "dateUpdated": "2025-11-03T19:54:29.034Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38263 (GCVE-0-2025-38263)

Vulnerability from cvelistv5 – Published: 2025-07-09 10:42 – Updated: 2025-11-03 17:36

Title

bcache: fix NULL pointer in cache_set_flush()

Summary

In the Linux kernel, the following vulnerability has been resolved: bcache: fix NULL pointer in cache_set_flush() 1. LINE#1794 - LINE#1887 is some codes about function of bch_cache_set_alloc(). 2. LINE#2078 - LINE#2142 is some codes about function of register_cache_set(). 3. register_cache_set() will call bch_cache_set_alloc() in LINE#2098. 1794 struct cache_set *bch_cache_set_alloc(struct cache_sb *sb) 1795 { ... 1860 if (!(c->devices = kcalloc(c->nr_uuids, sizeof(void *), GFP_KERNEL)) || 1861 mempool_init_slab_pool(&c->search, 32, bch_search_cache) || 1862 mempool_init_kmalloc_pool(&c->bio_meta, 2, 1863 sizeof(struct bbio) + sizeof(struct bio_vec) * 1864 bucket_pages(c)) || 1865 mempool_init_kmalloc_pool(&c->fill_iter, 1, iter_size) || 1866 bioset_init(&c->bio_split, 4, offsetof(struct bbio, bio), 1867 BIOSET_NEED_BVECS|BIOSET_NEED_RESCUER) || 1868 !(c->uuids = alloc_bucket_pages(GFP_KERNEL, c)) || 1869 !(c->moving_gc_wq = alloc_workqueue("bcache_gc", 1870 WQ_MEM_RECLAIM, 0)) || 1871 bch_journal_alloc(c) || 1872 bch_btree_cache_alloc(c) || 1873 bch_open_buckets_alloc(c) || 1874 bch_bset_sort_state_init(&c->sort, ilog2(c->btree_pages))) 1875 goto err; ^^^^^^^^ 1876 ... 1883 return c; 1884 err: 1885 bch_cache_set_unregister(c); ^^^^^^^^^^^^^^^^^^^^^^^^^^^ 1886 return NULL; 1887 } ... 2078 static const char *register_cache_set(struct cache *ca) 2079 { ... 2098 c = bch_cache_set_alloc(&ca->sb); 2099 if (!c) 2100 return err; ^^^^^^^^^^ ... 2128 ca->set = c; 2129 ca->set->cache[ca->sb.nr_this_dev] = ca; ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ... 2138 return NULL; 2139 err: 2140 bch_cache_set_unregister(c); 2141 return err; 2142 } (1) If LINE#1860 - LINE#1874 is true, then do 'goto err'(LINE#1875) and call bch_cache_set_unregister()(LINE#1885). (2) As (1) return NULL(LINE#1886), LINE#2098 - LINE#2100 would return. (3) As (2) has returned, LINE#2128 - LINE#2129 would do *not* give the value to c->cache[], it means that c->cache[] is NULL. LINE#1624 - LINE#1665 is some codes about function of cache_set_flush(). As (1), in LINE#1885 call bch_cache_set_unregister() ---> bch_cache_set_stop() ---> closure_queue() -.-> cache_set_flush() (as below LINE#1624) 1624 static void cache_set_flush(struct closure *cl) 1625 { ... 1654 for_each_cache(ca, c, i) 1655 if (ca->alloc_thread) ^^ 1656 kthread_stop(ca->alloc_thread); ... 1665 } (4) In LINE#1655 ca is NULL(see (3)) in cache_set_flush() then the kernel crash occurred as below: [ 846.712887] bcache: register_cache() error drbd6: cannot allocate memory [ 846.713242] bcache: register_bcache() error : failed to register device [ 846.713336] bcache: cache_set_free() Cache set 2f84bdc1-498a-4f2f-98a7-01946bf54287 unregistered [ 846.713768] BUG: unable to handle kernel NULL pointer dereference at 00000000000009f8 [ 846.714790] PGD 0 P4D 0 [ 846.715129] Oops: 0000 [#1] SMP PTI [ 846.715472] CPU: 19 PID: 5057 Comm: kworker/19:16 Kdump: loaded Tainted: G OE --------- - - 4.18.0-147.5.1.el8_1.5es.3.x86_64 #1 [ 846.716082] Hardware name: ESPAN GI-25212/X11DPL-i, BIOS 2.1 06/15/2018 [ 846.716451] Workqueue: events cache_set_flush [bcache] [ 846.716808] RIP: 0010:cache_set_flush+0xc9/0x1b0 [bcache] [ 846.717155] Code: 00 4c 89 a5 b0 03 00 00 48 8b 85 68 f6 ff ff a8 08 0f 84 88 00 00 00 31 db 66 83 bd 3c f7 ff ff 00 48 8b 85 48 ff ff ff 74 28 <48> 8b b8 f8 09 00 0 ---truncated---

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/d54681938b777488e…
	https://git.kernel.org/stable/c/1f25f2d3fa2932532…
	https://git.kernel.org/stable/c/c4f5e7e417034b05f…
	https://git.kernel.org/stable/c/553f560e0a74a7008…
	https://git.kernel.org/stable/c/667c3f52373ff5354…
	https://git.kernel.org/stable/c/3f9e128186c99a117…
	https://git.kernel.org/stable/c/1e46ed947ec658f89…

Impacted products

Vendor

Product

Version

Linux

Affected: cafe563591446cf80bfbc2fe3bc72a2e36cf1060 , < d54681938b777488e5dfb781b566d16adad991de (git)
Affected: cafe563591446cf80bfbc2fe3bc72a2e36cf1060 , < 1f25f2d3fa29325320c19a30abf787e0bd5fc91b (git)
Affected: cafe563591446cf80bfbc2fe3bc72a2e36cf1060 , < c4f5e7e417034b05f5d2f5fa9a872db897da69bd (git)
Affected: cafe563591446cf80bfbc2fe3bc72a2e36cf1060 , < 553f560e0a74a7008ad9dba05c3fd05da296befb (git)
Affected: cafe563591446cf80bfbc2fe3bc72a2e36cf1060 , < 667c3f52373ff5354cb3543e27237eb7df7b2333 (git)
Affected: cafe563591446cf80bfbc2fe3bc72a2e36cf1060 , < 3f9e128186c99a117e304f1dce6d0b9e50c63cd8 (git)
Affected: cafe563591446cf80bfbc2fe3bc72a2e36cf1060 , < 1e46ed947ec658f89f1a910d880cd05e42d3763e (git)

Linux

Affected: 3.10
Unaffected: 0 , < 3.10 (semver)
Unaffected: 5.10.240 , ≤ 5.10.* (semver)
Unaffected: 5.15.187 , ≤ 5.15.* (semver)
Unaffected: 6.1.143 , ≤ 6.1.* (semver)
Unaffected: 6.6.96 , ≤ 6.6.* (semver)
Unaffected: 6.12.36 , ≤ 6.12.* (semver)
Unaffected: 6.15.5 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:36:06.203Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/md/bcache/super.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d54681938b777488e5dfb781b566d16adad991de",
              "status": "affected",
              "version": "cafe563591446cf80bfbc2fe3bc72a2e36cf1060",
              "versionType": "git"
            },
            {
              "lessThan": "1f25f2d3fa29325320c19a30abf787e0bd5fc91b",
              "status": "affected",
              "version": "cafe563591446cf80bfbc2fe3bc72a2e36cf1060",
              "versionType": "git"
            },
            {
              "lessThan": "c4f5e7e417034b05f5d2f5fa9a872db897da69bd",
              "status": "affected",
              "version": "cafe563591446cf80bfbc2fe3bc72a2e36cf1060",
              "versionType": "git"
            },
            {
              "lessThan": "553f560e0a74a7008ad9dba05c3fd05da296befb",
              "status": "affected",
              "version": "cafe563591446cf80bfbc2fe3bc72a2e36cf1060",
              "versionType": "git"
            },
            {
              "lessThan": "667c3f52373ff5354cb3543e27237eb7df7b2333",
              "status": "affected",
              "version": "cafe563591446cf80bfbc2fe3bc72a2e36cf1060",
              "versionType": "git"
            },
            {
              "lessThan": "3f9e128186c99a117e304f1dce6d0b9e50c63cd8",
              "status": "affected",
              "version": "cafe563591446cf80bfbc2fe3bc72a2e36cf1060",
              "versionType": "git"
            },
            {
              "lessThan": "1e46ed947ec658f89f1a910d880cd05e42d3763e",
              "status": "affected",
              "version": "cafe563591446cf80bfbc2fe3bc72a2e36cf1060",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/md/bcache/super.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.10"
            },
            {
              "lessThan": "3.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.240",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.187",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.143",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.96",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.36",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.240",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.187",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.143",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.96",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.36",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.5",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbcache: fix NULL pointer in cache_set_flush()\n\n1. LINE#1794 - LINE#1887 is some codes about function of\n   bch_cache_set_alloc().\n2. LINE#2078 - LINE#2142 is some codes about function of\n   register_cache_set().\n3. register_cache_set() will call bch_cache_set_alloc() in LINE#2098.\n\n 1794 struct cache_set *bch_cache_set_alloc(struct cache_sb *sb)\n 1795 {\n ...\n 1860         if (!(c-\u003edevices = kcalloc(c-\u003enr_uuids, sizeof(void *), GFP_KERNEL)) ||\n 1861             mempool_init_slab_pool(\u0026c-\u003esearch, 32, bch_search_cache) ||\n 1862             mempool_init_kmalloc_pool(\u0026c-\u003ebio_meta, 2,\n 1863                                 sizeof(struct bbio) + sizeof(struct bio_vec) *\n 1864                                 bucket_pages(c)) ||\n 1865             mempool_init_kmalloc_pool(\u0026c-\u003efill_iter, 1, iter_size) ||\n 1866             bioset_init(\u0026c-\u003ebio_split, 4, offsetof(struct bbio, bio),\n 1867                         BIOSET_NEED_BVECS|BIOSET_NEED_RESCUER) ||\n 1868             !(c-\u003euuids = alloc_bucket_pages(GFP_KERNEL, c)) ||\n 1869             !(c-\u003emoving_gc_wq = alloc_workqueue(\"bcache_gc\",\n 1870                                                 WQ_MEM_RECLAIM, 0)) ||\n 1871             bch_journal_alloc(c) ||\n 1872             bch_btree_cache_alloc(c) ||\n 1873             bch_open_buckets_alloc(c) ||\n 1874             bch_bset_sort_state_init(\u0026c-\u003esort, ilog2(c-\u003ebtree_pages)))\n 1875                 goto err;\n                      ^^^^^^^^\n 1876\n ...\n 1883         return c;\n 1884 err:\n 1885         bch_cache_set_unregister(c);\n              ^^^^^^^^^^^^^^^^^^^^^^^^^^^\n 1886         return NULL;\n 1887 }\n ...\n 2078 static const char *register_cache_set(struct cache *ca)\n 2079 {\n ...\n 2098         c = bch_cache_set_alloc(\u0026ca-\u003esb);\n 2099         if (!c)\n 2100                 return err;\n                      ^^^^^^^^^^\n ...\n 2128         ca-\u003eset = c;\n 2129         ca-\u003eset-\u003ecache[ca-\u003esb.nr_this_dev] = ca;\n              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n ...\n 2138         return NULL;\n 2139 err:\n 2140         bch_cache_set_unregister(c);\n 2141         return err;\n 2142 }\n\n(1) If LINE#1860 - LINE#1874 is true, then do \u0027goto err\u0027(LINE#1875) and\n    call bch_cache_set_unregister()(LINE#1885).\n(2) As (1) return NULL(LINE#1886), LINE#2098 - LINE#2100 would return.\n(3) As (2) has returned, LINE#2128 - LINE#2129 would do *not* give the\n    value to c-\u003ecache[], it means that c-\u003ecache[] is NULL.\n\nLINE#1624 - LINE#1665 is some codes about function of cache_set_flush().\nAs (1), in LINE#1885 call\nbch_cache_set_unregister()\n---\u003e bch_cache_set_stop()\n     ---\u003e closure_queue()\n          -.-\u003e cache_set_flush() (as below LINE#1624)\n\n 1624 static void cache_set_flush(struct closure *cl)\n 1625 {\n ...\n 1654         for_each_cache(ca, c, i)\n 1655                 if (ca-\u003ealloc_thread)\n                          ^^\n 1656                         kthread_stop(ca-\u003ealloc_thread);\n ...\n 1665 }\n\n(4) In LINE#1655 ca is NULL(see (3)) in cache_set_flush() then the\n    kernel crash occurred as below:\n[  846.712887] bcache: register_cache() error drbd6: cannot allocate memory\n[  846.713242] bcache: register_bcache() error : failed to register device\n[  846.713336] bcache: cache_set_free() Cache set 2f84bdc1-498a-4f2f-98a7-01946bf54287 unregistered\n[  846.713768] BUG: unable to handle kernel NULL pointer dereference at 00000000000009f8\n[  846.714790] PGD 0 P4D 0\n[  846.715129] Oops: 0000 [#1] SMP PTI\n[  846.715472] CPU: 19 PID: 5057 Comm: kworker/19:16 Kdump: loaded Tainted: G           OE    --------- -  - 4.18.0-147.5.1.el8_1.5es.3.x86_64 #1\n[  846.716082] Hardware name: ESPAN GI-25212/X11DPL-i, BIOS 2.1 06/15/2018\n[  846.716451] Workqueue: events cache_set_flush [bcache]\n[  846.716808] RIP: 0010:cache_set_flush+0xc9/0x1b0 [bcache]\n[  846.717155] Code: 00 4c 89 a5 b0 03 00 00 48 8b 85 68 f6 ff ff a8 08 0f 84 88 00 00 00 31 db 66 83 bd 3c f7 ff ff 00 48 8b 85 48 ff ff ff 74 28 \u003c48\u003e 8b b8 f8 09 00 0\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:16:36.043Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d54681938b777488e5dfb781b566d16adad991de"
        },
        {
          "url": "https://git.kernel.org/stable/c/1f25f2d3fa29325320c19a30abf787e0bd5fc91b"
        },
        {
          "url": "https://git.kernel.org/stable/c/c4f5e7e417034b05f5d2f5fa9a872db897da69bd"
        },
        {
          "url": "https://git.kernel.org/stable/c/553f560e0a74a7008ad9dba05c3fd05da296befb"
        },
        {
          "url": "https://git.kernel.org/stable/c/667c3f52373ff5354cb3543e27237eb7df7b2333"
        },
        {
          "url": "https://git.kernel.org/stable/c/3f9e128186c99a117e304f1dce6d0b9e50c63cd8"
        },
        {
          "url": "https://git.kernel.org/stable/c/1e46ed947ec658f89f1a910d880cd05e42d3763e"
        }
      ],
      "title": "bcache: fix NULL pointer in cache_set_flush()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38263",
    "datePublished": "2025-07-09T10:42:37.990Z",
    "dateReserved": "2025-04-16T04:51:23.997Z",
    "dateUpdated": "2025-11-03T17:36:06.203Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38139 (GCVE-0-2025-38139)

Vulnerability from cvelistv5 – Published: 2025-07-03 08:35 – Updated: 2025-07-28 04:13

Title

netfs: Fix oops in write-retry from mis-resetting the subreq iterator

Summary

In the Linux kernel, the following vulnerability has been resolved: netfs: Fix oops in write-retry from mis-resetting the subreq iterator Fix the resetting of the subrequest iterator in netfs_retry_write_stream() to use the iterator-reset function as the iterator may have been shortened by a previous retry. In such a case, the amount of data to be written by the subrequest is not "subreq->len" but "subreq->len - subreq->transferred". Without this, KASAN may see an error in iov_iter_revert(): BUG: KASAN: slab-out-of-bounds in iov_iter_revert lib/iov_iter.c:633 [inline] BUG: KASAN: slab-out-of-bounds in iov_iter_revert+0x443/0x5a0 lib/iov_iter.c:611 Read of size 4 at addr ffff88802912a0b8 by task kworker/u32:7/1147 CPU: 1 UID: 0 PID: 1147 Comm: kworker/u32:7 Not tainted 6.15.0-rc6-syzkaller-00052-g9f35e33144ae #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Workqueue: events_unbound netfs_write_collection_worker Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:408 [inline] print_report+0xc3/0x670 mm/kasan/report.c:521 kasan_report+0xe0/0x110 mm/kasan/report.c:634 iov_iter_revert lib/iov_iter.c:633 [inline] iov_iter_revert+0x443/0x5a0 lib/iov_iter.c:611 netfs_retry_write_stream fs/netfs/write_retry.c:44 [inline] netfs_retry_writes+0x166d/0x1a50 fs/netfs/write_retry.c:231 netfs_collect_write_results fs/netfs/write_collect.c:352 [inline] netfs_write_collection_worker+0x23fd/0x3830 fs/netfs/write_collect.c:374 process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3238 process_scheduled_works kernel/workqueue.c:3319 [inline] worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400 kthread+0x3c2/0x780 kernel/kthread.c:464 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:153 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 </TASK>

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/e0fefe9bc07e6101f…
	https://git.kernel.org/stable/c/bd0edaf99a920b1a9…
	https://git.kernel.org/stable/c/4481f7f2b3df123ec…

Impacted products

Vendor

Product

Version

Linux

Affected: cd0277ed0c188dd40e7744e89299af7b78831ca4 , < e0fefe9bc07e6101fdc57abda3644f296c114e31 (git)
Affected: cd0277ed0c188dd40e7744e89299af7b78831ca4 , < bd0edaf99a920b1a9decd773179caacacb61d0fd (git)
Affected: cd0277ed0c188dd40e7744e89299af7b78831ca4 , < 4481f7f2b3df123ec77e828c849138f75cff2bf2 (git)

Linux

Affected: 6.12
Unaffected: 0 , < 6.12 (semver)
Unaffected: 6.12.37 , ≤ 6.12.* (semver)
Unaffected: 6.15.3 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/netfs/write_retry.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e0fefe9bc07e6101fdc57abda3644f296c114e31",
              "status": "affected",
              "version": "cd0277ed0c188dd40e7744e89299af7b78831ca4",
              "versionType": "git"
            },
            {
              "lessThan": "bd0edaf99a920b1a9decd773179caacacb61d0fd",
              "status": "affected",
              "version": "cd0277ed0c188dd40e7744e89299af7b78831ca4",
              "versionType": "git"
            },
            {
              "lessThan": "4481f7f2b3df123ec77e828c849138f75cff2bf2",
              "status": "affected",
              "version": "cd0277ed0c188dd40e7744e89299af7b78831ca4",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/netfs/write_retry.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.12"
            },
            {
              "lessThan": "6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.37",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.37",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfs: Fix oops in write-retry from mis-resetting the subreq iterator\n\nFix the resetting of the subrequest iterator in netfs_retry_write_stream()\nto use the iterator-reset function as the iterator may have been shortened\nby a previous retry.  In such a case, the amount of data to be written by\nthe subrequest is not \"subreq-\u003elen\" but \"subreq-\u003elen -\nsubreq-\u003etransferred\".\n\nWithout this, KASAN may see an error in iov_iter_revert():\n\n   BUG: KASAN: slab-out-of-bounds in iov_iter_revert lib/iov_iter.c:633 [inline]\n   BUG: KASAN: slab-out-of-bounds in iov_iter_revert+0x443/0x5a0 lib/iov_iter.c:611\n   Read of size 4 at addr ffff88802912a0b8 by task kworker/u32:7/1147\n\n   CPU: 1 UID: 0 PID: 1147 Comm: kworker/u32:7 Not tainted 6.15.0-rc6-syzkaller-00052-g9f35e33144ae #0 PREEMPT(full)\n   Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\n   Workqueue: events_unbound netfs_write_collection_worker\n   Call Trace:\n    \u003cTASK\u003e\n    __dump_stack lib/dump_stack.c:94 [inline]\n    dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120\n    print_address_description mm/kasan/report.c:408 [inline]\n    print_report+0xc3/0x670 mm/kasan/report.c:521\n    kasan_report+0xe0/0x110 mm/kasan/report.c:634\n    iov_iter_revert lib/iov_iter.c:633 [inline]\n    iov_iter_revert+0x443/0x5a0 lib/iov_iter.c:611\n    netfs_retry_write_stream fs/netfs/write_retry.c:44 [inline]\n    netfs_retry_writes+0x166d/0x1a50 fs/netfs/write_retry.c:231\n    netfs_collect_write_results fs/netfs/write_collect.c:352 [inline]\n    netfs_write_collection_worker+0x23fd/0x3830 fs/netfs/write_collect.c:374\n    process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3238\n    process_scheduled_works kernel/workqueue.c:3319 [inline]\n    worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400\n    kthread+0x3c2/0x780 kernel/kthread.c:464\n    ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:153\n    ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245\n    \u003c/TASK\u003e"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:13:17.620Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e0fefe9bc07e6101fdc57abda3644f296c114e31"
        },
        {
          "url": "https://git.kernel.org/stable/c/bd0edaf99a920b1a9decd773179caacacb61d0fd"
        },
        {
          "url": "https://git.kernel.org/stable/c/4481f7f2b3df123ec77e828c849138f75cff2bf2"
        }
      ],
      "title": "netfs: Fix oops in write-retry from mis-resetting the subreq iterator",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38139",
    "datePublished": "2025-07-03T08:35:41.271Z",
    "dateReserved": "2025-04-16T04:51:23.987Z",
    "dateUpdated": "2025-07-28T04:13:17.620Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38290 (GCVE-0-2025-38290)

Vulnerability from cvelistv5 – Published: 2025-07-10 07:42 – Updated: 2025-07-28 04:17

Title

wifi: ath12k: fix node corruption in ar->arvifs list

Summary

In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix node corruption in ar->arvifs list In current WLAN recovery code flow, ath12k_core_halt() only reinitializes the "arvifs" list head. This will cause the list node immediately following the list head to become an invalid list node. Because the prev of that node still points to the list head "arvifs", but the next of the list head "arvifs" no longer points to that list node. When a WLAN recovery occurs during the execution of a vif removal, and it happens before the spin_lock_bh(&ar->data_lock) in ath12k_mac_vdev_delete(), list_del() will detect the previously mentioned situation, thereby triggering a kernel panic. The fix is to remove and reinitialize all vif list nodes from the list head "arvifs" during WLAN halt. The reinitialization is to make the list nodes valid, ensuring that the list_del() in ath12k_mac_vdev_delete() can execute normally. Call trace: __list_del_entry_valid_or_report+0xd4/0x100 (P) ath12k_mac_remove_link_interface.isra.0+0xf8/0x2e4 [ath12k] ath12k_scan_vdev_clean_work+0x40/0x164 [ath12k] cfg80211_wiphy_work+0xfc/0x100 process_one_work+0x164/0x2d0 worker_thread+0x254/0x380 kthread+0xfc/0x100 ret_from_fork+0x10/0x20 The change is mostly copied from the ath11k patch: https://lore.kernel.org/all/20250320053145.3445187-1-quic_stonez@quicinc.com/ Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/be049199dec918960…
	https://git.kernel.org/stable/c/6285516170f9e2f04…
	https://git.kernel.org/stable/c/6bfe7ae9bbd973475…
	https://git.kernel.org/stable/c/823435bd23108d6f8…

Impacted products

Vendor

Product

Version

Linux

Affected: d889913205cf7ebda905b1e62c5867ed4e39f6c2 , < be049199dec9189602bc06e2c70eda3aa0f2ea6e (git)
Affected: d889913205cf7ebda905b1e62c5867ed4e39f6c2 , < 6285516170f9e2f04b9dbf1e5100e0d7cbac22b4 (git)
Affected: d889913205cf7ebda905b1e62c5867ed4e39f6c2 , < 6bfe7ae9bbd9734751b853e2d2e1c13e8b46fd2d (git)
Affected: d889913205cf7ebda905b1e62c5867ed4e39f6c2 , < 823435bd23108d6f8be89ea2d025c0e2e3769c51 (git)

Linux

Affected: 6.3
Unaffected: 0 , < 6.3 (semver)
Unaffected: 6.6.94 , ≤ 6.6.* (semver)
Unaffected: 6.12.34 , ≤ 6.12.* (semver)
Unaffected: 6.15.3 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/ath/ath12k/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "be049199dec9189602bc06e2c70eda3aa0f2ea6e",
              "status": "affected",
              "version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
              "versionType": "git"
            },
            {
              "lessThan": "6285516170f9e2f04b9dbf1e5100e0d7cbac22b4",
              "status": "affected",
              "version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
              "versionType": "git"
            },
            {
              "lessThan": "6bfe7ae9bbd9734751b853e2d2e1c13e8b46fd2d",
              "status": "affected",
              "version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
              "versionType": "git"
            },
            {
              "lessThan": "823435bd23108d6f8be89ea2d025c0e2e3769c51",
              "status": "affected",
              "version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/ath/ath12k/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.3"
            },
            {
              "lessThan": "6.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.94",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: fix node corruption in ar-\u003earvifs list\n\nIn current WLAN recovery code flow, ath12k_core_halt() only reinitializes\nthe \"arvifs\" list head. This will cause the list node immediately following\nthe list head to become an invalid list node. Because the prev of that node\nstill points to the list head \"arvifs\", but the next of the list head\n\"arvifs\" no longer points to that list node.\n\nWhen a WLAN recovery occurs during the execution of a vif removal, and it\nhappens before the spin_lock_bh(\u0026ar-\u003edata_lock) in\nath12k_mac_vdev_delete(), list_del() will detect the previously mentioned\nsituation, thereby triggering a kernel panic.\n\nThe fix is to remove and reinitialize all vif list nodes from the list head\n\"arvifs\" during WLAN halt. The reinitialization is to make the list nodes\nvalid, ensuring that the list_del() in ath12k_mac_vdev_delete() can execute\nnormally.\n\nCall trace:\n__list_del_entry_valid_or_report+0xd4/0x100 (P)\nath12k_mac_remove_link_interface.isra.0+0xf8/0x2e4 [ath12k]\nath12k_scan_vdev_clean_work+0x40/0x164 [ath12k]\ncfg80211_wiphy_work+0xfc/0x100\nprocess_one_work+0x164/0x2d0\nworker_thread+0x254/0x380\nkthread+0xfc/0x100\nret_from_fork+0x10/0x20\n\nThe change is mostly copied from the ath11k patch:\nhttps://lore.kernel.org/all/20250320053145.3445187-1-quic_stonez@quicinc.com/\n\nTested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:17:39.754Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/be049199dec9189602bc06e2c70eda3aa0f2ea6e"
        },
        {
          "url": "https://git.kernel.org/stable/c/6285516170f9e2f04b9dbf1e5100e0d7cbac22b4"
        },
        {
          "url": "https://git.kernel.org/stable/c/6bfe7ae9bbd9734751b853e2d2e1c13e8b46fd2d"
        },
        {
          "url": "https://git.kernel.org/stable/c/823435bd23108d6f8be89ea2d025c0e2e3769c51"
        }
      ],
      "title": "wifi: ath12k: fix node corruption in ar-\u003earvifs list",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38290",
    "datePublished": "2025-07-10T07:42:06.259Z",
    "dateReserved": "2025-04-16T04:51:24.001Z",
    "dateUpdated": "2025-07-28T04:17:39.754Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38053 (GCVE-0-2025-38053)

Vulnerability from cvelistv5 – Published: 2025-06-18 09:33 – Updated: 2025-06-18 09:33

Title

idpf: fix null-ptr-deref in idpf_features_check

Summary

In the Linux kernel, the following vulnerability has been resolved: idpf: fix null-ptr-deref in idpf_features_check idpf_features_check is used to validate the TX packet. skb header length is compared with the hardware supported value received from the device control plane. The value is stored in the adapter structure and to access it, vport pointer is used. During reset all the vports are released and the vport pointer that the netdev private structure points to is NULL. To avoid null-ptr-deref, store the max header length value in netdev private structure. This also helps to cache the value and avoid accessing adapter pointer in hot path. BUG: kernel NULL pointer dereference, address: 0000000000000068 ... RIP: 0010:idpf_features_check+0x6d/0xe0 [idpf] Call Trace: <TASK> ? __die+0x23/0x70 ? page_fault_oops+0x154/0x520 ? exc_page_fault+0x76/0x190 ? asm_exc_page_fault+0x26/0x30 ? idpf_features_check+0x6d/0xe0 [idpf] netif_skb_features+0x88/0x310 validate_xmit_skb+0x2a/0x2b0 validate_xmit_skb_list+0x4c/0x70 sch_direct_xmit+0x19d/0x3a0 __dev_queue_xmit+0xb74/0xe70 ...

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/f6f5e9c8cb680c3cb…
	https://git.kernel.org/stable/c/bf1e751c5a5611aa0…
	https://git.kernel.org/stable/c/2dabe349f7882ff14…

Impacted products

Vendor

Product

Version

Linux

Affected: a251eee62133774cf35ff829041377e721ef9c8c , < f6f5e9c8cb680c3cb9771fd9fa114319cbc4f514 (git)
Affected: a251eee62133774cf35ff829041377e721ef9c8c , < bf1e751c5a5611aa037ab44cca955c141eb68dcc (git)
Affected: a251eee62133774cf35ff829041377e721ef9c8c , < 2dabe349f7882ff1407a784d54d8541909329088 (git)

Linux

Affected: 6.7
Unaffected: 0 , < 6.7 (semver)
Unaffected: 6.12.31 , ≤ 6.12.* (semver)
Unaffected: 6.14.9 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/intel/idpf/idpf.h",
            "drivers/net/ethernet/intel/idpf/idpf_lib.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f6f5e9c8cb680c3cb9771fd9fa114319cbc4f514",
              "status": "affected",
              "version": "a251eee62133774cf35ff829041377e721ef9c8c",
              "versionType": "git"
            },
            {
              "lessThan": "bf1e751c5a5611aa037ab44cca955c141eb68dcc",
              "status": "affected",
              "version": "a251eee62133774cf35ff829041377e721ef9c8c",
              "versionType": "git"
            },
            {
              "lessThan": "2dabe349f7882ff1407a784d54d8541909329088",
              "status": "affected",
              "version": "a251eee62133774cf35ff829041377e721ef9c8c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/intel/idpf/idpf.h",
            "drivers/net/ethernet/intel/idpf/idpf_lib.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.7"
            },
            {
              "lessThan": "6.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.31",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.31",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.9",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nidpf: fix null-ptr-deref in idpf_features_check\n\nidpf_features_check is used to validate the TX packet. skb header\nlength is compared with the hardware supported value received from\nthe device control plane. The value is stored in the adapter structure\nand to access it, vport pointer is used. During reset all the vports\nare released and the vport pointer that the netdev private structure\npoints to is NULL.\n\nTo avoid null-ptr-deref, store the max header length value in netdev\nprivate structure. This also helps to cache the value and avoid\naccessing adapter pointer in hot path.\n\nBUG: kernel NULL pointer dereference, address: 0000000000000068\n...\nRIP: 0010:idpf_features_check+0x6d/0xe0 [idpf]\nCall Trace:\n \u003cTASK\u003e\n ? __die+0x23/0x70\n ? page_fault_oops+0x154/0x520\n ? exc_page_fault+0x76/0x190\n ? asm_exc_page_fault+0x26/0x30\n ? idpf_features_check+0x6d/0xe0 [idpf]\n netif_skb_features+0x88/0x310\n validate_xmit_skb+0x2a/0x2b0\n validate_xmit_skb_list+0x4c/0x70\n sch_direct_xmit+0x19d/0x3a0\n __dev_queue_xmit+0xb74/0xe70\n ..."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-18T09:33:34.060Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f6f5e9c8cb680c3cb9771fd9fa114319cbc4f514"
        },
        {
          "url": "https://git.kernel.org/stable/c/bf1e751c5a5611aa037ab44cca955c141eb68dcc"
        },
        {
          "url": "https://git.kernel.org/stable/c/2dabe349f7882ff1407a784d54d8541909329088"
        }
      ],
      "title": "idpf: fix null-ptr-deref in idpf_features_check",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38053",
    "datePublished": "2025-06-18T09:33:34.060Z",
    "dateReserved": "2025-04-16T04:51:23.979Z",
    "dateUpdated": "2025-06-18T09:33:34.060Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38459 (GCVE-0-2025-38459)

Vulnerability from cvelistv5 – Published: 2025-07-25 15:27 – Updated: 2025-11-03 17:38

Title

atm: clip: Fix infinite recursive call of clip_push().

Summary

In the Linux kernel, the following vulnerability has been resolved: atm: clip: Fix infinite recursive call of clip_push(). syzbot reported the splat below. [0] This happens if we call ioctl(ATMARP_MKIP) more than once. During the first call, clip_mkip() sets clip_push() to vcc->push(), and the second call copies it to clip_vcc->old_push(). Later, when the socket is close()d, vcc_destroy_socket() passes NULL skb to clip_push(), which calls clip_vcc->old_push(), triggering the infinite recursion. Let's prevent the second ioctl(ATMARP_MKIP) by checking vcc->user_back, which is allocated by the first call as clip_vcc. Note also that we use lock_sock() to prevent racy calls. [0]: BUG: TASK stack guard page was hit at ffffc9000d66fff8 (stack is ffffc9000d670000..ffffc9000d678000) Oops: stack guard page: 0000 [#1] SMP KASAN NOPTI CPU: 0 UID: 0 PID: 5322 Comm: syz.0.0 Not tainted 6.16.0-rc4-syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:clip_push+0x5/0x720 net/atm/clip.c:191 Code: e0 8f aa 8c e8 1c ad 5b fa eb ae 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 55 <41> 57 41 56 41 55 41 54 53 48 83 ec 20 48 89 f3 49 89 fd 48 bd 00 RSP: 0018:ffffc9000d670000 EFLAGS: 00010246 RAX: 1ffff1100235a4a5 RBX: ffff888011ad2508 RCX: ffff8880003c0000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff888037f01000 RBP: dffffc0000000000 R08: ffffffff8fa104f7 R09: 1ffffffff1f4209e R10: dffffc0000000000 R11: ffffffff8a99b300 R12: ffffffff8a99b300 R13: ffff888037f01000 R14: ffff888011ad2500 R15: ffff888037f01578 FS: 000055557ab6d500(0000) GS:ffff88808d250000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffc9000d66fff8 CR3: 0000000043172000 CR4: 0000000000352ef0 Call Trace: <TASK> clip_push+0x6dc/0x720 net/atm/clip.c:200 clip_push+0x6dc/0x720 net/atm/clip.c:200 clip_push+0x6dc/0x720 net/atm/clip.c:200 ... clip_push+0x6dc/0x720 net/atm/clip.c:200 clip_push+0x6dc/0x720 net/atm/clip.c:200 clip_push+0x6dc/0x720 net/atm/clip.c:200 vcc_destroy_socket net/atm/common.c:183 [inline] vcc_release+0x157/0x460 net/atm/common.c:205 __sock_release net/socket.c:647 [inline] sock_close+0xc0/0x240 net/socket.c:1391 __fput+0x449/0xa70 fs/file_table.c:465 task_work_run+0x1d1/0x260 kernel/task_work.c:227 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline] exit_to_user_mode_loop+0xec/0x110 kernel/entry/common.c:114 exit_to_user_mode_prepare include/linux/entry-common.h:330 [inline] syscall_exit_to_user_mode_work include/linux/entry-common.h:414 [inline] syscall_exit_to_user_mode include/linux/entry-common.h:449 [inline] do_syscall_64+0x2bd/0x3b0 arch/x86/entry/syscall_64.c:100 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7ff31c98e929 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fffb5aa1f78 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4 RAX: 0000000000000000 RBX: 0000000000012747 RCX: 00007ff31c98e929 RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003 RBP: 00007ff31cbb7ba0 R08: 0000000000000001 R09: 0000000db5aa226f R10: 00007ff31c7ff030 R11: 0000000000000246 R12: 00007ff31cbb608c R13: 00007ff31cbb6080 R14: ffffffffffffffff R15: 00007fffb5aa2090 </TASK> Modules linked in:

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/f493f31a63847624f…
	https://git.kernel.org/stable/c/125166347d5676466…
	https://git.kernel.org/stable/c/5641019dfbaee5e85…
	https://git.kernel.org/stable/c/1579a2777cb914a24…
	https://git.kernel.org/stable/c/3f61b997fe014bbfc…
	https://git.kernel.org/stable/c/024876b247a882972…
	https://git.kernel.org/stable/c/df0312d8859763aa1…
	https://git.kernel.org/stable/c/c489f3283dbfc0f3c…

Impacted products

Vendor

Product

Version

Linux

Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f493f31a63847624fd3199ac836a8bd8828e50e2 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 125166347d5676466d368aadc0bbc31ee7714352 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 5641019dfbaee5e85fe093b590f0451c9dd4d6f8 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 1579a2777cb914a249de22c789ba4d41b154509f (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 3f61b997fe014bbfcc208a9fcbd363a1fe7e3a31 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 024876b247a882972095b22087734dcd23396a4e (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < df0312d8859763aa15b8b56ac151a1ea4a4e5b88 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < c489f3283dbfc0f3c00c312149cae90d27552c45 (git)

Linux

Affected: 2.6.12
Unaffected: 0 , < 2.6.12 (semver)
Unaffected: 5.4.296 , ≤ 5.4.* (semver)
Unaffected: 5.10.240 , ≤ 5.10.* (semver)
Unaffected: 5.15.189 , ≤ 5.15.* (semver)
Unaffected: 6.1.146 , ≤ 6.1.* (semver)
Unaffected: 6.6.99 , ≤ 6.6.* (semver)
Unaffected: 6.12.39 , ≤ 6.12.* (semver)
Unaffected: 6.15.7 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:38:17.937Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/atm/clip.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f493f31a63847624fd3199ac836a8bd8828e50e2",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "125166347d5676466d368aadc0bbc31ee7714352",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "5641019dfbaee5e85fe093b590f0451c9dd4d6f8",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "1579a2777cb914a249de22c789ba4d41b154509f",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "3f61b997fe014bbfcc208a9fcbd363a1fe7e3a31",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "024876b247a882972095b22087734dcd23396a4e",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "df0312d8859763aa15b8b56ac151a1ea4a4e5b88",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "c489f3283dbfc0f3c00c312149cae90d27552c45",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/atm/clip.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.296",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.240",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.189",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.146",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.99",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.39",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.296",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.240",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.189",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.146",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.99",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.39",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.7",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\natm: clip: Fix infinite recursive call of clip_push().\n\nsyzbot reported the splat below. [0]\n\nThis happens if we call ioctl(ATMARP_MKIP) more than once.\n\nDuring the first call, clip_mkip() sets clip_push() to vcc-\u003epush(),\nand the second call copies it to clip_vcc-\u003eold_push().\n\nLater, when the socket is close()d, vcc_destroy_socket() passes\nNULL skb to clip_push(), which calls clip_vcc-\u003eold_push(),\ntriggering the infinite recursion.\n\nLet\u0027s prevent the second ioctl(ATMARP_MKIP) by checking\nvcc-\u003euser_back, which is allocated by the first call as clip_vcc.\n\nNote also that we use lock_sock() to prevent racy calls.\n\n[0]:\nBUG: TASK stack guard page was hit at ffffc9000d66fff8 (stack is ffffc9000d670000..ffffc9000d678000)\nOops: stack guard page: 0000 [#1] SMP KASAN NOPTI\nCPU: 0 UID: 0 PID: 5322 Comm: syz.0.0 Not tainted 6.16.0-rc4-syzkaller #0 PREEMPT(full)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nRIP: 0010:clip_push+0x5/0x720 net/atm/clip.c:191\nCode: e0 8f aa 8c e8 1c ad 5b fa eb ae 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 55 \u003c41\u003e 57 41 56 41 55 41 54 53 48 83 ec 20 48 89 f3 49 89 fd 48 bd 00\nRSP: 0018:ffffc9000d670000 EFLAGS: 00010246\nRAX: 1ffff1100235a4a5 RBX: ffff888011ad2508 RCX: ffff8880003c0000\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff888037f01000\nRBP: dffffc0000000000 R08: ffffffff8fa104f7 R09: 1ffffffff1f4209e\nR10: dffffc0000000000 R11: ffffffff8a99b300 R12: ffffffff8a99b300\nR13: ffff888037f01000 R14: ffff888011ad2500 R15: ffff888037f01578\nFS:  000055557ab6d500(0000) GS:ffff88808d250000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffffc9000d66fff8 CR3: 0000000043172000 CR4: 0000000000352ef0\nCall Trace:\n \u003cTASK\u003e\n clip_push+0x6dc/0x720 net/atm/clip.c:200\n clip_push+0x6dc/0x720 net/atm/clip.c:200\n clip_push+0x6dc/0x720 net/atm/clip.c:200\n...\n clip_push+0x6dc/0x720 net/atm/clip.c:200\n clip_push+0x6dc/0x720 net/atm/clip.c:200\n clip_push+0x6dc/0x720 net/atm/clip.c:200\n vcc_destroy_socket net/atm/common.c:183 [inline]\n vcc_release+0x157/0x460 net/atm/common.c:205\n __sock_release net/socket.c:647 [inline]\n sock_close+0xc0/0x240 net/socket.c:1391\n __fput+0x449/0xa70 fs/file_table.c:465\n task_work_run+0x1d1/0x260 kernel/task_work.c:227\n resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]\n exit_to_user_mode_loop+0xec/0x110 kernel/entry/common.c:114\n exit_to_user_mode_prepare include/linux/entry-common.h:330 [inline]\n syscall_exit_to_user_mode_work include/linux/entry-common.h:414 [inline]\n syscall_exit_to_user_mode include/linux/entry-common.h:449 [inline]\n do_syscall_64+0x2bd/0x3b0 arch/x86/entry/syscall_64.c:100\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7ff31c98e929\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fffb5aa1f78 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4\nRAX: 0000000000000000 RBX: 0000000000012747 RCX: 00007ff31c98e929\nRDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003\nRBP: 00007ff31cbb7ba0 R08: 0000000000000001 R09: 0000000db5aa226f\nR10: 00007ff31c7ff030 R11: 0000000000000246 R12: 00007ff31cbb608c\nR13: 00007ff31cbb6080 R14: ffffffffffffffff R15: 00007fffb5aa2090\n \u003c/TASK\u003e\nModules linked in:"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:22:59.776Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f493f31a63847624fd3199ac836a8bd8828e50e2"
        },
        {
          "url": "https://git.kernel.org/stable/c/125166347d5676466d368aadc0bbc31ee7714352"
        },
        {
          "url": "https://git.kernel.org/stable/c/5641019dfbaee5e85fe093b590f0451c9dd4d6f8"
        },
        {
          "url": "https://git.kernel.org/stable/c/1579a2777cb914a249de22c789ba4d41b154509f"
        },
        {
          "url": "https://git.kernel.org/stable/c/3f61b997fe014bbfcc208a9fcbd363a1fe7e3a31"
        },
        {
          "url": "https://git.kernel.org/stable/c/024876b247a882972095b22087734dcd23396a4e"
        },
        {
          "url": "https://git.kernel.org/stable/c/df0312d8859763aa15b8b56ac151a1ea4a4e5b88"
        },
        {
          "url": "https://git.kernel.org/stable/c/c489f3283dbfc0f3c00c312149cae90d27552c45"
        }
      ],
      "title": "atm: clip: Fix infinite recursive call of clip_push().",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38459",
    "datePublished": "2025-07-25T15:27:37.893Z",
    "dateReserved": "2025-04-16T04:51:24.019Z",
    "dateUpdated": "2025-11-03T17:38:17.937Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21796 (GCVE-0-2025-21796)

Vulnerability from cvelistv5 – Published: 2025-02-27 02:18 – Updated: 2025-11-03 20:59

Title

nfsd: clear acl_access/acl_default after releasing them

Summary

In the Linux kernel, the following vulnerability has been resolved: nfsd: clear acl_access/acl_default after releasing them If getting acl_default fails, acl_access and acl_default will be released simultaneously. However, acl_access will still retain a pointer pointing to the released posix_acl, which will trigger a WARNING in nfs3svc_release_getacl like this: ------------[ cut here ]------------ refcount_t: underflow; use-after-free. WARNING: CPU: 26 PID: 3199 at lib/refcount.c:28 refcount_warn_saturate+0xb5/0x170 Modules linked in: CPU: 26 UID: 0 PID: 3199 Comm: nfsd Not tainted 6.12.0-rc6-00079-g04ae226af01f-dirty #8 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014 RIP: 0010:refcount_warn_saturate+0xb5/0x170 Code: cc cc 0f b6 1d b3 20 a5 03 80 fb 01 0f 87 65 48 d8 00 83 e3 01 75 e4 48 c7 c7 c0 3b 9b 85 c6 05 97 20 a5 03 01 e8 fb 3e 30 ff <0f> 0b eb cd 0f b6 1d 8a3 RSP: 0018:ffffc90008637cd8 EFLAGS: 00010282 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff83904fde RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff88871ed36380 RBP: ffff888158beeb40 R08: 0000000000000001 R09: fffff520010c6f56 R10: ffffc90008637ab7 R11: 0000000000000001 R12: 0000000000000001 R13: ffff888140e77400 R14: ffff888140e77408 R15: ffffffff858b42c0 FS: 0000000000000000(0000) GS:ffff88871ed00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000562384d32158 CR3: 000000055cc6a000 CR4: 00000000000006f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ? refcount_warn_saturate+0xb5/0x170 ? __warn+0xa5/0x140 ? refcount_warn_saturate+0xb5/0x170 ? report_bug+0x1b1/0x1e0 ? handle_bug+0x53/0xa0 ? exc_invalid_op+0x17/0x40 ? asm_exc_invalid_op+0x1a/0x20 ? tick_nohz_tick_stopped+0x1e/0x40 ? refcount_warn_saturate+0xb5/0x170 ? refcount_warn_saturate+0xb5/0x170 nfs3svc_release_getacl+0xc9/0xe0 svc_process_common+0x5db/0xb60 ? __pfx_svc_process_common+0x10/0x10 ? __rcu_read_unlock+0x69/0xa0 ? __pfx_nfsd_dispatch+0x10/0x10 ? svc_xprt_received+0xa1/0x120 ? xdr_init_decode+0x11d/0x190 svc_process+0x2a7/0x330 svc_handle_xprt+0x69d/0x940 svc_recv+0x180/0x2d0 nfsd+0x168/0x200 ? __pfx_nfsd+0x10/0x10 kthread+0x1a2/0x1e0 ? kthread+0xf4/0x1e0 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x34/0x60 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Kernel panic - not syncing: kernel: panic_on_warn set ... Clear acl_access/acl_default after posix_acl_release is called to prevent UAF from being triggered.

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/8a1737ae42c928384…
	https://git.kernel.org/stable/c/6f7cfee1a31689189…
	https://git.kernel.org/stable/c/2e59b2b6878251956…
	https://git.kernel.org/stable/c/55d947315fb5f67a3…
	https://git.kernel.org/stable/c/f8d871523142f7895…
	https://git.kernel.org/stable/c/1fd94884174bd20be…
	https://git.kernel.org/stable/c/7faf14a7b0366f153…

Impacted products

Vendor

Product

Version

Linux

Affected: a257cdd0e2179630d3201c32ba14d7fcb3c3a055 , < 8a1737ae42c928384ab6447f6ee1a882510e85fa (git)
Affected: a257cdd0e2179630d3201c32ba14d7fcb3c3a055 , < 6f7cfee1a316891890c505563aa54f3476db52fd (git)
Affected: a257cdd0e2179630d3201c32ba14d7fcb3c3a055 , < 2e59b2b68782519560b3d6a41dd66a3d01a01cd3 (git)
Affected: a257cdd0e2179630d3201c32ba14d7fcb3c3a055 , < 55d947315fb5f67a35e4e1d3e01bb886b9c6decf (git)
Affected: a257cdd0e2179630d3201c32ba14d7fcb3c3a055 , < f8d871523142f7895f250a856f8c4a4181614510 (git)
Affected: a257cdd0e2179630d3201c32ba14d7fcb3c3a055 , < 1fd94884174bd20beb1773990fd3b1aa877688d9 (git)
Affected: a257cdd0e2179630d3201c32ba14d7fcb3c3a055 , < 7faf14a7b0366f153284db0ad3347c457ea70136 (git)

Linux

Affected: 2.6.13
Unaffected: 0 , < 2.6.13 (semver)
Unaffected: 5.10.235 , ≤ 5.10.* (semver)
Unaffected: 5.15.179 , ≤ 5.15.* (semver)
Unaffected: 6.1.129 , ≤ 6.1.* (semver)
Unaffected: 6.6.79 , ≤ 6.6.* (semver)
Unaffected: 6.12.16 , ≤ 6.12.* (semver)
Unaffected: 6.13.4 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21796",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-27T17:57:11.080279Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-27T18:02:26.612Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:59:40.254Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/nfsd/nfs2acl.c",
            "fs/nfsd/nfs3acl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "8a1737ae42c928384ab6447f6ee1a882510e85fa",
              "status": "affected",
              "version": "a257cdd0e2179630d3201c32ba14d7fcb3c3a055",
              "versionType": "git"
            },
            {
              "lessThan": "6f7cfee1a316891890c505563aa54f3476db52fd",
              "status": "affected",
              "version": "a257cdd0e2179630d3201c32ba14d7fcb3c3a055",
              "versionType": "git"
            },
            {
              "lessThan": "2e59b2b68782519560b3d6a41dd66a3d01a01cd3",
              "status": "affected",
              "version": "a257cdd0e2179630d3201c32ba14d7fcb3c3a055",
              "versionType": "git"
            },
            {
              "lessThan": "55d947315fb5f67a35e4e1d3e01bb886b9c6decf",
              "status": "affected",
              "version": "a257cdd0e2179630d3201c32ba14d7fcb3c3a055",
              "versionType": "git"
            },
            {
              "lessThan": "f8d871523142f7895f250a856f8c4a4181614510",
              "status": "affected",
              "version": "a257cdd0e2179630d3201c32ba14d7fcb3c3a055",
              "versionType": "git"
            },
            {
              "lessThan": "1fd94884174bd20beb1773990fd3b1aa877688d9",
              "status": "affected",
              "version": "a257cdd0e2179630d3201c32ba14d7fcb3c3a055",
              "versionType": "git"
            },
            {
              "lessThan": "7faf14a7b0366f153284db0ad3347c457ea70136",
              "status": "affected",
              "version": "a257cdd0e2179630d3201c32ba14d7fcb3c3a055",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/nfsd/nfs2acl.c",
            "fs/nfsd/nfs3acl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.13"
            },
            {
              "lessThan": "2.6.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.79",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "2.6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "2.6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "2.6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.79",
                  "versionStartIncluding": "2.6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.16",
                  "versionStartIncluding": "2.6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.4",
                  "versionStartIncluding": "2.6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "2.6.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: clear acl_access/acl_default after releasing them\n\nIf getting acl_default fails, acl_access and acl_default will be released\nsimultaneously. However, acl_access will still retain a pointer pointing\nto the released posix_acl, which will trigger a WARNING in\nnfs3svc_release_getacl like this:\n\n------------[ cut here ]------------\nrefcount_t: underflow; use-after-free.\nWARNING: CPU: 26 PID: 3199 at lib/refcount.c:28\nrefcount_warn_saturate+0xb5/0x170\nModules linked in:\nCPU: 26 UID: 0 PID: 3199 Comm: nfsd Not tainted\n6.12.0-rc6-00079-g04ae226af01f-dirty #8\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n1.16.1-2.fc37 04/01/2014\nRIP: 0010:refcount_warn_saturate+0xb5/0x170\nCode: cc cc 0f b6 1d b3 20 a5 03 80 fb 01 0f 87 65 48 d8 00 83 e3 01 75\ne4 48 c7 c7 c0 3b 9b 85 c6 05 97 20 a5 03 01 e8 fb 3e 30 ff \u003c0f\u003e 0b eb\ncd 0f b6 1d 8a3\nRSP: 0018:ffffc90008637cd8 EFLAGS: 00010282\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff83904fde\nRDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff88871ed36380\nRBP: ffff888158beeb40 R08: 0000000000000001 R09: fffff520010c6f56\nR10: ffffc90008637ab7 R11: 0000000000000001 R12: 0000000000000001\nR13: ffff888140e77400 R14: ffff888140e77408 R15: ffffffff858b42c0\nFS:  0000000000000000(0000) GS:ffff88871ed00000(0000)\nknlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000562384d32158 CR3: 000000055cc6a000 CR4: 00000000000006f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n ? refcount_warn_saturate+0xb5/0x170\n ? __warn+0xa5/0x140\n ? refcount_warn_saturate+0xb5/0x170\n ? report_bug+0x1b1/0x1e0\n ? handle_bug+0x53/0xa0\n ? exc_invalid_op+0x17/0x40\n ? asm_exc_invalid_op+0x1a/0x20\n ? tick_nohz_tick_stopped+0x1e/0x40\n ? refcount_warn_saturate+0xb5/0x170\n ? refcount_warn_saturate+0xb5/0x170\n nfs3svc_release_getacl+0xc9/0xe0\n svc_process_common+0x5db/0xb60\n ? __pfx_svc_process_common+0x10/0x10\n ? __rcu_read_unlock+0x69/0xa0\n ? __pfx_nfsd_dispatch+0x10/0x10\n ? svc_xprt_received+0xa1/0x120\n ? xdr_init_decode+0x11d/0x190\n svc_process+0x2a7/0x330\n svc_handle_xprt+0x69d/0x940\n svc_recv+0x180/0x2d0\n nfsd+0x168/0x200\n ? __pfx_nfsd+0x10/0x10\n kthread+0x1a2/0x1e0\n ? kthread+0xf4/0x1e0\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x34/0x60\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30\n \u003c/TASK\u003e\nKernel panic - not syncing: kernel: panic_on_warn set ...\n\nClear acl_access/acl_default after posix_acl_release is called to prevent\nUAF from being triggered."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:21:24.933Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/8a1737ae42c928384ab6447f6ee1a882510e85fa"
        },
        {
          "url": "https://git.kernel.org/stable/c/6f7cfee1a316891890c505563aa54f3476db52fd"
        },
        {
          "url": "https://git.kernel.org/stable/c/2e59b2b68782519560b3d6a41dd66a3d01a01cd3"
        },
        {
          "url": "https://git.kernel.org/stable/c/55d947315fb5f67a35e4e1d3e01bb886b9c6decf"
        },
        {
          "url": "https://git.kernel.org/stable/c/f8d871523142f7895f250a856f8c4a4181614510"
        },
        {
          "url": "https://git.kernel.org/stable/c/1fd94884174bd20beb1773990fd3b1aa877688d9"
        },
        {
          "url": "https://git.kernel.org/stable/c/7faf14a7b0366f153284db0ad3347c457ea70136"
        }
      ],
      "title": "nfsd: clear acl_access/acl_default after releasing them",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21796",
    "datePublished": "2025-02-27T02:18:32.191Z",
    "dateReserved": "2024-12-29T08:45:45.768Z",
    "dateUpdated": "2025-11-03T20:59:40.254Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38346 (GCVE-0-2025-38346)

Vulnerability from cvelistv5 – Published: 2025-07-10 08:15 – Updated: 2025-11-03 17:36

Title

ftrace: Fix UAF when lookup kallsym after ftrace disabled

Summary

In the Linux kernel, the following vulnerability has been resolved: ftrace: Fix UAF when lookup kallsym after ftrace disabled The following issue happens with a buggy module: BUG: unable to handle page fault for address: ffffffffc05d0218 PGD 1bd66f067 P4D 1bd66f067 PUD 1bd671067 PMD 101808067 PTE 0 Oops: Oops: 0000 [#1] SMP KASAN PTI Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS RIP: 0010:sized_strscpy+0x81/0x2f0 RSP: 0018:ffff88812d76fa08 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffffffffc0601010 RCX: dffffc0000000000 RDX: 0000000000000038 RSI: dffffc0000000000 RDI: ffff88812608da2d RBP: 8080808080808080 R08: ffff88812608da2d R09: ffff88812608da68 R10: ffff88812608d82d R11: ffff88812608d810 R12: 0000000000000038 R13: ffff88812608da2d R14: ffffffffc05d0218 R15: fefefefefefefeff FS: 00007fef552de740(0000) GS:ffff8884251c7000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffffffc05d0218 CR3: 00000001146f0000 CR4: 00000000000006f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ftrace_mod_get_kallsym+0x1ac/0x590 update_iter_mod+0x239/0x5b0 s_next+0x5b/0xa0 seq_read_iter+0x8c9/0x1070 seq_read+0x249/0x3b0 proc_reg_read+0x1b0/0x280 vfs_read+0x17f/0x920 ksys_read+0xf3/0x1c0 do_syscall_64+0x5f/0x2e0 entry_SYSCALL_64_after_hwframe+0x76/0x7e The above issue may happen as follows: (1) Add kprobe tracepoint; (2) insmod test.ko; (3) Module triggers ftrace disabled; (4) rmmod test.ko; (5) cat /proc/kallsyms; --> Will trigger UAF as test.ko already removed; ftrace_mod_get_kallsym() ... strscpy(module_name, mod_map->mod->name, MODULE_NAME_LEN); ... The problem is when a module triggers an issue with ftrace and sets ftrace_disable. The ftrace_disable is set when an anomaly is discovered and to prevent any more damage, ftrace stops all text modification. The issue that happened was that the ftrace_disable stops more than just the text modification. When a module is loaded, its init functions can also be traced. Because kallsyms deletes the init functions after a module has loaded, ftrace saves them when the module is loaded and function tracing is enabled. This allows the output of the function trace to show the init function names instead of just their raw memory addresses. When a module is removed, ftrace_release_mod() is called, and if ftrace_disable is set, it just returns without doing anything more. The problem here is that it leaves the mod_list still around and if kallsyms is called, it will call into this code and access the module memory that has already been freed as it will return: strscpy(module_name, mod_map->mod->name, MODULE_NAME_LEN); Where the "mod" no longer exists and triggers a UAF bug.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/d064c68781c19f378…
	https://git.kernel.org/stable/c/8690cd3258455bbae…
	https://git.kernel.org/stable/c/6805582abb720681d…
	https://git.kernel.org/stable/c/03a162933c4a03b9f…
	https://git.kernel.org/stable/c/83a692a9792aa8624…
	https://git.kernel.org/stable/c/8e89c17dc8970c5f7…
	https://git.kernel.org/stable/c/f78a786ad9a5443a2…
	https://git.kernel.org/stable/c/f914b52c379c12288…

Impacted products

Vendor

Product

Version

Linux

Affected: aba4b5c22cbac296f4081a0476d0c55828f135b4 , < d064c68781c19f378af1ae741d9132d35d24b2bb (git)
Affected: aba4b5c22cbac296f4081a0476d0c55828f135b4 , < 8690cd3258455bbae64f809e1d3ee0f043661c71 (git)
Affected: aba4b5c22cbac296f4081a0476d0c55828f135b4 , < 6805582abb720681dd1c87ff677f155dcf4e86c9 (git)
Affected: aba4b5c22cbac296f4081a0476d0c55828f135b4 , < 03a162933c4a03b9f1a84f7d8482903c7e1e11bb (git)
Affected: aba4b5c22cbac296f4081a0476d0c55828f135b4 , < 83a692a9792aa86249d68a8ac0b9d55ecdd255fa (git)
Affected: aba4b5c22cbac296f4081a0476d0c55828f135b4 , < 8e89c17dc8970c5f71a3a991f5724d4c8de42d8c (git)
Affected: aba4b5c22cbac296f4081a0476d0c55828f135b4 , < f78a786ad9a5443a29eef4dae60cde85b7375129 (git)
Affected: aba4b5c22cbac296f4081a0476d0c55828f135b4 , < f914b52c379c12288b7623bb814d0508dbe7481d (git)

Linux

Affected: 4.15
Unaffected: 0 , < 4.15 (semver)
Unaffected: 5.4.295 , ≤ 5.4.* (semver)
Unaffected: 5.10.239 , ≤ 5.10.* (semver)
Unaffected: 5.15.186 , ≤ 5.15.* (semver)
Unaffected: 6.1.142 , ≤ 6.1.* (semver)
Unaffected: 6.6.95 , ≤ 6.6.* (semver)
Unaffected: 6.12.35 , ≤ 6.12.* (semver)
Unaffected: 6.15.4 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:36:55.187Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/trace/ftrace.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d064c68781c19f378af1ae741d9132d35d24b2bb",
              "status": "affected",
              "version": "aba4b5c22cbac296f4081a0476d0c55828f135b4",
              "versionType": "git"
            },
            {
              "lessThan": "8690cd3258455bbae64f809e1d3ee0f043661c71",
              "status": "affected",
              "version": "aba4b5c22cbac296f4081a0476d0c55828f135b4",
              "versionType": "git"
            },
            {
              "lessThan": "6805582abb720681dd1c87ff677f155dcf4e86c9",
              "status": "affected",
              "version": "aba4b5c22cbac296f4081a0476d0c55828f135b4",
              "versionType": "git"
            },
            {
              "lessThan": "03a162933c4a03b9f1a84f7d8482903c7e1e11bb",
              "status": "affected",
              "version": "aba4b5c22cbac296f4081a0476d0c55828f135b4",
              "versionType": "git"
            },
            {
              "lessThan": "83a692a9792aa86249d68a8ac0b9d55ecdd255fa",
              "status": "affected",
              "version": "aba4b5c22cbac296f4081a0476d0c55828f135b4",
              "versionType": "git"
            },
            {
              "lessThan": "8e89c17dc8970c5f71a3a991f5724d4c8de42d8c",
              "status": "affected",
              "version": "aba4b5c22cbac296f4081a0476d0c55828f135b4",
              "versionType": "git"
            },
            {
              "lessThan": "f78a786ad9a5443a29eef4dae60cde85b7375129",
              "status": "affected",
              "version": "aba4b5c22cbac296f4081a0476d0c55828f135b4",
              "versionType": "git"
            },
            {
              "lessThan": "f914b52c379c12288b7623bb814d0508dbe7481d",
              "status": "affected",
              "version": "aba4b5c22cbac296f4081a0476d0c55828f135b4",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/trace/ftrace.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.15"
            },
            {
              "lessThan": "4.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.295",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.95",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.35",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.295",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.95",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.35",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.4",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nftrace: Fix UAF when lookup kallsym after ftrace disabled\n\nThe following issue happens with a buggy module:\n\nBUG: unable to handle page fault for address: ffffffffc05d0218\nPGD 1bd66f067 P4D 1bd66f067 PUD 1bd671067 PMD 101808067 PTE 0\nOops: Oops: 0000 [#1] SMP KASAN PTI\nTainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\nRIP: 0010:sized_strscpy+0x81/0x2f0\nRSP: 0018:ffff88812d76fa08 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffffffffc0601010 RCX: dffffc0000000000\nRDX: 0000000000000038 RSI: dffffc0000000000 RDI: ffff88812608da2d\nRBP: 8080808080808080 R08: ffff88812608da2d R09: ffff88812608da68\nR10: ffff88812608d82d R11: ffff88812608d810 R12: 0000000000000038\nR13: ffff88812608da2d R14: ffffffffc05d0218 R15: fefefefefefefeff\nFS:  00007fef552de740(0000) GS:ffff8884251c7000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffffffffc05d0218 CR3: 00000001146f0000 CR4: 00000000000006f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n ftrace_mod_get_kallsym+0x1ac/0x590\n update_iter_mod+0x239/0x5b0\n s_next+0x5b/0xa0\n seq_read_iter+0x8c9/0x1070\n seq_read+0x249/0x3b0\n proc_reg_read+0x1b0/0x280\n vfs_read+0x17f/0x920\n ksys_read+0xf3/0x1c0\n do_syscall_64+0x5f/0x2e0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nThe above issue may happen as follows:\n(1) Add kprobe tracepoint;\n(2) insmod test.ko;\n(3)  Module triggers ftrace disabled;\n(4) rmmod test.ko;\n(5) cat /proc/kallsyms; --\u003e Will trigger UAF as test.ko already removed;\nftrace_mod_get_kallsym()\n...\nstrscpy(module_name, mod_map-\u003emod-\u003ename, MODULE_NAME_LEN);\n...\n\nThe problem is when a module triggers an issue with ftrace and\nsets ftrace_disable. The ftrace_disable is set when an anomaly is\ndiscovered and to prevent any more damage, ftrace stops all text\nmodification. The issue that happened was that the ftrace_disable stops\nmore than just the text modification.\n\nWhen a module is loaded, its init functions can also be traced. Because\nkallsyms deletes the init functions after a module has loaded, ftrace\nsaves them when the module is loaded and function tracing is enabled. This\nallows the output of the function trace to show the init function names\ninstead of just their raw memory addresses.\n\nWhen a module is removed, ftrace_release_mod() is called, and if\nftrace_disable is set, it just returns without doing anything more. The\nproblem here is that it leaves the mod_list still around and if kallsyms\nis called, it will call into this code and access the module memory that\nhas already been freed as it will return:\n\n  strscpy(module_name, mod_map-\u003emod-\u003ename, MODULE_NAME_LEN);\n\nWhere the \"mod\" no longer exists and triggers a UAF bug."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:19:31.988Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d064c68781c19f378af1ae741d9132d35d24b2bb"
        },
        {
          "url": "https://git.kernel.org/stable/c/8690cd3258455bbae64f809e1d3ee0f043661c71"
        },
        {
          "url": "https://git.kernel.org/stable/c/6805582abb720681dd1c87ff677f155dcf4e86c9"
        },
        {
          "url": "https://git.kernel.org/stable/c/03a162933c4a03b9f1a84f7d8482903c7e1e11bb"
        },
        {
          "url": "https://git.kernel.org/stable/c/83a692a9792aa86249d68a8ac0b9d55ecdd255fa"
        },
        {
          "url": "https://git.kernel.org/stable/c/8e89c17dc8970c5f71a3a991f5724d4c8de42d8c"
        },
        {
          "url": "https://git.kernel.org/stable/c/f78a786ad9a5443a29eef4dae60cde85b7375129"
        },
        {
          "url": "https://git.kernel.org/stable/c/f914b52c379c12288b7623bb814d0508dbe7481d"
        }
      ],
      "title": "ftrace: Fix UAF when lookup kallsym after ftrace disabled",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38346",
    "datePublished": "2025-07-10T08:15:14.290Z",
    "dateReserved": "2025-04-16T04:51:24.006Z",
    "dateUpdated": "2025-11-03T17:36:55.187Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21936 (GCVE-0-2025-21936)

Vulnerability from cvelistv5 – Published: 2025-04-01 15:41 – Updated: 2025-11-03 19:39

Title

Bluetooth: Add check for mgmt_alloc_skb() in mgmt_device_connected()

Summary

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Add check for mgmt_alloc_skb() in mgmt_device_connected() Add check for the return value of mgmt_alloc_skb() in mgmt_device_connected() to prevent null pointer dereference.

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-476 - NULL Pointer Dereference

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/dc516e66fb28c61b2…
	https://git.kernel.org/stable/c/bdb1805c248e9694d…
	https://git.kernel.org/stable/c/7841180342c9a0fd9…
	https://git.kernel.org/stable/c/7d39387886ffe2203…
	https://git.kernel.org/stable/c/d8df010f72b8a32aa…

Impacted products

Vendor

Product

Version

Linux

Affected: e96741437ef0a5d18144e790ac894397efda0924 , < dc516e66fb28c61b248b393e2ddd63bd7f104969 (git)
Affected: e96741437ef0a5d18144e790ac894397efda0924 , < bdb1805c248e9694dbb3ffa8867cef2e52cf7261 (git)
Affected: e96741437ef0a5d18144e790ac894397efda0924 , < 7841180342c9a0fd97d54f3e62c7369309b5cd84 (git)
Affected: e96741437ef0a5d18144e790ac894397efda0924 , < 7d39387886ffe220323cbed5c155233c3276926b (git)
Affected: e96741437ef0a5d18144e790ac894397efda0924 , < d8df010f72b8a32aaea393e36121738bb53ed905 (git)

Linux

Affected: 5.17
Unaffected: 0 , < 5.17 (semver)
Unaffected: 6.1.131 , ≤ 6.1.* (semver)
Unaffected: 6.6.83 , ≤ 6.6.* (semver)
Unaffected: 6.12.19 , ≤ 6.12.* (semver)
Unaffected: 6.13.7 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21936",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:22:13.050547Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-476",
                "description": "CWE-476 NULL Pointer Dereference",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T19:26:32.951Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:39:34.824Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/mgmt.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "dc516e66fb28c61b248b393e2ddd63bd7f104969",
              "status": "affected",
              "version": "e96741437ef0a5d18144e790ac894397efda0924",
              "versionType": "git"
            },
            {
              "lessThan": "bdb1805c248e9694dbb3ffa8867cef2e52cf7261",
              "status": "affected",
              "version": "e96741437ef0a5d18144e790ac894397efda0924",
              "versionType": "git"
            },
            {
              "lessThan": "7841180342c9a0fd97d54f3e62c7369309b5cd84",
              "status": "affected",
              "version": "e96741437ef0a5d18144e790ac894397efda0924",
              "versionType": "git"
            },
            {
              "lessThan": "7d39387886ffe220323cbed5c155233c3276926b",
              "status": "affected",
              "version": "e96741437ef0a5d18144e790ac894397efda0924",
              "versionType": "git"
            },
            {
              "lessThan": "d8df010f72b8a32aaea393e36121738bb53ed905",
              "status": "affected",
              "version": "e96741437ef0a5d18144e790ac894397efda0924",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/mgmt.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.17"
            },
            {
              "lessThan": "5.17",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.131",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.83",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.19",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.131",
                  "versionStartIncluding": "5.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.83",
                  "versionStartIncluding": "5.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.19",
                  "versionStartIncluding": "5.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.7",
                  "versionStartIncluding": "5.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.17",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Add check for mgmt_alloc_skb() in mgmt_device_connected()\n\nAdd check for the return value of mgmt_alloc_skb() in\nmgmt_device_connected() to prevent null pointer dereference."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:25:01.798Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/dc516e66fb28c61b248b393e2ddd63bd7f104969"
        },
        {
          "url": "https://git.kernel.org/stable/c/bdb1805c248e9694dbb3ffa8867cef2e52cf7261"
        },
        {
          "url": "https://git.kernel.org/stable/c/7841180342c9a0fd97d54f3e62c7369309b5cd84"
        },
        {
          "url": "https://git.kernel.org/stable/c/7d39387886ffe220323cbed5c155233c3276926b"
        },
        {
          "url": "https://git.kernel.org/stable/c/d8df010f72b8a32aaea393e36121738bb53ed905"
        }
      ],
      "title": "Bluetooth: Add check for mgmt_alloc_skb() in mgmt_device_connected()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21936",
    "datePublished": "2025-04-01T15:41:03.845Z",
    "dateReserved": "2024-12-29T08:45:45.789Z",
    "dateUpdated": "2025-11-03T19:39:34.824Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21980 (GCVE-0-2025-21980)

Vulnerability from cvelistv5 – Published: 2025-04-01 15:47 – Updated: 2025-11-03 19:40

Title

sched: address a potential NULL pointer dereference in the GRED scheduler.

Summary

In the Linux kernel, the following vulnerability has been resolved: sched: address a potential NULL pointer dereference in the GRED scheduler. If kzalloc in gred_init returns a NULL pointer, the code follows the error handling path, invoking gred_destroy. This, in turn, calls gred_offload, where memset could receive a NULL pointer as input, potentially leading to a kernel crash. When table->opt is NULL in gred_init(), gred_change_table_def() is not called yet, so it is not necessary to call ->ndo_setup_tc() in gred_offload().

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-476 - NULL Pointer Dereference

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/d02c9acd68950a444…
	https://git.kernel.org/stable/c/0f0a152957d64ce45…
	https://git.kernel.org/stable/c/68896dd50180b38ea…
	https://git.kernel.org/stable/c/5f996b4f80c2cef1f…
	https://git.kernel.org/stable/c/115ef44a98220fddf…

Impacted products

Vendor

Product

Version

Linux

Affected: f25c0515c521375154c62c72447869f40218c861 , < d02c9acd68950a444acda18d514e2b41f846cb7f (git)
Affected: f25c0515c521375154c62c72447869f40218c861 , < 0f0a152957d64ce45b4c27c687e7d087e8f45079 (git)
Affected: f25c0515c521375154c62c72447869f40218c861 , < 68896dd50180b38ea552e49a6a00b685321e5769 (git)
Affected: f25c0515c521375154c62c72447869f40218c861 , < 5f996b4f80c2cef1f9c77275055e7fcba44c9199 (git)
Affected: f25c0515c521375154c62c72447869f40218c861 , < 115ef44a98220fddfab37a39a19370497cd718b9 (git)

Linux

Affected: 5.16
Unaffected: 0 , < 5.16 (semver)
Unaffected: 6.1.132 , ≤ 6.1.* (semver)
Unaffected: 6.6.84 , ≤ 6.6.* (semver)
Unaffected: 6.12.20 , ≤ 6.12.* (semver)
Unaffected: 6.13.8 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21980",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T17:15:04.741694Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-476",
                "description": "CWE-476 NULL Pointer Dereference",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T17:15:08.011Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:40:21.123Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_gred.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d02c9acd68950a444acda18d514e2b41f846cb7f",
              "status": "affected",
              "version": "f25c0515c521375154c62c72447869f40218c861",
              "versionType": "git"
            },
            {
              "lessThan": "0f0a152957d64ce45b4c27c687e7d087e8f45079",
              "status": "affected",
              "version": "f25c0515c521375154c62c72447869f40218c861",
              "versionType": "git"
            },
            {
              "lessThan": "68896dd50180b38ea552e49a6a00b685321e5769",
              "status": "affected",
              "version": "f25c0515c521375154c62c72447869f40218c861",
              "versionType": "git"
            },
            {
              "lessThan": "5f996b4f80c2cef1f9c77275055e7fcba44c9199",
              "status": "affected",
              "version": "f25c0515c521375154c62c72447869f40218c861",
              "versionType": "git"
            },
            {
              "lessThan": "115ef44a98220fddfab37a39a19370497cd718b9",
              "status": "affected",
              "version": "f25c0515c521375154c62c72447869f40218c861",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_gred.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.16"
            },
            {
              "lessThan": "5.16",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.132",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.84",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.20",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.132",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.84",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.20",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.8",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched: address a potential NULL pointer dereference in the GRED scheduler.\n\nIf kzalloc in gred_init returns a NULL pointer, the code follows the\nerror handling path, invoking gred_destroy. This, in turn, calls\ngred_offload, where memset could receive a NULL pointer as input,\npotentially leading to a kernel crash.\n\nWhen table-\u003eopt is NULL in gred_init(), gred_change_table_def()\nis not called yet, so it is not necessary to call -\u003endo_setup_tc()\nin gred_offload()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:26:30.555Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d02c9acd68950a444acda18d514e2b41f846cb7f"
        },
        {
          "url": "https://git.kernel.org/stable/c/0f0a152957d64ce45b4c27c687e7d087e8f45079"
        },
        {
          "url": "https://git.kernel.org/stable/c/68896dd50180b38ea552e49a6a00b685321e5769"
        },
        {
          "url": "https://git.kernel.org/stable/c/5f996b4f80c2cef1f9c77275055e7fcba44c9199"
        },
        {
          "url": "https://git.kernel.org/stable/c/115ef44a98220fddfab37a39a19370497cd718b9"
        }
      ],
      "title": "sched: address a potential NULL pointer dereference in the GRED scheduler.",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21980",
    "datePublished": "2025-04-01T15:47:09.232Z",
    "dateReserved": "2024-12-29T08:45:45.799Z",
    "dateUpdated": "2025-11-03T19:40:21.123Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21883 (GCVE-0-2025-21883)

Vulnerability from cvelistv5 – Published: 2025-03-27 14:57 – Updated: 2025-05-04 07:23

Title

ice: Fix deinitializing VF in error path

Summary

In the Linux kernel, the following vulnerability has been resolved: ice: Fix deinitializing VF in error path If ice_ena_vfs() fails after calling ice_create_vf_entries(), it frees all VFs without removing them from snapshot PF-VF mailbox list, leading to list corruption. Reproducer: devlink dev eswitch set $PF1_PCI mode switchdev ip l s $PF1 up ip l s $PF1 promisc on sleep 1 echo 1 > /sys/class/net/$PF1/device/sriov_numvfs sleep 1 echo 1 > /sys/class/net/$PF1/device/sriov_numvfs Trace (minimized): list_add corruption. next->prev should be prev (ffff8882e241c6f0), but was 0000000000000000. (next=ffff888455da1330). kernel BUG at lib/list_debug.c:29! RIP: 0010:__list_add_valid_or_report+0xa6/0x100 ice_mbx_init_vf_info+0xa7/0x180 [ice] ice_initialize_vf_entry+0x1fa/0x250 [ice] ice_sriov_configure+0x8d7/0x1520 [ice] ? __percpu_ref_switch_mode+0x1b1/0x5d0 ? __pfx_ice_sriov_configure+0x10/0x10 [ice] Sometimes a KASAN report can be seen instead with a similar stack trace: BUG: KASAN: use-after-free in __list_add_valid_or_report+0xf1/0x100 VFs are added to this list in ice_mbx_init_vf_info(), but only removed in ice_free_vfs(). Move the removing to ice_free_vf_entries(), which is also being called in other places where VFs are being removed (including ice_free_vfs() itself).

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/3c01102bec9592928…
	https://git.kernel.org/stable/c/a4880583f88deba63…
	https://git.kernel.org/stable/c/34393fd78d7183a00…
	https://git.kernel.org/stable/c/79990cf5e7aded76d…

Impacted products

Vendor

Product

Version

Linux

Affected: 8cd8a6b17d275a45e3722d0215f6115b687c8c3e , < 3c01102bec9592928e6b155da41cfcd5d25a2066 (git)
Affected: 8cd8a6b17d275a45e3722d0215f6115b687c8c3e , < a4880583f88deba63504ce1c8287a70d39c01378 (git)
Affected: 8cd8a6b17d275a45e3722d0215f6115b687c8c3e , < 34393fd78d7183a007eaf0090966ebedcc29bd57 (git)
Affected: 8cd8a6b17d275a45e3722d0215f6115b687c8c3e , < 79990cf5e7aded76d0c092c9f5ed31eb1c75e02c (git)

Linux

Affected: 6.4
Unaffected: 0 , < 6.4 (semver)
Unaffected: 6.6.81 , ≤ 6.6.* (semver)
Unaffected: 6.12.18 , ≤ 6.12.* (semver)
Unaffected: 6.13.6 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/intel/ice/ice_sriov.c",
            "drivers/net/ethernet/intel/ice/ice_vf_lib.c",
            "drivers/net/ethernet/intel/ice/ice_vf_lib_private.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3c01102bec9592928e6b155da41cfcd5d25a2066",
              "status": "affected",
              "version": "8cd8a6b17d275a45e3722d0215f6115b687c8c3e",
              "versionType": "git"
            },
            {
              "lessThan": "a4880583f88deba63504ce1c8287a70d39c01378",
              "status": "affected",
              "version": "8cd8a6b17d275a45e3722d0215f6115b687c8c3e",
              "versionType": "git"
            },
            {
              "lessThan": "34393fd78d7183a007eaf0090966ebedcc29bd57",
              "status": "affected",
              "version": "8cd8a6b17d275a45e3722d0215f6115b687c8c3e",
              "versionType": "git"
            },
            {
              "lessThan": "79990cf5e7aded76d0c092c9f5ed31eb1c75e02c",
              "status": "affected",
              "version": "8cd8a6b17d275a45e3722d0215f6115b687c8c3e",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/intel/ice/ice_sriov.c",
            "drivers/net/ethernet/intel/ice/ice_vf_lib.c",
            "drivers/net/ethernet/intel/ice/ice_vf_lib_private.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.4"
            },
            {
              "lessThan": "6.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.81",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.18",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.81",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.18",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.6",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Fix deinitializing VF in error path\n\nIf ice_ena_vfs() fails after calling ice_create_vf_entries(), it frees\nall VFs without removing them from snapshot PF-VF mailbox list, leading\nto list corruption.\n\nReproducer:\n  devlink dev eswitch set $PF1_PCI mode switchdev\n  ip l s $PF1 up\n  ip l s $PF1 promisc on\n  sleep 1\n  echo 1 \u003e /sys/class/net/$PF1/device/sriov_numvfs\n  sleep 1\n  echo 1 \u003e /sys/class/net/$PF1/device/sriov_numvfs\n\nTrace (minimized):\n  list_add corruption. next-\u003eprev should be prev (ffff8882e241c6f0), but was 0000000000000000. (next=ffff888455da1330).\n  kernel BUG at lib/list_debug.c:29!\n  RIP: 0010:__list_add_valid_or_report+0xa6/0x100\n   ice_mbx_init_vf_info+0xa7/0x180 [ice]\n   ice_initialize_vf_entry+0x1fa/0x250 [ice]\n   ice_sriov_configure+0x8d7/0x1520 [ice]\n   ? __percpu_ref_switch_mode+0x1b1/0x5d0\n   ? __pfx_ice_sriov_configure+0x10/0x10 [ice]\n\nSometimes a KASAN report can be seen instead with a similar stack trace:\n  BUG: KASAN: use-after-free in __list_add_valid_or_report+0xf1/0x100\n\nVFs are added to this list in ice_mbx_init_vf_info(), but only removed\nin ice_free_vfs(). Move the removing to ice_free_vf_entries(), which is\nalso being called in other places where VFs are being removed (including\nice_free_vfs() itself)."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:23:16.768Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3c01102bec9592928e6b155da41cfcd5d25a2066"
        },
        {
          "url": "https://git.kernel.org/stable/c/a4880583f88deba63504ce1c8287a70d39c01378"
        },
        {
          "url": "https://git.kernel.org/stable/c/34393fd78d7183a007eaf0090966ebedcc29bd57"
        },
        {
          "url": "https://git.kernel.org/stable/c/79990cf5e7aded76d0c092c9f5ed31eb1c75e02c"
        }
      ],
      "title": "ice: Fix deinitializing VF in error path",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21883",
    "datePublished": "2025-03-27T14:57:11.766Z",
    "dateReserved": "2024-12-29T08:45:45.782Z",
    "dateUpdated": "2025-05-04T07:23:16.768Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38540 (GCVE-0-2025-38540)

Vulnerability from cvelistv5 – Published: 2025-08-16 11:22 – Updated: 2026-01-02 15:30

Title

HID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras

Summary

In the Linux kernel, the following vulnerability has been resolved: HID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras The Chicony Electronics HP 5MP Cameras (USB ID 04F2:B824 & 04F2:B82C) report a HID sensor interface that is not actually implemented. Attempting to access this non-functional sensor via iio_info causes system hangs as runtime PM tries to wake up an unresponsive sensor. Add these 2 devices to the HID ignore list since the sensor interface is non-functional by design and should not be exposed to userspace.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/35f1a5360ac68d962…
	https://git.kernel.org/stable/c/7ac00f019698f614a…
	https://git.kernel.org/stable/c/1b297ab6f38ca60a4…
	https://git.kernel.org/stable/c/2b0931eee48208c25…
	https://git.kernel.org/stable/c/3ce1d87d1f5d80322…
	https://git.kernel.org/stable/c/c72536350e82b53a1…
	https://git.kernel.org/stable/c/a2a91abd19c574b59…
	https://git.kernel.org/stable/c/54bae4c17c1168833…

Impacted products

Vendor

Product

Version

Linux

Affected: 83499b52c61f50292f0aae36499de8a8fc3e37c3 , < 35f1a5360ac68d9629abbb3930a0a07901cba296 (git)
Affected: 83499b52c61f50292f0aae36499de8a8fc3e37c3 , < 7ac00f019698f614a49cce34c198d0568ab0e1c2 (git)
Affected: 83499b52c61f50292f0aae36499de8a8fc3e37c3 , < 1b297ab6f38ca60a4ca7298b297944ec6043b2f4 (git)
Affected: 83499b52c61f50292f0aae36499de8a8fc3e37c3 , < 2b0931eee48208c25bb77486946dea8e96aa6a36 (git)
Affected: 83499b52c61f50292f0aae36499de8a8fc3e37c3 , < 3ce1d87d1f5d80322757aa917182deb7370963b9 (git)
Affected: 83499b52c61f50292f0aae36499de8a8fc3e37c3 , < c72536350e82b53a1be0f3bfdf1511bba2827102 (git)
Affected: 83499b52c61f50292f0aae36499de8a8fc3e37c3 , < a2a91abd19c574b598b1c69ad76ad9c7eedaf062 (git)
Affected: 83499b52c61f50292f0aae36499de8a8fc3e37c3 , < 54bae4c17c11688339eb73a04fd24203bb6e7494 (git)

Linux

Affected: 3.8
Unaffected: 0 , < 3.8 (semver)
Unaffected: 5.4.296 , ≤ 5.4.* (semver)
Unaffected: 5.10.240 , ≤ 5.10.* (semver)
Unaffected: 5.15.189 , ≤ 5.15.* (semver)
Unaffected: 6.1.146 , ≤ 6.1.* (semver)
Unaffected: 6.6.99 , ≤ 6.6.* (semver)
Unaffected: 6.12.39 , ≤ 6.12.* (semver)
Unaffected: 6.15.7 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:39:36.320Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/hid/hid-ids.h",
            "drivers/hid/hid-quirks.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "35f1a5360ac68d9629abbb3930a0a07901cba296",
              "status": "affected",
              "version": "83499b52c61f50292f0aae36499de8a8fc3e37c3",
              "versionType": "git"
            },
            {
              "lessThan": "7ac00f019698f614a49cce34c198d0568ab0e1c2",
              "status": "affected",
              "version": "83499b52c61f50292f0aae36499de8a8fc3e37c3",
              "versionType": "git"
            },
            {
              "lessThan": "1b297ab6f38ca60a4ca7298b297944ec6043b2f4",
              "status": "affected",
              "version": "83499b52c61f50292f0aae36499de8a8fc3e37c3",
              "versionType": "git"
            },
            {
              "lessThan": "2b0931eee48208c25bb77486946dea8e96aa6a36",
              "status": "affected",
              "version": "83499b52c61f50292f0aae36499de8a8fc3e37c3",
              "versionType": "git"
            },
            {
              "lessThan": "3ce1d87d1f5d80322757aa917182deb7370963b9",
              "status": "affected",
              "version": "83499b52c61f50292f0aae36499de8a8fc3e37c3",
              "versionType": "git"
            },
            {
              "lessThan": "c72536350e82b53a1be0f3bfdf1511bba2827102",
              "status": "affected",
              "version": "83499b52c61f50292f0aae36499de8a8fc3e37c3",
              "versionType": "git"
            },
            {
              "lessThan": "a2a91abd19c574b598b1c69ad76ad9c7eedaf062",
              "status": "affected",
              "version": "83499b52c61f50292f0aae36499de8a8fc3e37c3",
              "versionType": "git"
            },
            {
              "lessThan": "54bae4c17c11688339eb73a04fd24203bb6e7494",
              "status": "affected",
              "version": "83499b52c61f50292f0aae36499de8a8fc3e37c3",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/hid/hid-ids.h",
            "drivers/hid/hid-quirks.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.8"
            },
            {
              "lessThan": "3.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.296",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.240",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.189",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.146",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.99",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.39",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.296",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.240",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.189",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.146",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.99",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.39",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.7",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras\n\nThe Chicony Electronics HP 5MP Cameras (USB ID 04F2:B824 \u0026 04F2:B82C)\nreport a HID sensor interface that is not actually implemented.\nAttempting to access this non-functional sensor via iio_info causes\nsystem hangs as runtime PM tries to wake up an unresponsive sensor.\n\nAdd these 2 devices to the HID ignore list since the sensor interface is\nnon-functional by design and should not be exposed to userspace."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:30:49.767Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/35f1a5360ac68d9629abbb3930a0a07901cba296"
        },
        {
          "url": "https://git.kernel.org/stable/c/7ac00f019698f614a49cce34c198d0568ab0e1c2"
        },
        {
          "url": "https://git.kernel.org/stable/c/1b297ab6f38ca60a4ca7298b297944ec6043b2f4"
        },
        {
          "url": "https://git.kernel.org/stable/c/2b0931eee48208c25bb77486946dea8e96aa6a36"
        },
        {
          "url": "https://git.kernel.org/stable/c/3ce1d87d1f5d80322757aa917182deb7370963b9"
        },
        {
          "url": "https://git.kernel.org/stable/c/c72536350e82b53a1be0f3bfdf1511bba2827102"
        },
        {
          "url": "https://git.kernel.org/stable/c/a2a91abd19c574b598b1c69ad76ad9c7eedaf062"
        },
        {
          "url": "https://git.kernel.org/stable/c/54bae4c17c11688339eb73a04fd24203bb6e7494"
        }
      ],
      "title": "HID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38540",
    "datePublished": "2025-08-16T11:22:14.773Z",
    "dateReserved": "2025-04-16T04:51:24.024Z",
    "dateUpdated": "2026-01-02T15:30:49.767Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38131 (GCVE-0-2025-38131)

Vulnerability from cvelistv5 – Published: 2025-07-03 08:35 – Updated: 2025-11-03 17:34

Title

coresight: prevent deactivate active config while enabling the config

Summary

In the Linux kernel, the following vulnerability has been resolved: coresight: prevent deactivate active config while enabling the config While enable active config via cscfg_csdev_enable_active_config(), active config could be deactivated via configfs' sysfs interface. This could make UAF issue in below scenario: CPU0 CPU1 (sysfs enable) load module cscfg_load_config_sets() activate config. // sysfs (sys_active_cnt == 1) ... cscfg_csdev_enable_active_config() lock(csdev->cscfg_csdev_lock) // here load config activate by CPU1 unlock(csdev->cscfg_csdev_lock) deactivate config // sysfs (sys_activec_cnt == 0) cscfg_unload_config_sets() unload module // access to config_desc which freed // while unloading module. cscfg_csdev_enable_config To address this, use cscfg_config_desc's active_cnt as a reference count which will be holded when - activate the config. - enable the activated config. and put the module reference when config_active_cnt == 0.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/dfe8224c9c7a43d35…
	https://git.kernel.org/stable/c/b3b4efa2e623aecae…
	https://git.kernel.org/stable/c/31028812724cef7bd…
	https://git.kernel.org/stable/c/ed42ee1ed05ff2f4c…
	https://git.kernel.org/stable/c/408c97c4a5e0b634d…

Impacted products

Vendor

Product

Version

Linux

Affected: f8cce2ff3c04361b8843d8489620fda8880f668b , < dfe8224c9c7a43d356eb9f74b06868aa05f90223 (git)
Affected: f8cce2ff3c04361b8843d8489620fda8880f668b , < b3b4efa2e623aecaebd7c9b9e4171f5c659e9724 (git)
Affected: f8cce2ff3c04361b8843d8489620fda8880f668b , < 31028812724cef7bd57a51525ce58a32a6d73b22 (git)
Affected: f8cce2ff3c04361b8843d8489620fda8880f668b , < ed42ee1ed05ff2f4c36938379057413a40c56680 (git)
Affected: f8cce2ff3c04361b8843d8489620fda8880f668b , < 408c97c4a5e0b634dcd15bf8b8808b382e888164 (git)

Linux

Affected: 5.15
Unaffected: 0 , < 5.15 (semver)
Unaffected: 6.1.142 , ≤ 6.1.* (semver)
Unaffected: 6.6.94 , ≤ 6.6.* (semver)
Unaffected: 6.12.34 , ≤ 6.12.* (semver)
Unaffected: 6.15.3 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:34:25.127Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/hwtracing/coresight/coresight-config.h",
            "drivers/hwtracing/coresight/coresight-syscfg.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "dfe8224c9c7a43d356eb9f74b06868aa05f90223",
              "status": "affected",
              "version": "f8cce2ff3c04361b8843d8489620fda8880f668b",
              "versionType": "git"
            },
            {
              "lessThan": "b3b4efa2e623aecaebd7c9b9e4171f5c659e9724",
              "status": "affected",
              "version": "f8cce2ff3c04361b8843d8489620fda8880f668b",
              "versionType": "git"
            },
            {
              "lessThan": "31028812724cef7bd57a51525ce58a32a6d73b22",
              "status": "affected",
              "version": "f8cce2ff3c04361b8843d8489620fda8880f668b",
              "versionType": "git"
            },
            {
              "lessThan": "ed42ee1ed05ff2f4c36938379057413a40c56680",
              "status": "affected",
              "version": "f8cce2ff3c04361b8843d8489620fda8880f668b",
              "versionType": "git"
            },
            {
              "lessThan": "408c97c4a5e0b634dcd15bf8b8808b382e888164",
              "status": "affected",
              "version": "f8cce2ff3c04361b8843d8489620fda8880f668b",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/hwtracing/coresight/coresight-config.h",
            "drivers/hwtracing/coresight/coresight-syscfg.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.15"
            },
            {
              "lessThan": "5.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.94",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncoresight: prevent deactivate active config while enabling the config\n\nWhile enable active config via cscfg_csdev_enable_active_config(),\nactive config could be deactivated via configfs\u0027 sysfs interface.\nThis could make UAF issue in below scenario:\n\nCPU0                                          CPU1\n(sysfs enable)                                load module\n                                              cscfg_load_config_sets()\n                                              activate config. // sysfs\n                                              (sys_active_cnt == 1)\n...\ncscfg_csdev_enable_active_config()\nlock(csdev-\u003ecscfg_csdev_lock)\n// here load config activate by CPU1\nunlock(csdev-\u003ecscfg_csdev_lock)\n\n                                              deactivate config // sysfs\n                                              (sys_activec_cnt == 0)\n                                              cscfg_unload_config_sets()\n                                              unload module\n\n// access to config_desc which freed\n// while unloading module.\ncscfg_csdev_enable_config\n\nTo address this, use cscfg_config_desc\u0027s active_cnt as a reference count\n which will be holded when\n    - activate the config.\n    - enable the activated config.\nand put the module reference when config_active_cnt == 0."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:13:00.836Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/dfe8224c9c7a43d356eb9f74b06868aa05f90223"
        },
        {
          "url": "https://git.kernel.org/stable/c/b3b4efa2e623aecaebd7c9b9e4171f5c659e9724"
        },
        {
          "url": "https://git.kernel.org/stable/c/31028812724cef7bd57a51525ce58a32a6d73b22"
        },
        {
          "url": "https://git.kernel.org/stable/c/ed42ee1ed05ff2f4c36938379057413a40c56680"
        },
        {
          "url": "https://git.kernel.org/stable/c/408c97c4a5e0b634dcd15bf8b8808b382e888164"
        }
      ],
      "title": "coresight: prevent deactivate active config while enabling the config",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38131",
    "datePublished": "2025-07-03T08:35:35.036Z",
    "dateReserved": "2025-04-16T04:51:23.987Z",
    "dateUpdated": "2025-11-03T17:34:25.127Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38040 (GCVE-0-2025-38040)

Vulnerability from cvelistv5 – Published: 2025-06-18 09:33 – Updated: 2026-01-02 15:29

Title

serial: mctrl_gpio: split disable_ms into sync and no_sync APIs

Summary

In the Linux kernel, the following vulnerability has been resolved: serial: mctrl_gpio: split disable_ms into sync and no_sync APIs The following splat has been observed on a SAMA5D27 platform using atmel_serial: BUG: sleeping function called from invalid context at kernel/irq/manage.c:738 in_atomic(): 1, irqs_disabled(): 128, non_block: 0, pid: 27, name: kworker/u5:0 preempt_count: 1, expected: 0 INFO: lockdep is turned off. irq event stamp: 0 hardirqs last enabled at (0): [<00000000>] 0x0 hardirqs last disabled at (0): [<c01588f0>] copy_process+0x1c4c/0x7bec softirqs last enabled at (0): [<c0158944>] copy_process+0x1ca0/0x7bec softirqs last disabled at (0): [<00000000>] 0x0 CPU: 0 UID: 0 PID: 27 Comm: kworker/u5:0 Not tainted 6.13.0-rc7+ #74 Hardware name: Atmel SAMA5 Workqueue: hci0 hci_power_on [bluetooth] Call trace: unwind_backtrace from show_stack+0x18/0x1c show_stack from dump_stack_lvl+0x44/0x70 dump_stack_lvl from __might_resched+0x38c/0x598 __might_resched from disable_irq+0x1c/0x48 disable_irq from mctrl_gpio_disable_ms+0x74/0xc0 mctrl_gpio_disable_ms from atmel_disable_ms.part.0+0x80/0x1f4 atmel_disable_ms.part.0 from atmel_set_termios+0x764/0x11e8 atmel_set_termios from uart_change_line_settings+0x15c/0x994 uart_change_line_settings from uart_set_termios+0x2b0/0x668 uart_set_termios from tty_set_termios+0x600/0x8ec tty_set_termios from ttyport_set_flow_control+0x188/0x1e0 ttyport_set_flow_control from wilc_setup+0xd0/0x524 [hci_wilc] wilc_setup [hci_wilc] from hci_dev_open_sync+0x330/0x203c [bluetooth] hci_dev_open_sync [bluetooth] from hci_dev_do_open+0x40/0xb0 [bluetooth] hci_dev_do_open [bluetooth] from hci_power_on+0x12c/0x664 [bluetooth] hci_power_on [bluetooth] from process_one_work+0x998/0x1a38 process_one_work from worker_thread+0x6e0/0xfb4 worker_thread from kthread+0x3d4/0x484 kthread from ret_from_fork+0x14/0x28 This warning is emitted when trying to toggle, at the highest level, some flow control (with serdev_device_set_flow_control) in a device driver. At the lowest level, the atmel_serial driver is using serial_mctrl_gpio lib to enable/disable the corresponding IRQs accordingly. The warning emitted by CONFIG_DEBUG_ATOMIC_SLEEP is due to disable_irq (called in mctrl_gpio_disable_ms) being possibly called in some atomic context (some tty drivers perform modem lines configuration in regions protected by port lock). Split mctrl_gpio_disable_ms into two differents APIs, a non-blocking one and a blocking one. Replace mctrl_gpio_disable_ms calls with the relevant version depending on whether the call is protected by some port lock.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/68435c1fa3db696db…
	https://git.kernel.org/stable/c/c504c11b94d6e4ad8…
	https://git.kernel.org/stable/c/e6a46719a2369eb51…
	https://git.kernel.org/stable/c/7187ec6b0b9ff22eb…
	https://git.kernel.org/stable/c/1bd2aad57da95f7f2…

Impacted products

Vendor

Product

Version

Linux

Affected: ce59e48fdbad2aa6609ceb87e1306ec69e577e05 , < 68435c1fa3db696db4f480385db9e50e26691d0d (git)
Affected: ce59e48fdbad2aa6609ceb87e1306ec69e577e05 , < c504c11b94d6e4ad818ca5578dffa8ff29ad0f20 (git)
Affected: ce59e48fdbad2aa6609ceb87e1306ec69e577e05 , < e6a46719a2369eb5186d4f7e6c0478720ca1ec3d (git)
Affected: ce59e48fdbad2aa6609ceb87e1306ec69e577e05 , < 7187ec6b0b9ff22ebac2c3bb4178b7dbbdc0a55a (git)
Affected: ce59e48fdbad2aa6609ceb87e1306ec69e577e05 , < 1bd2aad57da95f7f2d2bb52f7ad15c0f4993a685 (git)

Linux

Affected: 4.4
Unaffected: 0 , < 4.4 (semver)
Unaffected: 6.1.141 , ≤ 6.1.* (semver)
Unaffected: 6.6.93 , ≤ 6.6.* (semver)
Unaffected: 6.12.31 , ≤ 6.12.* (semver)
Unaffected: 6.14.9 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:33:17.475Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "Documentation/driver-api/serial/driver.rst",
            "drivers/tty/serial/8250/8250_port.c",
            "drivers/tty/serial/atmel_serial.c",
            "drivers/tty/serial/imx.c",
            "drivers/tty/serial/serial_mctrl_gpio.c",
            "drivers/tty/serial/serial_mctrl_gpio.h",
            "drivers/tty/serial/sh-sci.c",
            "drivers/tty/serial/stm32-usart.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "68435c1fa3db696db4f480385db9e50e26691d0d",
              "status": "affected",
              "version": "ce59e48fdbad2aa6609ceb87e1306ec69e577e05",
              "versionType": "git"
            },
            {
              "lessThan": "c504c11b94d6e4ad818ca5578dffa8ff29ad0f20",
              "status": "affected",
              "version": "ce59e48fdbad2aa6609ceb87e1306ec69e577e05",
              "versionType": "git"
            },
            {
              "lessThan": "e6a46719a2369eb5186d4f7e6c0478720ca1ec3d",
              "status": "affected",
              "version": "ce59e48fdbad2aa6609ceb87e1306ec69e577e05",
              "versionType": "git"
            },
            {
              "lessThan": "7187ec6b0b9ff22ebac2c3bb4178b7dbbdc0a55a",
              "status": "affected",
              "version": "ce59e48fdbad2aa6609ceb87e1306ec69e577e05",
              "versionType": "git"
            },
            {
              "lessThan": "1bd2aad57da95f7f2d2bb52f7ad15c0f4993a685",
              "status": "affected",
              "version": "ce59e48fdbad2aa6609ceb87e1306ec69e577e05",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "Documentation/driver-api/serial/driver.rst",
            "drivers/tty/serial/8250/8250_port.c",
            "drivers/tty/serial/atmel_serial.c",
            "drivers/tty/serial/imx.c",
            "drivers/tty/serial/serial_mctrl_gpio.c",
            "drivers/tty/serial/serial_mctrl_gpio.h",
            "drivers/tty/serial/sh-sci.c",
            "drivers/tty/serial/stm32-usart.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.4"
            },
            {
              "lessThan": "4.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.141",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.93",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.31",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.141",
                  "versionStartIncluding": "4.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.93",
                  "versionStartIncluding": "4.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.31",
                  "versionStartIncluding": "4.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.9",
                  "versionStartIncluding": "4.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "4.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: mctrl_gpio: split disable_ms into sync and no_sync APIs\n\nThe following splat has been observed on a SAMA5D27 platform using\natmel_serial:\n\nBUG: sleeping function called from invalid context at kernel/irq/manage.c:738\nin_atomic(): 1, irqs_disabled(): 128, non_block: 0, pid: 27, name: kworker/u5:0\npreempt_count: 1, expected: 0\nINFO: lockdep is turned off.\nirq event stamp: 0\nhardirqs last  enabled at (0): [\u003c00000000\u003e] 0x0\nhardirqs last disabled at (0): [\u003cc01588f0\u003e] copy_process+0x1c4c/0x7bec\nsoftirqs last  enabled at (0): [\u003cc0158944\u003e] copy_process+0x1ca0/0x7bec\nsoftirqs last disabled at (0): [\u003c00000000\u003e] 0x0\nCPU: 0 UID: 0 PID: 27 Comm: kworker/u5:0 Not tainted 6.13.0-rc7+ #74\nHardware name: Atmel SAMA5\nWorkqueue: hci0 hci_power_on [bluetooth]\nCall trace:\n  unwind_backtrace from show_stack+0x18/0x1c\n  show_stack from dump_stack_lvl+0x44/0x70\n  dump_stack_lvl from __might_resched+0x38c/0x598\n  __might_resched from disable_irq+0x1c/0x48\n  disable_irq from mctrl_gpio_disable_ms+0x74/0xc0\n  mctrl_gpio_disable_ms from atmel_disable_ms.part.0+0x80/0x1f4\n  atmel_disable_ms.part.0 from atmel_set_termios+0x764/0x11e8\n  atmel_set_termios from uart_change_line_settings+0x15c/0x994\n  uart_change_line_settings from uart_set_termios+0x2b0/0x668\n  uart_set_termios from tty_set_termios+0x600/0x8ec\n  tty_set_termios from ttyport_set_flow_control+0x188/0x1e0\n  ttyport_set_flow_control from wilc_setup+0xd0/0x524 [hci_wilc]\n  wilc_setup [hci_wilc] from hci_dev_open_sync+0x330/0x203c [bluetooth]\n  hci_dev_open_sync [bluetooth] from hci_dev_do_open+0x40/0xb0 [bluetooth]\n  hci_dev_do_open [bluetooth] from hci_power_on+0x12c/0x664 [bluetooth]\n  hci_power_on [bluetooth] from process_one_work+0x998/0x1a38\n  process_one_work from worker_thread+0x6e0/0xfb4\n  worker_thread from kthread+0x3d4/0x484\n  kthread from ret_from_fork+0x14/0x28\n\nThis warning is emitted when trying to toggle, at the highest level,\nsome flow control (with serdev_device_set_flow_control) in a device\ndriver. At the lowest level, the atmel_serial driver is using\nserial_mctrl_gpio lib to enable/disable the corresponding IRQs\naccordingly.  The warning emitted by CONFIG_DEBUG_ATOMIC_SLEEP is due to\ndisable_irq (called in mctrl_gpio_disable_ms) being possibly called in\nsome atomic context (some tty drivers perform modem lines configuration\nin regions protected by port lock).\n\nSplit mctrl_gpio_disable_ms into two differents APIs, a non-blocking one\nand a blocking one. Replace mctrl_gpio_disable_ms calls with the\nrelevant version depending on whether the call is protected by some port\nlock."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:29:42.103Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/68435c1fa3db696db4f480385db9e50e26691d0d"
        },
        {
          "url": "https://git.kernel.org/stable/c/c504c11b94d6e4ad818ca5578dffa8ff29ad0f20"
        },
        {
          "url": "https://git.kernel.org/stable/c/e6a46719a2369eb5186d4f7e6c0478720ca1ec3d"
        },
        {
          "url": "https://git.kernel.org/stable/c/7187ec6b0b9ff22ebac2c3bb4178b7dbbdc0a55a"
        },
        {
          "url": "https://git.kernel.org/stable/c/1bd2aad57da95f7f2d2bb52f7ad15c0f4993a685"
        }
      ],
      "title": "serial: mctrl_gpio: split disable_ms into sync and no_sync APIs",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38040",
    "datePublished": "2025-06-18T09:33:25.720Z",
    "dateReserved": "2025-04-16T04:51:23.978Z",
    "dateUpdated": "2026-01-02T15:29:42.103Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38306 (GCVE-0-2025-38306)

Vulnerability from cvelistv5 – Published: 2025-07-10 07:42 – Updated: 2025-09-09 17:06

Title

fs/fhandle.c: fix a race in call of has_locked_children()

Summary

In the Linux kernel, the following vulnerability has been resolved: fs/fhandle.c: fix a race in call of has_locked_children() may_decode_fh() is calling has_locked_children() while holding no locks. That's an oopsable race... The rest of the callers are safe since they are holding namespace_sem and are guaranteed a positive refcount on the mount in question. Rename the current has_locked_children() to __has_locked_children(), make it static and switch the fs/namespace.c users to it. Make has_locked_children() a wrapper for __has_locked_children(), calling the latter under read_seqlock_excl(&mount_lock).

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/6482c3dccbfb8d20e…
	https://git.kernel.org/stable/c/287c7d34eedd37af1…
	https://git.kernel.org/stable/c/1f282cdc1d219c4a5…

Impacted products

Vendor

Product

Version

Linux

Affected: 620c266f394932e5decc4b34683a75dfc59dc2f4 , < 6482c3dccbfb8d20e2856ce67c75856859930b3f (git)
Affected: 620c266f394932e5decc4b34683a75dfc59dc2f4 , < 287c7d34eedd37af1272dfb3b6e8656f4f026424 (git)
Affected: 620c266f394932e5decc4b34683a75dfc59dc2f4 , < 1f282cdc1d219c4a557f7009e81bc792820d9d9a (git)

Linux

Affected: 6.11
Unaffected: 0 , < 6.11 (semver)
Unaffected: 6.12.46 , ≤ 6.12.* (semver)
Unaffected: 6.15.3 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/namespace.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6482c3dccbfb8d20e2856ce67c75856859930b3f",
              "status": "affected",
              "version": "620c266f394932e5decc4b34683a75dfc59dc2f4",
              "versionType": "git"
            },
            {
              "lessThan": "287c7d34eedd37af1272dfb3b6e8656f4f026424",
              "status": "affected",
              "version": "620c266f394932e5decc4b34683a75dfc59dc2f4",
              "versionType": "git"
            },
            {
              "lessThan": "1f282cdc1d219c4a557f7009e81bc792820d9d9a",
              "status": "affected",
              "version": "620c266f394932e5decc4b34683a75dfc59dc2f4",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/namespace.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.11"
            },
            {
              "lessThan": "6.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.46",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.46",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/fhandle.c: fix a race in call of has_locked_children()\n\nmay_decode_fh() is calling has_locked_children() while holding no locks.\nThat\u0027s an oopsable race...\n\nThe rest of the callers are safe since they are holding namespace_sem and\nare guaranteed a positive refcount on the mount in question.\n\nRename the current has_locked_children() to __has_locked_children(), make\nit static and switch the fs/namespace.c users to it.\n\nMake has_locked_children() a wrapper for __has_locked_children(), calling\nthe latter under read_seqlock_excl(\u0026mount_lock)."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-09T17:06:11.491Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/6482c3dccbfb8d20e2856ce67c75856859930b3f"
        },
        {
          "url": "https://git.kernel.org/stable/c/287c7d34eedd37af1272dfb3b6e8656f4f026424"
        },
        {
          "url": "https://git.kernel.org/stable/c/1f282cdc1d219c4a557f7009e81bc792820d9d9a"
        }
      ],
      "title": "fs/fhandle.c: fix a race in call of has_locked_children()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38306",
    "datePublished": "2025-07-10T07:42:16.806Z",
    "dateReserved": "2025-04-16T04:51:24.002Z",
    "dateUpdated": "2025-09-09T17:06:11.491Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21918 (GCVE-0-2025-21918)

Vulnerability from cvelistv5 – Published: 2025-04-01 15:40 – Updated: 2025-11-03 19:39

Title

usb: typec: ucsi: Fix NULL pointer access

Summary

In the Linux kernel, the following vulnerability has been resolved: usb: typec: ucsi: Fix NULL pointer access Resources should be released only after all threads that utilize them have been destroyed. This commit ensures that resources are not released prematurely by waiting for the associated workqueue to complete before deallocating them.

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-476 - NULL Pointer Dereference

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/7a735a8a46f6ebf89…
	https://git.kernel.org/stable/c/46fba7be161bb8906…
	https://git.kernel.org/stable/c/079a3e52f3e751bb8…
	https://git.kernel.org/stable/c/592a0327d026a122e…
	https://git.kernel.org/stable/c/b13abcb7ddd8d38de…

Impacted products

Vendor

Product

Version

Linux

Affected: b9aa02ca39a49740926c2c450a1505a4a0f8954a , < 7a735a8a46f6ebf898bbefd96659ca5da798bce0 (git)
Affected: b9aa02ca39a49740926c2c450a1505a4a0f8954a , < 46fba7be161bb89068958138ea64ec33c0b446d4 (git)
Affected: b9aa02ca39a49740926c2c450a1505a4a0f8954a , < 079a3e52f3e751bb8f5937195bdf25c5d14fdff0 (git)
Affected: b9aa02ca39a49740926c2c450a1505a4a0f8954a , < 592a0327d026a122e97e8e8bb7c60cbbe7697344 (git)
Affected: b9aa02ca39a49740926c2c450a1505a4a0f8954a , < b13abcb7ddd8d38de769486db5bd917537b32ab1 (git)

Linux

Affected: 5.16
Unaffected: 0 , < 5.16 (semver)
Unaffected: 6.1.133 , ≤ 6.1.* (semver)
Unaffected: 6.6.83 , ≤ 6.6.* (semver)
Unaffected: 6.12.19 , ≤ 6.12.* (semver)
Unaffected: 6.13.7 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21918",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:24:04.279275Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-476",
                "description": "CWE-476 NULL Pointer Dereference",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T19:26:33.991Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:39:09.717Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/typec/ucsi/ucsi.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "7a735a8a46f6ebf898bbefd96659ca5da798bce0",
              "status": "affected",
              "version": "b9aa02ca39a49740926c2c450a1505a4a0f8954a",
              "versionType": "git"
            },
            {
              "lessThan": "46fba7be161bb89068958138ea64ec33c0b446d4",
              "status": "affected",
              "version": "b9aa02ca39a49740926c2c450a1505a4a0f8954a",
              "versionType": "git"
            },
            {
              "lessThan": "079a3e52f3e751bb8f5937195bdf25c5d14fdff0",
              "status": "affected",
              "version": "b9aa02ca39a49740926c2c450a1505a4a0f8954a",
              "versionType": "git"
            },
            {
              "lessThan": "592a0327d026a122e97e8e8bb7c60cbbe7697344",
              "status": "affected",
              "version": "b9aa02ca39a49740926c2c450a1505a4a0f8954a",
              "versionType": "git"
            },
            {
              "lessThan": "b13abcb7ddd8d38de769486db5bd917537b32ab1",
              "status": "affected",
              "version": "b9aa02ca39a49740926c2c450a1505a4a0f8954a",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/typec/ucsi/ucsi.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.16"
            },
            {
              "lessThan": "5.16",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.133",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.83",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.19",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.133",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.83",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.19",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.7",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: ucsi: Fix NULL pointer access\n\nResources should be released only after all threads that utilize them\nhave been destroyed.\nThis commit ensures that resources are not released prematurely by waiting\nfor the associated workqueue to complete before deallocating them."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:24:32.290Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/7a735a8a46f6ebf898bbefd96659ca5da798bce0"
        },
        {
          "url": "https://git.kernel.org/stable/c/46fba7be161bb89068958138ea64ec33c0b446d4"
        },
        {
          "url": "https://git.kernel.org/stable/c/079a3e52f3e751bb8f5937195bdf25c5d14fdff0"
        },
        {
          "url": "https://git.kernel.org/stable/c/592a0327d026a122e97e8e8bb7c60cbbe7697344"
        },
        {
          "url": "https://git.kernel.org/stable/c/b13abcb7ddd8d38de769486db5bd917537b32ab1"
        }
      ],
      "title": "usb: typec: ucsi: Fix NULL pointer access",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21918",
    "datePublished": "2025-04-01T15:40:53.561Z",
    "dateReserved": "2024-12-29T08:45:45.787Z",
    "dateUpdated": "2025-11-03T19:39:09.717Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38222 (GCVE-0-2025-38222)

Vulnerability from cvelistv5 – Published: 2025-07-04 13:37 – Updated: 2025-11-03 17:35

Title

ext4: inline: fix len overflow in ext4_prepare_inline_data

Summary

In the Linux kernel, the following vulnerability has been resolved: ext4: inline: fix len overflow in ext4_prepare_inline_data When running the following code on an ext4 filesystem with inline_data feature enabled, it will lead to the bug below. fd = open("file1", O_RDWR | O_CREAT | O_TRUNC, 0666); ftruncate(fd, 30); pwrite(fd, "a", 1, (1UL << 40) + 5UL); That happens because write_begin will succeed as when ext4_generic_write_inline_data calls ext4_prepare_inline_data, pos + len will be truncated, leading to ext4_prepare_inline_data parameter to be 6 instead of 0x10000000006. Then, later when write_end is called, we hit: BUG_ON(pos + len > EXT4_I(inode)->i_inline_size); at ext4_write_inline_data. Fix it by using a loff_t type for the len parameter in ext4_prepare_inline_data instead of an unsigned int. [ 44.545164] ------------[ cut here ]------------ [ 44.545530] kernel BUG at fs/ext4/inline.c:240! [ 44.545834] Oops: invalid opcode: 0000 [#1] SMP NOPTI [ 44.546172] CPU: 3 UID: 0 PID: 343 Comm: test Not tainted 6.15.0-rc2-00003-g9080916f4863 #45 PREEMPT(full) 112853fcebfdb93254270a7959841d2c6aa2c8bb [ 44.546523] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 44.546523] RIP: 0010:ext4_write_inline_data+0xfe/0x100 [ 44.546523] Code: 3c 0e 48 83 c7 48 48 89 de 5b 41 5c 41 5d 41 5e 41 5f 5d e9 e4 fa 43 01 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc cc 0f 0b <0f> 0b 0f 1f 44 00 00 55 41 57 41 56 41 55 41 54 53 48 83 ec 20 49 [ 44.546523] RSP: 0018:ffffb342008b79a8 EFLAGS: 00010216 [ 44.546523] RAX: 0000000000000001 RBX: ffff9329c579c000 RCX: 0000010000000006 [ 44.546523] RDX: 000000000000003c RSI: ffffb342008b79f0 RDI: ffff9329c158e738 [ 44.546523] RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000000 [ 44.546523] R10: 00007ffffffff000 R11: ffffffff9bd0d910 R12: 0000006210000000 [ 44.546523] R13: fffffc7e4015e700 R14: 0000010000000005 R15: ffff9329c158e738 [ 44.546523] FS: 00007f4299934740(0000) GS:ffff932a60179000(0000) knlGS:0000000000000000 [ 44.546523] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 44.546523] CR2: 00007f4299a1ec90 CR3: 0000000002886002 CR4: 0000000000770eb0 [ 44.546523] PKRU: 55555554 [ 44.546523] Call Trace: [ 44.546523] <TASK> [ 44.546523] ext4_write_inline_data_end+0x126/0x2d0 [ 44.546523] generic_perform_write+0x17e/0x270 [ 44.546523] ext4_buffered_write_iter+0xc8/0x170 [ 44.546523] vfs_write+0x2be/0x3e0 [ 44.546523] __x64_sys_pwrite64+0x6d/0xc0 [ 44.546523] do_syscall_64+0x6a/0xf0 [ 44.546523] ? __wake_up+0x89/0xb0 [ 44.546523] ? xas_find+0x72/0x1c0 [ 44.546523] ? next_uptodate_folio+0x317/0x330 [ 44.546523] ? set_pte_range+0x1a6/0x270 [ 44.546523] ? filemap_map_pages+0x6ee/0x840 [ 44.546523] ? ext4_setattr+0x2fa/0x750 [ 44.546523] ? do_pte_missing+0x128/0xf70 [ 44.546523] ? security_inode_post_setattr+0x3e/0xd0 [ 44.546523] ? ___pte_offset_map+0x19/0x100 [ 44.546523] ? handle_mm_fault+0x721/0xa10 [ 44.546523] ? do_user_addr_fault+0x197/0x730 [ 44.546523] ? do_syscall_64+0x76/0xf0 [ 44.546523] ? arch_exit_to_user_mode_prepare+0x1e/0x60 [ 44.546523] ? irqentry_exit_to_user_mode+0x79/0x90 [ 44.546523] entry_SYSCALL_64_after_hwframe+0x55/0x5d [ 44.546523] RIP: 0033:0x7f42999c6687 [ 44.546523] Code: 48 89 fa 4c 89 df e8 58 b3 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff [ 44.546523] RSP: 002b:00007ffeae4a7930 EFLAGS: 00000202 ORIG_RAX: 0000000000000012 [ 44.546523] RAX: ffffffffffffffda RBX: 00007f4299934740 RCX: 00007f42999c6687 [ 44.546523] RDX: 0000000000000001 RSI: 000055ea6149200f RDI: 0000000000000003 [ 44.546523] RBP: 00007ffeae4a79a0 R08: 0000000000000000 R09: 0000000000000000 [ 44.546523] R10: 0000010000000005 R11: 0000000000000202 R12: 0000 ---truncated---

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/d3dfc60efd145df53…
	https://git.kernel.org/stable/c/717414a8c083c376d…
	https://git.kernel.org/stable/c/9d1d1c5bf4fc1af76…
	https://git.kernel.org/stable/c/cf5f319a2d8ab8238…
	https://git.kernel.org/stable/c/26e09d18599da0adc…
	https://git.kernel.org/stable/c/5766da2237e539f25…
	https://git.kernel.org/stable/c/e80ee0263d88d77f2…
	https://git.kernel.org/stable/c/227cb4ca5a6502164…

Impacted products

Vendor

Product

Version

Linux

Affected: f19d5870cbf72d4cb2a8e1f749dff97af99b071e , < d3dfc60efd145df5324b99a244b0b05505cde29b (git)
Affected: f19d5870cbf72d4cb2a8e1f749dff97af99b071e , < 717414a8c083c376d4a8940a1230fe0c6ed4ee00 (git)
Affected: f19d5870cbf72d4cb2a8e1f749dff97af99b071e , < 9d1d1c5bf4fc1af76be154d3afb2acdbd89ec7d8 (git)
Affected: f19d5870cbf72d4cb2a8e1f749dff97af99b071e , < cf5f319a2d8ab8238f8cf3a19463b9bff6420934 (git)
Affected: f19d5870cbf72d4cb2a8e1f749dff97af99b071e , < 26e09d18599da0adc543eabd300080daaeda6869 (git)
Affected: f19d5870cbf72d4cb2a8e1f749dff97af99b071e , < 5766da2237e539f259aa0e5f3639ae37b44ca458 (git)
Affected: f19d5870cbf72d4cb2a8e1f749dff97af99b071e , < e80ee0263d88d77f2fd1927f915003a7066cbb50 (git)
Affected: f19d5870cbf72d4cb2a8e1f749dff97af99b071e , < 227cb4ca5a6502164f850d22aec3104d7888b270 (git)

Linux

Affected: 3.8
Unaffected: 0 , < 3.8 (semver)
Unaffected: 5.4.295 , ≤ 5.4.* (semver)
Unaffected: 5.10.239 , ≤ 5.10.* (semver)
Unaffected: 5.15.186 , ≤ 5.15.* (semver)
Unaffected: 6.1.142 , ≤ 6.1.* (semver)
Unaffected: 6.6.95 , ≤ 6.6.* (semver)
Unaffected: 6.12.35 , ≤ 6.12.* (semver)
Unaffected: 6.15.4 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:35:40.178Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/ext4/inline.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d3dfc60efd145df5324b99a244b0b05505cde29b",
              "status": "affected",
              "version": "f19d5870cbf72d4cb2a8e1f749dff97af99b071e",
              "versionType": "git"
            },
            {
              "lessThan": "717414a8c083c376d4a8940a1230fe0c6ed4ee00",
              "status": "affected",
              "version": "f19d5870cbf72d4cb2a8e1f749dff97af99b071e",
              "versionType": "git"
            },
            {
              "lessThan": "9d1d1c5bf4fc1af76be154d3afb2acdbd89ec7d8",
              "status": "affected",
              "version": "f19d5870cbf72d4cb2a8e1f749dff97af99b071e",
              "versionType": "git"
            },
            {
              "lessThan": "cf5f319a2d8ab8238f8cf3a19463b9bff6420934",
              "status": "affected",
              "version": "f19d5870cbf72d4cb2a8e1f749dff97af99b071e",
              "versionType": "git"
            },
            {
              "lessThan": "26e09d18599da0adc543eabd300080daaeda6869",
              "status": "affected",
              "version": "f19d5870cbf72d4cb2a8e1f749dff97af99b071e",
              "versionType": "git"
            },
            {
              "lessThan": "5766da2237e539f259aa0e5f3639ae37b44ca458",
              "status": "affected",
              "version": "f19d5870cbf72d4cb2a8e1f749dff97af99b071e",
              "versionType": "git"
            },
            {
              "lessThan": "e80ee0263d88d77f2fd1927f915003a7066cbb50",
              "status": "affected",
              "version": "f19d5870cbf72d4cb2a8e1f749dff97af99b071e",
              "versionType": "git"
            },
            {
              "lessThan": "227cb4ca5a6502164f850d22aec3104d7888b270",
              "status": "affected",
              "version": "f19d5870cbf72d4cb2a8e1f749dff97af99b071e",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/ext4/inline.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.8"
            },
            {
              "lessThan": "3.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.295",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.95",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.35",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.295",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.95",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.35",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.4",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: inline: fix len overflow in ext4_prepare_inline_data\n\nWhen running the following code on an ext4 filesystem with inline_data\nfeature enabled, it will lead to the bug below.\n\n        fd = open(\"file1\", O_RDWR | O_CREAT | O_TRUNC, 0666);\n        ftruncate(fd, 30);\n        pwrite(fd, \"a\", 1, (1UL \u003c\u003c 40) + 5UL);\n\nThat happens because write_begin will succeed as when\next4_generic_write_inline_data calls ext4_prepare_inline_data, pos + len\nwill be truncated, leading to ext4_prepare_inline_data parameter to be 6\ninstead of 0x10000000006.\n\nThen, later when write_end is called, we hit:\n\n        BUG_ON(pos + len \u003e EXT4_I(inode)-\u003ei_inline_size);\n\nat ext4_write_inline_data.\n\nFix it by using a loff_t type for the len parameter in\next4_prepare_inline_data instead of an unsigned int.\n\n[   44.545164] ------------[ cut here ]------------\n[   44.545530] kernel BUG at fs/ext4/inline.c:240!\n[   44.545834] Oops: invalid opcode: 0000 [#1] SMP NOPTI\n[   44.546172] CPU: 3 UID: 0 PID: 343 Comm: test Not tainted 6.15.0-rc2-00003-g9080916f4863 #45 PREEMPT(full)  112853fcebfdb93254270a7959841d2c6aa2c8bb\n[   44.546523] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[   44.546523] RIP: 0010:ext4_write_inline_data+0xfe/0x100\n[   44.546523] Code: 3c 0e 48 83 c7 48 48 89 de 5b 41 5c 41 5d 41 5e 41 5f 5d e9 e4 fa 43 01 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc cc 0f 0b \u003c0f\u003e 0b 0f 1f 44 00 00 55 41 57 41 56 41 55 41 54 53 48 83 ec 20 49\n[   44.546523] RSP: 0018:ffffb342008b79a8 EFLAGS: 00010216\n[   44.546523] RAX: 0000000000000001 RBX: ffff9329c579c000 RCX: 0000010000000006\n[   44.546523] RDX: 000000000000003c RSI: ffffb342008b79f0 RDI: ffff9329c158e738\n[   44.546523] RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000000\n[   44.546523] R10: 00007ffffffff000 R11: ffffffff9bd0d910 R12: 0000006210000000\n[   44.546523] R13: fffffc7e4015e700 R14: 0000010000000005 R15: ffff9329c158e738\n[   44.546523] FS:  00007f4299934740(0000) GS:ffff932a60179000(0000) knlGS:0000000000000000\n[   44.546523] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[   44.546523] CR2: 00007f4299a1ec90 CR3: 0000000002886002 CR4: 0000000000770eb0\n[   44.546523] PKRU: 55555554\n[   44.546523] Call Trace:\n[   44.546523]  \u003cTASK\u003e\n[   44.546523]  ext4_write_inline_data_end+0x126/0x2d0\n[   44.546523]  generic_perform_write+0x17e/0x270\n[   44.546523]  ext4_buffered_write_iter+0xc8/0x170\n[   44.546523]  vfs_write+0x2be/0x3e0\n[   44.546523]  __x64_sys_pwrite64+0x6d/0xc0\n[   44.546523]  do_syscall_64+0x6a/0xf0\n[   44.546523]  ? __wake_up+0x89/0xb0\n[   44.546523]  ? xas_find+0x72/0x1c0\n[   44.546523]  ? next_uptodate_folio+0x317/0x330\n[   44.546523]  ? set_pte_range+0x1a6/0x270\n[   44.546523]  ? filemap_map_pages+0x6ee/0x840\n[   44.546523]  ? ext4_setattr+0x2fa/0x750\n[   44.546523]  ? do_pte_missing+0x128/0xf70\n[   44.546523]  ? security_inode_post_setattr+0x3e/0xd0\n[   44.546523]  ? ___pte_offset_map+0x19/0x100\n[   44.546523]  ? handle_mm_fault+0x721/0xa10\n[   44.546523]  ? do_user_addr_fault+0x197/0x730\n[   44.546523]  ? do_syscall_64+0x76/0xf0\n[   44.546523]  ? arch_exit_to_user_mode_prepare+0x1e/0x60\n[   44.546523]  ? irqentry_exit_to_user_mode+0x79/0x90\n[   44.546523]  entry_SYSCALL_64_after_hwframe+0x55/0x5d\n[   44.546523] RIP: 0033:0x7f42999c6687\n[   44.546523] Code: 48 89 fa 4c 89 df e8 58 b3 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 \u003c5b\u003e c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff\n[   44.546523] RSP: 002b:00007ffeae4a7930 EFLAGS: 00000202 ORIG_RAX: 0000000000000012\n[   44.546523] RAX: ffffffffffffffda RBX: 00007f4299934740 RCX: 00007f42999c6687\n[   44.546523] RDX: 0000000000000001 RSI: 000055ea6149200f RDI: 0000000000000003\n[   44.546523] RBP: 00007ffeae4a79a0 R08: 0000000000000000 R09: 0000000000000000\n[   44.546523] R10: 0000010000000005 R11: 0000000000000202 R12: 0000\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:15:34.040Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d3dfc60efd145df5324b99a244b0b05505cde29b"
        },
        {
          "url": "https://git.kernel.org/stable/c/717414a8c083c376d4a8940a1230fe0c6ed4ee00"
        },
        {
          "url": "https://git.kernel.org/stable/c/9d1d1c5bf4fc1af76be154d3afb2acdbd89ec7d8"
        },
        {
          "url": "https://git.kernel.org/stable/c/cf5f319a2d8ab8238f8cf3a19463b9bff6420934"
        },
        {
          "url": "https://git.kernel.org/stable/c/26e09d18599da0adc543eabd300080daaeda6869"
        },
        {
          "url": "https://git.kernel.org/stable/c/5766da2237e539f259aa0e5f3639ae37b44ca458"
        },
        {
          "url": "https://git.kernel.org/stable/c/e80ee0263d88d77f2fd1927f915003a7066cbb50"
        },
        {
          "url": "https://git.kernel.org/stable/c/227cb4ca5a6502164f850d22aec3104d7888b270"
        }
      ],
      "title": "ext4: inline: fix len overflow in ext4_prepare_inline_data",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38222",
    "datePublished": "2025-07-04T13:37:37.879Z",
    "dateReserved": "2025-04-16T04:51:23.995Z",
    "dateUpdated": "2025-11-03T17:35:40.178Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38513 (GCVE-0-2025-38513)

Vulnerability from cvelistv5 – Published: 2025-08-16 10:55 – Updated: 2025-11-03 17:39

Title

wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev()

Summary

In the Linux kernel, the following vulnerability has been resolved: wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev() There is a potential NULL pointer dereference in zd_mac_tx_to_dev(). For example, the following is possible: T0 T1 zd_mac_tx_to_dev() /* len == skb_queue_len(q) */ while (len > ZD_MAC_MAX_ACK_WAITERS) { filter_ack() spin_lock_irqsave(&q->lock, flags); /* position == skb_queue_len(q) */ for (i=1; i<position; i++) skb = __skb_dequeue(q) if (mac->type == NL80211_IFTYPE_AP) skb = __skb_dequeue(q); spin_unlock_irqrestore(&q->lock, flags); skb_dequeue() -> NULL Since there is a small gap between checking skb queue length and skb being unconditionally dequeued in zd_mac_tx_to_dev(), skb_dequeue() can return NULL. Then the pointer is passed to zd_mac_tx_status() where it is dereferenced. In order to avoid potential NULL pointer dereference due to situations like above, check if skb is not NULL before passing it to zd_mac_tx_status(). Found by Linux Verification Center (linuxtesting.org) with SVACE.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/c1958270de947604c…
	https://git.kernel.org/stable/c/014c34dc132015c4f…
	https://git.kernel.org/stable/c/b24f65c184540dfb9…
	https://git.kernel.org/stable/c/adf08c96b963c7cd7…
	https://git.kernel.org/stable/c/5420de65efbeb6503…
	https://git.kernel.org/stable/c/fcd9c923b58e86501…
	https://git.kernel.org/stable/c/602b4eb2f25668de1…
	https://git.kernel.org/stable/c/74b1ec9f5d627d2bd…

Impacted products

Vendor

Product

Version

Linux

Affected: 459c51ad6e1fc19e91a53798358433d3c08cd09d , < c1958270de947604cc6de05fc96dbba256b49cf0 (git)
Affected: 459c51ad6e1fc19e91a53798358433d3c08cd09d , < 014c34dc132015c4f918ada4982e952947ac1047 (git)
Affected: 459c51ad6e1fc19e91a53798358433d3c08cd09d , < b24f65c184540dfb967479320ecf7e8c2e9220dc (git)
Affected: 459c51ad6e1fc19e91a53798358433d3c08cd09d , < adf08c96b963c7cd7ec1ee1c0c556228d9bedaae (git)
Affected: 459c51ad6e1fc19e91a53798358433d3c08cd09d , < 5420de65efbeb6503bcf1d43451c9df67ad60298 (git)
Affected: 459c51ad6e1fc19e91a53798358433d3c08cd09d , < fcd9c923b58e86501450b9b442ccc7ce4a8d0fda (git)
Affected: 459c51ad6e1fc19e91a53798358433d3c08cd09d , < 602b4eb2f25668de15de69860ec99caf65b3684d (git)
Affected: 459c51ad6e1fc19e91a53798358433d3c08cd09d , < 74b1ec9f5d627d2bdd5e5b6f3f81c23317657023 (git)

Linux

Affected: 2.6.25
Unaffected: 0 , < 2.6.25 (semver)
Unaffected: 5.4.296 , ≤ 5.4.* (semver)
Unaffected: 5.10.240 , ≤ 5.10.* (semver)
Unaffected: 5.15.189 , ≤ 5.15.* (semver)
Unaffected: 6.1.146 , ≤ 6.1.* (semver)
Unaffected: 6.6.99 , ≤ 6.6.* (semver)
Unaffected: 6.12.39 , ≤ 6.12.* (semver)
Unaffected: 6.15.7 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:39:16.277Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/zydas/zd1211rw/zd_mac.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c1958270de947604cc6de05fc96dbba256b49cf0",
              "status": "affected",
              "version": "459c51ad6e1fc19e91a53798358433d3c08cd09d",
              "versionType": "git"
            },
            {
              "lessThan": "014c34dc132015c4f918ada4982e952947ac1047",
              "status": "affected",
              "version": "459c51ad6e1fc19e91a53798358433d3c08cd09d",
              "versionType": "git"
            },
            {
              "lessThan": "b24f65c184540dfb967479320ecf7e8c2e9220dc",
              "status": "affected",
              "version": "459c51ad6e1fc19e91a53798358433d3c08cd09d",
              "versionType": "git"
            },
            {
              "lessThan": "adf08c96b963c7cd7ec1ee1c0c556228d9bedaae",
              "status": "affected",
              "version": "459c51ad6e1fc19e91a53798358433d3c08cd09d",
              "versionType": "git"
            },
            {
              "lessThan": "5420de65efbeb6503bcf1d43451c9df67ad60298",
              "status": "affected",
              "version": "459c51ad6e1fc19e91a53798358433d3c08cd09d",
              "versionType": "git"
            },
            {
              "lessThan": "fcd9c923b58e86501450b9b442ccc7ce4a8d0fda",
              "status": "affected",
              "version": "459c51ad6e1fc19e91a53798358433d3c08cd09d",
              "versionType": "git"
            },
            {
              "lessThan": "602b4eb2f25668de15de69860ec99caf65b3684d",
              "status": "affected",
              "version": "459c51ad6e1fc19e91a53798358433d3c08cd09d",
              "versionType": "git"
            },
            {
              "lessThan": "74b1ec9f5d627d2bdd5e5b6f3f81c23317657023",
              "status": "affected",
              "version": "459c51ad6e1fc19e91a53798358433d3c08cd09d",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/zydas/zd1211rw/zd_mac.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.25"
            },
            {
              "lessThan": "2.6.25",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.296",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.240",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.189",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.146",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.99",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.39",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.296",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.240",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.189",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.146",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.99",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.39",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.7",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev()\n\nThere is a potential NULL pointer dereference in zd_mac_tx_to_dev(). For\nexample, the following is possible:\n\n    \tT0\t\t\t    \t\tT1\nzd_mac_tx_to_dev()\n  /* len == skb_queue_len(q) */\n  while (len \u003e ZD_MAC_MAX_ACK_WAITERS) {\n\n\t\t\t\t\t  filter_ack()\n\t\t\t\t\t    spin_lock_irqsave(\u0026q-\u003elock, flags);\n\t\t\t\t\t    /* position == skb_queue_len(q) */\n\t\t\t\t\t    for (i=1; i\u003cposition; i++)\n\t\t\t\t    \t      skb = __skb_dequeue(q)\n\n\t\t\t\t\t    if (mac-\u003etype == NL80211_IFTYPE_AP)\n\t\t\t\t\t      skb = __skb_dequeue(q);\n\t\t\t\t\t    spin_unlock_irqrestore(\u0026q-\u003elock, flags);\n\n    skb_dequeue() -\u003e NULL\n\nSince there is a small gap between checking skb queue length and skb being\nunconditionally dequeued in zd_mac_tx_to_dev(), skb_dequeue() can return NULL.\nThen the pointer is passed to zd_mac_tx_status() where it is dereferenced.\n\nIn order to avoid potential NULL pointer dereference due to situations like\nabove, check if skb is not NULL before passing it to zd_mac_tx_status().\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-16T10:55:00.254Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c1958270de947604cc6de05fc96dbba256b49cf0"
        },
        {
          "url": "https://git.kernel.org/stable/c/014c34dc132015c4f918ada4982e952947ac1047"
        },
        {
          "url": "https://git.kernel.org/stable/c/b24f65c184540dfb967479320ecf7e8c2e9220dc"
        },
        {
          "url": "https://git.kernel.org/stable/c/adf08c96b963c7cd7ec1ee1c0c556228d9bedaae"
        },
        {
          "url": "https://git.kernel.org/stable/c/5420de65efbeb6503bcf1d43451c9df67ad60298"
        },
        {
          "url": "https://git.kernel.org/stable/c/fcd9c923b58e86501450b9b442ccc7ce4a8d0fda"
        },
        {
          "url": "https://git.kernel.org/stable/c/602b4eb2f25668de15de69860ec99caf65b3684d"
        },
        {
          "url": "https://git.kernel.org/stable/c/74b1ec9f5d627d2bdd5e5b6f3f81c23317657023"
        }
      ],
      "title": "wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38513",
    "datePublished": "2025-08-16T10:55:00.254Z",
    "dateReserved": "2025-04-16T04:51:24.023Z",
    "dateUpdated": "2025-11-03T17:39:16.277Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21970 (GCVE-0-2025-21970)

Vulnerability from cvelistv5 – Published: 2025-04-01 15:47 – Updated: 2025-11-03 19:40

Title

net/mlx5: Bridge, fix the crash caused by LAG state check

Summary

In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Bridge, fix the crash caused by LAG state check When removing LAG device from bridge, NETDEV_CHANGEUPPER event is triggered. Driver finds the lower devices (PFs) to flush all the offloaded entries. And mlx5_lag_is_shared_fdb is checked, it returns false if one of PF is unloaded. In such case, mlx5_esw_bridge_lag_rep_get() and its caller return NULL, instead of the alive PF, and the flush is skipped. Besides, the bridge fdb entry's lastuse is updated in mlx5 bridge event handler. But this SWITCHDEV_FDB_ADD_TO_BRIDGE event can be ignored in this case because the upper interface for bond is deleted, and the entry will never be aged because lastuse is never updated. To make things worse, as the entry is alive, mlx5 bridge workqueue keeps sending that event, which is then handled by kernel bridge notifier. It causes the following crash when accessing the passed bond netdev which is already destroyed. To fix this issue, remove such checks. LAG state is already checked in commit 15f8f168952f ("net/mlx5: Bridge, verify LAG state when adding bond to bridge"), driver still need to skip offload if LAG becomes invalid state after initialization. Oops: stack segment: 0000 [#1] SMP CPU: 3 UID: 0 PID: 23695 Comm: kworker/u40:3 Tainted: G OE 6.11.0_mlnx #1 Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 Workqueue: mlx5_bridge_wq mlx5_esw_bridge_update_work [mlx5_core] RIP: 0010:br_switchdev_event+0x2c/0x110 [bridge] Code: 44 00 00 48 8b 02 48 f7 00 00 02 00 00 74 69 41 54 55 53 48 83 ec 08 48 8b a8 08 01 00 00 48 85 ed 74 4a 48 83 fe 02 48 89 d3 <4c> 8b 65 00 74 23 76 49 48 83 fe 05 74 7e 48 83 fe 06 75 2f 0f b7 RSP: 0018:ffffc900092cfda0 EFLAGS: 00010297 RAX: ffff888123bfe000 RBX: ffffc900092cfe08 RCX: 00000000ffffffff RDX: ffffc900092cfe08 RSI: 0000000000000001 RDI: ffffffffa0c585f0 RBP: 6669746f6e690a30 R08: 0000000000000000 R09: ffff888123ae92c8 R10: 0000000000000000 R11: fefefefefefefeff R12: ffff888123ae9c60 R13: 0000000000000001 R14: ffffc900092cfe08 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff88852c980000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f15914c8734 CR3: 0000000002830005 CR4: 0000000000770ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <TASK> ? __die_body+0x1a/0x60 ? die+0x38/0x60 ? do_trap+0x10b/0x120 ? do_error_trap+0x64/0xa0 ? exc_stack_segment+0x33/0x50 ? asm_exc_stack_segment+0x22/0x30 ? br_switchdev_event+0x2c/0x110 [bridge] ? sched_balance_newidle.isra.149+0x248/0x390 notifier_call_chain+0x4b/0xa0 atomic_notifier_call_chain+0x16/0x20 mlx5_esw_bridge_update+0xec/0x170 [mlx5_core] mlx5_esw_bridge_update_work+0x19/0x40 [mlx5_core] process_scheduled_works+0x81/0x390 worker_thread+0x106/0x250 ? bh_worker+0x110/0x110 kthread+0xb7/0xe0 ? kthread_park+0x80/0x80 ret_from_fork+0x2d/0x50 ? kthread_park+0x80/0x80 ret_from_fork_asm+0x11/0x20 </TASK>

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/f90c4d6572488e2ba…
	https://git.kernel.org/stable/c/86ff45f5f61ae1d0d…
	https://git.kernel.org/stable/c/bd7e3a42800743a77…
	https://git.kernel.org/stable/c/f7bf259a04271165a…
	https://git.kernel.org/stable/c/5dd8bf6ab1d6db40f…
	https://git.kernel.org/stable/c/4b8eeed4fb105770c…

Impacted products

Vendor

Product

Version

Linux

Affected: ff9b7521468bc2909293c1cda66a245a49688f6f , < f90c4d6572488e2bad38cca00f1c59174a538a1a (git)
Affected: ff9b7521468bc2909293c1cda66a245a49688f6f , < 86ff45f5f61ae1d0d17f0f6d8797b052eacfd8f1 (git)
Affected: ff9b7521468bc2909293c1cda66a245a49688f6f , < bd7e3a42800743a7748c83243e4cafc1b995d4c4 (git)
Affected: ff9b7521468bc2909293c1cda66a245a49688f6f , < f7bf259a04271165ae667ad21cfc60c6413f25ca (git)
Affected: ff9b7521468bc2909293c1cda66a245a49688f6f , < 5dd8bf6ab1d6db40f5d09603759fa88caec19e7f (git)
Affected: ff9b7521468bc2909293c1cda66a245a49688f6f , < 4b8eeed4fb105770ce6dc84a2c6ef953c7b71cbb (git)

Linux

Affected: 5.15
Unaffected: 0 , < 5.15 (semver)
Unaffected: 5.15.180 , ≤ 5.15.* (semver)
Unaffected: 6.1.132 , ≤ 6.1.* (semver)
Unaffected: 6.6.84 , ≤ 6.6.* (semver)
Unaffected: 6.12.20 , ≤ 6.12.* (semver)
Unaffected: 6.13.8 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:40:11.287Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/mellanox/mlx5/core/en/rep/bridge.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f90c4d6572488e2bad38cca00f1c59174a538a1a",
              "status": "affected",
              "version": "ff9b7521468bc2909293c1cda66a245a49688f6f",
              "versionType": "git"
            },
            {
              "lessThan": "86ff45f5f61ae1d0d17f0f6d8797b052eacfd8f1",
              "status": "affected",
              "version": "ff9b7521468bc2909293c1cda66a245a49688f6f",
              "versionType": "git"
            },
            {
              "lessThan": "bd7e3a42800743a7748c83243e4cafc1b995d4c4",
              "status": "affected",
              "version": "ff9b7521468bc2909293c1cda66a245a49688f6f",
              "versionType": "git"
            },
            {
              "lessThan": "f7bf259a04271165ae667ad21cfc60c6413f25ca",
              "status": "affected",
              "version": "ff9b7521468bc2909293c1cda66a245a49688f6f",
              "versionType": "git"
            },
            {
              "lessThan": "5dd8bf6ab1d6db40f5d09603759fa88caec19e7f",
              "status": "affected",
              "version": "ff9b7521468bc2909293c1cda66a245a49688f6f",
              "versionType": "git"
            },
            {
              "lessThan": "4b8eeed4fb105770ce6dc84a2c6ef953c7b71cbb",
              "status": "affected",
              "version": "ff9b7521468bc2909293c1cda66a245a49688f6f",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/mellanox/mlx5/core/en/rep/bridge.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.15"
            },
            {
              "lessThan": "5.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.180",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.132",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.84",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.20",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.180",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.132",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.84",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.20",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.8",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Bridge, fix the crash caused by LAG state check\n\nWhen removing LAG device from bridge, NETDEV_CHANGEUPPER event is\ntriggered. Driver finds the lower devices (PFs) to flush all the\noffloaded entries. And mlx5_lag_is_shared_fdb is checked, it returns\nfalse if one of PF is unloaded. In such case,\nmlx5_esw_bridge_lag_rep_get() and its caller return NULL, instead of\nthe alive PF, and the flush is skipped.\n\nBesides, the bridge fdb entry\u0027s lastuse is updated in mlx5 bridge\nevent handler. But this SWITCHDEV_FDB_ADD_TO_BRIDGE event can be\nignored in this case because the upper interface for bond is deleted,\nand the entry will never be aged because lastuse is never updated.\n\nTo make things worse, as the entry is alive, mlx5 bridge workqueue\nkeeps sending that event, which is then handled by kernel bridge\nnotifier. It causes the following crash when accessing the passed bond\nnetdev which is already destroyed.\n\nTo fix this issue, remove such checks. LAG state is already checked in\ncommit 15f8f168952f (\"net/mlx5: Bridge, verify LAG state when adding\nbond to bridge\"), driver still need to skip offload if LAG becomes\ninvalid state after initialization.\n\n Oops: stack segment: 0000 [#1] SMP\n CPU: 3 UID: 0 PID: 23695 Comm: kworker/u40:3 Tainted: G           OE      6.11.0_mlnx #1\n Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n Workqueue: mlx5_bridge_wq mlx5_esw_bridge_update_work [mlx5_core]\n RIP: 0010:br_switchdev_event+0x2c/0x110 [bridge]\n Code: 44 00 00 48 8b 02 48 f7 00 00 02 00 00 74 69 41 54 55 53 48 83 ec 08 48 8b a8 08 01 00 00 48 85 ed 74 4a 48 83 fe 02 48 89 d3 \u003c4c\u003e 8b 65 00 74 23 76 49 48 83 fe 05 74 7e 48 83 fe 06 75 2f 0f b7\n RSP: 0018:ffffc900092cfda0 EFLAGS: 00010297\n RAX: ffff888123bfe000 RBX: ffffc900092cfe08 RCX: 00000000ffffffff\n RDX: ffffc900092cfe08 RSI: 0000000000000001 RDI: ffffffffa0c585f0\n RBP: 6669746f6e690a30 R08: 0000000000000000 R09: ffff888123ae92c8\n R10: 0000000000000000 R11: fefefefefefefeff R12: ffff888123ae9c60\n R13: 0000000000000001 R14: ffffc900092cfe08 R15: 0000000000000000\n FS:  0000000000000000(0000) GS:ffff88852c980000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007f15914c8734 CR3: 0000000002830005 CR4: 0000000000770ef0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n PKRU: 55555554\n Call Trace:\n  \u003cTASK\u003e\n  ? __die_body+0x1a/0x60\n  ? die+0x38/0x60\n  ? do_trap+0x10b/0x120\n  ? do_error_trap+0x64/0xa0\n  ? exc_stack_segment+0x33/0x50\n  ? asm_exc_stack_segment+0x22/0x30\n  ? br_switchdev_event+0x2c/0x110 [bridge]\n  ? sched_balance_newidle.isra.149+0x248/0x390\n  notifier_call_chain+0x4b/0xa0\n  atomic_notifier_call_chain+0x16/0x20\n  mlx5_esw_bridge_update+0xec/0x170 [mlx5_core]\n  mlx5_esw_bridge_update_work+0x19/0x40 [mlx5_core]\n  process_scheduled_works+0x81/0x390\n  worker_thread+0x106/0x250\n  ? bh_worker+0x110/0x110\n  kthread+0xb7/0xe0\n  ? kthread_park+0x80/0x80\n  ret_from_fork+0x2d/0x50\n  ? kthread_park+0x80/0x80\n  ret_from_fork_asm+0x11/0x20\n  \u003c/TASK\u003e"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:26:02.649Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f90c4d6572488e2bad38cca00f1c59174a538a1a"
        },
        {
          "url": "https://git.kernel.org/stable/c/86ff45f5f61ae1d0d17f0f6d8797b052eacfd8f1"
        },
        {
          "url": "https://git.kernel.org/stable/c/bd7e3a42800743a7748c83243e4cafc1b995d4c4"
        },
        {
          "url": "https://git.kernel.org/stable/c/f7bf259a04271165ae667ad21cfc60c6413f25ca"
        },
        {
          "url": "https://git.kernel.org/stable/c/5dd8bf6ab1d6db40f5d09603759fa88caec19e7f"
        },
        {
          "url": "https://git.kernel.org/stable/c/4b8eeed4fb105770ce6dc84a2c6ef953c7b71cbb"
        }
      ],
      "title": "net/mlx5: Bridge, fix the crash caused by LAG state check",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21970",
    "datePublished": "2025-04-01T15:47:03.912Z",
    "dateReserved": "2024-12-29T08:45:45.797Z",
    "dateUpdated": "2025-11-03T19:40:11.287Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38292 (GCVE-0-2025-38292)

Vulnerability from cvelistv5 – Published: 2025-07-10 07:42 – Updated: 2025-07-28 04:17

Title

wifi: ath12k: fix invalid access to memory

Summary

In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix invalid access to memory In ath12k_dp_rx_msdu_coalesce(), rxcb is fetched from skb and boolean is_continuation is part of rxcb. Currently, after freeing the skb, the rxcb->is_continuation accessed again which is wrong since the memory is already freed. This might lead use-after-free error. Hence, fix by locally defining bool is_continuation from rxcb, so that after freeing skb, is_continuation can be used. Compile tested only.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/371b340affa52f280…
	https://git.kernel.org/stable/c/5f09d16cd57764c95…
	https://git.kernel.org/stable/c/9f17747fbda6fca93…

Impacted products

Vendor

Product

Version

Linux

Affected: d889913205cf7ebda905b1e62c5867ed4e39f6c2 , < 371b340affa52f280f6eadfd25fbd43f09f0d5c0 (git)
Affected: d889913205cf7ebda905b1e62c5867ed4e39f6c2 , < 5f09d16cd57764c95c8548fe5b70672c9ac01127 (git)
Affected: d889913205cf7ebda905b1e62c5867ed4e39f6c2 , < 9f17747fbda6fca934854463873c4abf8061491d (git)

Linux

Affected: 6.3
Unaffected: 0 , < 6.3 (semver)
Unaffected: 6.12.34 , ≤ 6.12.* (semver)
Unaffected: 6.15.3 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/ath/ath12k/dp_rx.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "371b340affa52f280f6eadfd25fbd43f09f0d5c0",
              "status": "affected",
              "version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
              "versionType": "git"
            },
            {
              "lessThan": "5f09d16cd57764c95c8548fe5b70672c9ac01127",
              "status": "affected",
              "version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
              "versionType": "git"
            },
            {
              "lessThan": "9f17747fbda6fca934854463873c4abf8061491d",
              "status": "affected",
              "version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/ath/ath12k/dp_rx.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.3"
            },
            {
              "lessThan": "6.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: fix invalid access to memory\n\nIn ath12k_dp_rx_msdu_coalesce(), rxcb is fetched from skb and boolean\nis_continuation is part of rxcb.\nCurrently, after freeing the skb, the rxcb-\u003eis_continuation accessed\nagain which is wrong since the memory is already freed.\nThis might lead use-after-free error.\n\nHence, fix by locally defining bool is_continuation from rxcb,\nso that after freeing skb, is_continuation can be used.\n\nCompile tested only."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:17:42.735Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/371b340affa52f280f6eadfd25fbd43f09f0d5c0"
        },
        {
          "url": "https://git.kernel.org/stable/c/5f09d16cd57764c95c8548fe5b70672c9ac01127"
        },
        {
          "url": "https://git.kernel.org/stable/c/9f17747fbda6fca934854463873c4abf8061491d"
        }
      ],
      "title": "wifi: ath12k: fix invalid access to memory",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38292",
    "datePublished": "2025-07-10T07:42:07.506Z",
    "dateReserved": "2025-04-16T04:51:24.001Z",
    "dateUpdated": "2025-07-28T04:17:42.735Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-37963 (GCVE-0-2025-37963)

Vulnerability from cvelistv5 – Published: 2025-05-20 16:01 – Updated: 2025-12-20 08:51

Title

arm64: bpf: Only mitigate cBPF programs loaded by unprivileged users

Summary

In the Linux kernel, the following vulnerability has been resolved: arm64: bpf: Only mitigate cBPF programs loaded by unprivileged users Support for eBPF programs loaded by unprivileged users is typically disabled. This means only cBPF programs need to be mitigated for BHB. In addition, only mitigate cBPF programs that were loaded by an unprivileged user. Privileged users can also load the same program via eBPF, making the mitigation pointless.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/038866e01ea5e5a3d…
	https://git.kernel.org/stable/c/df53d418709205450…
	https://git.kernel.org/stable/c/6e52d043f7dbf1839…
	https://git.kernel.org/stable/c/80251f62028f1ab2e…
	https://git.kernel.org/stable/c/e5f5100f1c64ac6c7…
	https://git.kernel.org/stable/c/477481c4348268136…
	https://git.kernel.org/stable/c/f300769ead032513a…

Impacted products

Vendor

Product

Version

Linux

Affected: 0be7320a635c2e434e8b67e0e9474a85ceb421c4 , < 038866e01ea5e5a3d948898ac216e531e7848669 (git)
Affected: 0be7320a635c2e434e8b67e0e9474a85ceb421c4 , < df53d418709205450a02bb4d71cbfb4ff86f2c1e (git)
Affected: 0be7320a635c2e434e8b67e0e9474a85ceb421c4 , < 6e52d043f7dbf1839a24a3fab2b12b0d3839de7a (git)
Affected: 0be7320a635c2e434e8b67e0e9474a85ceb421c4 , < 80251f62028f1ab2e09be5ca3123f84e8b00389a (git)
Affected: 0be7320a635c2e434e8b67e0e9474a85ceb421c4 , < e5f5100f1c64ac6c72671b2cf6b46542fce93706 (git)
Affected: 0be7320a635c2e434e8b67e0e9474a85ceb421c4 , < 477481c4348268136227348984b6699d6370b685 (git)
Affected: 0be7320a635c2e434e8b67e0e9474a85ceb421c4 , < f300769ead032513a68e4a02e806393402e626f8 (git)

Linux

Affected: 3.7
Unaffected: 0 , < 3.7 (semver)
Unaffected: 5.10.239 , ≤ 5.10.* (semver)
Unaffected: 5.15.186 , ≤ 5.15.* (semver)
Unaffected: 6.1.139 , ≤ 6.1.* (semver)
Unaffected: 6.6.91 , ≤ 6.6.* (semver)
Unaffected: 6.12.29 , ≤ 6.12.* (semver)
Unaffected: 6.14.7 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:57:48.402Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/arm64/net/bpf_jit_comp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "038866e01ea5e5a3d948898ac216e531e7848669",
              "status": "affected",
              "version": "0be7320a635c2e434e8b67e0e9474a85ceb421c4",
              "versionType": "git"
            },
            {
              "lessThan": "df53d418709205450a02bb4d71cbfb4ff86f2c1e",
              "status": "affected",
              "version": "0be7320a635c2e434e8b67e0e9474a85ceb421c4",
              "versionType": "git"
            },
            {
              "lessThan": "6e52d043f7dbf1839a24a3fab2b12b0d3839de7a",
              "status": "affected",
              "version": "0be7320a635c2e434e8b67e0e9474a85ceb421c4",
              "versionType": "git"
            },
            {
              "lessThan": "80251f62028f1ab2e09be5ca3123f84e8b00389a",
              "status": "affected",
              "version": "0be7320a635c2e434e8b67e0e9474a85ceb421c4",
              "versionType": "git"
            },
            {
              "lessThan": "e5f5100f1c64ac6c72671b2cf6b46542fce93706",
              "status": "affected",
              "version": "0be7320a635c2e434e8b67e0e9474a85ceb421c4",
              "versionType": "git"
            },
            {
              "lessThan": "477481c4348268136227348984b6699d6370b685",
              "status": "affected",
              "version": "0be7320a635c2e434e8b67e0e9474a85ceb421c4",
              "versionType": "git"
            },
            {
              "lessThan": "f300769ead032513a68e4a02e806393402e626f8",
              "status": "affected",
              "version": "0be7320a635c2e434e8b67e0e9474a85ceb421c4",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/arm64/net/bpf_jit_comp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.7"
            },
            {
              "lessThan": "3.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.139",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.91",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.29",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "3.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "3.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.139",
                  "versionStartIncluding": "3.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.91",
                  "versionStartIncluding": "3.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.29",
                  "versionStartIncluding": "3.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.7",
                  "versionStartIncluding": "3.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "3.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: bpf: Only mitigate cBPF programs loaded by unprivileged users\n\nSupport for eBPF programs loaded by unprivileged users is typically\ndisabled. This means only cBPF programs need to be mitigated for BHB.\n\nIn addition, only mitigate cBPF programs that were loaded by an\nunprivileged user. Privileged users can also load the same program\nvia eBPF, making the mitigation pointless."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-20T08:51:45.879Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/038866e01ea5e5a3d948898ac216e531e7848669"
        },
        {
          "url": "https://git.kernel.org/stable/c/df53d418709205450a02bb4d71cbfb4ff86f2c1e"
        },
        {
          "url": "https://git.kernel.org/stable/c/6e52d043f7dbf1839a24a3fab2b12b0d3839de7a"
        },
        {
          "url": "https://git.kernel.org/stable/c/80251f62028f1ab2e09be5ca3123f84e8b00389a"
        },
        {
          "url": "https://git.kernel.org/stable/c/e5f5100f1c64ac6c72671b2cf6b46542fce93706"
        },
        {
          "url": "https://git.kernel.org/stable/c/477481c4348268136227348984b6699d6370b685"
        },
        {
          "url": "https://git.kernel.org/stable/c/f300769ead032513a68e4a02e806393402e626f8"
        }
      ],
      "title": "arm64: bpf: Only mitigate cBPF programs loaded by unprivileged users",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37963",
    "datePublished": "2025-05-20T16:01:55.322Z",
    "dateReserved": "2025-04-16T04:51:23.974Z",
    "dateUpdated": "2025-12-20T08:51:45.879Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-26775 (GCVE-0-2024-26775)

Vulnerability from cvelistv5 – Published: 2024-04-03 17:01 – Updated: 2026-01-05 10:34

Title

aoe: avoid potential deadlock at set_capacity

Summary

In the Linux kernel, the following vulnerability has been resolved: aoe: avoid potential deadlock at set_capacity Move set_capacity() outside of the section procected by (&d->lock). To avoid possible interrupt unsafe locking scenario: CPU0 CPU1 ---- ---- [1] lock(&bdev->bd_size_lock); local_irq_disable(); [2] lock(&d->lock); [3] lock(&bdev->bd_size_lock); <Interrupt> [4] lock(&d->lock); *** DEADLOCK *** Where [1](&bdev->bd_size_lock) hold by zram_add()->set_capacity(). [2]lock(&d->lock) hold by aoeblk_gdalloc(). And aoeblk_gdalloc() is trying to acquire [3](&bdev->bd_size_lock) at set_capacity() call. In this situation an attempt to acquire [4]lock(&d->lock) from aoecmd_cfg_rsp() will lead to deadlock. So the simplest solution is breaking lock dependency [2](&d->lock) -> [3](&bdev->bd_size_lock) by moving set_capacity() outside.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/2499fa286fb010ceb…
	https://git.kernel.org/stable/c/2d623c94fbba3554f…
	https://git.kernel.org/stable/c/673629018ba049068…
	https://git.kernel.org/stable/c/19a77b27163820f79…
	https://git.kernel.org/stable/c/e169bd4fb2b36c4b2…

Impacted products

Vendor

Product

Version

Linux

Affected: a782483cc1f875355690625d8253a232f2581418 , < 2499fa286fb010ceb289950050199f33c26667b9 (git)
Affected: a782483cc1f875355690625d8253a232f2581418 , < 2d623c94fbba3554f4446ba6f3c764994e8b0d26 (git)
Affected: a782483cc1f875355690625d8253a232f2581418 , < 673629018ba04906899dcb631beec34d871f709c (git)
Affected: a782483cc1f875355690625d8253a232f2581418 , < 19a77b27163820f793b4d022979ffdca8f659b77 (git)
Affected: a782483cc1f875355690625d8253a232f2581418 , < e169bd4fb2b36c4b2bee63c35c740c85daeb2e86 (git)

Linux

Affected: 5.11
Unaffected: 0 , < 5.11 (semver)
Unaffected: 5.15.189 , ≤ 5.15.* (semver)
Unaffected: 6.1.80 , ≤ 6.1.* (semver)
Unaffected: 6.6.19 , ≤ 6.6.* (semver)
Unaffected: 6.7.7 , ≤ 6.7.* (semver)
Unaffected: 6.8 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:14:13.394Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/2d623c94fbba3554f4446ba6f3c764994e8b0d26"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/673629018ba04906899dcb631beec34d871f709c"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/19a77b27163820f793b4d022979ffdca8f659b77"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/e169bd4fb2b36c4b2bee63c35c740c85daeb2e86"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-26775",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T15:51:17.891108Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-11T17:33:55.155Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/block/aoe/aoeblk.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "2499fa286fb010ceb289950050199f33c26667b9",
              "status": "affected",
              "version": "a782483cc1f875355690625d8253a232f2581418",
              "versionType": "git"
            },
            {
              "lessThan": "2d623c94fbba3554f4446ba6f3c764994e8b0d26",
              "status": "affected",
              "version": "a782483cc1f875355690625d8253a232f2581418",
              "versionType": "git"
            },
            {
              "lessThan": "673629018ba04906899dcb631beec34d871f709c",
              "status": "affected",
              "version": "a782483cc1f875355690625d8253a232f2581418",
              "versionType": "git"
            },
            {
              "lessThan": "19a77b27163820f793b4d022979ffdca8f659b77",
              "status": "affected",
              "version": "a782483cc1f875355690625d8253a232f2581418",
              "versionType": "git"
            },
            {
              "lessThan": "e169bd4fb2b36c4b2bee63c35c740c85daeb2e86",
              "status": "affected",
              "version": "a782483cc1f875355690625d8253a232f2581418",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/block/aoe/aoeblk.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.11"
            },
            {
              "lessThan": "5.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.189",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.80",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.19",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.7.*",
              "status": "unaffected",
              "version": "6.7.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.8",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.189",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.80",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.19",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.7.7",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.8",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\naoe: avoid potential deadlock at set_capacity\n\nMove set_capacity() outside of the section procected by (\u0026d-\u003elock).\nTo avoid possible interrupt unsafe locking scenario:\n\n        CPU0                    CPU1\n        ----                    ----\n[1] lock(\u0026bdev-\u003ebd_size_lock);\n                                local_irq_disable();\n                            [2] lock(\u0026d-\u003elock);\n                            [3] lock(\u0026bdev-\u003ebd_size_lock);\n   \u003cInterrupt\u003e\n[4]  lock(\u0026d-\u003elock);\n\n  *** DEADLOCK ***\n\nWhere [1](\u0026bdev-\u003ebd_size_lock) hold by zram_add()-\u003eset_capacity().\n[2]lock(\u0026d-\u003elock) hold by aoeblk_gdalloc(). And aoeblk_gdalloc()\nis trying to acquire [3](\u0026bdev-\u003ebd_size_lock) at set_capacity() call.\nIn this situation an attempt to acquire [4]lock(\u0026d-\u003elock) from\naoecmd_cfg_rsp() will lead to deadlock.\n\nSo the simplest solution is breaking lock dependency\n[2](\u0026d-\u003elock) -\u003e [3](\u0026bdev-\u003ebd_size_lock) by moving set_capacity()\noutside."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-05T10:34:29.672Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/2499fa286fb010ceb289950050199f33c26667b9"
        },
        {
          "url": "https://git.kernel.org/stable/c/2d623c94fbba3554f4446ba6f3c764994e8b0d26"
        },
        {
          "url": "https://git.kernel.org/stable/c/673629018ba04906899dcb631beec34d871f709c"
        },
        {
          "url": "https://git.kernel.org/stable/c/19a77b27163820f793b4d022979ffdca8f659b77"
        },
        {
          "url": "https://git.kernel.org/stable/c/e169bd4fb2b36c4b2bee63c35c740c85daeb2e86"
        }
      ],
      "title": "aoe: avoid potential deadlock at set_capacity",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-26775",
    "datePublished": "2024-04-03T17:01:01.299Z",
    "dateReserved": "2024-02-19T14:20:24.176Z",
    "dateUpdated": "2026-01-05T10:34:29.672Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38350 (GCVE-0-2025-38350)

Vulnerability from cvelistv5 – Published: 2025-07-19 06:46 – Updated: 2025-11-03 17:37

Title

net/sched: Always pass notifications when child class becomes empty

Summary

In the Linux kernel, the following vulnerability has been resolved: net/sched: Always pass notifications when child class becomes empty Certain classful qdiscs may invoke their classes' dequeue handler on an enqueue operation. This may unexpectedly empty the child qdisc and thus make an in-flight class passive via qlen_notify(). Most qdiscs do not expect such behaviour at this point in time and may re-activate the class eventually anyways which will lead to a use-after-free. The referenced fix commit attempted to fix this behavior for the HFSC case by moving the backlog accounting around, though this turned out to be incomplete since the parent's parent may run into the issue too. The following reproducer demonstrates this use-after-free: tc qdisc add dev lo root handle 1: drr tc filter add dev lo parent 1: basic classid 1:1 tc class add dev lo parent 1: classid 1:1 drr tc qdisc add dev lo parent 1:1 handle 2: hfsc def 1 tc class add dev lo parent 2: classid 2:1 hfsc rt m1 8 d 1 m2 0 tc qdisc add dev lo parent 2:1 handle 3: netem tc qdisc add dev lo parent 3:1 handle 4: blackhole echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888 tc class delete dev lo classid 1:1 echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888 Since backlog accounting issues leading to a use-after-frees on stale class pointers is a recurring pattern at this point, this patch takes a different approach. Instead of trying to fix the accounting, the patch ensures that qdisc_tree_reduce_backlog always calls qlen_notify when the child qdisc is empty. This solves the problem because deletion of qdiscs always involves a call to qdisc_reset() and / or qdisc_purge_queue() which ultimately resets its qlen to 0 thus causing the following qdisc_tree_reduce_backlog() to report to the parent. Note that this may call qlen_notify on passive classes multiple times. This is not a problem after the recent patch series that made all the classful qdiscs qlen_notify() handlers idempotent.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/3b290923ad2b23596…
	https://git.kernel.org/stable/c/e9921b57dca05ac5f…
	https://git.kernel.org/stable/c/e269f29e9395527bc…
	https://git.kernel.org/stable/c/7874c9c132e906a52…
	https://git.kernel.org/stable/c/f680a4643c6f71e75…
	https://git.kernel.org/stable/c/a553afd91f55ff39b…
	https://git.kernel.org/stable/c/a44acdd9e84a21198…
	https://git.kernel.org/stable/c/103406b38c600fec1…

Impacted products

Vendor

Product

Version

Linux

Affected: 1034e3310752e8675e313f7271b348914008719a , < 3b290923ad2b23596208c1e29520badef4356a43 (git)
Affected: f9f593e34d2fb67644372c8f7b033bdc622ad228 , < e9921b57dca05ac5f4fa1fa8e993d4f0ee52e2b7 (git)
Affected: 89c301e929a0db14ebd94b4d97764ce1d6981653 , < e269f29e9395527bc00c213c6b15da04ebb35070 (git)
Affected: f1dde3eb17dc1b8bd07aed00004b1e05fc87a3d4 , < 7874c9c132e906a52a187d045995b115973c93fb (git)
Affected: 93c276942e75de0e5bc91576300d292e968f5a02 , < f680a4643c6f71e758d8fe0431a958e9a6a4f59d (git)
Affected: 49b21795b8e5654a7df3d910a12e1060da4c04cf , < a553afd91f55ff39b1e8a1c4989a29394c9e0472 (git)
Affected: 3f981138109f63232a5fb7165938d4c945cc1b9d , < a44acdd9e84a211989ff4b9b92bf3545d8456ad5 (git)
Affected: 3f981138109f63232a5fb7165938d4c945cc1b9d , < 103406b38c600fec1fe375a77b27d87e314aea09 (git)
Affected: 3f3a22eebbc32b4fa8ce9c1d5f9db214b45b9335 (git)

Linux

Affected: 6.15
Unaffected: 0 , < 6.15 (semver)
Unaffected: 5.4.296 , ≤ 5.4.* (semver)
Unaffected: 5.10.240 , ≤ 5.10.* (semver)
Unaffected: 5.15.187 , ≤ 5.15.* (semver)
Unaffected: 6.1.144 , ≤ 6.1.* (semver)
Unaffected: 6.6.97 , ≤ 6.6.* (semver)
Unaffected: 6.12.37 , ≤ 6.12.* (semver)
Unaffected: 6.15.6 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:37:00.889Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_api.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3b290923ad2b23596208c1e29520badef4356a43",
              "status": "affected",
              "version": "1034e3310752e8675e313f7271b348914008719a",
              "versionType": "git"
            },
            {
              "lessThan": "e9921b57dca05ac5f4fa1fa8e993d4f0ee52e2b7",
              "status": "affected",
              "version": "f9f593e34d2fb67644372c8f7b033bdc622ad228",
              "versionType": "git"
            },
            {
              "lessThan": "e269f29e9395527bc00c213c6b15da04ebb35070",
              "status": "affected",
              "version": "89c301e929a0db14ebd94b4d97764ce1d6981653",
              "versionType": "git"
            },
            {
              "lessThan": "7874c9c132e906a52a187d045995b115973c93fb",
              "status": "affected",
              "version": "f1dde3eb17dc1b8bd07aed00004b1e05fc87a3d4",
              "versionType": "git"
            },
            {
              "lessThan": "f680a4643c6f71e758d8fe0431a958e9a6a4f59d",
              "status": "affected",
              "version": "93c276942e75de0e5bc91576300d292e968f5a02",
              "versionType": "git"
            },
            {
              "lessThan": "a553afd91f55ff39b1e8a1c4989a29394c9e0472",
              "status": "affected",
              "version": "49b21795b8e5654a7df3d910a12e1060da4c04cf",
              "versionType": "git"
            },
            {
              "lessThan": "a44acdd9e84a211989ff4b9b92bf3545d8456ad5",
              "status": "affected",
              "version": "3f981138109f63232a5fb7165938d4c945cc1b9d",
              "versionType": "git"
            },
            {
              "lessThan": "103406b38c600fec1fe375a77b27d87e314aea09",
              "status": "affected",
              "version": "3f981138109f63232a5fb7165938d4c945cc1b9d",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "3f3a22eebbc32b4fa8ce9c1d5f9db214b45b9335",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_api.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.15"
            },
            {
              "lessThan": "6.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.296",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.240",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.187",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.144",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.97",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.37",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.296",
                  "versionStartIncluding": "5.4.294",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.240",
                  "versionStartIncluding": "5.10.238",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.187",
                  "versionStartIncluding": "5.15.185",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.144",
                  "versionStartIncluding": "6.1.141",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.97",
                  "versionStartIncluding": "6.6.93",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.37",
                  "versionStartIncluding": "6.12.31",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.6",
                  "versionStartIncluding": "6.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.14.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: Always pass notifications when child class becomes empty\n\nCertain classful qdiscs may invoke their classes\u0027 dequeue handler on an\nenqueue operation. This may unexpectedly empty the child qdisc and thus\nmake an in-flight class passive via qlen_notify(). Most qdiscs do not\nexpect such behaviour at this point in time and may re-activate the\nclass eventually anyways which will lead to a use-after-free.\n\nThe referenced fix commit attempted to fix this behavior for the HFSC\ncase by moving the backlog accounting around, though this turned out to\nbe incomplete since the parent\u0027s parent may run into the issue too.\nThe following reproducer demonstrates this use-after-free:\n\n    tc qdisc add dev lo root handle 1: drr\n    tc filter add dev lo parent 1: basic classid 1:1\n    tc class add dev lo parent 1: classid 1:1 drr\n    tc qdisc add dev lo parent 1:1 handle 2: hfsc def 1\n    tc class add dev lo parent 2: classid 2:1 hfsc rt m1 8 d 1 m2 0\n    tc qdisc add dev lo parent 2:1 handle 3: netem\n    tc qdisc add dev lo parent 3:1 handle 4: blackhole\n\n    echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888\n    tc class delete dev lo classid 1:1\n    echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888\n\nSince backlog accounting issues leading to a use-after-frees on stale\nclass pointers is a recurring pattern at this point, this patch takes\na different approach. Instead of trying to fix the accounting, the patch\nensures that qdisc_tree_reduce_backlog always calls qlen_notify when\nthe child qdisc is empty. This solves the problem because deletion of\nqdiscs always involves a call to qdisc_reset() and / or\nqdisc_purge_queue() which ultimately resets its qlen to 0 thus causing\nthe following qdisc_tree_reduce_backlog() to report to the parent. Note\nthat this may call qlen_notify on passive classes multiple times. This\nis not a problem after the recent patch series that made all the\nclassful qdiscs qlen_notify() handlers idempotent."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:19:38.148Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3b290923ad2b23596208c1e29520badef4356a43"
        },
        {
          "url": "https://git.kernel.org/stable/c/e9921b57dca05ac5f4fa1fa8e993d4f0ee52e2b7"
        },
        {
          "url": "https://git.kernel.org/stable/c/e269f29e9395527bc00c213c6b15da04ebb35070"
        },
        {
          "url": "https://git.kernel.org/stable/c/7874c9c132e906a52a187d045995b115973c93fb"
        },
        {
          "url": "https://git.kernel.org/stable/c/f680a4643c6f71e758d8fe0431a958e9a6a4f59d"
        },
        {
          "url": "https://git.kernel.org/stable/c/a553afd91f55ff39b1e8a1c4989a29394c9e0472"
        },
        {
          "url": "https://git.kernel.org/stable/c/a44acdd9e84a211989ff4b9b92bf3545d8456ad5"
        },
        {
          "url": "https://git.kernel.org/stable/c/103406b38c600fec1fe375a77b27d87e314aea09"
        }
      ],
      "title": "net/sched: Always pass notifications when child class becomes empty",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38350",
    "datePublished": "2025-07-19T06:46:29.849Z",
    "dateReserved": "2025-04-16T04:51:24.006Z",
    "dateUpdated": "2025-11-03T17:37:00.889Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21909 (GCVE-0-2025-21909)

Vulnerability from cvelistv5 – Published: 2025-04-01 15:40 – Updated: 2025-11-03 19:38

Title

wifi: nl80211: reject cooked mode if it is set along with other flags

Summary

In the Linux kernel, the following vulnerability has been resolved: wifi: nl80211: reject cooked mode if it is set along with other flags It is possible to set both MONITOR_FLAG_COOK_FRAMES and MONITOR_FLAG_ACTIVE flags simultaneously on the same monitor interface from the userspace. This causes a sub-interface to be created with no IEEE80211_SDATA_IN_DRIVER bit set because the monitor interface is in the cooked state and it takes precedence over all other states. When the interface is then being deleted the kernel calls WARN_ONCE() from check_sdata_in_driver() because of missing that bit. Fix this by rejecting MONITOR_FLAG_COOK_FRAMES if it is set along with other flags. Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/5ea856d93794c4afa…
	https://git.kernel.org/stable/c/351eb7ac53ff1cd94…
	https://git.kernel.org/stable/c/cd1bdcb77fdc03c25…
	https://git.kernel.org/stable/c/236f41ca728f23210…
	https://git.kernel.org/stable/c/ebebbb0eded2ed9a1…
	https://git.kernel.org/stable/c/521e55c2b0d602886…
	https://git.kernel.org/stable/c/ac4860141300581d3…
	https://git.kernel.org/stable/c/49f27f29446a5bfe6…

Impacted products

Vendor

Product

Version

Linux

Affected: 66f7ac50ed7cc5c19a62bc97e8f6e7891004a03a , < 5ea856d93794c4afa5542defd8c61f2708dc245a (git)
Affected: 66f7ac50ed7cc5c19a62bc97e8f6e7891004a03a , < 351eb7ac53ff1cd94d893c0c4534ced2f36ae7d7 (git)
Affected: 66f7ac50ed7cc5c19a62bc97e8f6e7891004a03a , < cd1bdcb77fdc03c253137e55bae10551b3481461 (git)
Affected: 66f7ac50ed7cc5c19a62bc97e8f6e7891004a03a , < 236f41ca728f23210b31ed2d1d8a6df575a4b2d6 (git)
Affected: 66f7ac50ed7cc5c19a62bc97e8f6e7891004a03a , < ebebbb0eded2ed9a1abfa31962f6fb699e6abce7 (git)
Affected: 66f7ac50ed7cc5c19a62bc97e8f6e7891004a03a , < 521e55c2b0d6028861ac0a2d06aa57bb0e3ac486 (git)
Affected: 66f7ac50ed7cc5c19a62bc97e8f6e7891004a03a , < ac4860141300581d3e2f6c6dafa37220f7ea9f65 (git)
Affected: 66f7ac50ed7cc5c19a62bc97e8f6e7891004a03a , < 49f27f29446a5bfe633dd2cc0cfebd48a1a5e77f (git)

Linux

Affected: 2.6.26
Unaffected: 0 , < 2.6.26 (semver)
Unaffected: 5.4.291 , ≤ 5.4.* (semver)
Unaffected: 5.10.235 , ≤ 5.10.* (semver)
Unaffected: 5.15.179 , ≤ 5.15.* (semver)
Unaffected: 6.1.131 , ≤ 6.1.* (semver)
Unaffected: 6.6.83 , ≤ 6.6.* (semver)
Unaffected: 6.12.19 , ≤ 6.12.* (semver)
Unaffected: 6.13.7 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:38:54.220Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/wireless/nl80211.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5ea856d93794c4afa5542defd8c61f2708dc245a",
              "status": "affected",
              "version": "66f7ac50ed7cc5c19a62bc97e8f6e7891004a03a",
              "versionType": "git"
            },
            {
              "lessThan": "351eb7ac53ff1cd94d893c0c4534ced2f36ae7d7",
              "status": "affected",
              "version": "66f7ac50ed7cc5c19a62bc97e8f6e7891004a03a",
              "versionType": "git"
            },
            {
              "lessThan": "cd1bdcb77fdc03c253137e55bae10551b3481461",
              "status": "affected",
              "version": "66f7ac50ed7cc5c19a62bc97e8f6e7891004a03a",
              "versionType": "git"
            },
            {
              "lessThan": "236f41ca728f23210b31ed2d1d8a6df575a4b2d6",
              "status": "affected",
              "version": "66f7ac50ed7cc5c19a62bc97e8f6e7891004a03a",
              "versionType": "git"
            },
            {
              "lessThan": "ebebbb0eded2ed9a1abfa31962f6fb699e6abce7",
              "status": "affected",
              "version": "66f7ac50ed7cc5c19a62bc97e8f6e7891004a03a",
              "versionType": "git"
            },
            {
              "lessThan": "521e55c2b0d6028861ac0a2d06aa57bb0e3ac486",
              "status": "affected",
              "version": "66f7ac50ed7cc5c19a62bc97e8f6e7891004a03a",
              "versionType": "git"
            },
            {
              "lessThan": "ac4860141300581d3e2f6c6dafa37220f7ea9f65",
              "status": "affected",
              "version": "66f7ac50ed7cc5c19a62bc97e8f6e7891004a03a",
              "versionType": "git"
            },
            {
              "lessThan": "49f27f29446a5bfe633dd2cc0cfebd48a1a5e77f",
              "status": "affected",
              "version": "66f7ac50ed7cc5c19a62bc97e8f6e7891004a03a",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/wireless/nl80211.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.26"
            },
            {
              "lessThan": "2.6.26",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.131",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.83",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.19",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "2.6.26",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "2.6.26",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "2.6.26",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.131",
                  "versionStartIncluding": "2.6.26",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.83",
                  "versionStartIncluding": "2.6.26",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.19",
                  "versionStartIncluding": "2.6.26",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.7",
                  "versionStartIncluding": "2.6.26",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "2.6.26",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: nl80211: reject cooked mode if it is set along with other flags\n\nIt is possible to set both MONITOR_FLAG_COOK_FRAMES and MONITOR_FLAG_ACTIVE\nflags simultaneously on the same monitor interface from the userspace. This\ncauses a sub-interface to be created with no IEEE80211_SDATA_IN_DRIVER bit\nset because the monitor interface is in the cooked state and it takes\nprecedence over all other states. When the interface is then being deleted\nthe kernel calls WARN_ONCE() from check_sdata_in_driver() because of missing\nthat bit.\n\nFix this by rejecting MONITOR_FLAG_COOK_FRAMES if it is set along with\nother flags.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:24:10.345Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/5ea856d93794c4afa5542defd8c61f2708dc245a"
        },
        {
          "url": "https://git.kernel.org/stable/c/351eb7ac53ff1cd94d893c0c4534ced2f36ae7d7"
        },
        {
          "url": "https://git.kernel.org/stable/c/cd1bdcb77fdc03c253137e55bae10551b3481461"
        },
        {
          "url": "https://git.kernel.org/stable/c/236f41ca728f23210b31ed2d1d8a6df575a4b2d6"
        },
        {
          "url": "https://git.kernel.org/stable/c/ebebbb0eded2ed9a1abfa31962f6fb699e6abce7"
        },
        {
          "url": "https://git.kernel.org/stable/c/521e55c2b0d6028861ac0a2d06aa57bb0e3ac486"
        },
        {
          "url": "https://git.kernel.org/stable/c/ac4860141300581d3e2f6c6dafa37220f7ea9f65"
        },
        {
          "url": "https://git.kernel.org/stable/c/49f27f29446a5bfe633dd2cc0cfebd48a1a5e77f"
        }
      ],
      "title": "wifi: nl80211: reject cooked mode if it is set along with other flags",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21909",
    "datePublished": "2025-04-01T15:40:48.680Z",
    "dateReserved": "2024-12-29T08:45:45.786Z",
    "dateUpdated": "2025-11-03T19:38:54.220Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38173 (GCVE-0-2025-38173)

Vulnerability from cvelistv5 – Published: 2025-07-03 08:36 – Updated: 2025-11-03 17:34

Title

crypto: marvell/cesa - Handle zero-length skcipher requests

Summary

In the Linux kernel, the following vulnerability has been resolved: crypto: marvell/cesa - Handle zero-length skcipher requests Do not access random memory for zero-length skcipher requests. Just return 0.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/32d3e8049a8b60f18…
	https://git.kernel.org/stable/c/c064ae2881d839709…
	https://git.kernel.org/stable/c/e1cc69da619588b14…
	https://git.kernel.org/stable/c/78ea1ff6cb413a03f…
	https://git.kernel.org/stable/c/5e9666ac8b94c9786…
	https://git.kernel.org/stable/c/7894694b5d5b2ecfd…
	https://git.kernel.org/stable/c/c9610dda42bd382a9…
	https://git.kernel.org/stable/c/8a4e047c6cc07676f…

Impacted products

Vendor

Product

Version

Linux

Affected: f63601fd616ab370774fa00ea10bcaaa9e48e84c , < 32d3e8049a8b60f18c5c39f5931bfb1130ac11c9 (git)
Affected: f63601fd616ab370774fa00ea10bcaaa9e48e84c , < c064ae2881d839709bd72d484d5f2af157f46024 (git)
Affected: f63601fd616ab370774fa00ea10bcaaa9e48e84c , < e1cc69da619588b1488689fe3535a0ba75a2b0e7 (git)
Affected: f63601fd616ab370774fa00ea10bcaaa9e48e84c , < 78ea1ff6cb413a03ff6f7af4e28e24b4461a0965 (git)
Affected: f63601fd616ab370774fa00ea10bcaaa9e48e84c , < 5e9666ac8b94c978690f937d59170c5237bd2c45 (git)
Affected: f63601fd616ab370774fa00ea10bcaaa9e48e84c , < 7894694b5d5b2ecfd7fb081d6f60b9e169ab4d13 (git)
Affected: f63601fd616ab370774fa00ea10bcaaa9e48e84c , < c9610dda42bd382a96f97e68825cb5f66cd9e1dc (git)
Affected: f63601fd616ab370774fa00ea10bcaaa9e48e84c , < 8a4e047c6cc07676f637608a9dd675349b5de0a7 (git)

Linux

Affected: 4.2
Unaffected: 0 , < 4.2 (semver)
Unaffected: 5.4.295 , ≤ 5.4.* (semver)
Unaffected: 5.10.239 , ≤ 5.10.* (semver)
Unaffected: 5.15.186 , ≤ 5.15.* (semver)
Unaffected: 6.1.142 , ≤ 6.1.* (semver)
Unaffected: 6.6.94 , ≤ 6.6.* (semver)
Unaffected: 6.12.34 , ≤ 6.12.* (semver)
Unaffected: 6.15.3 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:34:59.620Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/crypto/marvell/cesa/cipher.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "32d3e8049a8b60f18c5c39f5931bfb1130ac11c9",
              "status": "affected",
              "version": "f63601fd616ab370774fa00ea10bcaaa9e48e84c",
              "versionType": "git"
            },
            {
              "lessThan": "c064ae2881d839709bd72d484d5f2af157f46024",
              "status": "affected",
              "version": "f63601fd616ab370774fa00ea10bcaaa9e48e84c",
              "versionType": "git"
            },
            {
              "lessThan": "e1cc69da619588b1488689fe3535a0ba75a2b0e7",
              "status": "affected",
              "version": "f63601fd616ab370774fa00ea10bcaaa9e48e84c",
              "versionType": "git"
            },
            {
              "lessThan": "78ea1ff6cb413a03ff6f7af4e28e24b4461a0965",
              "status": "affected",
              "version": "f63601fd616ab370774fa00ea10bcaaa9e48e84c",
              "versionType": "git"
            },
            {
              "lessThan": "5e9666ac8b94c978690f937d59170c5237bd2c45",
              "status": "affected",
              "version": "f63601fd616ab370774fa00ea10bcaaa9e48e84c",
              "versionType": "git"
            },
            {
              "lessThan": "7894694b5d5b2ecfd7fb081d6f60b9e169ab4d13",
              "status": "affected",
              "version": "f63601fd616ab370774fa00ea10bcaaa9e48e84c",
              "versionType": "git"
            },
            {
              "lessThan": "c9610dda42bd382a96f97e68825cb5f66cd9e1dc",
              "status": "affected",
              "version": "f63601fd616ab370774fa00ea10bcaaa9e48e84c",
              "versionType": "git"
            },
            {
              "lessThan": "8a4e047c6cc07676f637608a9dd675349b5de0a7",
              "status": "affected",
              "version": "f63601fd616ab370774fa00ea10bcaaa9e48e84c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/crypto/marvell/cesa/cipher.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.2"
            },
            {
              "lessThan": "4.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.295",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.295",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.94",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: marvell/cesa - Handle zero-length skcipher requests\n\nDo not access random memory for zero-length skcipher requests.\nJust return 0."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:14:15.078Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/32d3e8049a8b60f18c5c39f5931bfb1130ac11c9"
        },
        {
          "url": "https://git.kernel.org/stable/c/c064ae2881d839709bd72d484d5f2af157f46024"
        },
        {
          "url": "https://git.kernel.org/stable/c/e1cc69da619588b1488689fe3535a0ba75a2b0e7"
        },
        {
          "url": "https://git.kernel.org/stable/c/78ea1ff6cb413a03ff6f7af4e28e24b4461a0965"
        },
        {
          "url": "https://git.kernel.org/stable/c/5e9666ac8b94c978690f937d59170c5237bd2c45"
        },
        {
          "url": "https://git.kernel.org/stable/c/7894694b5d5b2ecfd7fb081d6f60b9e169ab4d13"
        },
        {
          "url": "https://git.kernel.org/stable/c/c9610dda42bd382a96f97e68825cb5f66cd9e1dc"
        },
        {
          "url": "https://git.kernel.org/stable/c/8a4e047c6cc07676f637608a9dd675349b5de0a7"
        }
      ],
      "title": "crypto: marvell/cesa - Handle zero-length skcipher requests",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38173",
    "datePublished": "2025-07-03T08:36:10.969Z",
    "dateReserved": "2025-04-16T04:51:23.991Z",
    "dateUpdated": "2025-11-03T17:34:59.620Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21873 (GCVE-0-2025-21873)

Vulnerability from cvelistv5 – Published: 2025-03-27 14:57 – Updated: 2025-05-04 07:22

Title

scsi: ufs: core: bsg: Fix crash when arpmb command fails

Summary

In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: bsg: Fix crash when arpmb command fails If the device doesn't support arpmb we'll crash due to copying user data in bsg_transport_sg_io_fn(). In the case where ufs_bsg_exec_advanced_rpmb_req() returns an error, do not set the job's reply_len. Memory crash backtrace: 3,1290,531166405,-;ufshcd 0000:00:12.5: ARPMB OP failed: error code -22 4,1308,531166555,-;Call Trace: 4,1309,531166559,-; <TASK> 4,1310,531166565,-; ? show_regs+0x6d/0x80 4,1311,531166575,-; ? die+0x37/0xa0 4,1312,531166583,-; ? do_trap+0xd4/0xf0 4,1313,531166593,-; ? do_error_trap+0x71/0xb0 4,1314,531166601,-; ? usercopy_abort+0x6c/0x80 4,1315,531166610,-; ? exc_invalid_op+0x52/0x80 4,1316,531166622,-; ? usercopy_abort+0x6c/0x80 4,1317,531166630,-; ? asm_exc_invalid_op+0x1b/0x20 4,1318,531166643,-; ? usercopy_abort+0x6c/0x80 4,1319,531166652,-; __check_heap_object+0xe3/0x120 4,1320,531166661,-; check_heap_object+0x185/0x1d0 4,1321,531166670,-; __check_object_size.part.0+0x72/0x150 4,1322,531166679,-; __check_object_size+0x23/0x30 4,1323,531166688,-; bsg_transport_sg_io_fn+0x314/0x3b0

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/32fb5ec825f6f76bc…
	https://git.kernel.org/stable/c/59455f968c1004ed8…
	https://git.kernel.org/stable/c/7e3c96ff5c5f32069…
	https://git.kernel.org/stable/c/f27a95845b01e86d6…

Impacted products

Vendor

Product

Version

Linux

Affected: 6ff265fc5ef660499e0edc4641647e99eed3f519 , < 32fb5ec825f6f76bc28902181c65429a904a07fe (git)
Affected: 6ff265fc5ef660499e0edc4641647e99eed3f519 , < 59455f968c1004ed897ba873237657745d81ce0f (git)
Affected: 6ff265fc5ef660499e0edc4641647e99eed3f519 , < 7e3c96ff5c5f3206984ed077b2aa8c9b7c4e0327 (git)
Affected: 6ff265fc5ef660499e0edc4641647e99eed3f519 , < f27a95845b01e86d67c8b014b4f41bd3327daa63 (git)

Linux

Affected: 6.3
Unaffected: 0 , < 6.3 (semver)
Unaffected: 6.6.81 , ≤ 6.6.* (semver)
Unaffected: 6.12.18 , ≤ 6.12.* (semver)
Unaffected: 6.13.6 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/ufs/core/ufs_bsg.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "32fb5ec825f6f76bc28902181c65429a904a07fe",
              "status": "affected",
              "version": "6ff265fc5ef660499e0edc4641647e99eed3f519",
              "versionType": "git"
            },
            {
              "lessThan": "59455f968c1004ed897ba873237657745d81ce0f",
              "status": "affected",
              "version": "6ff265fc5ef660499e0edc4641647e99eed3f519",
              "versionType": "git"
            },
            {
              "lessThan": "7e3c96ff5c5f3206984ed077b2aa8c9b7c4e0327",
              "status": "affected",
              "version": "6ff265fc5ef660499e0edc4641647e99eed3f519",
              "versionType": "git"
            },
            {
              "lessThan": "f27a95845b01e86d67c8b014b4f41bd3327daa63",
              "status": "affected",
              "version": "6ff265fc5ef660499e0edc4641647e99eed3f519",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/ufs/core/ufs_bsg.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.3"
            },
            {
              "lessThan": "6.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.81",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.18",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.81",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.18",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.6",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: core: bsg: Fix crash when arpmb command fails\n\nIf the device doesn\u0027t support arpmb we\u0027ll crash due to copying user data in\nbsg_transport_sg_io_fn().\n\nIn the case where ufs_bsg_exec_advanced_rpmb_req() returns an error, do not\nset the job\u0027s reply_len.\n\nMemory crash backtrace:\n3,1290,531166405,-;ufshcd 0000:00:12.5: ARPMB OP failed: error code -22\n\n4,1308,531166555,-;Call Trace:\n\n4,1309,531166559,-; \u003cTASK\u003e\n\n4,1310,531166565,-; ? show_regs+0x6d/0x80\n\n4,1311,531166575,-; ? die+0x37/0xa0\n\n4,1312,531166583,-; ? do_trap+0xd4/0xf0\n\n4,1313,531166593,-; ? do_error_trap+0x71/0xb0\n\n4,1314,531166601,-; ? usercopy_abort+0x6c/0x80\n\n4,1315,531166610,-; ? exc_invalid_op+0x52/0x80\n\n4,1316,531166622,-; ? usercopy_abort+0x6c/0x80\n\n4,1317,531166630,-; ? asm_exc_invalid_op+0x1b/0x20\n\n4,1318,531166643,-; ? usercopy_abort+0x6c/0x80\n\n4,1319,531166652,-; __check_heap_object+0xe3/0x120\n\n4,1320,531166661,-; check_heap_object+0x185/0x1d0\n\n4,1321,531166670,-; __check_object_size.part.0+0x72/0x150\n\n4,1322,531166679,-; __check_object_size+0x23/0x30\n\n4,1323,531166688,-; bsg_transport_sg_io_fn+0x314/0x3b0"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:22:58.528Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/32fb5ec825f6f76bc28902181c65429a904a07fe"
        },
        {
          "url": "https://git.kernel.org/stable/c/59455f968c1004ed897ba873237657745d81ce0f"
        },
        {
          "url": "https://git.kernel.org/stable/c/7e3c96ff5c5f3206984ed077b2aa8c9b7c4e0327"
        },
        {
          "url": "https://git.kernel.org/stable/c/f27a95845b01e86d67c8b014b4f41bd3327daa63"
        }
      ],
      "title": "scsi: ufs: core: bsg: Fix crash when arpmb command fails",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21873",
    "datePublished": "2025-03-27T14:57:04.835Z",
    "dateReserved": "2024-12-29T08:45:45.781Z",
    "dateUpdated": "2025-05-04T07:22:58.528Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38059 (GCVE-0-2025-38059)

Vulnerability from cvelistv5 – Published: 2025-06-18 09:33 – Updated: 2025-09-03 12:59

Title

btrfs: avoid NULL pointer dereference if no valid csum tree

Summary

In the Linux kernel, the following vulnerability has been resolved: btrfs: avoid NULL pointer dereference if no valid csum tree [BUG] When trying read-only scrub on a btrfs with rescue=idatacsums mount option, it will crash with the following call trace: BUG: kernel NULL pointer dereference, address: 0000000000000208 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page CPU: 1 UID: 0 PID: 835 Comm: btrfs Tainted: G O 6.15.0-rc3-custom+ #236 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS unknown 02/02/2022 RIP: 0010:btrfs_lookup_csums_bitmap+0x49/0x480 [btrfs] Call Trace: <TASK> scrub_find_fill_first_stripe+0x35b/0x3d0 [btrfs] scrub_simple_mirror+0x175/0x290 [btrfs] scrub_stripe+0x5f7/0x6f0 [btrfs] scrub_chunk+0x9a/0x150 [btrfs] scrub_enumerate_chunks+0x333/0x660 [btrfs] btrfs_scrub_dev+0x23e/0x600 [btrfs] btrfs_ioctl+0x1dcf/0x2f80 [btrfs] __x64_sys_ioctl+0x97/0xc0 do_syscall_64+0x4f/0x120 entry_SYSCALL_64_after_hwframe+0x76/0x7e [CAUSE] Mount option "rescue=idatacsums" will completely skip loading the csum tree, so that any data read will not find any data csum thus we will ignore data checksum verification. Normally call sites utilizing csum tree will check the fs state flag NO_DATA_CSUMS bit, but unfortunately scrub does not check that bit at all. This results in scrub to call btrfs_search_slot() on a NULL pointer and triggered above crash. [FIX] Check both extent and csum tree root before doing any tree search.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/50d0de59f66cbe6d5…
	https://git.kernel.org/stable/c/6e9770de024964b10…
	https://git.kernel.org/stable/c/d35bed14b0bc95c68…
	https://git.kernel.org/stable/c/f95d186255b319c48…

Impacted products

Vendor

Product

Version

Linux

Affected: 74ef00185eb864252156022ff129b01549504175 , < 50d0de59f66cbe6d597481e099bf1c70fd07e0a9 (git)
Affected: 74ef00185eb864252156022ff129b01549504175 , < 6e9770de024964b1017f99ee94f71967bd6edaeb (git)
Affected: 74ef00185eb864252156022ff129b01549504175 , < d35bed14b0bc95c6845863a3744ecd10b888c830 (git)
Affected: 74ef00185eb864252156022ff129b01549504175 , < f95d186255b319c48a365d47b69bd997fecb674e (git)

Linux

Affected: 5.9
Unaffected: 0 , < 5.9 (semver)
Unaffected: 6.6.93 , ≤ 6.6.* (semver)
Unaffected: 6.12.31 , ≤ 6.12.* (semver)
Unaffected: 6.14.9 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/scrub.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "50d0de59f66cbe6d597481e099bf1c70fd07e0a9",
              "status": "affected",
              "version": "74ef00185eb864252156022ff129b01549504175",
              "versionType": "git"
            },
            {
              "lessThan": "6e9770de024964b1017f99ee94f71967bd6edaeb",
              "status": "affected",
              "version": "74ef00185eb864252156022ff129b01549504175",
              "versionType": "git"
            },
            {
              "lessThan": "d35bed14b0bc95c6845863a3744ecd10b888c830",
              "status": "affected",
              "version": "74ef00185eb864252156022ff129b01549504175",
              "versionType": "git"
            },
            {
              "lessThan": "f95d186255b319c48a365d47b69bd997fecb674e",
              "status": "affected",
              "version": "74ef00185eb864252156022ff129b01549504175",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/scrub.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.9"
            },
            {
              "lessThan": "5.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.93",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.31",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.93",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.31",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.9",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: avoid NULL pointer dereference if no valid csum tree\n\n[BUG]\nWhen trying read-only scrub on a btrfs with rescue=idatacsums mount\noption, it will crash with the following call trace:\n\n  BUG: kernel NULL pointer dereference, address: 0000000000000208\n  #PF: supervisor read access in kernel mode\n  #PF: error_code(0x0000) - not-present page\n  CPU: 1 UID: 0 PID: 835 Comm: btrfs Tainted: G           O        6.15.0-rc3-custom+ #236 PREEMPT(full)\n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS unknown 02/02/2022\n  RIP: 0010:btrfs_lookup_csums_bitmap+0x49/0x480 [btrfs]\n  Call Trace:\n   \u003cTASK\u003e\n   scrub_find_fill_first_stripe+0x35b/0x3d0 [btrfs]\n   scrub_simple_mirror+0x175/0x290 [btrfs]\n   scrub_stripe+0x5f7/0x6f0 [btrfs]\n   scrub_chunk+0x9a/0x150 [btrfs]\n   scrub_enumerate_chunks+0x333/0x660 [btrfs]\n   btrfs_scrub_dev+0x23e/0x600 [btrfs]\n   btrfs_ioctl+0x1dcf/0x2f80 [btrfs]\n   __x64_sys_ioctl+0x97/0xc0\n   do_syscall_64+0x4f/0x120\n   entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\n[CAUSE]\nMount option \"rescue=idatacsums\" will completely skip loading the csum\ntree, so that any data read will not find any data csum thus we will\nignore data checksum verification.\n\nNormally call sites utilizing csum tree will check the fs state flag\nNO_DATA_CSUMS bit, but unfortunately scrub does not check that bit at all.\n\nThis results in scrub to call btrfs_search_slot() on a NULL pointer\nand triggered above crash.\n\n[FIX]\nCheck both extent and csum tree root before doing any tree search."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-03T12:59:30.306Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/50d0de59f66cbe6d597481e099bf1c70fd07e0a9"
        },
        {
          "url": "https://git.kernel.org/stable/c/6e9770de024964b1017f99ee94f71967bd6edaeb"
        },
        {
          "url": "https://git.kernel.org/stable/c/d35bed14b0bc95c6845863a3744ecd10b888c830"
        },
        {
          "url": "https://git.kernel.org/stable/c/f95d186255b319c48a365d47b69bd997fecb674e"
        }
      ],
      "title": "btrfs: avoid NULL pointer dereference if no valid csum tree",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38059",
    "datePublished": "2025-06-18T09:33:38.943Z",
    "dateReserved": "2025-04-16T04:51:23.979Z",
    "dateUpdated": "2025-09-03T12:59:30.306Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38168 (GCVE-0-2025-38168)

Vulnerability from cvelistv5 – Published: 2025-07-03 08:36 – Updated: 2025-07-28 04:14

Title

perf: arm-ni: Unregister PMUs on probe failure

Summary

In the Linux kernel, the following vulnerability has been resolved: perf: arm-ni: Unregister PMUs on probe failure When a resource allocation fails in one clock domain of an NI device, we need to properly roll back all previously registered perf PMUs in other clock domains of the same device. Otherwise, it can lead to kernel panics. Calling arm_ni_init+0x0/0xff8 [arm_ni] @ 2374 arm-ni ARMHCB70:00: Failed to request PMU region 0x1f3c13000 arm-ni ARMHCB70:00: probe with driver arm-ni failed with error -16 list_add corruption: next->prev should be prev (fffffd01e9698a18), but was 0000000000000000. (next=ffff10001a0decc8). pstate: 6340009 (nZCv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--) pc : list_add_valid_or_report+0x7c/0xb8 lr : list_add_valid_or_report+0x7c/0xb8 Call trace: __list_add_valid_or_report+0x7c/0xb8 perf_pmu_register+0x22c/0x3a0 arm_ni_probe+0x554/0x70c [arm_ni] platform_probe+0x70/0xe8 really_probe+0xc6/0x4d8 driver_probe_device+0x48/0x170 __driver_attach+0x8e/0x1c0 bus_for_each_dev+0x64/0xf0 driver_add+0x138/0x260 bus_add_driver+0x68/0x138 __platform_driver_register+0x2c/0x40 arm_ni_init+0x14/0x2a [arm_ni] do_init_module+0x36/0x298 ---[ end trace 0000000000000000 ]--- Kernel panic - not syncing: Oops - BUG: Fatal exception SMP: stopping secondary CPUs

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/7e958e116e3be05a1…
	https://git.kernel.org/stable/c/72caf9886e9c1731c…
	https://git.kernel.org/stable/c/7f57afde6a44d9e04…

Impacted products

Vendor

Product

Version

Linux

Affected: 4d5a7680f2b4d0c2955e1d9f9a594b050d637436 , < 7e958e116e3be05a1f869b5a885fc5d674c7725f (git)
Affected: 4d5a7680f2b4d0c2955e1d9f9a594b050d637436 , < 72caf9886e9c1731cf7bfe3eabc308b9268b21d6 (git)
Affected: 4d5a7680f2b4d0c2955e1d9f9a594b050d637436 , < 7f57afde6a44d9e044885e1125034edd4fda02e8 (git)

Linux

Affected: 6.12
Unaffected: 0 , < 6.12 (semver)
Unaffected: 6.12.34 , ≤ 6.12.* (semver)
Unaffected: 6.15.3 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/perf/arm-ni.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "7e958e116e3be05a1f869b5a885fc5d674c7725f",
              "status": "affected",
              "version": "4d5a7680f2b4d0c2955e1d9f9a594b050d637436",
              "versionType": "git"
            },
            {
              "lessThan": "72caf9886e9c1731cf7bfe3eabc308b9268b21d6",
              "status": "affected",
              "version": "4d5a7680f2b4d0c2955e1d9f9a594b050d637436",
              "versionType": "git"
            },
            {
              "lessThan": "7f57afde6a44d9e044885e1125034edd4fda02e8",
              "status": "affected",
              "version": "4d5a7680f2b4d0c2955e1d9f9a594b050d637436",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/perf/arm-ni.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.12"
            },
            {
              "lessThan": "6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: arm-ni: Unregister PMUs on probe failure\n\nWhen a resource allocation fails in one clock domain of an NI device,\nwe need to properly roll back all previously registered perf PMUs in\nother clock domains of the same device.\n\nOtherwise, it can lead to kernel panics.\n\nCalling arm_ni_init+0x0/0xff8 [arm_ni] @ 2374\narm-ni ARMHCB70:00: Failed to request PMU region 0x1f3c13000\narm-ni ARMHCB70:00: probe with driver arm-ni failed with error -16\nlist_add corruption: next-\u003eprev should be prev (fffffd01e9698a18),\nbut was 0000000000000000. (next=ffff10001a0decc8).\npstate: 6340009 (nZCv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)\npc : list_add_valid_or_report+0x7c/0xb8\nlr : list_add_valid_or_report+0x7c/0xb8\nCall trace:\n __list_add_valid_or_report+0x7c/0xb8\n perf_pmu_register+0x22c/0x3a0\n arm_ni_probe+0x554/0x70c [arm_ni]\n platform_probe+0x70/0xe8\n really_probe+0xc6/0x4d8\n driver_probe_device+0x48/0x170\n __driver_attach+0x8e/0x1c0\n bus_for_each_dev+0x64/0xf0\n driver_add+0x138/0x260\n bus_add_driver+0x68/0x138\n __platform_driver_register+0x2c/0x40\n arm_ni_init+0x14/0x2a [arm_ni]\n do_init_module+0x36/0x298\n---[ end trace 0000000000000000 ]---\nKernel panic - not syncing: Oops - BUG: Fatal exception\nSMP: stopping secondary CPUs"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:14:03.385Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/7e958e116e3be05a1f869b5a885fc5d674c7725f"
        },
        {
          "url": "https://git.kernel.org/stable/c/72caf9886e9c1731cf7bfe3eabc308b9268b21d6"
        },
        {
          "url": "https://git.kernel.org/stable/c/7f57afde6a44d9e044885e1125034edd4fda02e8"
        }
      ],
      "title": "perf: arm-ni: Unregister PMUs on probe failure",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38168",
    "datePublished": "2025-07-03T08:36:07.620Z",
    "dateReserved": "2025-04-16T04:51:23.991Z",
    "dateUpdated": "2025-07-28T04:14:03.385Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21925 (GCVE-0-2025-21925)

Vulnerability from cvelistv5 – Published: 2025-04-01 15:40 – Updated: 2025-11-03 19:39

Title

llc: do not use skb_get() before dev_queue_xmit()

Summary

In the Linux kernel, the following vulnerability has been resolved: llc: do not use skb_get() before dev_queue_xmit() syzbot is able to crash hosts [1], using llc and devices not supporting IFF_TX_SKB_SHARING. In this case, e1000 driver calls eth_skb_pad(), while the skb is shared. Simply replace skb_get() by skb_clone() in net/llc/llc_s_ac.c Note that e1000 driver might have an issue with pktgen, because it does not clear IFF_TX_SKB_SHARING, this is an orthogonal change. We need to audit other skb_get() uses in net/llc. [1] kernel BUG at net/core/skbuff.c:2178 ! Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI CPU: 0 UID: 0 PID: 16371 Comm: syz.2.2764 Not tainted 6.14.0-rc4-syzkaller-00052-gac9c34d1e45a #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:pskb_expand_head+0x6ce/0x1240 net/core/skbuff.c:2178 Call Trace: <TASK> __skb_pad+0x18a/0x610 net/core/skbuff.c:2466 __skb_put_padto include/linux/skbuff.h:3843 [inline] skb_put_padto include/linux/skbuff.h:3862 [inline] eth_skb_pad include/linux/etherdevice.h:656 [inline] e1000_xmit_frame+0x2d99/0x5800 drivers/net/ethernet/intel/e1000/e1000_main.c:3128 __netdev_start_xmit include/linux/netdevice.h:5151 [inline] netdev_start_xmit include/linux/netdevice.h:5160 [inline] xmit_one net/core/dev.c:3806 [inline] dev_hard_start_xmit+0x9a/0x7b0 net/core/dev.c:3822 sch_direct_xmit+0x1ae/0xc30 net/sched/sch_generic.c:343 __dev_xmit_skb net/core/dev.c:4045 [inline] __dev_queue_xmit+0x13d4/0x43e0 net/core/dev.c:4621 dev_queue_xmit include/linux/netdevice.h:3313 [inline] llc_sap_action_send_test_c+0x268/0x320 net/llc/llc_s_ac.c:144 llc_exec_sap_trans_actions net/llc/llc_sap.c:153 [inline] llc_sap_next_state net/llc/llc_sap.c:182 [inline] llc_sap_state_process+0x239/0x510 net/llc/llc_sap.c:209 llc_ui_sendmsg+0xd0d/0x14e0 net/llc/af_llc.c:993 sock_sendmsg_nosec net/socket.c:718 [inline]

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/cd1c44327bbbd50fc…
	https://git.kernel.org/stable/c/13f3f872627f0f27c…
	https://git.kernel.org/stable/c/9b6f083db141ece00…
	https://git.kernel.org/stable/c/17f86e25431ebc15a…
	https://git.kernel.org/stable/c/416e8b4c20c639804…
	https://git.kernel.org/stable/c/0f764208dc24ea043…
	https://git.kernel.org/stable/c/056e8a46d79e22983…
	https://git.kernel.org/stable/c/64e6a754d33d31aa8…

Impacted products

Vendor

Product

Version

Linux

Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < cd1c44327bbbd50fc24f2b38892f5f328b784d0f (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 13f3f872627f0f27c31245524fc11367756240ad (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 9b6f083db141ece0024be01526aa05aa978811cb (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 17f86e25431ebc15aa9245ff156414fdad47822d (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 416e8b4c20c6398044e93008deefd563289f477d (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 0f764208dc24ea043c3e20194d32aebf94f8459c (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 056e8a46d79e22983bae4267e0d9c52927076f46 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 64e6a754d33d31aa844b3ee66fb93ac84ca1565e (git)

Linux

Affected: 2.6.12
Unaffected: 0 , < 2.6.12 (semver)
Unaffected: 5.4.291 , ≤ 5.4.* (semver)
Unaffected: 5.10.235 , ≤ 5.10.* (semver)
Unaffected: 5.15.179 , ≤ 5.15.* (semver)
Unaffected: 6.1.131 , ≤ 6.1.* (semver)
Unaffected: 6.6.83 , ≤ 6.6.* (semver)
Unaffected: 6.12.19 , ≤ 6.12.* (semver)
Unaffected: 6.13.7 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:39:20.756Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/llc/llc_s_ac.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "cd1c44327bbbd50fc24f2b38892f5f328b784d0f",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "13f3f872627f0f27c31245524fc11367756240ad",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "9b6f083db141ece0024be01526aa05aa978811cb",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "17f86e25431ebc15aa9245ff156414fdad47822d",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "416e8b4c20c6398044e93008deefd563289f477d",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "0f764208dc24ea043c3e20194d32aebf94f8459c",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "056e8a46d79e22983bae4267e0d9c52927076f46",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "64e6a754d33d31aa844b3ee66fb93ac84ca1565e",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/llc/llc_s_ac.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.131",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.83",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.19",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.131",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.83",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.19",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.7",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nllc: do not use skb_get() before dev_queue_xmit()\n\nsyzbot is able to crash hosts [1], using llc and devices\nnot supporting IFF_TX_SKB_SHARING.\n\nIn this case, e1000 driver calls eth_skb_pad(), while\nthe skb is shared.\n\nSimply replace skb_get() by skb_clone() in net/llc/llc_s_ac.c\n\nNote that e1000 driver might have an issue with pktgen,\nbecause it does not clear IFF_TX_SKB_SHARING, this is an\northogonal change.\n\nWe need to audit other skb_get() uses in net/llc.\n\n[1]\n\nkernel BUG at net/core/skbuff.c:2178 !\nOops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI\nCPU: 0 UID: 0 PID: 16371 Comm: syz.2.2764 Not tainted 6.14.0-rc4-syzkaller-00052-gac9c34d1e45a #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\n RIP: 0010:pskb_expand_head+0x6ce/0x1240 net/core/skbuff.c:2178\nCall Trace:\n \u003cTASK\u003e\n  __skb_pad+0x18a/0x610 net/core/skbuff.c:2466\n  __skb_put_padto include/linux/skbuff.h:3843 [inline]\n  skb_put_padto include/linux/skbuff.h:3862 [inline]\n  eth_skb_pad include/linux/etherdevice.h:656 [inline]\n  e1000_xmit_frame+0x2d99/0x5800 drivers/net/ethernet/intel/e1000/e1000_main.c:3128\n  __netdev_start_xmit include/linux/netdevice.h:5151 [inline]\n  netdev_start_xmit include/linux/netdevice.h:5160 [inline]\n  xmit_one net/core/dev.c:3806 [inline]\n  dev_hard_start_xmit+0x9a/0x7b0 net/core/dev.c:3822\n  sch_direct_xmit+0x1ae/0xc30 net/sched/sch_generic.c:343\n  __dev_xmit_skb net/core/dev.c:4045 [inline]\n  __dev_queue_xmit+0x13d4/0x43e0 net/core/dev.c:4621\n  dev_queue_xmit include/linux/netdevice.h:3313 [inline]\n  llc_sap_action_send_test_c+0x268/0x320 net/llc/llc_s_ac.c:144\n  llc_exec_sap_trans_actions net/llc/llc_sap.c:153 [inline]\n  llc_sap_next_state net/llc/llc_sap.c:182 [inline]\n  llc_sap_state_process+0x239/0x510 net/llc/llc_sap.c:209\n  llc_ui_sendmsg+0xd0d/0x14e0 net/llc/af_llc.c:993\n  sock_sendmsg_nosec net/socket.c:718 [inline]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:24:41.978Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/cd1c44327bbbd50fc24f2b38892f5f328b784d0f"
        },
        {
          "url": "https://git.kernel.org/stable/c/13f3f872627f0f27c31245524fc11367756240ad"
        },
        {
          "url": "https://git.kernel.org/stable/c/9b6f083db141ece0024be01526aa05aa978811cb"
        },
        {
          "url": "https://git.kernel.org/stable/c/17f86e25431ebc15aa9245ff156414fdad47822d"
        },
        {
          "url": "https://git.kernel.org/stable/c/416e8b4c20c6398044e93008deefd563289f477d"
        },
        {
          "url": "https://git.kernel.org/stable/c/0f764208dc24ea043c3e20194d32aebf94f8459c"
        },
        {
          "url": "https://git.kernel.org/stable/c/056e8a46d79e22983bae4267e0d9c52927076f46"
        },
        {
          "url": "https://git.kernel.org/stable/c/64e6a754d33d31aa844b3ee66fb93ac84ca1565e"
        }
      ],
      "title": "llc: do not use skb_get() before dev_queue_xmit()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21925",
    "datePublished": "2025-04-01T15:40:57.355Z",
    "dateReserved": "2024-12-29T08:45:45.788Z",
    "dateUpdated": "2025-11-03T19:39:20.756Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21956 (GCVE-0-2025-21956)

Vulnerability from cvelistv5 – Published: 2025-04-01 15:46 – Updated: 2025-11-03 19:39

Title

drm/amd/display: Assign normalized_pix_clk when color depth = 14

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Assign normalized_pix_clk when color depth = 14 [WHY & HOW] A warning message "WARNING: CPU: 4 PID: 459 at ... /dc_resource.c:3397 calculate_phy_pix_clks+0xef/0x100 [amdgpu]" occurs because the display_color_depth == COLOR_DEPTH_141414 is not handled. This is observed in Radeon RX 6600 XT. It is fixed by assigning pix_clk * (14 * 3) / 24 - same as the rests. Also fixes the indentation in get_norm_pix_clk. (cherry picked from commit 274a87eb389f58eddcbc5659ab0b180b37e92775)

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/cca3ab74f90176099…
	https://git.kernel.org/stable/c/0174a2e5770efee9d…
	https://git.kernel.org/stable/c/0c0016712e5dc23ce…
	https://git.kernel.org/stable/c/dc831b38680c47d07…
	https://git.kernel.org/stable/c/a8f77e1658d78e4a8…
	https://git.kernel.org/stable/c/04f90b505ad3a6eed…
	https://git.kernel.org/stable/c/27df30106690969f7…
	https://git.kernel.org/stable/c/79e31396fdd7037c5…

Impacted products

Vendor

Product

Version

Linux

Affected: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < cca3ab74f90176099b6392e8e894b52b27b3d080 (git)
Affected: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < 0174a2e5770efee9dbd4b58963ed4d939298ff5e (git)
Affected: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < 0c0016712e5dc23ce4a7e673cbebc24a535d8c8a (git)
Affected: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < dc831b38680c47d07e425871a9852109183895cf (git)
Affected: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < a8f77e1658d78e4a8bb227a83bcee67de97f7634 (git)
Affected: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < 04f90b505ad3a6eed474bbaa03167095fef5203a (git)
Affected: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < 27df30106690969f7d63604f0d49ed8e9bffa2cb (git)
Affected: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < 79e31396fdd7037c503e6add15af7cb00633ea92 (git)

Linux

Affected: 4.15
Unaffected: 0 , < 4.15 (semver)
Unaffected: 5.4.292 , ≤ 5.4.* (semver)
Unaffected: 5.10.236 , ≤ 5.10.* (semver)
Unaffected: 5.15.180 , ≤ 5.15.* (semver)
Unaffected: 6.1.132 , ≤ 6.1.* (semver)
Unaffected: 6.6.84 , ≤ 6.6.* (semver)
Unaffected: 6.12.20 , ≤ 6.12.* (semver)
Unaffected: 6.13.8 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:39:55.636Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/display/dc/core/dc_resource.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "cca3ab74f90176099b6392e8e894b52b27b3d080",
              "status": "affected",
              "version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
              "versionType": "git"
            },
            {
              "lessThan": "0174a2e5770efee9dbd4b58963ed4d939298ff5e",
              "status": "affected",
              "version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
              "versionType": "git"
            },
            {
              "lessThan": "0c0016712e5dc23ce4a7e673cbebc24a535d8c8a",
              "status": "affected",
              "version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
              "versionType": "git"
            },
            {
              "lessThan": "dc831b38680c47d07e425871a9852109183895cf",
              "status": "affected",
              "version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
              "versionType": "git"
            },
            {
              "lessThan": "a8f77e1658d78e4a8bb227a83bcee67de97f7634",
              "status": "affected",
              "version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
              "versionType": "git"
            },
            {
              "lessThan": "04f90b505ad3a6eed474bbaa03167095fef5203a",
              "status": "affected",
              "version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
              "versionType": "git"
            },
            {
              "lessThan": "27df30106690969f7d63604f0d49ed8e9bffa2cb",
              "status": "affected",
              "version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
              "versionType": "git"
            },
            {
              "lessThan": "79e31396fdd7037c503e6add15af7cb00633ea92",
              "status": "affected",
              "version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/display/dc/core/dc_resource.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.15"
            },
            {
              "lessThan": "4.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.292",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.236",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.180",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.132",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.84",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.20",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.292",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.236",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.180",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.132",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.84",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.20",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.8",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Assign normalized_pix_clk when color depth = 14\n\n[WHY \u0026 HOW]\nA warning message \"WARNING: CPU: 4 PID: 459 at ... /dc_resource.c:3397\ncalculate_phy_pix_clks+0xef/0x100 [amdgpu]\" occurs because the\ndisplay_color_depth == COLOR_DEPTH_141414 is not handled. This is\nobserved in Radeon RX 6600 XT.\n\nIt is fixed by assigning pix_clk * (14 * 3) / 24 - same as the rests.\n\nAlso fixes the indentation in get_norm_pix_clk.\n\n(cherry picked from commit 274a87eb389f58eddcbc5659ab0b180b37e92775)"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-11T17:21:38.773Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/cca3ab74f90176099b6392e8e894b52b27b3d080"
        },
        {
          "url": "https://git.kernel.org/stable/c/0174a2e5770efee9dbd4b58963ed4d939298ff5e"
        },
        {
          "url": "https://git.kernel.org/stable/c/0c0016712e5dc23ce4a7e673cbebc24a535d8c8a"
        },
        {
          "url": "https://git.kernel.org/stable/c/dc831b38680c47d07e425871a9852109183895cf"
        },
        {
          "url": "https://git.kernel.org/stable/c/a8f77e1658d78e4a8bb227a83bcee67de97f7634"
        },
        {
          "url": "https://git.kernel.org/stable/c/04f90b505ad3a6eed474bbaa03167095fef5203a"
        },
        {
          "url": "https://git.kernel.org/stable/c/27df30106690969f7d63604f0d49ed8e9bffa2cb"
        },
        {
          "url": "https://git.kernel.org/stable/c/79e31396fdd7037c503e6add15af7cb00633ea92"
        }
      ],
      "title": "drm/amd/display: Assign normalized_pix_clk when color depth = 14",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21956",
    "datePublished": "2025-04-01T15:46:56.219Z",
    "dateReserved": "2024-12-29T08:45:45.790Z",
    "dateUpdated": "2025-11-03T19:39:55.636Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38084 (GCVE-0-2025-38084)

Vulnerability from cvelistv5 – Published: 2025-06-28 07:44 – Updated: 2025-11-03 17:33

Title

mm/hugetlb: unshare page tables during VMA split, not before

Summary

In the Linux kernel, the following vulnerability has been resolved: mm/hugetlb: unshare page tables during VMA split, not before Currently, __split_vma() triggers hugetlb page table unsharing through vm_ops->may_split(). This happens before the VMA lock and rmap locks are taken - which is too early, it allows racing VMA-locked page faults in our process and racing rmap walks from other processes to cause page tables to be shared again before we actually perform the split. Fix it by explicitly calling into the hugetlb unshare logic from __split_vma() in the same place where THP splitting also happens. At that point, both the VMA and the rmap(s) are write-locked. An annoying detail is that we can now call into the helper hugetlb_unshare_pmds() from two different locking contexts: 1. from hugetlb_split(), holding: - mmap lock (exclusively) - VMA lock - file rmap lock (exclusively) 2. hugetlb_unshare_all_pmds(), which I think is designed to be able to call us with only the mmap lock held (in shared mode), but currently only runs while holding mmap lock (exclusively) and VMA lock Backporting note: This commit fixes a racy protection that was introduced in commit b30c14cd6102 ("hugetlb: unshare some PMDs when splitting VMAs"); that commit claimed to fix an issue introduced in 5.13, but it should actually also go all the way back. [jannh@google.com: v2]

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/e8847d18cd9fff1ed…
	https://git.kernel.org/stable/c/366298f2b04d2bf1f…
	https://git.kernel.org/stable/c/2511ac64bc1617ca7…
	https://git.kernel.org/stable/c/af6cfcd0efb7f051a…
	https://git.kernel.org/stable/c/9cf5b2a3b72c23fb7…
	https://git.kernel.org/stable/c/8a21d5584826f4880…
	https://git.kernel.org/stable/c/081056dc00a27bccb…
	https://project-zero.issues.chromium.org/issues/4…

Impacted products

Vendor

Product

Version

Linux

Affected: 39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa , < e8847d18cd9fff1edbb45e963d9141273c3b539c (git)
Affected: 39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa , < 366298f2b04d2bf1f2f2b7078405bdf9df9bd5d0 (git)
Affected: 39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa , < 2511ac64bc1617ca716d3ba8464e481a647c1902 (git)
Affected: 39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa , < af6cfcd0efb7f051af221c418ec8b37a10211947 (git)
Affected: 39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa , < 9cf5b2a3b72c23fb7b84736d5d19ee6ea718762b (git)
Affected: 39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa , < 8a21d5584826f4880f45bbf8f72375f4e6c0ff2a (git)
Affected: 39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa , < 081056dc00a27bccb55ccc3c6f230a3d5fd3f7e0 (git)

Linux

Affected: 2.6.20
Unaffected: 0 , < 2.6.20 (semver)
Unaffected: 5.10.239 , ≤ 5.10.* (semver)
Unaffected: 5.15.186 , ≤ 5.15.* (semver)
Unaffected: 6.1.142 , ≤ 6.1.* (semver)
Unaffected: 6.6.95 , ≤ 6.6.* (semver)
Unaffected: 6.12.35 , ≤ 6.12.* (semver)
Unaffected: 6.15.4 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:33:52.441Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/linux/hugetlb.h",
            "mm/hugetlb.c",
            "mm/vma.c",
            "tools/testing/vma/vma_internal.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e8847d18cd9fff1edbb45e963d9141273c3b539c",
              "status": "affected",
              "version": "39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa",
              "versionType": "git"
            },
            {
              "lessThan": "366298f2b04d2bf1f2f2b7078405bdf9df9bd5d0",
              "status": "affected",
              "version": "39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa",
              "versionType": "git"
            },
            {
              "lessThan": "2511ac64bc1617ca716d3ba8464e481a647c1902",
              "status": "affected",
              "version": "39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa",
              "versionType": "git"
            },
            {
              "lessThan": "af6cfcd0efb7f051af221c418ec8b37a10211947",
              "status": "affected",
              "version": "39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa",
              "versionType": "git"
            },
            {
              "lessThan": "9cf5b2a3b72c23fb7b84736d5d19ee6ea718762b",
              "status": "affected",
              "version": "39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa",
              "versionType": "git"
            },
            {
              "lessThan": "8a21d5584826f4880f45bbf8f72375f4e6c0ff2a",
              "status": "affected",
              "version": "39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa",
              "versionType": "git"
            },
            {
              "lessThan": "081056dc00a27bccb55ccc3c6f230a3d5fd3f7e0",
              "status": "affected",
              "version": "39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/linux/hugetlb.h",
            "mm/hugetlb.c",
            "mm/vma.c",
            "tools/testing/vma/vma_internal.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.20"
            },
            {
              "lessThan": "2.6.20",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.95",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.35",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "2.6.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "2.6.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "2.6.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.95",
                  "versionStartIncluding": "2.6.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.35",
                  "versionStartIncluding": "2.6.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.4",
                  "versionStartIncluding": "2.6.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "2.6.20",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/hugetlb: unshare page tables during VMA split, not before\n\nCurrently, __split_vma() triggers hugetlb page table unsharing through\nvm_ops-\u003emay_split().  This happens before the VMA lock and rmap locks are\ntaken - which is too early, it allows racing VMA-locked page faults in our\nprocess and racing rmap walks from other processes to cause page tables to\nbe shared again before we actually perform the split.\n\nFix it by explicitly calling into the hugetlb unshare logic from\n__split_vma() in the same place where THP splitting also happens.  At that\npoint, both the VMA and the rmap(s) are write-locked.\n\nAn annoying detail is that we can now call into the helper\nhugetlb_unshare_pmds() from two different locking contexts:\n\n1. from hugetlb_split(), holding:\n    - mmap lock (exclusively)\n    - VMA lock\n    - file rmap lock (exclusively)\n2. hugetlb_unshare_all_pmds(), which I think is designed to be able to\n   call us with only the mmap lock held (in shared mode), but currently\n   only runs while holding mmap lock (exclusively) and VMA lock\n\nBackporting note:\nThis commit fixes a racy protection that was introduced in commit\nb30c14cd6102 (\"hugetlb: unshare some PMDs when splitting VMAs\"); that\ncommit claimed to fix an issue introduced in 5.13, but it should actually\nalso go all the way back.\n\n[jannh@google.com: v2]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-30T05:58:56.193Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e8847d18cd9fff1edbb45e963d9141273c3b539c"
        },
        {
          "url": "https://git.kernel.org/stable/c/366298f2b04d2bf1f2f2b7078405bdf9df9bd5d0"
        },
        {
          "url": "https://git.kernel.org/stable/c/2511ac64bc1617ca716d3ba8464e481a647c1902"
        },
        {
          "url": "https://git.kernel.org/stable/c/af6cfcd0efb7f051af221c418ec8b37a10211947"
        },
        {
          "url": "https://git.kernel.org/stable/c/9cf5b2a3b72c23fb7b84736d5d19ee6ea718762b"
        },
        {
          "url": "https://git.kernel.org/stable/c/8a21d5584826f4880f45bbf8f72375f4e6c0ff2a"
        },
        {
          "url": "https://git.kernel.org/stable/c/081056dc00a27bccb55ccc3c6f230a3d5fd3f7e0"
        },
        {
          "url": "https://project-zero.issues.chromium.org/issues/420715744"
        }
      ],
      "title": "mm/hugetlb: unshare page tables during VMA split, not before",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38084",
    "datePublished": "2025-06-28T07:44:25.379Z",
    "dateReserved": "2025-04-16T04:51:23.981Z",
    "dateUpdated": "2025-11-03T17:33:52.441Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38116 (GCVE-0-2025-38116)

Vulnerability from cvelistv5 – Published: 2025-07-03 08:35 – Updated: 2025-07-28 04:12

Title

wifi: ath12k: fix uaf in ath12k_core_init()

Summary

In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix uaf in ath12k_core_init() When the execution of ath12k_core_hw_group_assign() or ath12k_core_hw_group_create() fails, the registered notifier chain is not unregistered properly. Its memory is freed after rmmod, which may trigger to a use-after-free (UAF) issue if there is a subsequent access to this notifier chain. Fixes the issue by calling ath12k_core_panic_notifier_unregister() in failure cases. Call trace: notifier_chain_register+0x4c/0x1f0 (P) atomic_notifier_chain_register+0x38/0x68 ath12k_core_init+0x50/0x4e8 [ath12k] ath12k_pci_probe+0x5f8/0xc28 [ath12k] pci_device_probe+0xbc/0x1a8 really_probe+0xc8/0x3a0 __driver_probe_device+0x84/0x1b0 driver_probe_device+0x44/0x130 __driver_attach+0xcc/0x208 bus_for_each_dev+0x84/0x100 driver_attach+0x2c/0x40 bus_add_driver+0x130/0x260 driver_register+0x70/0x138 __pci_register_driver+0x68/0x80 ath12k_pci_init+0x30/0x68 [ath12k] ath12k_init+0x28/0x78 [ath12k] Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/65e1b3404c211dcfa…
	https://git.kernel.org/stable/c/f3fe49dbddd73f015…

Impacted products

Vendor

Product

Version

Linux

Affected: 6f245ea0ec6c29b90c8fa4fdf6e178c646125d7e , < 65e1b3404c211dcfaea02698539cdcd26647130f (git)
Affected: 6f245ea0ec6c29b90c8fa4fdf6e178c646125d7e , < f3fe49dbddd73f0155a8935af47cb63693069dbe (git)

Linux

Affected: 6.14
Unaffected: 0 , < 6.14 (semver)
Unaffected: 6.15.3 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/ath/ath12k/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "65e1b3404c211dcfaea02698539cdcd26647130f",
              "status": "affected",
              "version": "6f245ea0ec6c29b90c8fa4fdf6e178c646125d7e",
              "versionType": "git"
            },
            {
              "lessThan": "f3fe49dbddd73f0155a8935af47cb63693069dbe",
              "status": "affected",
              "version": "6f245ea0ec6c29b90c8fa4fdf6e178c646125d7e",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/ath/ath12k/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.14"
            },
            {
              "lessThan": "6.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: fix uaf in ath12k_core_init()\n\nWhen the execution of ath12k_core_hw_group_assign() or\nath12k_core_hw_group_create() fails, the registered notifier chain is not\nunregistered properly. Its memory is freed after rmmod, which may trigger\nto a use-after-free (UAF) issue if there is a subsequent access to this\nnotifier chain.\n\nFixes the issue by calling ath12k_core_panic_notifier_unregister() in\nfailure cases.\n\nCall trace:\n notifier_chain_register+0x4c/0x1f0 (P)\n atomic_notifier_chain_register+0x38/0x68\n ath12k_core_init+0x50/0x4e8 [ath12k]\n ath12k_pci_probe+0x5f8/0xc28 [ath12k]\n pci_device_probe+0xbc/0x1a8\n really_probe+0xc8/0x3a0\n __driver_probe_device+0x84/0x1b0\n driver_probe_device+0x44/0x130\n __driver_attach+0xcc/0x208\n bus_for_each_dev+0x84/0x100\n driver_attach+0x2c/0x40\n bus_add_driver+0x130/0x260\n driver_register+0x70/0x138\n __pci_register_driver+0x68/0x80\n ath12k_pci_init+0x30/0x68 [ath12k]\n ath12k_init+0x28/0x78 [ath12k]\n\nTested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:12:34.607Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/65e1b3404c211dcfaea02698539cdcd26647130f"
        },
        {
          "url": "https://git.kernel.org/stable/c/f3fe49dbddd73f0155a8935af47cb63693069dbe"
        }
      ],
      "title": "wifi: ath12k: fix uaf in ath12k_core_init()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38116",
    "datePublished": "2025-07-03T08:35:24.413Z",
    "dateReserved": "2025-04-16T04:51:23.986Z",
    "dateUpdated": "2025-07-28T04:12:34.607Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38132 (GCVE-0-2025-38132)

Vulnerability from cvelistv5 – Published: 2025-07-03 08:35 – Updated: 2025-07-28 04:13

Title

coresight: holding cscfg_csdev_lock while removing cscfg from csdev

Summary

In the Linux kernel, the following vulnerability has been resolved: coresight: holding cscfg_csdev_lock while removing cscfg from csdev There'll be possible race scenario for coresight config: CPU0 CPU1 (perf enable) load module cscfg_load_config_sets() activate config. // sysfs (sys_active_cnt == 1) ... cscfg_csdev_enable_active_config() lock(csdev->cscfg_csdev_lock) deactivate config // sysfs (sys_activec_cnt == 0) cscfg_unload_config_sets() <iterating config_csdev_list> cscfg_remove_owned_csdev_configs() // here load config activate by CPU1 unlock(csdev->cscfg_csdev_lock) iterating config_csdev_list could be raced with config_csdev_list's entry delete. To resolve this race , hold csdev->cscfg_csdev_lock() while cscfg_remove_owned_csdev_configs()

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/42f8afb0b161631fd…
	https://git.kernel.org/stable/c/53b9e2659719b04f5…

Impacted products

Vendor

Product

Version

Linux

Affected: 02bd588e12df405bdf55244708151b7f238b79ba , < 42f8afb0b161631fd1d814d017f75f955475ad41 (git)
Affected: 02bd588e12df405bdf55244708151b7f238b79ba , < 53b9e2659719b04f5ba7593f2af0f2335f75e94a (git)

Linux

Affected: 5.17
Unaffected: 0 , < 5.17 (semver)
Unaffected: 6.15.3 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/hwtracing/coresight/coresight-syscfg.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "42f8afb0b161631fd1d814d017f75f955475ad41",
              "status": "affected",
              "version": "02bd588e12df405bdf55244708151b7f238b79ba",
              "versionType": "git"
            },
            {
              "lessThan": "53b9e2659719b04f5ba7593f2af0f2335f75e94a",
              "status": "affected",
              "version": "02bd588e12df405bdf55244708151b7f238b79ba",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/hwtracing/coresight/coresight-syscfg.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.17"
            },
            {
              "lessThan": "5.17",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "5.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.17",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncoresight: holding cscfg_csdev_lock while removing cscfg from csdev\n\nThere\u0027ll be possible race scenario for coresight config:\n\nCPU0                                          CPU1\n(perf enable)                                 load module\n                                              cscfg_load_config_sets()\n                                              activate config. // sysfs\n                                              (sys_active_cnt == 1)\n...\ncscfg_csdev_enable_active_config()\n  lock(csdev-\u003ecscfg_csdev_lock)\n                                              deactivate config // sysfs\n                                              (sys_activec_cnt == 0)\n                                              cscfg_unload_config_sets()\n  \u003citerating config_csdev_list\u003e               cscfg_remove_owned_csdev_configs()\n  // here load config activate by CPU1\n  unlock(csdev-\u003ecscfg_csdev_lock)\n\niterating config_csdev_list could be raced with config_csdev_list\u0027s\nentry delete.\n\nTo resolve this race , hold csdev-\u003ecscfg_csdev_lock() while\ncscfg_remove_owned_csdev_configs()"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:13:02.340Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/42f8afb0b161631fd1d814d017f75f955475ad41"
        },
        {
          "url": "https://git.kernel.org/stable/c/53b9e2659719b04f5ba7593f2af0f2335f75e94a"
        }
      ],
      "title": "coresight: holding cscfg_csdev_lock while removing cscfg from csdev",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38132",
    "datePublished": "2025-07-03T08:35:35.695Z",
    "dateReserved": "2025-04-16T04:51:23.987Z",
    "dateUpdated": "2025-07-28T04:13:02.340Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38078 (GCVE-0-2025-38078)

Vulnerability from cvelistv5 – Published: 2025-06-18 09:33 – Updated: 2026-01-02 15:30

Title

ALSA: pcm: Fix race of buffer access at PCM OSS layer

Summary

In the Linux kernel, the following vulnerability has been resolved: ALSA: pcm: Fix race of buffer access at PCM OSS layer The PCM OSS layer tries to clear the buffer with the silence data at initialization (or reconfiguration) of a stream with the explicit call of snd_pcm_format_set_silence() with runtime->dma_area. But this may lead to a UAF because the accessed runtime->dma_area might be freed concurrently, as it's performed outside the PCM ops. For avoiding it, move the code into the PCM core and perform it inside the buffer access lock, so that it won't be changed during the operation.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/c0e05a76fc7279295…
	https://git.kernel.org/stable/c/8170d8ec4efd0be35…
	https://git.kernel.org/stable/c/10217da9644ae75ce…
	https://git.kernel.org/stable/c/f3e14d706ec18faf1…
	https://git.kernel.org/stable/c/74d90875f3d43f3ef…
	https://git.kernel.org/stable/c/bf85e49aaf3a3c577…
	https://git.kernel.org/stable/c/afa56c960fcb4db37…
	https://git.kernel.org/stable/c/93a81ca0657758b60…

Impacted products

Vendor

Product

Version

Linux

Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < c0e05a76fc727929524ef24a19c302e6dd40233f (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 8170d8ec4efd0be352c14cb61f374e30fb0c2a25 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 10217da9644ae75cea7330f902c35fc5ba78bbbf (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f3e14d706ec18faf19f5a6e75060e140fea05d4a (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 74d90875f3d43f3eff0e9861c4701418795d3455 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < bf85e49aaf3a3c5775ea87369ea5f159c2148db4 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < afa56c960fcb4db37f2e3399f28e9402e4e1f470 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 93a81ca0657758b607c3f4ba889ae806be9beb73 (git)

Linux

Affected: 2.6.12
Unaffected: 0 , < 2.6.12 (semver)
Unaffected: 5.4.294 , ≤ 5.4.* (semver)
Unaffected: 5.10.238 , ≤ 5.10.* (semver)
Unaffected: 5.15.185 , ≤ 5.15.* (semver)
Unaffected: 6.1.141 , ≤ 6.1.* (semver)
Unaffected: 6.6.93 , ≤ 6.6.* (semver)
Unaffected: 6.12.31 , ≤ 6.12.* (semver)
Unaffected: 6.14.9 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:33:46.827Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/sound/pcm.h",
            "sound/core/oss/pcm_oss.c",
            "sound/core/pcm_native.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c0e05a76fc727929524ef24a19c302e6dd40233f",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "8170d8ec4efd0be352c14cb61f374e30fb0c2a25",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "10217da9644ae75cea7330f902c35fc5ba78bbbf",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "f3e14d706ec18faf19f5a6e75060e140fea05d4a",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "74d90875f3d43f3eff0e9861c4701418795d3455",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "bf85e49aaf3a3c5775ea87369ea5f159c2148db4",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "afa56c960fcb4db37f2e3399f28e9402e4e1f470",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "93a81ca0657758b607c3f4ba889ae806be9beb73",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/sound/pcm.h",
            "sound/core/oss/pcm_oss.c",
            "sound/core/pcm_native.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.294",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.238",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.185",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.141",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.93",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.31",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.294",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.238",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.185",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.141",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.93",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.31",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.9",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: pcm: Fix race of buffer access at PCM OSS layer\n\nThe PCM OSS layer tries to clear the buffer with the silence data at\ninitialization (or reconfiguration) of a stream with the explicit call\nof snd_pcm_format_set_silence() with runtime-\u003edma_area.  But this may\nlead to a UAF because the accessed runtime-\u003edma_area might be freed\nconcurrently, as it\u0027s performed outside the PCM ops.\n\nFor avoiding it, move the code into the PCM core and perform it inside\nthe buffer access lock, so that it won\u0027t be changed during the\noperation."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:30:06.526Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c0e05a76fc727929524ef24a19c302e6dd40233f"
        },
        {
          "url": "https://git.kernel.org/stable/c/8170d8ec4efd0be352c14cb61f374e30fb0c2a25"
        },
        {
          "url": "https://git.kernel.org/stable/c/10217da9644ae75cea7330f902c35fc5ba78bbbf"
        },
        {
          "url": "https://git.kernel.org/stable/c/f3e14d706ec18faf19f5a6e75060e140fea05d4a"
        },
        {
          "url": "https://git.kernel.org/stable/c/74d90875f3d43f3eff0e9861c4701418795d3455"
        },
        {
          "url": "https://git.kernel.org/stable/c/bf85e49aaf3a3c5775ea87369ea5f159c2148db4"
        },
        {
          "url": "https://git.kernel.org/stable/c/afa56c960fcb4db37f2e3399f28e9402e4e1f470"
        },
        {
          "url": "https://git.kernel.org/stable/c/93a81ca0657758b607c3f4ba889ae806be9beb73"
        }
      ],
      "title": "ALSA: pcm: Fix race of buffer access at PCM OSS layer",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38078",
    "datePublished": "2025-06-18T09:33:52.644Z",
    "dateReserved": "2025-04-16T04:51:23.980Z",
    "dateUpdated": "2026-01-02T15:30:06.526Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38268 (GCVE-0-2025-38268)

Vulnerability from cvelistv5 – Published: 2025-07-10 07:41 – Updated: 2025-07-28 04:16

Title

usb: typec: tcpm: move tcpm_queue_vdm_unlocked to asynchronous work

Summary

In the Linux kernel, the following vulnerability has been resolved: usb: typec: tcpm: move tcpm_queue_vdm_unlocked to asynchronous work A state check was previously added to tcpm_queue_vdm_unlocked to prevent a deadlock where the DisplayPort Alt Mode driver would be executing work and attempting to grab the tcpm_lock while the TCPM was holding the lock and attempting to unregister the altmode, blocking on the altmode driver's cancel_work_sync call. Because the state check isn't protected, there is a small window where the Alt Mode driver could determine that the TCPM is in a ready state and attempt to grab the lock while the TCPM grabs the lock and changes the TCPM state to one that causes the deadlock. The callstack is provided below: [110121.667392][ C7] Call trace: [110121.667396][ C7] __switch_to+0x174/0x338 [110121.667406][ C7] __schedule+0x608/0x9f0 [110121.667414][ C7] schedule+0x7c/0xe8 [110121.667423][ C7] kernfs_drain+0xb0/0x114 [110121.667431][ C7] __kernfs_remove+0x16c/0x20c [110121.667436][ C7] kernfs_remove_by_name_ns+0x74/0xe8 [110121.667442][ C7] sysfs_remove_group+0x84/0xe8 [110121.667450][ C7] sysfs_remove_groups+0x34/0x58 [110121.667458][ C7] device_remove_groups+0x10/0x20 [110121.667464][ C7] device_release_driver_internal+0x164/0x2e4 [110121.667475][ C7] device_release_driver+0x18/0x28 [110121.667484][ C7] bus_remove_device+0xec/0x118 [110121.667491][ C7] device_del+0x1e8/0x4ac [110121.667498][ C7] device_unregister+0x18/0x38 [110121.667504][ C7] typec_unregister_altmode+0x30/0x44 [110121.667515][ C7] tcpm_reset_port+0xac/0x370 [110121.667523][ C7] tcpm_snk_detach+0x84/0xb8 [110121.667529][ C7] run_state_machine+0x4c0/0x1b68 [110121.667536][ C7] tcpm_state_machine_work+0x94/0xe4 [110121.667544][ C7] kthread_worker_fn+0x10c/0x244 [110121.667552][ C7] kthread+0x104/0x1d4 [110121.667557][ C7] ret_from_fork+0x10/0x20 [110121.667689][ C7] Workqueue: events dp_altmode_work [110121.667697][ C7] Call trace: [110121.667701][ C7] __switch_to+0x174/0x338 [110121.667710][ C7] __schedule+0x608/0x9f0 [110121.667717][ C7] schedule+0x7c/0xe8 [110121.667725][ C7] schedule_preempt_disabled+0x24/0x40 [110121.667733][ C7] __mutex_lock+0x408/0xdac [110121.667741][ C7] __mutex_lock_slowpath+0x14/0x24 [110121.667748][ C7] mutex_lock+0x40/0xec [110121.667757][ C7] tcpm_altmode_enter+0x78/0xb4 [110121.667764][ C7] typec_altmode_enter+0xdc/0x10c [110121.667769][ C7] dp_altmode_work+0x68/0x164 [110121.667775][ C7] process_one_work+0x1e4/0x43c [110121.667783][ C7] worker_thread+0x25c/0x430 [110121.667789][ C7] kthread+0x104/0x1d4 [110121.667794][ C7] ret_from_fork+0x10/0x20 Change tcpm_queue_vdm_unlocked to queue for tcpm_queue_vdm_work, which can perform the state check while holding the TCPM lock while the Alt Mode lock is no longer held. This requires a new struct to hold the vdm data, altmode_vdm_event.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/7bdd712abefbec791…
	https://git.kernel.org/stable/c/1970d34b48cbeceb0…
	https://git.kernel.org/stable/c/324d45e53f1a36c88…

Impacted products

Vendor

Product

Version

Linux

Affected: cdc9946ea6377e8e214b135ccc308c5e514ba25f , < 7bdd712abefbec79176ab412d8c623e755c5d0ba (git)
Affected: cdc9946ea6377e8e214b135ccc308c5e514ba25f , < 1970d34b48cbeceb0c765984c9a6bb204c77f16a (git)
Affected: cdc9946ea6377e8e214b135ccc308c5e514ba25f , < 324d45e53f1a36c88bc649dc39e0c8300a41be0a (git)

Linux

Affected: 6.9
Unaffected: 0 , < 6.9 (semver)
Unaffected: 6.12.34 , ≤ 6.12.* (semver)
Unaffected: 6.15.3 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/typec/tcpm/tcpm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "7bdd712abefbec79176ab412d8c623e755c5d0ba",
              "status": "affected",
              "version": "cdc9946ea6377e8e214b135ccc308c5e514ba25f",
              "versionType": "git"
            },
            {
              "lessThan": "1970d34b48cbeceb0c765984c9a6bb204c77f16a",
              "status": "affected",
              "version": "cdc9946ea6377e8e214b135ccc308c5e514ba25f",
              "versionType": "git"
            },
            {
              "lessThan": "324d45e53f1a36c88bc649dc39e0c8300a41be0a",
              "status": "affected",
              "version": "cdc9946ea6377e8e214b135ccc308c5e514ba25f",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/typec/tcpm/tcpm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.9"
            },
            {
              "lessThan": "6.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: tcpm: move tcpm_queue_vdm_unlocked to asynchronous work\n\nA state check was previously added to tcpm_queue_vdm_unlocked to\nprevent a deadlock where the DisplayPort Alt Mode driver would be\nexecuting work and attempting to grab the tcpm_lock while the TCPM\nwas holding the lock and attempting to unregister the altmode, blocking\non the altmode driver\u0027s cancel_work_sync call.\n\nBecause the state check isn\u0027t protected, there is a small window\nwhere the Alt Mode driver could determine that the TCPM is\nin a ready state and attempt to grab the lock while the\nTCPM grabs the lock and changes the TCPM state to one that\ncauses the deadlock. The callstack is provided below:\n\n[110121.667392][    C7] Call trace:\n[110121.667396][    C7]  __switch_to+0x174/0x338\n[110121.667406][    C7]  __schedule+0x608/0x9f0\n[110121.667414][    C7]  schedule+0x7c/0xe8\n[110121.667423][    C7]  kernfs_drain+0xb0/0x114\n[110121.667431][    C7]  __kernfs_remove+0x16c/0x20c\n[110121.667436][    C7]  kernfs_remove_by_name_ns+0x74/0xe8\n[110121.667442][    C7]  sysfs_remove_group+0x84/0xe8\n[110121.667450][    C7]  sysfs_remove_groups+0x34/0x58\n[110121.667458][    C7]  device_remove_groups+0x10/0x20\n[110121.667464][    C7]  device_release_driver_internal+0x164/0x2e4\n[110121.667475][    C7]  device_release_driver+0x18/0x28\n[110121.667484][    C7]  bus_remove_device+0xec/0x118\n[110121.667491][    C7]  device_del+0x1e8/0x4ac\n[110121.667498][    C7]  device_unregister+0x18/0x38\n[110121.667504][    C7]  typec_unregister_altmode+0x30/0x44\n[110121.667515][    C7]  tcpm_reset_port+0xac/0x370\n[110121.667523][    C7]  tcpm_snk_detach+0x84/0xb8\n[110121.667529][    C7]  run_state_machine+0x4c0/0x1b68\n[110121.667536][    C7]  tcpm_state_machine_work+0x94/0xe4\n[110121.667544][    C7]  kthread_worker_fn+0x10c/0x244\n[110121.667552][    C7]  kthread+0x104/0x1d4\n[110121.667557][    C7]  ret_from_fork+0x10/0x20\n\n[110121.667689][    C7] Workqueue: events dp_altmode_work\n[110121.667697][    C7] Call trace:\n[110121.667701][    C7]  __switch_to+0x174/0x338\n[110121.667710][    C7]  __schedule+0x608/0x9f0\n[110121.667717][    C7]  schedule+0x7c/0xe8\n[110121.667725][    C7]  schedule_preempt_disabled+0x24/0x40\n[110121.667733][    C7]  __mutex_lock+0x408/0xdac\n[110121.667741][    C7]  __mutex_lock_slowpath+0x14/0x24\n[110121.667748][    C7]  mutex_lock+0x40/0xec\n[110121.667757][    C7]  tcpm_altmode_enter+0x78/0xb4\n[110121.667764][    C7]  typec_altmode_enter+0xdc/0x10c\n[110121.667769][    C7]  dp_altmode_work+0x68/0x164\n[110121.667775][    C7]  process_one_work+0x1e4/0x43c\n[110121.667783][    C7]  worker_thread+0x25c/0x430\n[110121.667789][    C7]  kthread+0x104/0x1d4\n[110121.667794][    C7]  ret_from_fork+0x10/0x20\n\nChange tcpm_queue_vdm_unlocked to queue for tcpm_queue_vdm_work,\nwhich can perform the state check while holding the TCPM lock\nwhile the Alt Mode lock is no longer held. This requires a new\nstruct to hold the vdm data, altmode_vdm_event."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:16:48.451Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/7bdd712abefbec79176ab412d8c623e755c5d0ba"
        },
        {
          "url": "https://git.kernel.org/stable/c/1970d34b48cbeceb0c765984c9a6bb204c77f16a"
        },
        {
          "url": "https://git.kernel.org/stable/c/324d45e53f1a36c88bc649dc39e0c8300a41be0a"
        }
      ],
      "title": "usb: typec: tcpm: move tcpm_queue_vdm_unlocked to asynchronous work",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38268",
    "datePublished": "2025-07-10T07:41:51.217Z",
    "dateReserved": "2025-04-16T04:51:23.998Z",
    "dateUpdated": "2025-07-28T04:16:48.451Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38448 (GCVE-0-2025-38448)

Vulnerability from cvelistv5 – Published: 2025-07-25 15:27 – Updated: 2025-11-03 17:38

Title

usb: gadget: u_serial: Fix race condition in TTY wakeup

Summary

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: u_serial: Fix race condition in TTY wakeup A race condition occurs when gs_start_io() calls either gs_start_rx() or gs_start_tx(), as those functions briefly drop the port_lock for usb_ep_queue(). This allows gs_close() and gserial_disconnect() to clear port.tty and port_usb, respectively. Use the null-safe TTY Port helper function to wake up TTY. Example CPU1: CPU2: gserial_connect() // lock gs_close() // await lock gs_start_rx() // unlock usb_ep_queue() gs_close() // lock, reset port.tty and unlock gs_start_rx() // lock tty_wakeup() // NPE

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/18d58a467ccf01107…
	https://git.kernel.org/stable/c/d43657b59f36e8828…
	https://git.kernel.org/stable/c/a5012673d49788f16…
	https://git.kernel.org/stable/c/ee8d688e2ba558f3b…
	https://git.kernel.org/stable/c/c6eb4a05af3d0ba3b…
	https://git.kernel.org/stable/c/abf3620cba68e0e51…
	https://git.kernel.org/stable/c/c8c80a3a35c2e3488…
	https://git.kernel.org/stable/c/c529c3730bd091156…

Impacted products

Vendor

Product

Version

Linux

Affected: 35f95fd7f234d2b58803bab6f6ebd6bb988050a2 , < 18d58a467ccf011078352d91b4d6a0108c7318e8 (git)
Affected: 35f95fd7f234d2b58803bab6f6ebd6bb988050a2 , < d43657b59f36e88289a6066f15bc9a80df5014eb (git)
Affected: 35f95fd7f234d2b58803bab6f6ebd6bb988050a2 , < a5012673d49788f16bb4e375b002d7743eb642d9 (git)
Affected: 35f95fd7f234d2b58803bab6f6ebd6bb988050a2 , < ee8d688e2ba558f3bb8ac225113740be5f335417 (git)
Affected: 35f95fd7f234d2b58803bab6f6ebd6bb988050a2 , < c6eb4a05af3d0ba3bc4e8159287722fb9abc6359 (git)
Affected: 35f95fd7f234d2b58803bab6f6ebd6bb988050a2 , < abf3620cba68e0e51e5c21054ce4f925f75b3661 (git)
Affected: 35f95fd7f234d2b58803bab6f6ebd6bb988050a2 , < c8c80a3a35c2e3488409de2d5376ef7e662a2bf5 (git)
Affected: 35f95fd7f234d2b58803bab6f6ebd6bb988050a2 , < c529c3730bd09115684644e26bf01ecbd7e2c2c9 (git)

Linux

Affected: 3.5
Unaffected: 0 , < 3.5 (semver)
Unaffected: 5.4.296 , ≤ 5.4.* (semver)
Unaffected: 5.10.240 , ≤ 5.10.* (semver)
Unaffected: 5.15.189 , ≤ 5.15.* (semver)
Unaffected: 6.1.146 , ≤ 6.1.* (semver)
Unaffected: 6.6.99 , ≤ 6.6.* (semver)
Unaffected: 6.12.39 , ≤ 6.12.* (semver)
Unaffected: 6.15.7 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:38:09.442Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/gadget/function/u_serial.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "18d58a467ccf011078352d91b4d6a0108c7318e8",
              "status": "affected",
              "version": "35f95fd7f234d2b58803bab6f6ebd6bb988050a2",
              "versionType": "git"
            },
            {
              "lessThan": "d43657b59f36e88289a6066f15bc9a80df5014eb",
              "status": "affected",
              "version": "35f95fd7f234d2b58803bab6f6ebd6bb988050a2",
              "versionType": "git"
            },
            {
              "lessThan": "a5012673d49788f16bb4e375b002d7743eb642d9",
              "status": "affected",
              "version": "35f95fd7f234d2b58803bab6f6ebd6bb988050a2",
              "versionType": "git"
            },
            {
              "lessThan": "ee8d688e2ba558f3bb8ac225113740be5f335417",
              "status": "affected",
              "version": "35f95fd7f234d2b58803bab6f6ebd6bb988050a2",
              "versionType": "git"
            },
            {
              "lessThan": "c6eb4a05af3d0ba3bc4e8159287722fb9abc6359",
              "status": "affected",
              "version": "35f95fd7f234d2b58803bab6f6ebd6bb988050a2",
              "versionType": "git"
            },
            {
              "lessThan": "abf3620cba68e0e51e5c21054ce4f925f75b3661",
              "status": "affected",
              "version": "35f95fd7f234d2b58803bab6f6ebd6bb988050a2",
              "versionType": "git"
            },
            {
              "lessThan": "c8c80a3a35c2e3488409de2d5376ef7e662a2bf5",
              "status": "affected",
              "version": "35f95fd7f234d2b58803bab6f6ebd6bb988050a2",
              "versionType": "git"
            },
            {
              "lessThan": "c529c3730bd09115684644e26bf01ecbd7e2c2c9",
              "status": "affected",
              "version": "35f95fd7f234d2b58803bab6f6ebd6bb988050a2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/gadget/function/u_serial.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.5"
            },
            {
              "lessThan": "3.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.296",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.240",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.189",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.146",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.99",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.39",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.296",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.240",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.189",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.146",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.99",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.39",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.7",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: u_serial: Fix race condition in TTY wakeup\n\nA race condition occurs when gs_start_io() calls either gs_start_rx() or\ngs_start_tx(), as those functions briefly drop the port_lock for\nusb_ep_queue(). This allows gs_close() and gserial_disconnect() to clear\nport.tty and port_usb, respectively.\n\nUse the null-safe TTY Port helper function to wake up TTY.\n\nExample\n  CPU1:\t\t\t      CPU2:\n  gserial_connect() // lock\n  \t\t\t      gs_close() // await lock\n  gs_start_rx()     // unlock\n  usb_ep_queue()\n  \t\t\t      gs_close() // lock, reset port.tty and unlock\n  gs_start_rx()     // lock\n  tty_wakeup()      // NPE"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:22:33.351Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/18d58a467ccf011078352d91b4d6a0108c7318e8"
        },
        {
          "url": "https://git.kernel.org/stable/c/d43657b59f36e88289a6066f15bc9a80df5014eb"
        },
        {
          "url": "https://git.kernel.org/stable/c/a5012673d49788f16bb4e375b002d7743eb642d9"
        },
        {
          "url": "https://git.kernel.org/stable/c/ee8d688e2ba558f3bb8ac225113740be5f335417"
        },
        {
          "url": "https://git.kernel.org/stable/c/c6eb4a05af3d0ba3bc4e8159287722fb9abc6359"
        },
        {
          "url": "https://git.kernel.org/stable/c/abf3620cba68e0e51e5c21054ce4f925f75b3661"
        },
        {
          "url": "https://git.kernel.org/stable/c/c8c80a3a35c2e3488409de2d5376ef7e662a2bf5"
        },
        {
          "url": "https://git.kernel.org/stable/c/c529c3730bd09115684644e26bf01ecbd7e2c2c9"
        }
      ],
      "title": "usb: gadget: u_serial: Fix race condition in TTY wakeup",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38448",
    "datePublished": "2025-07-25T15:27:30.040Z",
    "dateReserved": "2025-04-16T04:51:24.018Z",
    "dateUpdated": "2025-11-03T17:38:09.442Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38414 (GCVE-0-2025-38414)

Vulnerability from cvelistv5 – Published: 2025-07-25 13:32 – Updated: 2025-07-28 04:21

Title

wifi: ath12k: fix GCC_GCC_PCIE_HOT_RST definition for WCN7850

Summary

In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix GCC_GCC_PCIE_HOT_RST definition for WCN7850 GCC_GCC_PCIE_HOT_RST is wrongly defined for WCN7850, causing kernel crash on some specific platforms. Since this register is divergent for WCN7850 and QCN9274, move it to register table to allow different definitions. Then correct the register address for WCN7850 to fix this issue. Note IPQ5332 is not affected as it is not PCIe based device. Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/569972c5bdb839b0e…
	https://git.kernel.org/stable/c/d71ac5694b33c80f1…
	https://git.kernel.org/stable/c/7588a893cde5385ad…

Impacted products

Vendor

Product

Version

Linux

Affected: d889913205cf7ebda905b1e62c5867ed4e39f6c2 , < 569972c5bdb839b0eaf8aba6ce76ea0b78e2acf8 (git)
Affected: d889913205cf7ebda905b1e62c5867ed4e39f6c2 , < d71ac5694b33c80f1de97d074f6fbdc6c01a9d61 (git)
Affected: d889913205cf7ebda905b1e62c5867ed4e39f6c2 , < 7588a893cde5385ad308400ff167d29a29913b3a (git)

Linux

Affected: 6.3
Unaffected: 0 , < 6.3 (semver)
Unaffected: 6.12.34 , ≤ 6.12.* (semver)
Unaffected: 6.15.3 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/ath/ath12k/hw.c",
            "drivers/net/wireless/ath/ath12k/hw.h",
            "drivers/net/wireless/ath/ath12k/pci.c",
            "drivers/net/wireless/ath/ath12k/pci.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "569972c5bdb839b0eaf8aba6ce76ea0b78e2acf8",
              "status": "affected",
              "version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
              "versionType": "git"
            },
            {
              "lessThan": "d71ac5694b33c80f1de97d074f6fbdc6c01a9d61",
              "status": "affected",
              "version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
              "versionType": "git"
            },
            {
              "lessThan": "7588a893cde5385ad308400ff167d29a29913b3a",
              "status": "affected",
              "version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/ath/ath12k/hw.c",
            "drivers/net/wireless/ath/ath12k/hw.h",
            "drivers/net/wireless/ath/ath12k/pci.c",
            "drivers/net/wireless/ath/ath12k/pci.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.3"
            },
            {
              "lessThan": "6.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: fix GCC_GCC_PCIE_HOT_RST definition for WCN7850\n\nGCC_GCC_PCIE_HOT_RST is wrongly defined for WCN7850, causing kernel crash\non some specific platforms.\n\nSince this register is divergent for WCN7850 and QCN9274, move it to\nregister table to allow different definitions. Then correct the register\naddress for WCN7850 to fix this issue.\n\nNote IPQ5332 is not affected as it is not PCIe based device.\n\nTested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:21:27.806Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/569972c5bdb839b0eaf8aba6ce76ea0b78e2acf8"
        },
        {
          "url": "https://git.kernel.org/stable/c/d71ac5694b33c80f1de97d074f6fbdc6c01a9d61"
        },
        {
          "url": "https://git.kernel.org/stable/c/7588a893cde5385ad308400ff167d29a29913b3a"
        }
      ],
      "title": "wifi: ath12k: fix GCC_GCC_PCIE_HOT_RST definition for WCN7850",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38414",
    "datePublished": "2025-07-25T13:32:08.777Z",
    "dateReserved": "2025-04-16T04:51:24.013Z",
    "dateUpdated": "2025-07-28T04:21:27.806Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21922 (GCVE-0-2025-21922)

Vulnerability from cvelistv5 – Published: 2025-04-01 15:40 – Updated: 2025-11-03 19:39

Title

ppp: Fix KMSAN uninit-value warning with bpf

Summary

In the Linux kernel, the following vulnerability has been resolved: ppp: Fix KMSAN uninit-value warning with bpf Syzbot caught an "KMSAN: uninit-value" warning [1], which is caused by the ppp driver not initializing a 2-byte header when using socket filter. The following code can generate a PPP filter BPF program: ''' struct bpf_program fp; pcap_t *handle; handle = pcap_open_dead(DLT_PPP_PPPD, 65535); pcap_compile(handle, &fp, "ip and outbound", 0, 0); bpf_dump(&fp, 1); ''' Its output is: ''' (000) ldh [2] (001) jeq #0x21 jt 2 jf 5 (002) ldb [0] (003) jeq #0x1 jt 4 jf 5 (004) ret #65535 (005) ret #0 ''' Wen can find similar code at the following link: https://github.com/ppp-project/ppp/blob/master/pppd/options.c#L1680 The maintainer of this code repository is also the original maintainer of the ppp driver. As you can see the BPF program skips 2 bytes of data and then reads the 'Protocol' field to determine if it's an IP packet. Then it read the first byte of the first 2 bytes to determine the direction. The issue is that only the first byte indicating direction is initialized in current ppp driver code while the second byte is not initialized. For normal BPF programs generated by libpcap, uninitialized data won't be used, so it's not a problem. However, for carefully crafted BPF programs, such as those generated by syzkaller [2], which start reading from offset 0, the uninitialized data will be used and caught by KMSAN. [1] https://syzkaller.appspot.com/bug?extid=853242d9c9917165d791 [2] https://syzkaller.appspot.com/text?tag=ReproC&x=11994913980000

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-908 - Use of Uninitialized Resource

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/d685096c8129c9a92…
	https://git.kernel.org/stable/c/2f591cb158807bdcf…
	https://git.kernel.org/stable/c/4e2191b0fd0c064d3…
	https://git.kernel.org/stable/c/3de809a7684645287…
	https://git.kernel.org/stable/c/1eacd47636a9de5be…
	https://git.kernel.org/stable/c/8aa8a40c766b3945b…
	https://git.kernel.org/stable/c/c036f5f2680cbdabd…
	https://git.kernel.org/stable/c/4c2d14c40a68678d8…

Impacted products

Vendor

Product

Version

Linux

Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < d685096c8129c9a92689975193e268945fd21dbf (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 2f591cb158807bdcf424f66f1fbfa6e4e50f3757 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 4e2191b0fd0c064d37b0db67396216f2d4787e0f (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 3de809a768464528762757e433cd50de35bcb3c1 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 1eacd47636a9de5bee25d9d5962dc538a82d9f0b (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 8aa8a40c766b3945b40565a70349d5581458ff63 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < c036f5f2680cbdabdbbace86baee3c83721634d6 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 4c2d14c40a68678d885eab4008a0129646805bae (git)

Linux

Affected: 2.6.12
Unaffected: 0 , < 2.6.12 (semver)
Unaffected: 5.4.291 , ≤ 5.4.* (semver)
Unaffected: 5.10.235 , ≤ 5.10.* (semver)
Unaffected: 5.15.179 , ≤ 5.15.* (semver)
Unaffected: 6.1.131 , ≤ 6.1.* (semver)
Unaffected: 6.6.83 , ≤ 6.6.* (semver)
Unaffected: 6.12.19 , ≤ 6.12.* (semver)
Unaffected: 6.13.7 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21922",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T20:07:52.619189Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-908",
                "description": "CWE-908 Use of Uninitialized Resource",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T20:17:02.859Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:39:16.616Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ppp/ppp_generic.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d685096c8129c9a92689975193e268945fd21dbf",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "2f591cb158807bdcf424f66f1fbfa6e4e50f3757",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "4e2191b0fd0c064d37b0db67396216f2d4787e0f",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "3de809a768464528762757e433cd50de35bcb3c1",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "1eacd47636a9de5bee25d9d5962dc538a82d9f0b",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "8aa8a40c766b3945b40565a70349d5581458ff63",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "c036f5f2680cbdabdbbace86baee3c83721634d6",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "4c2d14c40a68678d885eab4008a0129646805bae",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ppp/ppp_generic.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.131",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.83",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.19",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.131",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.83",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.19",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.7",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nppp: Fix KMSAN uninit-value warning with bpf\n\nSyzbot caught an \"KMSAN: uninit-value\" warning [1], which is caused by the\nppp driver not initializing a 2-byte header when using socket filter.\n\nThe following code can generate a PPP filter BPF program:\n\u0027\u0027\u0027\nstruct bpf_program fp;\npcap_t *handle;\nhandle = pcap_open_dead(DLT_PPP_PPPD, 65535);\npcap_compile(handle, \u0026fp, \"ip and outbound\", 0, 0);\nbpf_dump(\u0026fp, 1);\n\u0027\u0027\u0027\nIts output is:\n\u0027\u0027\u0027\n(000) ldh [2]\n(001) jeq #0x21 jt 2 jf 5\n(002) ldb [0]\n(003) jeq #0x1 jt 4 jf 5\n(004) ret #65535\n(005) ret #0\n\u0027\u0027\u0027\nWen can find similar code at the following link:\nhttps://github.com/ppp-project/ppp/blob/master/pppd/options.c#L1680\nThe maintainer of this code repository is also the original maintainer\nof the ppp driver.\n\nAs you can see the BPF program skips 2 bytes of data and then reads the\n\u0027Protocol\u0027 field to determine if it\u0027s an IP packet. Then it read the first\nbyte of the first 2 bytes to determine the direction.\n\nThe issue is that only the first byte indicating direction is initialized\nin current ppp driver code while the second byte is not initialized.\n\nFor normal BPF programs generated by libpcap, uninitialized data won\u0027t be\nused, so it\u0027s not a problem. However, for carefully crafted BPF programs,\nsuch as those generated by syzkaller [2], which start reading from offset\n0, the uninitialized data will be used and caught by KMSAN.\n\n[1] https://syzkaller.appspot.com/bug?extid=853242d9c9917165d791\n[2] https://syzkaller.appspot.com/text?tag=ReproC\u0026x=11994913980000"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:24:37.600Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d685096c8129c9a92689975193e268945fd21dbf"
        },
        {
          "url": "https://git.kernel.org/stable/c/2f591cb158807bdcf424f66f1fbfa6e4e50f3757"
        },
        {
          "url": "https://git.kernel.org/stable/c/4e2191b0fd0c064d37b0db67396216f2d4787e0f"
        },
        {
          "url": "https://git.kernel.org/stable/c/3de809a768464528762757e433cd50de35bcb3c1"
        },
        {
          "url": "https://git.kernel.org/stable/c/1eacd47636a9de5bee25d9d5962dc538a82d9f0b"
        },
        {
          "url": "https://git.kernel.org/stable/c/8aa8a40c766b3945b40565a70349d5581458ff63"
        },
        {
          "url": "https://git.kernel.org/stable/c/c036f5f2680cbdabdbbace86baee3c83721634d6"
        },
        {
          "url": "https://git.kernel.org/stable/c/4c2d14c40a68678d885eab4008a0129646805bae"
        }
      ],
      "title": "ppp: Fix KMSAN uninit-value warning with bpf",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21922",
    "datePublished": "2025-04-01T15:40:55.711Z",
    "dateReserved": "2024-12-29T08:45:45.788Z",
    "dateUpdated": "2025-11-03T19:39:16.616Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38170 (GCVE-0-2025-38170)

Vulnerability from cvelistv5 – Published: 2025-07-03 08:36 – Updated: 2025-11-03 17:34

Title

arm64/fpsimd: Discard stale CPU state when handling SME traps

Summary

In the Linux kernel, the following vulnerability has been resolved: arm64/fpsimd: Discard stale CPU state when handling SME traps The logic for handling SME traps manipulates saved FPSIMD/SVE/SME state incorrectly, and a race with preemption can result in a task having TIF_SME set and TIF_FOREIGN_FPSTATE clear even though the live CPU state is stale (e.g. with SME traps enabled). This can result in warnings from do_sme_acc() where SME traps are not expected while TIF_SME is set: | /* With TIF_SME userspace shouldn't generate any traps */ | if (test_and_set_thread_flag(TIF_SME)) | WARN_ON(1); This is very similar to the SVE issue we fixed in commit: 751ecf6afd6568ad ("arm64/sve: Discard stale CPU state when handling SVE traps") The race can occur when the SME trap handler is preempted before and after manipulating the saved FPSIMD/SVE/SME state, starting and ending on the same CPU, e.g. | void do_sme_acc(unsigned long esr, struct pt_regs *regs) | { | // Trap on CPU 0 with TIF_SME clear, SME traps enabled | // task->fpsimd_cpu is 0. | // per_cpu_ptr(&fpsimd_last_state, 0) is task. | | ... | | // Preempted; migrated from CPU 0 to CPU 1. | // TIF_FOREIGN_FPSTATE is set. | | get_cpu_fpsimd_context(); | | /* With TIF_SME userspace shouldn't generate any traps */ | if (test_and_set_thread_flag(TIF_SME)) | WARN_ON(1); | | if (!test_thread_flag(TIF_FOREIGN_FPSTATE)) { | unsigned long vq_minus_one = | sve_vq_from_vl(task_get_sme_vl(current)) - 1; | sme_set_vq(vq_minus_one); | | fpsimd_bind_task_to_cpu(); | } | | put_cpu_fpsimd_context(); | | // Preempted; migrated from CPU 1 to CPU 0. | // task->fpsimd_cpu is still 0 | // If per_cpu_ptr(&fpsimd_last_state, 0) is still task then: | // - Stale HW state is reused (with SME traps enabled) | // - TIF_FOREIGN_FPSTATE is cleared | // - A return to userspace skips HW state restore | } Fix the case where the state is not live and TIF_FOREIGN_FPSTATE is set by calling fpsimd_flush_task_state() to detach from the saved CPU state. This ensures that a subsequent context switch will not reuse the stale CPU state, and will instead set TIF_FOREIGN_FPSTATE, forcing the new state to be reloaded from memory prior to a return to userspace. Note: this was originallly posted as [1]. [ Rutland: rewrite commit message ]

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/de89368de3894a8db…
	https://git.kernel.org/stable/c/43be952e885476daf…
	https://git.kernel.org/stable/c/6103f9ba51a59afb5…
	https://git.kernel.org/stable/c/c4a4786d93e99517d…
	https://git.kernel.org/stable/c/d3eaab3c70905c546…

Impacted products

Vendor

Product

Version

Linux

Affected: 8bd7f91c03d886f41d35f6108078d20be5a4a1bd , < de89368de3894a8db27caeb8fd902ba1c49f696a (git)
Affected: 8bd7f91c03d886f41d35f6108078d20be5a4a1bd , < 43be952e885476dafb74aa832c0847b2f4f650c6 (git)
Affected: 8bd7f91c03d886f41d35f6108078d20be5a4a1bd , < 6103f9ba51a59afb5a0f32299c837377c5a5a693 (git)
Affected: 8bd7f91c03d886f41d35f6108078d20be5a4a1bd , < c4a4786d93e99517d6f10ed56b9ffba4ce88d3b3 (git)
Affected: 8bd7f91c03d886f41d35f6108078d20be5a4a1bd , < d3eaab3c70905c5467e5c4ea403053d67505adeb (git)

Linux

Affected: 5.19
Unaffected: 0 , < 5.19 (semver)
Unaffected: 6.1.142 , ≤ 6.1.* (semver)
Unaffected: 6.6.94 , ≤ 6.6.* (semver)
Unaffected: 6.12.34 , ≤ 6.12.* (semver)
Unaffected: 6.15.3 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:34:57.733Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/arm64/kernel/fpsimd.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "de89368de3894a8db27caeb8fd902ba1c49f696a",
              "status": "affected",
              "version": "8bd7f91c03d886f41d35f6108078d20be5a4a1bd",
              "versionType": "git"
            },
            {
              "lessThan": "43be952e885476dafb74aa832c0847b2f4f650c6",
              "status": "affected",
              "version": "8bd7f91c03d886f41d35f6108078d20be5a4a1bd",
              "versionType": "git"
            },
            {
              "lessThan": "6103f9ba51a59afb5a0f32299c837377c5a5a693",
              "status": "affected",
              "version": "8bd7f91c03d886f41d35f6108078d20be5a4a1bd",
              "versionType": "git"
            },
            {
              "lessThan": "c4a4786d93e99517d6f10ed56b9ffba4ce88d3b3",
              "status": "affected",
              "version": "8bd7f91c03d886f41d35f6108078d20be5a4a1bd",
              "versionType": "git"
            },
            {
              "lessThan": "d3eaab3c70905c5467e5c4ea403053d67505adeb",
              "status": "affected",
              "version": "8bd7f91c03d886f41d35f6108078d20be5a4a1bd",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/arm64/kernel/fpsimd.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.19"
            },
            {
              "lessThan": "5.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.94",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64/fpsimd: Discard stale CPU state when handling SME traps\n\nThe logic for handling SME traps manipulates saved FPSIMD/SVE/SME state\nincorrectly, and a race with preemption can result in a task having\nTIF_SME set and TIF_FOREIGN_FPSTATE clear even though the live CPU state\nis stale (e.g. with SME traps enabled). This can result in warnings from\ndo_sme_acc() where SME traps are not expected while TIF_SME is set:\n\n|        /* With TIF_SME userspace shouldn\u0027t generate any traps */\n|        if (test_and_set_thread_flag(TIF_SME))\n|                WARN_ON(1);\n\nThis is very similar to the SVE issue we fixed in commit:\n\n  751ecf6afd6568ad (\"arm64/sve: Discard stale CPU state when handling SVE traps\")\n\nThe race can occur when the SME trap handler is preempted before and\nafter manipulating the saved FPSIMD/SVE/SME state, starting and ending on\nthe same CPU, e.g.\n\n| void do_sme_acc(unsigned long esr, struct pt_regs *regs)\n| {\n|         // Trap on CPU 0 with TIF_SME clear, SME traps enabled\n|         // task-\u003efpsimd_cpu is 0.\n|         // per_cpu_ptr(\u0026fpsimd_last_state, 0) is task.\n|\n|         ...\n|\n|         // Preempted; migrated from CPU 0 to CPU 1.\n|         // TIF_FOREIGN_FPSTATE is set.\n|\n|         get_cpu_fpsimd_context();\n|\n|         /* With TIF_SME userspace shouldn\u0027t generate any traps */\n|         if (test_and_set_thread_flag(TIF_SME))\n|                 WARN_ON(1);\n|\n|         if (!test_thread_flag(TIF_FOREIGN_FPSTATE)) {\n|                 unsigned long vq_minus_one =\n|                         sve_vq_from_vl(task_get_sme_vl(current)) - 1;\n|                 sme_set_vq(vq_minus_one);\n|\n|                 fpsimd_bind_task_to_cpu();\n|         }\n|\n|         put_cpu_fpsimd_context();\n|\n|         // Preempted; migrated from CPU 1 to CPU 0.\n|         // task-\u003efpsimd_cpu is still 0\n|         // If per_cpu_ptr(\u0026fpsimd_last_state, 0) is still task then:\n|         // - Stale HW state is reused (with SME traps enabled)\n|         // - TIF_FOREIGN_FPSTATE is cleared\n|         // - A return to userspace skips HW state restore\n| }\n\nFix the case where the state is not live and TIF_FOREIGN_FPSTATE is set\nby calling fpsimd_flush_task_state() to detach from the saved CPU\nstate. This ensures that a subsequent context switch will not reuse the\nstale CPU state, and will instead set TIF_FOREIGN_FPSTATE, forcing the\nnew state to be reloaded from memory prior to a return to userspace.\n\nNote: this was originallly posted as [1].\n\n[ Rutland: rewrite commit message ]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:14:10.966Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/de89368de3894a8db27caeb8fd902ba1c49f696a"
        },
        {
          "url": "https://git.kernel.org/stable/c/43be952e885476dafb74aa832c0847b2f4f650c6"
        },
        {
          "url": "https://git.kernel.org/stable/c/6103f9ba51a59afb5a0f32299c837377c5a5a693"
        },
        {
          "url": "https://git.kernel.org/stable/c/c4a4786d93e99517d6f10ed56b9ffba4ce88d3b3"
        },
        {
          "url": "https://git.kernel.org/stable/c/d3eaab3c70905c5467e5c4ea403053d67505adeb"
        }
      ],
      "title": "arm64/fpsimd: Discard stale CPU state when handling SME traps",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38170",
    "datePublished": "2025-07-03T08:36:09.012Z",
    "dateReserved": "2025-04-16T04:51:23.991Z",
    "dateUpdated": "2025-11-03T17:34:57.733Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38465 (GCVE-0-2025-38465)

Vulnerability from cvelistv5 – Published: 2025-07-25 15:27 – Updated: 2025-11-03 17:38

Title

netlink: Fix wraparounds of sk->sk_rmem_alloc.

Summary

In the Linux kernel, the following vulnerability has been resolved: netlink: Fix wraparounds of sk->sk_rmem_alloc. Netlink has this pattern in some places if (atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf) atomic_add(skb->truesize, &sk->sk_rmem_alloc); , which has the same problem fixed by commit 5a465a0da13e ("udp: Fix multiple wraparounds of sk->sk_rmem_alloc."). For example, if we set INT_MAX to SO_RCVBUFFORCE, the condition is always false as the two operands are of int. Then, a single socket can eat as many skb as possible until OOM happens, and we can see multiple wraparounds of sk->sk_rmem_alloc. Let's fix it by using atomic_add_return() and comparing the two variables as unsigned int. Before: [root@fedora ~]# ss -f netlink Recv-Q Send-Q Local Address:Port Peer Address:Port -1668710080 0 rtnl:nl_wraparound/293 * After: [root@fedora ~]# ss -f netlink Recv-Q Send-Q Local Address:Port Peer Address:Port 2147483072 0 rtnl:nl_wraparound/290 * ^ `--- INT_MAX - 576

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/9da025150b7c14a83…
	https://git.kernel.org/stable/c/c4ceaac5c5ba0b992…
	https://git.kernel.org/stable/c/fd69af06101090eaa…
	https://git.kernel.org/stable/c/76602d8e138645243…
	https://git.kernel.org/stable/c/55baecb9eb90238f6…
	https://git.kernel.org/stable/c/4b8e18af7bea92f8b…
	https://git.kernel.org/stable/c/cd7ff61bfffd70001…
	https://git.kernel.org/stable/c/ae8f160e7eb24240a…

Impacted products

Vendor

Product

Version

Linux

Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 9da025150b7c14a8390fc06aea314c0a4011e82c (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < c4ceaac5c5ba0b992ee1dc88e2a02421549e5c98 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < fd69af06101090eaa60b3d216ae715f9c0a58e5b (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 76602d8e13864524382b0687dc32cd8f19164d5a (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 55baecb9eb90238f60a8350660d6762046ebd3bd (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 4b8e18af7bea92f8b7fb92d40aeae729209db250 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < cd7ff61bfffd7000143c42bbffb85eeb792466d6 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ae8f160e7eb24240a2a79fc4c815c6a0d4ee16cc (git)

Linux

Affected: 2.6.12
Unaffected: 0 , < 2.6.12 (semver)
Unaffected: 5.4.296 , ≤ 5.4.* (semver)
Unaffected: 5.10.240 , ≤ 5.10.* (semver)
Unaffected: 5.15.189 , ≤ 5.15.* (semver)
Unaffected: 6.1.146 , ≤ 6.1.* (semver)
Unaffected: 6.6.99 , ≤ 6.6.* (semver)
Unaffected: 6.12.39 , ≤ 6.12.* (semver)
Unaffected: 6.15.7 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:38:27.585Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/netlink/af_netlink.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "9da025150b7c14a8390fc06aea314c0a4011e82c",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "c4ceaac5c5ba0b992ee1dc88e2a02421549e5c98",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "fd69af06101090eaa60b3d216ae715f9c0a58e5b",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "76602d8e13864524382b0687dc32cd8f19164d5a",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "55baecb9eb90238f60a8350660d6762046ebd3bd",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "4b8e18af7bea92f8b7fb92d40aeae729209db250",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "cd7ff61bfffd7000143c42bbffb85eeb792466d6",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "ae8f160e7eb24240a2a79fc4c815c6a0d4ee16cc",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/netlink/af_netlink.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.296",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.240",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.189",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.146",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.99",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.39",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.296",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.240",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.189",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.146",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.99",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.39",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.7",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetlink: Fix wraparounds of sk-\u003esk_rmem_alloc.\n\nNetlink has this pattern in some places\n\n  if (atomic_read(\u0026sk-\u003esk_rmem_alloc) \u003e sk-\u003esk_rcvbuf)\n  \tatomic_add(skb-\u003etruesize, \u0026sk-\u003esk_rmem_alloc);\n\n, which has the same problem fixed by commit 5a465a0da13e (\"udp:\nFix multiple wraparounds of sk-\u003esk_rmem_alloc.\").\n\nFor example, if we set INT_MAX to SO_RCVBUFFORCE, the condition\nis always false as the two operands are of int.\n\nThen, a single socket can eat as many skb as possible until OOM\nhappens, and we can see multiple wraparounds of sk-\u003esk_rmem_alloc.\n\nLet\u0027s fix it by using atomic_add_return() and comparing the two\nvariables as unsigned int.\n\nBefore:\n  [root@fedora ~]# ss -f netlink\n  Recv-Q      Send-Q Local Address:Port                Peer Address:Port\n  -1668710080 0               rtnl:nl_wraparound/293               *\n\nAfter:\n  [root@fedora ~]# ss -f netlink\n  Recv-Q     Send-Q Local Address:Port                Peer Address:Port\n  2147483072 0               rtnl:nl_wraparound/290               *\n  ^\n  `--- INT_MAX - 576"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:23:13.790Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/9da025150b7c14a8390fc06aea314c0a4011e82c"
        },
        {
          "url": "https://git.kernel.org/stable/c/c4ceaac5c5ba0b992ee1dc88e2a02421549e5c98"
        },
        {
          "url": "https://git.kernel.org/stable/c/fd69af06101090eaa60b3d216ae715f9c0a58e5b"
        },
        {
          "url": "https://git.kernel.org/stable/c/76602d8e13864524382b0687dc32cd8f19164d5a"
        },
        {
          "url": "https://git.kernel.org/stable/c/55baecb9eb90238f60a8350660d6762046ebd3bd"
        },
        {
          "url": "https://git.kernel.org/stable/c/4b8e18af7bea92f8b7fb92d40aeae729209db250"
        },
        {
          "url": "https://git.kernel.org/stable/c/cd7ff61bfffd7000143c42bbffb85eeb792466d6"
        },
        {
          "url": "https://git.kernel.org/stable/c/ae8f160e7eb24240a2a79fc4c815c6a0d4ee16cc"
        }
      ],
      "title": "netlink: Fix wraparounds of sk-\u003esk_rmem_alloc.",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38465",
    "datePublished": "2025-07-25T15:27:47.510Z",
    "dateReserved": "2025-04-16T04:51:24.020Z",
    "dateUpdated": "2025-11-03T17:38:27.585Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38296 (GCVE-0-2025-38296)

Vulnerability from cvelistv5 – Published: 2025-07-10 07:42 – Updated: 2025-07-28 04:17

Title

ACPI: platform_profile: Avoid initializing on non-ACPI platforms

Summary

In the Linux kernel, the following vulnerability has been resolved: ACPI: platform_profile: Avoid initializing on non-ACPI platforms The platform profile driver is loaded even on platforms that do not have ACPI enabled. The initialization of the sysfs entries was recently moved from platform_profile_register() to the module init call, and those entries need acpi_kobj to be initialized which is not the case when ACPI is disabled. This results in the following warning: WARNING: CPU: 5 PID: 1 at fs/sysfs/group.c:131 internal_create_group+0xa22/0xdd8 Modules linked in: CPU: 5 UID: 0 PID: 1 Comm: swapper/0 Tainted: G W 6.15.0-rc7-dirty #6 PREEMPT Tainted: [W]=WARN Hardware name: riscv-virtio,qemu (DT) epc : internal_create_group+0xa22/0xdd8 ra : internal_create_group+0xa22/0xdd8 Call Trace: internal_create_group+0xa22/0xdd8 sysfs_create_group+0x22/0x2e platform_profile_init+0x74/0xb2 do_one_initcall+0x198/0xa9e kernel_init_freeable+0x6d8/0x780 kernel_init+0x28/0x24c ret_from_fork+0xe/0x18 Fix this by checking if ACPI is enabled before trying to create sysfs entries. [ rjw: Subject and changelog edits ]

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/ccc3d68b92be89c30…
	https://git.kernel.org/stable/c/dd133162c9cff5951…

Impacted products

Vendor

Product

Version

Linux

Affected: 77be5cacb2c2d8c3ddd069f0b4e9408f553af1d8 , < ccc3d68b92be89c30ba42ac62d2a141bd0c2b457 (git)
Affected: 77be5cacb2c2d8c3ddd069f0b4e9408f553af1d8 , < dd133162c9cff5951a692fab9811fadf46a46457 (git)

Linux

Affected: 6.14
Unaffected: 0 , < 6.14 (semver)
Unaffected: 6.15.3 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/acpi/platform_profile.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ccc3d68b92be89c30ba42ac62d2a141bd0c2b457",
              "status": "affected",
              "version": "77be5cacb2c2d8c3ddd069f0b4e9408f553af1d8",
              "versionType": "git"
            },
            {
              "lessThan": "dd133162c9cff5951a692fab9811fadf46a46457",
              "status": "affected",
              "version": "77be5cacb2c2d8c3ddd069f0b4e9408f553af1d8",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/acpi/platform_profile.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.14"
            },
            {
              "lessThan": "6.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: platform_profile: Avoid initializing on non-ACPI platforms\n\nThe platform profile driver is loaded even on platforms that do not have\nACPI enabled. The initialization of the sysfs entries was recently moved\nfrom platform_profile_register() to the module init call, and those\nentries need acpi_kobj to be initialized which is not the case when ACPI\nis disabled.\n\nThis results in the following warning:\n\n WARNING: CPU: 5 PID: 1 at fs/sysfs/group.c:131 internal_create_group+0xa22/0xdd8\n Modules linked in:\n CPU: 5 UID: 0 PID: 1 Comm: swapper/0 Tainted: G        W           6.15.0-rc7-dirty #6 PREEMPT\n Tainted: [W]=WARN\n Hardware name: riscv-virtio,qemu (DT)\n epc : internal_create_group+0xa22/0xdd8\n  ra : internal_create_group+0xa22/0xdd8\n\n Call Trace:\n\n internal_create_group+0xa22/0xdd8\n sysfs_create_group+0x22/0x2e\n platform_profile_init+0x74/0xb2\n do_one_initcall+0x198/0xa9e\n kernel_init_freeable+0x6d8/0x780\n kernel_init+0x28/0x24c\n ret_from_fork+0xe/0x18\n\nFix this by checking if ACPI is enabled before trying to create sysfs\nentries.\n\n[ rjw: Subject and changelog edits ]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:17:48.565Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ccc3d68b92be89c30ba42ac62d2a141bd0c2b457"
        },
        {
          "url": "https://git.kernel.org/stable/c/dd133162c9cff5951a692fab9811fadf46a46457"
        }
      ],
      "title": "ACPI: platform_profile: Avoid initializing on non-ACPI platforms",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38296",
    "datePublished": "2025-07-10T07:42:10.295Z",
    "dateReserved": "2025-04-16T04:51:24.001Z",
    "dateUpdated": "2025-07-28T04:17:48.565Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38203 (GCVE-0-2025-38203)

Vulnerability from cvelistv5 – Published: 2025-07-04 13:37 – Updated: 2025-11-03 17:35

Title

jfs: Fix null-ptr-deref in jfs_ioc_trim

Summary

In the Linux kernel, the following vulnerability has been resolved: jfs: Fix null-ptr-deref in jfs_ioc_trim [ Syzkaller Report ] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000087: 0000 [#1 KASAN: null-ptr-deref in range [0x0000000000000438-0x000000000000043f] CPU: 2 UID: 0 PID: 10614 Comm: syz-executor.0 Not tainted 6.13.0-rc6-gfbfd64d25c7a-dirty #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Sched_ext: serialise (enabled+all), task: runnable_at=-30ms RIP: 0010:jfs_ioc_trim+0x34b/0x8f0 Code: e7 e8 59 a4 87 fe 4d 8b 24 24 4d 8d bc 24 38 04 00 00 48 8d 93 90 82 fe ff 4c 89 ff 31 f6 RSP: 0018:ffffc900055f7cd0 EFLAGS: 00010206 RAX: 0000000000000087 RBX: 00005866a9e67ff8 RCX: 000000000000000a RDX: 0000000000000001 RSI: 0000000000000004 RDI: 0000000000000001 RBP: dffffc0000000000 R08: ffff88807c180003 R09: 1ffff1100f830000 R10: dffffc0000000000 R11: ffffed100f830001 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000438 FS: 00007fe520225640(0000) GS:ffff8880b7e80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00005593c91b2c88 CR3: 000000014927c000 CR4: 00000000000006f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ? __die_body+0x61/0xb0 ? die_addr+0xb1/0xe0 ? exc_general_protection+0x333/0x510 ? asm_exc_general_protection+0x26/0x30 ? jfs_ioc_trim+0x34b/0x8f0 jfs_ioctl+0x3c8/0x4f0 ? __pfx_jfs_ioctl+0x10/0x10 ? __pfx_jfs_ioctl+0x10/0x10 __se_sys_ioctl+0x269/0x350 ? __pfx___se_sys_ioctl+0x10/0x10 ? do_syscall_64+0xfb/0x210 do_syscall_64+0xee/0x210 ? syscall_exit_to_user_mode+0x1e0/0x330 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fe51f4903ad Code: c3 e8 a7 2b 00 00 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d RSP: 002b:00007fe5202250c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007fe51f5cbf80 RCX: 00007fe51f4903ad RDX: 0000000020000680 RSI: 00000000c0185879 RDI: 0000000000000005 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe520225640 R13: 000000000000000e R14: 00007fe51f44fca0 R15: 00007fe52021d000 </TASK> Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:jfs_ioc_trim+0x34b/0x8f0 Code: e7 e8 59 a4 87 fe 4d 8b 24 24 4d 8d bc 24 38 04 00 00 48 8d 93 90 82 fe ff 4c 89 ff 31 f6 RSP: 0018:ffffc900055f7cd0 EFLAGS: 00010206 RAX: 0000000000000087 RBX: 00005866a9e67ff8 RCX: 000000000000000a RDX: 0000000000000001 RSI: 0000000000000004 RDI: 0000000000000001 RBP: dffffc0000000000 R08: ffff88807c180003 R09: 1ffff1100f830000 R10: dffffc0000000000 R11: ffffed100f830001 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000438 FS: 00007fe520225640(0000) GS:ffff8880b7e80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00005593c91b2c88 CR3: 000000014927c000 CR4: 00000000000006f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Kernel panic - not syncing: Fatal exception [ Analysis ] We believe that we have found a concurrency bug in the `fs/jfs` module that results in a null pointer dereference. There is a closely related issue which has been fixed: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d6c1b3599b2feb5c7291f5ac3a36e5fa7cedb234 ... but, unfortunately, the accepted patch appears to still be susceptible to a null pointer dereference under some interleavings. To trigger the bug, we think that `JFS_SBI(ipbmap->i_sb)->bmap` is set to NULL in `dbFreeBits` and then dereferenced in `jfs_ioc_trim`. This bug manifests quite rarely under normal circumstances, but is triggereable from a syz-program.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/0d50231d473f89024…
	https://git.kernel.org/stable/c/a9d41c925069c950e…
	https://git.kernel.org/stable/c/4a8cb9908b51500a7…
	https://git.kernel.org/stable/c/9806ae34d7d661c37…
	https://git.kernel.org/stable/c/a4685408ff6c3e2af…

Impacted products

Vendor

Product

Version

Linux

Affected: b40c2e665cd552eae5fbdbb878bc29a34357668e , < 0d50231d473f89024158dc62624930de45d13718 (git)
Affected: b40c2e665cd552eae5fbdbb878bc29a34357668e , < a9d41c925069c950e18160e12a7e10e0f58c56fb (git)
Affected: b40c2e665cd552eae5fbdbb878bc29a34357668e , < 4a8cb9908b51500a76f5156423bd295df53bff89 (git)
Affected: b40c2e665cd552eae5fbdbb878bc29a34357668e , < 9806ae34d7d661c372247cd36f83bfa0523d60ed (git)
Affected: b40c2e665cd552eae5fbdbb878bc29a34357668e , < a4685408ff6c3e2af366ad9a7274f45ff3f394ee (git)

Linux

Affected: 3.7
Unaffected: 0 , < 3.7 (semver)
Unaffected: 5.4.295 , ≤ 5.4.* (semver)
Unaffected: 5.10.239 , ≤ 5.10.* (semver)
Unaffected: 5.15.186 , ≤ 5.15.* (semver)
Unaffected: 6.15.4 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:35:25.733Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/jfs/jfs_discard.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0d50231d473f89024158dc62624930de45d13718",
              "status": "affected",
              "version": "b40c2e665cd552eae5fbdbb878bc29a34357668e",
              "versionType": "git"
            },
            {
              "lessThan": "a9d41c925069c950e18160e12a7e10e0f58c56fb",
              "status": "affected",
              "version": "b40c2e665cd552eae5fbdbb878bc29a34357668e",
              "versionType": "git"
            },
            {
              "lessThan": "4a8cb9908b51500a76f5156423bd295df53bff89",
              "status": "affected",
              "version": "b40c2e665cd552eae5fbdbb878bc29a34357668e",
              "versionType": "git"
            },
            {
              "lessThan": "9806ae34d7d661c372247cd36f83bfa0523d60ed",
              "status": "affected",
              "version": "b40c2e665cd552eae5fbdbb878bc29a34357668e",
              "versionType": "git"
            },
            {
              "lessThan": "a4685408ff6c3e2af366ad9a7274f45ff3f394ee",
              "status": "affected",
              "version": "b40c2e665cd552eae5fbdbb878bc29a34357668e",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/jfs/jfs_discard.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.7"
            },
            {
              "lessThan": "3.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.295",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.295",
                  "versionStartIncluding": "3.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "3.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "3.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.4",
                  "versionStartIncluding": "3.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "3.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: Fix null-ptr-deref in jfs_ioc_trim\n\n[ Syzkaller Report ]\n\nOops: general protection fault, probably for non-canonical address\n0xdffffc0000000087: 0000 [#1\nKASAN: null-ptr-deref in range [0x0000000000000438-0x000000000000043f]\nCPU: 2 UID: 0 PID: 10614 Comm: syz-executor.0 Not tainted\n6.13.0-rc6-gfbfd64d25c7a-dirty #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nSched_ext: serialise (enabled+all), task: runnable_at=-30ms\nRIP: 0010:jfs_ioc_trim+0x34b/0x8f0\nCode: e7 e8 59 a4 87 fe 4d 8b 24 24 4d 8d bc 24 38 04 00 00 48 8d 93\n90 82 fe ff 4c 89 ff 31 f6\nRSP: 0018:ffffc900055f7cd0 EFLAGS: 00010206\nRAX: 0000000000000087 RBX: 00005866a9e67ff8 RCX: 000000000000000a\nRDX: 0000000000000001 RSI: 0000000000000004 RDI: 0000000000000001\nRBP: dffffc0000000000 R08: ffff88807c180003 R09: 1ffff1100f830000\nR10: dffffc0000000000 R11: ffffed100f830001 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000438\nFS:  00007fe520225640(0000) GS:ffff8880b7e80000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00005593c91b2c88 CR3: 000000014927c000 CR4: 00000000000006f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n\u003cTASK\u003e\n? __die_body+0x61/0xb0\n? die_addr+0xb1/0xe0\n? exc_general_protection+0x333/0x510\n? asm_exc_general_protection+0x26/0x30\n? jfs_ioc_trim+0x34b/0x8f0\njfs_ioctl+0x3c8/0x4f0\n? __pfx_jfs_ioctl+0x10/0x10\n? __pfx_jfs_ioctl+0x10/0x10\n__se_sys_ioctl+0x269/0x350\n? __pfx___se_sys_ioctl+0x10/0x10\n? do_syscall_64+0xfb/0x210\ndo_syscall_64+0xee/0x210\n? syscall_exit_to_user_mode+0x1e0/0x330\nentry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7fe51f4903ad\nCode: c3 e8 a7 2b 00 00 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 89 f8 48\n89 f7 48 89 d6 48 89 ca 4d\nRSP: 002b:00007fe5202250c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 00007fe51f5cbf80 RCX: 00007fe51f4903ad\nRDX: 0000000020000680 RSI: 00000000c0185879 RDI: 0000000000000005\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 00007fe520225640\nR13: 000000000000000e R14: 00007fe51f44fca0 R15: 00007fe52021d000\n\u003c/TASK\u003e\nModules linked in:\n---[ end trace 0000000000000000 ]---\nRIP: 0010:jfs_ioc_trim+0x34b/0x8f0\nCode: e7 e8 59 a4 87 fe 4d 8b 24 24 4d 8d bc 24 38 04 00 00 48 8d 93\n90 82 fe ff 4c 89 ff 31 f6\nRSP: 0018:ffffc900055f7cd0 EFLAGS: 00010206\nRAX: 0000000000000087 RBX: 00005866a9e67ff8 RCX: 000000000000000a\nRDX: 0000000000000001 RSI: 0000000000000004 RDI: 0000000000000001\nRBP: dffffc0000000000 R08: ffff88807c180003 R09: 1ffff1100f830000\nR10: dffffc0000000000 R11: ffffed100f830001 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000438\nFS:  00007fe520225640(0000) GS:ffff8880b7e80000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00005593c91b2c88 CR3: 000000014927c000 CR4: 00000000000006f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nKernel panic - not syncing: Fatal exception\n\n[ Analysis ]\n\nWe believe that we have found a concurrency bug in the `fs/jfs` module\nthat results in a null pointer dereference. There is a closely related\nissue which has been fixed:\n\nhttps://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d6c1b3599b2feb5c7291f5ac3a36e5fa7cedb234\n\n... but, unfortunately, the accepted patch appears to still be\nsusceptible to a null pointer dereference under some interleavings.\n\nTo trigger the bug, we think that `JFS_SBI(ipbmap-\u003ei_sb)-\u003ebmap` is set\nto NULL in `dbFreeBits` and then dereferenced in `jfs_ioc_trim`. This\nbug manifests quite rarely under normal circumstances, but is\ntriggereable from a syz-program."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:14:59.793Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0d50231d473f89024158dc62624930de45d13718"
        },
        {
          "url": "https://git.kernel.org/stable/c/a9d41c925069c950e18160e12a7e10e0f58c56fb"
        },
        {
          "url": "https://git.kernel.org/stable/c/4a8cb9908b51500a76f5156423bd295df53bff89"
        },
        {
          "url": "https://git.kernel.org/stable/c/9806ae34d7d661c372247cd36f83bfa0523d60ed"
        },
        {
          "url": "https://git.kernel.org/stable/c/a4685408ff6c3e2af366ad9a7274f45ff3f394ee"
        }
      ],
      "title": "jfs: Fix null-ptr-deref in jfs_ioc_trim",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38203",
    "datePublished": "2025-07-04T13:37:23.975Z",
    "dateReserved": "2025-04-16T04:51:23.994Z",
    "dateUpdated": "2025-11-03T17:35:25.733Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21927 (GCVE-0-2025-21927)

Vulnerability from cvelistv5 – Published: 2025-04-01 15:40 – Updated: 2025-10-01 19:26

Title

nvme-tcp: fix potential memory corruption in nvme_tcp_recv_pdu()

Summary

In the Linux kernel, the following vulnerability has been resolved: nvme-tcp: fix potential memory corruption in nvme_tcp_recv_pdu() nvme_tcp_recv_pdu() doesn't check the validity of the header length. When header digests are enabled, a target might send a packet with an invalid header length (e.g. 255), causing nvme_tcp_verify_hdgst() to access memory outside the allocated area and cause memory corruptions by overwriting it with the calculated digest. Fix this by rejecting packets with an unexpected header length.

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-787 - Out-of-bounds Write

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/9fbc953d6b38bc824…
	https://git.kernel.org/stable/c/22b06c89aa6b2d1ec…
	https://git.kernel.org/stable/c/ad95bab0cd28ed77c…

Impacted products

Vendor

Product

Version

Linux

Affected: 3f2304f8c6d6ed97849057bd16fee99e434ca796 , < 9fbc953d6b38bc824392e01850f0aeee3b348722 (git)
Affected: 3f2304f8c6d6ed97849057bd16fee99e434ca796 , < 22b06c89aa6b2d1ecb8aea72edfb9d53af8d5126 (git)
Affected: 3f2304f8c6d6ed97849057bd16fee99e434ca796 , < ad95bab0cd28ed77c2c0d0b6e76e03e031391064 (git)

Linux

Affected: 5.0
Unaffected: 0 , < 5.0 (semver)
Unaffected: 6.12.19 , ≤ 6.12.* (semver)
Unaffected: 6.13.7 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21927",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:22:21.408514Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-787",
                "description": "CWE-787 Out-of-bounds Write",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T19:26:33.723Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/nvme/host/tcp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "9fbc953d6b38bc824392e01850f0aeee3b348722",
              "status": "affected",
              "version": "3f2304f8c6d6ed97849057bd16fee99e434ca796",
              "versionType": "git"
            },
            {
              "lessThan": "22b06c89aa6b2d1ecb8aea72edfb9d53af8d5126",
              "status": "affected",
              "version": "3f2304f8c6d6ed97849057bd16fee99e434ca796",
              "versionType": "git"
            },
            {
              "lessThan": "ad95bab0cd28ed77c2c0d0b6e76e03e031391064",
              "status": "affected",
              "version": "3f2304f8c6d6ed97849057bd16fee99e434ca796",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/nvme/host/tcp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.0"
            },
            {
              "lessThan": "5.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.19",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.19",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.7",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-tcp: fix potential memory corruption in nvme_tcp_recv_pdu()\n\nnvme_tcp_recv_pdu() doesn\u0027t check the validity of the header length.\nWhen header digests are enabled, a target might send a packet with an\ninvalid header length (e.g. 255), causing nvme_tcp_verify_hdgst()\nto access memory outside the allocated area and cause memory corruptions\nby overwriting it with the calculated digest.\n\nFix this by rejecting packets with an unexpected header length."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:24:44.571Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/9fbc953d6b38bc824392e01850f0aeee3b348722"
        },
        {
          "url": "https://git.kernel.org/stable/c/22b06c89aa6b2d1ecb8aea72edfb9d53af8d5126"
        },
        {
          "url": "https://git.kernel.org/stable/c/ad95bab0cd28ed77c2c0d0b6e76e03e031391064"
        }
      ],
      "title": "nvme-tcp: fix potential memory corruption in nvme_tcp_recv_pdu()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21927",
    "datePublished": "2025-04-01T15:40:58.432Z",
    "dateReserved": "2024-12-29T08:45:45.788Z",
    "dateUpdated": "2025-10-01T19:26:33.723Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38326 (GCVE-0-2025-38326)

Vulnerability from cvelistv5 – Published: 2025-07-10 08:15 – Updated: 2025-11-03 17:36

Title

aoe: clean device rq_list in aoedev_downdev()

Summary

In the Linux kernel, the following vulnerability has been resolved: aoe: clean device rq_list in aoedev_downdev() An aoe device's rq_list contains accepted block requests that are waiting to be transmitted to the aoe target. This queue was added as part of the conversion to blk_mq. However, the queue was not cleaned out when an aoe device is downed which caused blk_mq_freeze_queue() to sleep indefinitely waiting for those requests to complete, causing a hang. This fix cleans out the queue before calling blk_mq_freeze_queue().

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/ed52e9652ba41d362…
	https://git.kernel.org/stable/c/64fc0bad62ed38874…
	https://git.kernel.org/stable/c/ef0b5bbbed7f220db…
	https://git.kernel.org/stable/c/531aef4a1accb13b2…
	https://git.kernel.org/stable/c/8662ac79a63488e27…
	https://git.kernel.org/stable/c/fa2a79f0da92614c5…
	https://git.kernel.org/stable/c/00be74e1470af292c…
	https://git.kernel.org/stable/c/7f90d45e57cb2ef1f…

Impacted products

Vendor

Product

Version

Linux

Affected: 3582dd291788e9441c3ba9047e55089edb98da5c , < ed52e9652ba41d362e9ec923077f6da23336f269 (git)
Affected: 3582dd291788e9441c3ba9047e55089edb98da5c , < 64fc0bad62ed38874131dd0337d844a43bd1017e (git)
Affected: 3582dd291788e9441c3ba9047e55089edb98da5c , < ef0b5bbbed7f220db2e9c73428f9a36e8dfc69ca (git)
Affected: 3582dd291788e9441c3ba9047e55089edb98da5c , < 531aef4a1accb13b21a3b82ec29955f4733367d5 (git)
Affected: 3582dd291788e9441c3ba9047e55089edb98da5c , < 8662ac79a63488e279b91c12a72b02bc0dc49f7b (git)
Affected: 3582dd291788e9441c3ba9047e55089edb98da5c , < fa2a79f0da92614c5dc45c8b3d2638681c7734ee (git)
Affected: 3582dd291788e9441c3ba9047e55089edb98da5c , < 00be74e1470af292c37a438b8e69dee47dcbf481 (git)
Affected: 3582dd291788e9441c3ba9047e55089edb98da5c , < 7f90d45e57cb2ef1f0adcaf925ddffdfc5e680ca (git)

Linux

Affected: 4.20
Unaffected: 0 , < 4.20 (semver)
Unaffected: 5.4.295 , ≤ 5.4.* (semver)
Unaffected: 5.10.239 , ≤ 5.10.* (semver)
Unaffected: 5.15.186 , ≤ 5.15.* (semver)
Unaffected: 6.1.142 , ≤ 6.1.* (semver)
Unaffected: 6.6.95 , ≤ 6.6.* (semver)
Unaffected: 6.12.35 , ≤ 6.12.* (semver)
Unaffected: 6.15.4 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:36:37.143Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/block/aoe/aoedev.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ed52e9652ba41d362e9ec923077f6da23336f269",
              "status": "affected",
              "version": "3582dd291788e9441c3ba9047e55089edb98da5c",
              "versionType": "git"
            },
            {
              "lessThan": "64fc0bad62ed38874131dd0337d844a43bd1017e",
              "status": "affected",
              "version": "3582dd291788e9441c3ba9047e55089edb98da5c",
              "versionType": "git"
            },
            {
              "lessThan": "ef0b5bbbed7f220db2e9c73428f9a36e8dfc69ca",
              "status": "affected",
              "version": "3582dd291788e9441c3ba9047e55089edb98da5c",
              "versionType": "git"
            },
            {
              "lessThan": "531aef4a1accb13b21a3b82ec29955f4733367d5",
              "status": "affected",
              "version": "3582dd291788e9441c3ba9047e55089edb98da5c",
              "versionType": "git"
            },
            {
              "lessThan": "8662ac79a63488e279b91c12a72b02bc0dc49f7b",
              "status": "affected",
              "version": "3582dd291788e9441c3ba9047e55089edb98da5c",
              "versionType": "git"
            },
            {
              "lessThan": "fa2a79f0da92614c5dc45c8b3d2638681c7734ee",
              "status": "affected",
              "version": "3582dd291788e9441c3ba9047e55089edb98da5c",
              "versionType": "git"
            },
            {
              "lessThan": "00be74e1470af292c37a438b8e69dee47dcbf481",
              "status": "affected",
              "version": "3582dd291788e9441c3ba9047e55089edb98da5c",
              "versionType": "git"
            },
            {
              "lessThan": "7f90d45e57cb2ef1f0adcaf925ddffdfc5e680ca",
              "status": "affected",
              "version": "3582dd291788e9441c3ba9047e55089edb98da5c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/block/aoe/aoedev.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.20"
            },
            {
              "lessThan": "4.20",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.295",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.95",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.35",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.295",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.95",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.35",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.4",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\naoe: clean device rq_list in aoedev_downdev()\n\nAn aoe device\u0027s rq_list contains accepted block requests that are\nwaiting to be transmitted to the aoe target. This queue was added as\npart of the conversion to blk_mq. However, the queue was not cleaned out\nwhen an aoe device is downed which caused blk_mq_freeze_queue() to sleep\nindefinitely waiting for those requests to complete, causing a hang. This\nfix cleans out the queue before calling blk_mq_freeze_queue()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:18:51.438Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ed52e9652ba41d362e9ec923077f6da23336f269"
        },
        {
          "url": "https://git.kernel.org/stable/c/64fc0bad62ed38874131dd0337d844a43bd1017e"
        },
        {
          "url": "https://git.kernel.org/stable/c/ef0b5bbbed7f220db2e9c73428f9a36e8dfc69ca"
        },
        {
          "url": "https://git.kernel.org/stable/c/531aef4a1accb13b21a3b82ec29955f4733367d5"
        },
        {
          "url": "https://git.kernel.org/stable/c/8662ac79a63488e279b91c12a72b02bc0dc49f7b"
        },
        {
          "url": "https://git.kernel.org/stable/c/fa2a79f0da92614c5dc45c8b3d2638681c7734ee"
        },
        {
          "url": "https://git.kernel.org/stable/c/00be74e1470af292c37a438b8e69dee47dcbf481"
        },
        {
          "url": "https://git.kernel.org/stable/c/7f90d45e57cb2ef1f0adcaf925ddffdfc5e680ca"
        }
      ],
      "title": "aoe: clean device rq_list in aoedev_downdev()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38326",
    "datePublished": "2025-07-10T08:15:00.752Z",
    "dateReserved": "2025-04-16T04:51:24.004Z",
    "dateUpdated": "2025-11-03T17:36:37.143Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38466 (GCVE-0-2025-38466)

Vulnerability from cvelistv5 – Published: 2025-07-25 15:27 – Updated: 2025-11-03 17:38

Title

perf: Revert to requiring CAP_SYS_ADMIN for uprobes

Summary

In the Linux kernel, the following vulnerability has been resolved: perf: Revert to requiring CAP_SYS_ADMIN for uprobes Jann reports that uprobes can be used destructively when used in the middle of an instruction. The kernel only verifies there is a valid instruction at the requested offset, but due to variable instruction length cannot determine if this is an instruction as seen by the intended execution stream. Additionally, Mark Rutland notes that on architectures that mix data in the text segment (like arm64), a similar things can be done if the data word is 'mistaken' for an instruction. As such, require CAP_SYS_ADMIN for uprobes.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/d7ef1afd5b3f43f49…
	https://git.kernel.org/stable/c/c0aec35f861fa746c…
	https://git.kernel.org/stable/c/8e8bf7bc6aa6f5833…
	https://git.kernel.org/stable/c/183bdb89af1b5193b…
	https://git.kernel.org/stable/c/a0a8009083e569b55…
	https://git.kernel.org/stable/c/d5074256b642cdeb4…
	https://git.kernel.org/stable/c/ba677dbe77af5ffe6…

Impacted products

Vendor

Product

Version

Linux

Affected: c9e0924e5c2b59365f9c0d43ff8722e79ecf4088 , < d7ef1afd5b3f43f4924326164cee5397b66abd9c (git)
Affected: c9e0924e5c2b59365f9c0d43ff8722e79ecf4088 , < c0aec35f861fa746ca45aa816161c74352e6ada8 (git)
Affected: c9e0924e5c2b59365f9c0d43ff8722e79ecf4088 , < 8e8bf7bc6aa6f583336c2fda280b6cea0aed5612 (git)
Affected: c9e0924e5c2b59365f9c0d43ff8722e79ecf4088 , < 183bdb89af1b5193b1d1d9316986053b15ca6fa4 (git)
Affected: c9e0924e5c2b59365f9c0d43ff8722e79ecf4088 , < a0a8009083e569b5526c64f7d3f2a62baca95164 (git)
Affected: c9e0924e5c2b59365f9c0d43ff8722e79ecf4088 , < d5074256b642cdeb46a70ce2f15193e766edca68 (git)
Affected: c9e0924e5c2b59365f9c0d43ff8722e79ecf4088 , < ba677dbe77af5ffe6204e0f3f547f3ba059c6302 (git)

Linux

Affected: 5.8
Unaffected: 0 , < 5.8 (semver)
Unaffected: 5.10.240 , ≤ 5.10.* (semver)
Unaffected: 5.15.189 , ≤ 5.15.* (semver)
Unaffected: 6.1.146 , ≤ 6.1.* (semver)
Unaffected: 6.6.99 , ≤ 6.6.* (semver)
Unaffected: 6.12.39 , ≤ 6.12.* (semver)
Unaffected: 6.15.7 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:38:29.560Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/events/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d7ef1afd5b3f43f4924326164cee5397b66abd9c",
              "status": "affected",
              "version": "c9e0924e5c2b59365f9c0d43ff8722e79ecf4088",
              "versionType": "git"
            },
            {
              "lessThan": "c0aec35f861fa746ca45aa816161c74352e6ada8",
              "status": "affected",
              "version": "c9e0924e5c2b59365f9c0d43ff8722e79ecf4088",
              "versionType": "git"
            },
            {
              "lessThan": "8e8bf7bc6aa6f583336c2fda280b6cea0aed5612",
              "status": "affected",
              "version": "c9e0924e5c2b59365f9c0d43ff8722e79ecf4088",
              "versionType": "git"
            },
            {
              "lessThan": "183bdb89af1b5193b1d1d9316986053b15ca6fa4",
              "status": "affected",
              "version": "c9e0924e5c2b59365f9c0d43ff8722e79ecf4088",
              "versionType": "git"
            },
            {
              "lessThan": "a0a8009083e569b5526c64f7d3f2a62baca95164",
              "status": "affected",
              "version": "c9e0924e5c2b59365f9c0d43ff8722e79ecf4088",
              "versionType": "git"
            },
            {
              "lessThan": "d5074256b642cdeb46a70ce2f15193e766edca68",
              "status": "affected",
              "version": "c9e0924e5c2b59365f9c0d43ff8722e79ecf4088",
              "versionType": "git"
            },
            {
              "lessThan": "ba677dbe77af5ffe6204e0f3f547f3ba059c6302",
              "status": "affected",
              "version": "c9e0924e5c2b59365f9c0d43ff8722e79ecf4088",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/events/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.8"
            },
            {
              "lessThan": "5.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.240",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.189",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.146",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.99",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.39",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.240",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.189",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.146",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.99",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.39",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.7",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: Revert to requiring CAP_SYS_ADMIN for uprobes\n\nJann reports that uprobes can be used destructively when used in the\nmiddle of an instruction. The kernel only verifies there is a valid\ninstruction at the requested offset, but due to variable instruction\nlength cannot determine if this is an instruction as seen by the\nintended execution stream.\n\nAdditionally, Mark Rutland notes that on architectures that mix data\nin the text segment (like arm64), a similar things can be done if the\ndata word is \u0027mistaken\u0027 for an instruction.\n\nAs such, require CAP_SYS_ADMIN for uprobes."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:23:15.427Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d7ef1afd5b3f43f4924326164cee5397b66abd9c"
        },
        {
          "url": "https://git.kernel.org/stable/c/c0aec35f861fa746ca45aa816161c74352e6ada8"
        },
        {
          "url": "https://git.kernel.org/stable/c/8e8bf7bc6aa6f583336c2fda280b6cea0aed5612"
        },
        {
          "url": "https://git.kernel.org/stable/c/183bdb89af1b5193b1d1d9316986053b15ca6fa4"
        },
        {
          "url": "https://git.kernel.org/stable/c/a0a8009083e569b5526c64f7d3f2a62baca95164"
        },
        {
          "url": "https://git.kernel.org/stable/c/d5074256b642cdeb46a70ce2f15193e766edca68"
        },
        {
          "url": "https://git.kernel.org/stable/c/ba677dbe77af5ffe6204e0f3f547f3ba059c6302"
        }
      ],
      "title": "perf: Revert to requiring CAP_SYS_ADMIN for uprobes",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38466",
    "datePublished": "2025-07-25T15:27:48.235Z",
    "dateReserved": "2025-04-16T04:51:24.020Z",
    "dateUpdated": "2025-11-03T17:38:29.560Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38105 (GCVE-0-2025-38105)

Vulnerability from cvelistv5 – Published: 2025-07-03 08:35 – Updated: 2025-10-12 11:12

Title

ALSA: usb-audio: Kill timer properly at removal

Summary

In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Kill timer properly at removal The USB-audio MIDI code initializes the timer, but in a rare case, the driver might be freed without the disconnect call. This leaves the timer in an active state while the assigned object is released via snd_usbmidi_free(), which ends up with a kernel warning when the debug configuration is enabled, as spotted by fuzzer. For avoiding the problem, put timer_shutdown_sync() at snd_usbmidi_free(), so that the timer can be killed properly. While we're at it, replace the existing timer_delete_sync() at the disconnect callback with timer_shutdown_sync(), too.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/647410a7da4606795…
	https://git.kernel.org/stable/c/c611b9e55174e439d…
	https://git.kernel.org/stable/c/62066758d2ae16927…
	https://git.kernel.org/stable/c/0718a78f6a9f04b88…

Impacted products

Vendor

Product

Version

Linux

Affected: c88469704d63787e8d44ca5ea1c1bd0adc29572d , < 647410a7da46067953a53c0d03f8680eff570959 (git)
Affected: c88469704d63787e8d44ca5ea1c1bd0adc29572d , < c611b9e55174e439dcd85a72969b43a95f3827a4 (git)
Affected: c88469704d63787e8d44ca5ea1c1bd0adc29572d , < 62066758d2ae169278e5d6aea5995b1b6f6ddeb5 (git)
Affected: c88469704d63787e8d44ca5ea1c1bd0adc29572d , < 0718a78f6a9f04b88d0dc9616cc216b31c5f3cf1 (git)

Linux

Affected: 2.6.14
Unaffected: 0 , < 2.6.14 (semver)
Unaffected: 6.6.111 , ≤ 6.6.* (semver)
Unaffected: 6.12.52 , ≤ 6.12.* (semver)
Unaffected: 6.15.3 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "sound/usb/midi.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "647410a7da46067953a53c0d03f8680eff570959",
              "status": "affected",
              "version": "c88469704d63787e8d44ca5ea1c1bd0adc29572d",
              "versionType": "git"
            },
            {
              "lessThan": "c611b9e55174e439dcd85a72969b43a95f3827a4",
              "status": "affected",
              "version": "c88469704d63787e8d44ca5ea1c1bd0adc29572d",
              "versionType": "git"
            },
            {
              "lessThan": "62066758d2ae169278e5d6aea5995b1b6f6ddeb5",
              "status": "affected",
              "version": "c88469704d63787e8d44ca5ea1c1bd0adc29572d",
              "versionType": "git"
            },
            {
              "lessThan": "0718a78f6a9f04b88d0dc9616cc216b31c5f3cf1",
              "status": "affected",
              "version": "c88469704d63787e8d44ca5ea1c1bd0adc29572d",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "sound/usb/midi.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.14"
            },
            {
              "lessThan": "2.6.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.111",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.52",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.111",
                  "versionStartIncluding": "2.6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.52",
                  "versionStartIncluding": "2.6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "2.6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "2.6.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Kill timer properly at removal\n\nThe USB-audio MIDI code initializes the timer, but in a rare case, the\ndriver might be freed without the disconnect call.  This leaves the\ntimer in an active state while the assigned object is released via\nsnd_usbmidi_free(), which ends up with a kernel warning when the debug\nconfiguration is enabled, as spotted by fuzzer.\n\nFor avoiding the problem, put timer_shutdown_sync() at\nsnd_usbmidi_free(), so that the timer can be killed properly.\nWhile we\u0027re at it, replace the existing timer_delete_sync() at the\ndisconnect callback with timer_shutdown_sync(), too."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-12T11:12:51.099Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/647410a7da46067953a53c0d03f8680eff570959"
        },
        {
          "url": "https://git.kernel.org/stable/c/c611b9e55174e439dcd85a72969b43a95f3827a4"
        },
        {
          "url": "https://git.kernel.org/stable/c/62066758d2ae169278e5d6aea5995b1b6f6ddeb5"
        },
        {
          "url": "https://git.kernel.org/stable/c/0718a78f6a9f04b88d0dc9616cc216b31c5f3cf1"
        }
      ],
      "title": "ALSA: usb-audio: Kill timer properly at removal",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38105",
    "datePublished": "2025-07-03T08:35:15.301Z",
    "dateReserved": "2025-04-16T04:51:23.985Z",
    "dateUpdated": "2025-10-12T11:12:51.099Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38051 (GCVE-0-2025-38051)

Vulnerability from cvelistv5 – Published: 2025-06-18 09:33 – Updated: 2025-11-03 17:33

Title

smb: client: Fix use-after-free in cifs_fill_dirent

Summary

In the Linux kernel, the following vulnerability has been resolved: smb: client: Fix use-after-free in cifs_fill_dirent There is a race condition in the readdir concurrency process, which may access the rsp buffer after it has been released, triggering the following KASAN warning. ================================================================== BUG: KASAN: slab-use-after-free in cifs_fill_dirent+0xb03/0xb60 [cifs] Read of size 4 at addr ffff8880099b819c by task a.out/342975 CPU: 2 UID: 0 PID: 342975 Comm: a.out Not tainted 6.15.0-rc6+ #240 PREEMPT(full) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x53/0x70 print_report+0xce/0x640 kasan_report+0xb8/0xf0 cifs_fill_dirent+0xb03/0xb60 [cifs] cifs_readdir+0x12cb/0x3190 [cifs] iterate_dir+0x1a1/0x520 __x64_sys_getdents+0x134/0x220 do_syscall_64+0x4b/0x110 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f996f64b9f9 Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0d f7 c3 0c 00 f7 d8 64 89 8 RSP: 002b:00007f996f53de78 EFLAGS: 00000207 ORIG_RAX: 000000000000004e RAX: ffffffffffffffda RBX: 00007f996f53ecdc RCX: 00007f996f64b9f9 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 00007f996f53dea0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000207 R12: ffffffffffffff88 R13: 0000000000000000 R14: 00007ffc8cd9a500 R15: 00007f996f51e000 </TASK> Allocated by task 408: kasan_save_stack+0x20/0x40 kasan_save_track+0x14/0x30 __kasan_slab_alloc+0x6e/0x70 kmem_cache_alloc_noprof+0x117/0x3d0 mempool_alloc_noprof+0xf2/0x2c0 cifs_buf_get+0x36/0x80 [cifs] allocate_buffers+0x1d2/0x330 [cifs] cifs_demultiplex_thread+0x22b/0x2690 [cifs] kthread+0x394/0x720 ret_from_fork+0x34/0x70 ret_from_fork_asm+0x1a/0x30 Freed by task 342979: kasan_save_stack+0x20/0x40 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x37/0x50 kmem_cache_free+0x2b8/0x500 cifs_buf_release+0x3c/0x70 [cifs] cifs_readdir+0x1c97/0x3190 [cifs] iterate_dir+0x1a1/0x520 __x64_sys_getdents64+0x134/0x220 do_syscall_64+0x4b/0x110 entry_SYSCALL_64_after_hwframe+0x76/0x7e The buggy address belongs to the object at ffff8880099b8000 which belongs to the cache cifs_request of size 16588 The buggy address is located 412 bytes inside of freed 16588-byte region [ffff8880099b8000, ffff8880099bc0cc) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x99b8 head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 anon flags: 0x80000000000040(head|node=0|zone=1) page_type: f5(slab) raw: 0080000000000040 ffff888001e03400 0000000000000000 dead000000000001 raw: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000 head: 0080000000000040 ffff888001e03400 0000000000000000 dead000000000001 head: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000 head: 0080000000000003 ffffea0000266e01 00000000ffffffff 00000000ffffffff head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8880099b8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880099b8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8880099b8180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8880099b8200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880099b8280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== POC is available in the link [1]. The problem triggering process is as follows: Process 1 Process 2 ----------------------------------- ---truncated---

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/aee067e88d61eb72e…
	https://git.kernel.org/stable/c/a24c2f05ac3c5b0aa…
	https://git.kernel.org/stable/c/1b197931fbc821bc7…
	https://git.kernel.org/stable/c/c8623231e0edfcccb…
	https://git.kernel.org/stable/c/73cadde98f67f76c5…
	https://git.kernel.org/stable/c/9bea368648ac46f85…
	https://git.kernel.org/stable/c/9c9aafbacc183598f…
	https://git.kernel.org/stable/c/a7a8fe56e932a36f4…

Impacted products

Vendor

Product

Version

Linux

Affected: a364bc0b37f14ffd66c1f982af42990a9d77fa43 , < aee067e88d61eb72e966f094e4749c6b14e7008f (git)
Affected: a364bc0b37f14ffd66c1f982af42990a9d77fa43 , < a24c2f05ac3c5b0aaa539d9d913826d2643dfd0e (git)
Affected: a364bc0b37f14ffd66c1f982af42990a9d77fa43 , < 1b197931fbc821bc7e9e91bf619400db563e3338 (git)
Affected: a364bc0b37f14ffd66c1f982af42990a9d77fa43 , < c8623231e0edfcccb7cc6add0288fa0f0594282f (git)
Affected: a364bc0b37f14ffd66c1f982af42990a9d77fa43 , < 73cadde98f67f76c5eba00ac0b72c453383cec8b (git)
Affected: a364bc0b37f14ffd66c1f982af42990a9d77fa43 , < 9bea368648ac46f8593a780760362e40291d22a9 (git)
Affected: a364bc0b37f14ffd66c1f982af42990a9d77fa43 , < 9c9aafbacc183598f064902365e107b5e856531f (git)
Affected: a364bc0b37f14ffd66c1f982af42990a9d77fa43 , < a7a8fe56e932a36f43e031b398aef92341bf5ea0 (git)
Affected: 0f3da51e7046e2eb28992ba65c22d058f571356c (git)

Linux

Affected: 2.6.28
Unaffected: 0 , < 2.6.28 (semver)
Unaffected: 5.4.294 , ≤ 5.4.* (semver)
Unaffected: 5.10.238 , ≤ 5.10.* (semver)
Unaffected: 5.15.185 , ≤ 5.15.* (semver)
Unaffected: 6.1.141 , ≤ 6.1.* (semver)
Unaffected: 6.6.93 , ≤ 6.6.* (semver)
Unaffected: 6.12.31 , ≤ 6.12.* (semver)
Unaffected: 6.14.9 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:33:23.156Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/client/readdir.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "aee067e88d61eb72e966f094e4749c6b14e7008f",
              "status": "affected",
              "version": "a364bc0b37f14ffd66c1f982af42990a9d77fa43",
              "versionType": "git"
            },
            {
              "lessThan": "a24c2f05ac3c5b0aaa539d9d913826d2643dfd0e",
              "status": "affected",
              "version": "a364bc0b37f14ffd66c1f982af42990a9d77fa43",
              "versionType": "git"
            },
            {
              "lessThan": "1b197931fbc821bc7e9e91bf619400db563e3338",
              "status": "affected",
              "version": "a364bc0b37f14ffd66c1f982af42990a9d77fa43",
              "versionType": "git"
            },
            {
              "lessThan": "c8623231e0edfcccb7cc6add0288fa0f0594282f",
              "status": "affected",
              "version": "a364bc0b37f14ffd66c1f982af42990a9d77fa43",
              "versionType": "git"
            },
            {
              "lessThan": "73cadde98f67f76c5eba00ac0b72c453383cec8b",
              "status": "affected",
              "version": "a364bc0b37f14ffd66c1f982af42990a9d77fa43",
              "versionType": "git"
            },
            {
              "lessThan": "9bea368648ac46f8593a780760362e40291d22a9",
              "status": "affected",
              "version": "a364bc0b37f14ffd66c1f982af42990a9d77fa43",
              "versionType": "git"
            },
            {
              "lessThan": "9c9aafbacc183598f064902365e107b5e856531f",
              "status": "affected",
              "version": "a364bc0b37f14ffd66c1f982af42990a9d77fa43",
              "versionType": "git"
            },
            {
              "lessThan": "a7a8fe56e932a36f43e031b398aef92341bf5ea0",
              "status": "affected",
              "version": "a364bc0b37f14ffd66c1f982af42990a9d77fa43",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "0f3da51e7046e2eb28992ba65c22d058f571356c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/client/readdir.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.28"
            },
            {
              "lessThan": "2.6.28",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.294",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.238",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.185",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.141",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.93",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.31",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.294",
                  "versionStartIncluding": "2.6.28",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.238",
                  "versionStartIncluding": "2.6.28",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.185",
                  "versionStartIncluding": "2.6.28",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.141",
                  "versionStartIncluding": "2.6.28",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.93",
                  "versionStartIncluding": "2.6.28",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.31",
                  "versionStartIncluding": "2.6.28",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.9",
                  "versionStartIncluding": "2.6.28",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "2.6.28",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "2.6.27.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: Fix use-after-free in cifs_fill_dirent\n\nThere is a race condition in the readdir concurrency process, which may\naccess the rsp buffer after it has been released, triggering the\nfollowing KASAN warning.\n\n ==================================================================\n BUG: KASAN: slab-use-after-free in cifs_fill_dirent+0xb03/0xb60 [cifs]\n Read of size 4 at addr ffff8880099b819c by task a.out/342975\n\n CPU: 2 UID: 0 PID: 342975 Comm: a.out Not tainted 6.15.0-rc6+ #240 PREEMPT(full)\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014\n Call Trace:\n  \u003cTASK\u003e\n  dump_stack_lvl+0x53/0x70\n  print_report+0xce/0x640\n  kasan_report+0xb8/0xf0\n  cifs_fill_dirent+0xb03/0xb60 [cifs]\n  cifs_readdir+0x12cb/0x3190 [cifs]\n  iterate_dir+0x1a1/0x520\n  __x64_sys_getdents+0x134/0x220\n  do_syscall_64+0x4b/0x110\n  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n RIP: 0033:0x7f996f64b9f9\n Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89\n f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01\n f0 ff ff  0d f7 c3 0c 00 f7 d8 64 89 8\n RSP: 002b:00007f996f53de78 EFLAGS: 00000207 ORIG_RAX: 000000000000004e\n RAX: ffffffffffffffda RBX: 00007f996f53ecdc RCX: 00007f996f64b9f9\n RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003\n RBP: 00007f996f53dea0 R08: 0000000000000000 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000207 R12: ffffffffffffff88\n R13: 0000000000000000 R14: 00007ffc8cd9a500 R15: 00007f996f51e000\n  \u003c/TASK\u003e\n\n Allocated by task 408:\n  kasan_save_stack+0x20/0x40\n  kasan_save_track+0x14/0x30\n  __kasan_slab_alloc+0x6e/0x70\n  kmem_cache_alloc_noprof+0x117/0x3d0\n  mempool_alloc_noprof+0xf2/0x2c0\n  cifs_buf_get+0x36/0x80 [cifs]\n  allocate_buffers+0x1d2/0x330 [cifs]\n  cifs_demultiplex_thread+0x22b/0x2690 [cifs]\n  kthread+0x394/0x720\n  ret_from_fork+0x34/0x70\n  ret_from_fork_asm+0x1a/0x30\n\n Freed by task 342979:\n  kasan_save_stack+0x20/0x40\n  kasan_save_track+0x14/0x30\n  kasan_save_free_info+0x3b/0x60\n  __kasan_slab_free+0x37/0x50\n  kmem_cache_free+0x2b8/0x500\n  cifs_buf_release+0x3c/0x70 [cifs]\n  cifs_readdir+0x1c97/0x3190 [cifs]\n  iterate_dir+0x1a1/0x520\n  __x64_sys_getdents64+0x134/0x220\n  do_syscall_64+0x4b/0x110\n  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\n The buggy address belongs to the object at ffff8880099b8000\n  which belongs to the cache cifs_request of size 16588\n The buggy address is located 412 bytes inside of\n  freed 16588-byte region [ffff8880099b8000, ffff8880099bc0cc)\n\n The buggy address belongs to the physical page:\n page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x99b8\n head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0\n anon flags: 0x80000000000040(head|node=0|zone=1)\n page_type: f5(slab)\n raw: 0080000000000040 ffff888001e03400 0000000000000000 dead000000000001\n raw: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000\n head: 0080000000000040 ffff888001e03400 0000000000000000 dead000000000001\n head: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000\n head: 0080000000000003 ffffea0000266e01 00000000ffffffff 00000000ffffffff\n head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008\n page dumped because: kasan: bad access detected\n\n Memory state around the buggy address:\n  ffff8880099b8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n  ffff8880099b8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n \u003effff8880099b8180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n                             ^\n  ffff8880099b8200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n  ffff8880099b8280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ==================================================================\n\nPOC is available in the link [1].\n\nThe problem triggering process is as follows:\n\nProcess 1                       Process 2\n-----------------------------------\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-18T09:33:32.805Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/aee067e88d61eb72e966f094e4749c6b14e7008f"
        },
        {
          "url": "https://git.kernel.org/stable/c/a24c2f05ac3c5b0aaa539d9d913826d2643dfd0e"
        },
        {
          "url": "https://git.kernel.org/stable/c/1b197931fbc821bc7e9e91bf619400db563e3338"
        },
        {
          "url": "https://git.kernel.org/stable/c/c8623231e0edfcccb7cc6add0288fa0f0594282f"
        },
        {
          "url": "https://git.kernel.org/stable/c/73cadde98f67f76c5eba00ac0b72c453383cec8b"
        },
        {
          "url": "https://git.kernel.org/stable/c/9bea368648ac46f8593a780760362e40291d22a9"
        },
        {
          "url": "https://git.kernel.org/stable/c/9c9aafbacc183598f064902365e107b5e856531f"
        },
        {
          "url": "https://git.kernel.org/stable/c/a7a8fe56e932a36f43e031b398aef92341bf5ea0"
        }
      ],
      "title": "smb: client: Fix use-after-free in cifs_fill_dirent",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38051",
    "datePublished": "2025-06-18T09:33:32.805Z",
    "dateReserved": "2025-04-16T04:51:23.979Z",
    "dateUpdated": "2025-11-03T17:33:23.156Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21924 (GCVE-0-2025-21924)

Vulnerability from cvelistv5 – Published: 2025-04-01 15:40 – Updated: 2025-11-03 19:39

Title

net: hns3: make sure ptp clock is unregister and freed if hclge_ptp_get_cycle returns an error

Summary

In the Linux kernel, the following vulnerability has been resolved: net: hns3: make sure ptp clock is unregister and freed if hclge_ptp_get_cycle returns an error During the initialization of ptp, hclge_ptp_get_cycle might return an error and returned directly without unregister clock and free it. To avoid that, call hclge_ptp_destroy_clock to unregist and free clock if hclge_ptp_get_cycle failed.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/b7d8d4529984e2d4a…
	https://git.kernel.org/stable/c/33244e98aa9503585…
	https://git.kernel.org/stable/c/2c04e507f3a5c5dc6…
	https://git.kernel.org/stable/c/9cfc43c0e6e6a3112…
	https://git.kernel.org/stable/c/21dba813d9821687a…
	https://git.kernel.org/stable/c/b7365eab39831487a…

Impacted products

Vendor

Product

Version

Linux

Affected: 8373cd38a8888549ace7c7617163a2e826970a92 , < b7d8d4529984e2d4a72a6d552fb886233e8e83cb (git)
Affected: 8373cd38a8888549ace7c7617163a2e826970a92 , < 33244e98aa9503585e585335fe2ceb4492630949 (git)
Affected: 8373cd38a8888549ace7c7617163a2e826970a92 , < 2c04e507f3a5c5dc6e2b9ab37d8cdedee1ef1a37 (git)
Affected: 8373cd38a8888549ace7c7617163a2e826970a92 , < 9cfc43c0e6e6a31122b4008d763a2960c206aa2d (git)
Affected: 8373cd38a8888549ace7c7617163a2e826970a92 , < 21dba813d9821687a7f9aff576798ba21a859a32 (git)
Affected: 8373cd38a8888549ace7c7617163a2e826970a92 , < b7365eab39831487a84e63a9638209b68dc54008 (git)

Linux

Affected: 5.14
Unaffected: 0 , < 5.14 (semver)
Unaffected: 5.15.179 , ≤ 5.15.* (semver)
Unaffected: 6.1.131 , ≤ 6.1.* (semver)
Unaffected: 6.6.83 , ≤ 6.6.* (semver)
Unaffected: 6.12.19 , ≤ 6.12.* (semver)
Unaffected: 6.13.7 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:39:17.991Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_ptp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b7d8d4529984e2d4a72a6d552fb886233e8e83cb",
              "status": "affected",
              "version": "8373cd38a8888549ace7c7617163a2e826970a92",
              "versionType": "git"
            },
            {
              "lessThan": "33244e98aa9503585e585335fe2ceb4492630949",
              "status": "affected",
              "version": "8373cd38a8888549ace7c7617163a2e826970a92",
              "versionType": "git"
            },
            {
              "lessThan": "2c04e507f3a5c5dc6e2b9ab37d8cdedee1ef1a37",
              "status": "affected",
              "version": "8373cd38a8888549ace7c7617163a2e826970a92",
              "versionType": "git"
            },
            {
              "lessThan": "9cfc43c0e6e6a31122b4008d763a2960c206aa2d",
              "status": "affected",
              "version": "8373cd38a8888549ace7c7617163a2e826970a92",
              "versionType": "git"
            },
            {
              "lessThan": "21dba813d9821687a7f9aff576798ba21a859a32",
              "status": "affected",
              "version": "8373cd38a8888549ace7c7617163a2e826970a92",
              "versionType": "git"
            },
            {
              "lessThan": "b7365eab39831487a84e63a9638209b68dc54008",
              "status": "affected",
              "version": "8373cd38a8888549ace7c7617163a2e826970a92",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_ptp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.14"
            },
            {
              "lessThan": "5.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.131",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.83",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.19",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.131",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.83",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.19",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.7",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hns3: make sure ptp clock is unregister and freed if hclge_ptp_get_cycle returns an error\n\nDuring the initialization of ptp, hclge_ptp_get_cycle might return an error\nand returned directly without unregister clock and free it. To avoid that,\ncall hclge_ptp_destroy_clock to unregist and free clock if\nhclge_ptp_get_cycle failed."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:24:40.722Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b7d8d4529984e2d4a72a6d552fb886233e8e83cb"
        },
        {
          "url": "https://git.kernel.org/stable/c/33244e98aa9503585e585335fe2ceb4492630949"
        },
        {
          "url": "https://git.kernel.org/stable/c/2c04e507f3a5c5dc6e2b9ab37d8cdedee1ef1a37"
        },
        {
          "url": "https://git.kernel.org/stable/c/9cfc43c0e6e6a31122b4008d763a2960c206aa2d"
        },
        {
          "url": "https://git.kernel.org/stable/c/21dba813d9821687a7f9aff576798ba21a859a32"
        },
        {
          "url": "https://git.kernel.org/stable/c/b7365eab39831487a84e63a9638209b68dc54008"
        }
      ],
      "title": "net: hns3: make sure ptp clock is unregister and freed if hclge_ptp_get_cycle returns an error",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21924",
    "datePublished": "2025-04-01T15:40:56.841Z",
    "dateReserved": "2024-12-29T08:45:45.788Z",
    "dateUpdated": "2025-11-03T19:39:17.991Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21944 (GCVE-0-2025-21944)

Vulnerability from cvelistv5 – Published: 2025-04-01 15:41 – Updated: 2025-11-03 19:39

Title

ksmbd: fix bug on trap in smb2_lock

Summary

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix bug on trap in smb2_lock If lock count is greater than 1, flags could be old value. It should be checked with flags of smb_lock, not flags. It will cause bug-on trap from locks_free_lock in error handling routine.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/11e0e74e14f1832a9…
	https://git.kernel.org/stable/c/8994f0ce8259f812b…
	https://git.kernel.org/stable/c/dbcd7fdd86f775292…
	https://git.kernel.org/stable/c/2b70e3ac79eacbdf3…
	https://git.kernel.org/stable/c/e26e2d2e15daf1ab3…

Impacted products

Vendor

Product

Version

Linux

Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 11e0e74e14f1832a95092f2c98ed3b99f57797ee (git)
Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 8994f0ce8259f812b4f4a681d8298c6ff682efaa (git)
Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < dbcd7fdd86f77529210fe8978154a81cd479844c (git)
Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 2b70e3ac79eacbdf32571f7af48dd81cdd957ca8 (git)
Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < e26e2d2e15daf1ab33e0135caf2304a0cfa2744b (git)

Linux

Affected: 5.15
Unaffected: 0 , < 5.15 (semver)
Unaffected: 6.1.131 , ≤ 6.1.* (semver)
Unaffected: 6.6.83 , ≤ 6.6.* (semver)
Unaffected: 6.12.19 , ≤ 6.12.* (semver)
Unaffected: 6.13.7 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:39:44.619Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/server/smb2pdu.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "11e0e74e14f1832a95092f2c98ed3b99f57797ee",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            },
            {
              "lessThan": "8994f0ce8259f812b4f4a681d8298c6ff682efaa",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            },
            {
              "lessThan": "dbcd7fdd86f77529210fe8978154a81cd479844c",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            },
            {
              "lessThan": "2b70e3ac79eacbdf32571f7af48dd81cdd957ca8",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            },
            {
              "lessThan": "e26e2d2e15daf1ab33e0135caf2304a0cfa2744b",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/server/smb2pdu.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.15"
            },
            {
              "lessThan": "5.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.131",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.83",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.19",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.131",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.83",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.19",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.7",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix bug on trap in smb2_lock\n\nIf lock count is greater than 1, flags could be old value.\nIt should be checked with flags of smb_lock, not flags.\nIt will cause bug-on trap from locks_free_lock in error handling\nroutine."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:25:22.648Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/11e0e74e14f1832a95092f2c98ed3b99f57797ee"
        },
        {
          "url": "https://git.kernel.org/stable/c/8994f0ce8259f812b4f4a681d8298c6ff682efaa"
        },
        {
          "url": "https://git.kernel.org/stable/c/dbcd7fdd86f77529210fe8978154a81cd479844c"
        },
        {
          "url": "https://git.kernel.org/stable/c/2b70e3ac79eacbdf32571f7af48dd81cdd957ca8"
        },
        {
          "url": "https://git.kernel.org/stable/c/e26e2d2e15daf1ab33e0135caf2304a0cfa2744b"
        }
      ],
      "title": "ksmbd: fix bug on trap in smb2_lock",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21944",
    "datePublished": "2025-04-01T15:41:07.977Z",
    "dateReserved": "2024-12-29T08:45:45.790Z",
    "dateUpdated": "2025-11-03T19:39:44.619Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-22008 (GCVE-0-2025-22008)

Vulnerability from cvelistv5 – Published: 2025-04-08 08:17 – Updated: 2026-01-02 15:28

Title

regulator: check that dummy regulator has been probed before using it

Summary

In the Linux kernel, the following vulnerability has been resolved: regulator: check that dummy regulator has been probed before using it Due to asynchronous driver probing there is a chance that the dummy regulator hasn't already been probed when first accessing it.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/998b1aae22dca87da…
	https://git.kernel.org/stable/c/a99f1254b11eaadd0…
	https://git.kernel.org/stable/c/21e3fdf3146f9c638…
	https://git.kernel.org/stable/c/2c7a50bec4958f1d1…

Impacted products

Vendor

Product

Version

Linux

Affected: 259b93b21a9ffe5117af4dfb5505437e463c6a5a , < 998b1aae22dca87da392ea35f089406cbef6032d (git)
Affected: 259b93b21a9ffe5117af4dfb5505437e463c6a5a , < a99f1254b11eaadd0794b74a8178bad92ab01cae (git)
Affected: 259b93b21a9ffe5117af4dfb5505437e463c6a5a , < 21e3fdf3146f9c63888d6bfabbd553434a5fb93f (git)
Affected: 259b93b21a9ffe5117af4dfb5505437e463c6a5a , < 2c7a50bec4958f1d1c84d19cde518d0e96a676fd (git)

Linux

Affected: 6.4
Unaffected: 0 , < 6.4 (semver)
Unaffected: 6.6.85 , ≤ 6.6.* (semver)
Unaffected: 6.12.21 , ≤ 6.12.* (semver)
Unaffected: 6.13.9 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:40:53.165Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/regulator/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "998b1aae22dca87da392ea35f089406cbef6032d",
              "status": "affected",
              "version": "259b93b21a9ffe5117af4dfb5505437e463c6a5a",
              "versionType": "git"
            },
            {
              "lessThan": "a99f1254b11eaadd0794b74a8178bad92ab01cae",
              "status": "affected",
              "version": "259b93b21a9ffe5117af4dfb5505437e463c6a5a",
              "versionType": "git"
            },
            {
              "lessThan": "21e3fdf3146f9c63888d6bfabbd553434a5fb93f",
              "status": "affected",
              "version": "259b93b21a9ffe5117af4dfb5505437e463c6a5a",
              "versionType": "git"
            },
            {
              "lessThan": "2c7a50bec4958f1d1c84d19cde518d0e96a676fd",
              "status": "affected",
              "version": "259b93b21a9ffe5117af4dfb5505437e463c6a5a",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/regulator/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.4"
            },
            {
              "lessThan": "6.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.85",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.21",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.85",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.21",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.9",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nregulator: check that dummy regulator has been probed before using it\n\nDue to asynchronous driver probing there is a chance that the dummy\nregulator hasn\u0027t already been probed when first accessing it."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:28:45.857Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/998b1aae22dca87da392ea35f089406cbef6032d"
        },
        {
          "url": "https://git.kernel.org/stable/c/a99f1254b11eaadd0794b74a8178bad92ab01cae"
        },
        {
          "url": "https://git.kernel.org/stable/c/21e3fdf3146f9c63888d6bfabbd553434a5fb93f"
        },
        {
          "url": "https://git.kernel.org/stable/c/2c7a50bec4958f1d1c84d19cde518d0e96a676fd"
        }
      ],
      "title": "regulator: check that dummy regulator has been probed before using it",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-22008",
    "datePublished": "2025-04-08T08:17:59.257Z",
    "dateReserved": "2024-12-29T08:45:45.803Z",
    "dateUpdated": "2026-01-02T15:28:45.857Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38457 (GCVE-0-2025-38457)

Vulnerability from cvelistv5 – Published: 2025-07-25 15:27 – Updated: 2025-11-03 17:38

Title

net/sched: Abort __tc_modify_qdisc if parent class does not exist

Summary

In the Linux kernel, the following vulnerability has been resolved: net/sched: Abort __tc_modify_qdisc if parent class does not exist Lion's patch [1] revealed an ancient bug in the qdisc API. Whenever a user creates/modifies a qdisc specifying as a parent another qdisc, the qdisc API will, during grafting, detect that the user is not trying to attach to a class and reject. However grafting is performed after qdisc_create (and thus the qdiscs' init callback) is executed. In qdiscs that eventually call qdisc_tree_reduce_backlog during init or change (such as fq, hhf, choke, etc), an issue arises. For example, executing the following commands: sudo tc qdisc add dev lo root handle a: htb default 2 sudo tc qdisc add dev lo parent a: handle beef fq Qdiscs such as fq, hhf, choke, etc unconditionally invoke qdisc_tree_reduce_backlog() in their control path init() or change() which then causes a failure to find the child class; however, that does not stop the unconditional invocation of the assumed child qdisc's qlen_notify with a null class. All these qdiscs make the assumption that class is non-null. The solution is ensure that qdisc_leaf() which looks up the parent class, and is invoked prior to qdisc_create(), should return failure on not finding the class. In this patch, we leverage qdisc_leaf to return ERR_PTRs whenever the parentid doesn't correspond to a class, so that we can detect it earlier on and abort before qdisc_create is called. [1] https://lore.kernel.org/netdev/d912cbd7-193b-4269-9857-525bee8bbb6a@gmail.com/

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/923a276c74e25073a…
	https://git.kernel.org/stable/c/90436e72c9622c2f7…
	https://git.kernel.org/stable/c/25452638f133ac19d…
	https://git.kernel.org/stable/c/23c165dde88eac405…
	https://git.kernel.org/stable/c/4c691d1b6b6dbd73f…
	https://git.kernel.org/stable/c/8ecd651ef24ab5012…
	https://git.kernel.org/stable/c/e28a383d6485c3bb5…
	https://git.kernel.org/stable/c/ffdde7bf5a439aaa1…

Impacted products

Vendor

Product

Version

Linux

Affected: 5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6 , < 923a276c74e25073ae391e930792ac86a9f77f1e (git)
Affected: 5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6 , < 90436e72c9622c2f70389070088325a3232d339f (git)
Affected: 5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6 , < 25452638f133ac19d75af3f928327d8016952c8e (git)
Affected: 5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6 , < 23c165dde88eac405eebb59051ea1fe139a45803 (git)
Affected: 5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6 , < 4c691d1b6b6dbd73f30ed9ee7da05f037b0c49af (git)
Affected: 5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6 , < 8ecd651ef24ab50123692a4e3e25db93cb11602a (git)
Affected: 5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6 , < e28a383d6485c3bb51dc5953552f76c4dea33eea (git)
Affected: 5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6 , < ffdde7bf5a439aaa1955ebd581f5c64ab1533963 (git)

Linux

Affected: 2.6.20
Unaffected: 0 , < 2.6.20 (semver)
Unaffected: 5.4.296 , ≤ 5.4.* (semver)
Unaffected: 5.10.240 , ≤ 5.10.* (semver)
Unaffected: 5.15.189 , ≤ 5.15.* (semver)
Unaffected: 6.1.146 , ≤ 6.1.* (semver)
Unaffected: 6.6.99 , ≤ 6.6.* (semver)
Unaffected: 6.12.39 , ≤ 6.12.* (semver)
Unaffected: 6.15.7 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:38:14.193Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_api.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "923a276c74e25073ae391e930792ac86a9f77f1e",
              "status": "affected",
              "version": "5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6",
              "versionType": "git"
            },
            {
              "lessThan": "90436e72c9622c2f70389070088325a3232d339f",
              "status": "affected",
              "version": "5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6",
              "versionType": "git"
            },
            {
              "lessThan": "25452638f133ac19d75af3f928327d8016952c8e",
              "status": "affected",
              "version": "5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6",
              "versionType": "git"
            },
            {
              "lessThan": "23c165dde88eac405eebb59051ea1fe139a45803",
              "status": "affected",
              "version": "5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6",
              "versionType": "git"
            },
            {
              "lessThan": "4c691d1b6b6dbd73f30ed9ee7da05f037b0c49af",
              "status": "affected",
              "version": "5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6",
              "versionType": "git"
            },
            {
              "lessThan": "8ecd651ef24ab50123692a4e3e25db93cb11602a",
              "status": "affected",
              "version": "5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6",
              "versionType": "git"
            },
            {
              "lessThan": "e28a383d6485c3bb51dc5953552f76c4dea33eea",
              "status": "affected",
              "version": "5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6",
              "versionType": "git"
            },
            {
              "lessThan": "ffdde7bf5a439aaa1955ebd581f5c64ab1533963",
              "status": "affected",
              "version": "5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_api.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.20"
            },
            {
              "lessThan": "2.6.20",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.296",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.240",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.189",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.146",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.99",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.39",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.296",
                  "versionStartIncluding": "2.6.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.240",
                  "versionStartIncluding": "2.6.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.189",
                  "versionStartIncluding": "2.6.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.146",
                  "versionStartIncluding": "2.6.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.99",
                  "versionStartIncluding": "2.6.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.39",
                  "versionStartIncluding": "2.6.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.7",
                  "versionStartIncluding": "2.6.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "2.6.20",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: Abort __tc_modify_qdisc if parent class does not exist\n\nLion\u0027s patch [1] revealed an ancient bug in the qdisc API.\nWhenever a user creates/modifies a qdisc specifying as a parent another\nqdisc, the qdisc API will, during grafting, detect that the user is\nnot trying to attach to a class and reject. However grafting is\nperformed after qdisc_create (and thus the qdiscs\u0027 init callback) is\nexecuted. In qdiscs that eventually call qdisc_tree_reduce_backlog\nduring init or change (such as fq, hhf, choke, etc), an issue\narises. For example, executing the following commands:\n\nsudo tc qdisc add dev lo root handle a: htb default 2\nsudo tc qdisc add dev lo parent a: handle beef fq\n\nQdiscs such as fq, hhf, choke, etc unconditionally invoke\nqdisc_tree_reduce_backlog() in their control path init() or change() which\nthen causes a failure to find the child class; however, that does not stop\nthe unconditional invocation of the assumed child qdisc\u0027s qlen_notify with\na null class. All these qdiscs make the assumption that class is non-null.\n\nThe solution is ensure that qdisc_leaf() which looks up the parent\nclass, and is invoked prior to qdisc_create(), should return failure on\nnot finding the class.\nIn this patch, we leverage qdisc_leaf to return ERR_PTRs whenever the\nparentid doesn\u0027t correspond to a class, so that we can detect it\nearlier on and abort before qdisc_create is called.\n\n[1] https://lore.kernel.org/netdev/d912cbd7-193b-4269-9857-525bee8bbb6a@gmail.com/"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:22:51.557Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/923a276c74e25073ae391e930792ac86a9f77f1e"
        },
        {
          "url": "https://git.kernel.org/stable/c/90436e72c9622c2f70389070088325a3232d339f"
        },
        {
          "url": "https://git.kernel.org/stable/c/25452638f133ac19d75af3f928327d8016952c8e"
        },
        {
          "url": "https://git.kernel.org/stable/c/23c165dde88eac405eebb59051ea1fe139a45803"
        },
        {
          "url": "https://git.kernel.org/stable/c/4c691d1b6b6dbd73f30ed9ee7da05f037b0c49af"
        },
        {
          "url": "https://git.kernel.org/stable/c/8ecd651ef24ab50123692a4e3e25db93cb11602a"
        },
        {
          "url": "https://git.kernel.org/stable/c/e28a383d6485c3bb51dc5953552f76c4dea33eea"
        },
        {
          "url": "https://git.kernel.org/stable/c/ffdde7bf5a439aaa1955ebd581f5c64ab1533963"
        }
      ],
      "title": "net/sched: Abort __tc_modify_qdisc if parent class does not exist",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38457",
    "datePublished": "2025-07-25T15:27:36.226Z",
    "dateReserved": "2025-04-16T04:51:24.019Z",
    "dateUpdated": "2025-11-03T17:38:14.193Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38175 (GCVE-0-2025-38175)

Vulnerability from cvelistv5 – Published: 2025-07-04 10:39 – Updated: 2025-07-28 04:14

Title

binder: fix yet another UAF in binder_devices

Summary

In the Linux kernel, the following vulnerability has been resolved: binder: fix yet another UAF in binder_devices Commit e77aff5528a18 ("binderfs: fix use-after-free in binder_devices") addressed a use-after-free where devices could be released without first being removed from the binder_devices list. However, there is a similar path in binder_free_proc() that was missed: ================================================================== BUG: KASAN: slab-use-after-free in binder_remove_device+0xd4/0x100 Write of size 8 at addr ffff0000c773b900 by task umount/467 CPU: 12 UID: 0 PID: 467 Comm: umount Not tainted 6.15.0-rc7-00138-g57483a362741 #9 PREEMPT Hardware name: linux,dummy-virt (DT) Call trace: binder_remove_device+0xd4/0x100 binderfs_evict_inode+0x230/0x2f0 evict+0x25c/0x5dc iput+0x304/0x480 dentry_unlink_inode+0x208/0x46c __dentry_kill+0x154/0x530 [...] Allocated by task 463: __kmalloc_cache_noprof+0x13c/0x324 binderfs_binder_device_create.isra.0+0x138/0xa60 binder_ctl_ioctl+0x1ac/0x230 [...] Freed by task 215: kfree+0x184/0x31c binder_proc_dec_tmpref+0x33c/0x4ac binder_deferred_func+0xc10/0x1108 process_one_work+0x520/0xba4 [...] ================================================================== Call binder_remove_device() within binder_free_proc() to ensure the device is removed from the binder_devices list before being kfreed.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/4a7694f499cae5b83…
	https://git.kernel.org/stable/c/72a726fb5f25fbb31…
	https://git.kernel.org/stable/c/9857af0fcff385c75…

Impacted products

Vendor

Product

Version

Linux

Affected: 12d909cac1e1c4147cc3417fee804ee12fc6b984 , < 4a7694f499cae5b83412c5281bf2c961f34f2ed6 (git)
Affected: 12d909cac1e1c4147cc3417fee804ee12fc6b984 , < 72a726fb5f25fbb31d6060acfb671c1955831245 (git)
Affected: 12d909cac1e1c4147cc3417fee804ee12fc6b984 , < 9857af0fcff385c75433f2162c30c62eb912ef6d (git)

Linux

Affected: 6.14
Unaffected: 0 , < 6.14 (semver)
Unaffected: 6.14.11 , ≤ 6.14.* (semver)
Unaffected: 6.15.2 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/android/binder.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "4a7694f499cae5b83412c5281bf2c961f34f2ed6",
              "status": "affected",
              "version": "12d909cac1e1c4147cc3417fee804ee12fc6b984",
              "versionType": "git"
            },
            {
              "lessThan": "72a726fb5f25fbb31d6060acfb671c1955831245",
              "status": "affected",
              "version": "12d909cac1e1c4147cc3417fee804ee12fc6b984",
              "versionType": "git"
            },
            {
              "lessThan": "9857af0fcff385c75433f2162c30c62eb912ef6d",
              "status": "affected",
              "version": "12d909cac1e1c4147cc3417fee804ee12fc6b984",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/android/binder.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.14"
            },
            {
              "lessThan": "6.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.11",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.2",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinder: fix yet another UAF in binder_devices\n\nCommit e77aff5528a18 (\"binderfs: fix use-after-free in binder_devices\")\naddressed a use-after-free where devices could be released without first\nbeing removed from the binder_devices list. However, there is a similar\npath in binder_free_proc() that was missed:\n\n  ==================================================================\n  BUG: KASAN: slab-use-after-free in binder_remove_device+0xd4/0x100\n  Write of size 8 at addr ffff0000c773b900 by task umount/467\n  CPU: 12 UID: 0 PID: 467 Comm: umount Not tainted 6.15.0-rc7-00138-g57483a362741 #9 PREEMPT\n  Hardware name: linux,dummy-virt (DT)\n  Call trace:\n   binder_remove_device+0xd4/0x100\n   binderfs_evict_inode+0x230/0x2f0\n   evict+0x25c/0x5dc\n   iput+0x304/0x480\n   dentry_unlink_inode+0x208/0x46c\n   __dentry_kill+0x154/0x530\n   [...]\n\n  Allocated by task 463:\n   __kmalloc_cache_noprof+0x13c/0x324\n   binderfs_binder_device_create.isra.0+0x138/0xa60\n   binder_ctl_ioctl+0x1ac/0x230\n  [...]\n\n  Freed by task 215:\n   kfree+0x184/0x31c\n   binder_proc_dec_tmpref+0x33c/0x4ac\n   binder_deferred_func+0xc10/0x1108\n   process_one_work+0x520/0xba4\n  [...]\n  ==================================================================\n\nCall binder_remove_device() within binder_free_proc() to ensure the\ndevice is removed from the binder_devices list before being kfreed."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:14:17.635Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/4a7694f499cae5b83412c5281bf2c961f34f2ed6"
        },
        {
          "url": "https://git.kernel.org/stable/c/72a726fb5f25fbb31d6060acfb671c1955831245"
        },
        {
          "url": "https://git.kernel.org/stable/c/9857af0fcff385c75433f2162c30c62eb912ef6d"
        }
      ],
      "title": "binder: fix yet another UAF in binder_devices",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38175",
    "datePublished": "2025-07-04T10:39:56.392Z",
    "dateReserved": "2025-04-16T04:51:23.992Z",
    "dateUpdated": "2025-07-28T04:14:17.635Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38119 (GCVE-0-2025-38119)

Vulnerability from cvelistv5 – Published: 2025-07-03 08:35 – Updated: 2026-01-19 12:17

Title

scsi: core: ufs: Fix a hang in the error handler

Summary

In the Linux kernel, the following vulnerability has been resolved: scsi: core: ufs: Fix a hang in the error handler ufshcd_err_handling_prepare() calls ufshcd_rpm_get_sync(). The latter function can only succeed if UFSHCD_EH_IN_PROGRESS is not set because resuming involves submitting a SCSI command and ufshcd_queuecommand() returns SCSI_MLQUEUE_HOST_BUSY if UFSHCD_EH_IN_PROGRESS is set. Fix this hang by setting UFSHCD_EH_IN_PROGRESS after ufshcd_rpm_get_sync() has been called instead of before. Backtrace: __switch_to+0x174/0x338 __schedule+0x600/0x9e4 schedule+0x7c/0xe8 schedule_timeout+0xa4/0x1c8 io_schedule_timeout+0x48/0x70 wait_for_common_io+0xa8/0x160 //waiting on START_STOP wait_for_completion_io_timeout+0x10/0x20 blk_execute_rq+0xe4/0x1e4 scsi_execute_cmd+0x108/0x244 ufshcd_set_dev_pwr_mode+0xe8/0x250 __ufshcd_wl_resume+0x94/0x354 ufshcd_wl_runtime_resume+0x3c/0x174 scsi_runtime_resume+0x64/0xa4 rpm_resume+0x15c/0xa1c __pm_runtime_resume+0x4c/0x90 // Runtime resume ongoing ufshcd_err_handler+0x1a0/0xd08 process_one_work+0x174/0x808 worker_thread+0x15c/0x490 kthread+0xf4/0x1ec ret_from_fork+0x10/0x20 [ bvanassche: rewrote patch description ]

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/f210ea4e7a790c9f5…
	https://git.kernel.org/stable/c/f592eb12b43f21dbc…
	https://git.kernel.org/stable/c/ded80255c59a57cd3…
	https://git.kernel.org/stable/c/21f071261f946c5ca…
	https://git.kernel.org/stable/c/3464a707d137efc8a…
	https://git.kernel.org/stable/c/bb37f795d01961286…
	https://git.kernel.org/stable/c/8a3514d348de87a9d…

Impacted products

Vendor

Product

Version

Linux

Affected: 62694735ca95c74dac4eb9068d59801ac0ddebaf , < f210ea4e7a790c9f5e613e5302175abd539fe9d5 (git)
Affected: 62694735ca95c74dac4eb9068d59801ac0ddebaf , < f592eb12b43f21dbc972cbe583a12d256901e569 (git)
Affected: 62694735ca95c74dac4eb9068d59801ac0ddebaf , < ded80255c59a57cd3270d98461f6508730f9767c (git)
Affected: 62694735ca95c74dac4eb9068d59801ac0ddebaf , < 21f071261f946c5ca1adf378f818082a112b34d2 (git)
Affected: 62694735ca95c74dac4eb9068d59801ac0ddebaf , < 3464a707d137efc8aea1d4ae234d26a28d82b78c (git)
Affected: 62694735ca95c74dac4eb9068d59801ac0ddebaf , < bb37f795d01961286b8f768a6d7152f32b589067 (git)
Affected: 62694735ca95c74dac4eb9068d59801ac0ddebaf , < 8a3514d348de87a9d5e2ac00fbac4faae0b97996 (git)

Linux

Affected: 3.12
Unaffected: 0 , < 3.12 (semver)
Unaffected: 5.10.248 , ≤ 5.10.* (semver)
Unaffected: 5.15.186 , ≤ 5.15.* (semver)
Unaffected: 6.1.142 , ≤ 6.1.* (semver)
Unaffected: 6.6.94 , ≤ 6.6.* (semver)
Unaffected: 6.12.34 , ≤ 6.12.* (semver)
Unaffected: 6.15.3 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:34:20.294Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/ufs/core/ufshcd.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f210ea4e7a790c9f5e613e5302175abd539fe9d5",
              "status": "affected",
              "version": "62694735ca95c74dac4eb9068d59801ac0ddebaf",
              "versionType": "git"
            },
            {
              "lessThan": "f592eb12b43f21dbc972cbe583a12d256901e569",
              "status": "affected",
              "version": "62694735ca95c74dac4eb9068d59801ac0ddebaf",
              "versionType": "git"
            },
            {
              "lessThan": "ded80255c59a57cd3270d98461f6508730f9767c",
              "status": "affected",
              "version": "62694735ca95c74dac4eb9068d59801ac0ddebaf",
              "versionType": "git"
            },
            {
              "lessThan": "21f071261f946c5ca1adf378f818082a112b34d2",
              "status": "affected",
              "version": "62694735ca95c74dac4eb9068d59801ac0ddebaf",
              "versionType": "git"
            },
            {
              "lessThan": "3464a707d137efc8aea1d4ae234d26a28d82b78c",
              "status": "affected",
              "version": "62694735ca95c74dac4eb9068d59801ac0ddebaf",
              "versionType": "git"
            },
            {
              "lessThan": "bb37f795d01961286b8f768a6d7152f32b589067",
              "status": "affected",
              "version": "62694735ca95c74dac4eb9068d59801ac0ddebaf",
              "versionType": "git"
            },
            {
              "lessThan": "8a3514d348de87a9d5e2ac00fbac4faae0b97996",
              "status": "affected",
              "version": "62694735ca95c74dac4eb9068d59801ac0ddebaf",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/ufs/core/ufshcd.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.12"
            },
            {
              "lessThan": "3.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.248",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.248",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.94",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: core: ufs: Fix a hang in the error handler\n\nufshcd_err_handling_prepare() calls ufshcd_rpm_get_sync(). The latter\nfunction can only succeed if UFSHCD_EH_IN_PROGRESS is not set because\nresuming involves submitting a SCSI command and ufshcd_queuecommand()\nreturns SCSI_MLQUEUE_HOST_BUSY if UFSHCD_EH_IN_PROGRESS is set. Fix this\nhang by setting UFSHCD_EH_IN_PROGRESS after ufshcd_rpm_get_sync() has\nbeen called instead of before.\n\nBacktrace:\n__switch_to+0x174/0x338\n__schedule+0x600/0x9e4\nschedule+0x7c/0xe8\nschedule_timeout+0xa4/0x1c8\nio_schedule_timeout+0x48/0x70\nwait_for_common_io+0xa8/0x160 //waiting on START_STOP\nwait_for_completion_io_timeout+0x10/0x20\nblk_execute_rq+0xe4/0x1e4\nscsi_execute_cmd+0x108/0x244\nufshcd_set_dev_pwr_mode+0xe8/0x250\n__ufshcd_wl_resume+0x94/0x354\nufshcd_wl_runtime_resume+0x3c/0x174\nscsi_runtime_resume+0x64/0xa4\nrpm_resume+0x15c/0xa1c\n__pm_runtime_resume+0x4c/0x90 // Runtime resume ongoing\nufshcd_err_handler+0x1a0/0xd08\nprocess_one_work+0x174/0x808\nworker_thread+0x15c/0x490\nkthread+0xf4/0x1ec\nret_from_fork+0x10/0x20\n\n[ bvanassche: rewrote patch description ]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-19T12:17:59.357Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f210ea4e7a790c9f5e613e5302175abd539fe9d5"
        },
        {
          "url": "https://git.kernel.org/stable/c/f592eb12b43f21dbc972cbe583a12d256901e569"
        },
        {
          "url": "https://git.kernel.org/stable/c/ded80255c59a57cd3270d98461f6508730f9767c"
        },
        {
          "url": "https://git.kernel.org/stable/c/21f071261f946c5ca1adf378f818082a112b34d2"
        },
        {
          "url": "https://git.kernel.org/stable/c/3464a707d137efc8aea1d4ae234d26a28d82b78c"
        },
        {
          "url": "https://git.kernel.org/stable/c/bb37f795d01961286b8f768a6d7152f32b589067"
        },
        {
          "url": "https://git.kernel.org/stable/c/8a3514d348de87a9d5e2ac00fbac4faae0b97996"
        }
      ],
      "title": "scsi: core: ufs: Fix a hang in the error handler",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38119",
    "datePublished": "2025-07-03T08:35:26.616Z",
    "dateReserved": "2025-04-16T04:51:23.986Z",
    "dateUpdated": "2026-01-19T12:17:59.357Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21948 (GCVE-0-2025-21948)

Vulnerability from cvelistv5 – Published: 2025-04-01 15:41 – Updated: 2025-11-03 19:39

Title

HID: appleir: Fix potential NULL dereference at raw event handle

Summary

In the Linux kernel, the following vulnerability has been resolved: HID: appleir: Fix potential NULL dereference at raw event handle Syzkaller reports a NULL pointer dereference issue in input_event(). BUG: KASAN: null-ptr-deref in instrument_atomic_read include/linux/instrumented.h:68 [inline] BUG: KASAN: null-ptr-deref in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline] BUG: KASAN: null-ptr-deref in is_event_supported drivers/input/input.c:67 [inline] BUG: KASAN: null-ptr-deref in input_event+0x42/0xa0 drivers/input/input.c:395 Read of size 8 at addr 0000000000000028 by task syz-executor199/2949 CPU: 0 UID: 0 PID: 2949 Comm: syz-executor199 Not tainted 6.13.0-rc4-syzkaller-00076-gf097a36ef88d #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace: <IRQ> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 kasan_report+0xd9/0x110 mm/kasan/report.c:602 check_region_inline mm/kasan/generic.c:183 [inline] kasan_check_range+0xef/0x1a0 mm/kasan/generic.c:189 instrument_atomic_read include/linux/instrumented.h:68 [inline] _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline] is_event_supported drivers/input/input.c:67 [inline] input_event+0x42/0xa0 drivers/input/input.c:395 input_report_key include/linux/input.h:439 [inline] key_down drivers/hid/hid-appleir.c:159 [inline] appleir_raw_event+0x3e5/0x5e0 drivers/hid/hid-appleir.c:232 __hid_input_report.constprop.0+0x312/0x440 drivers/hid/hid-core.c:2111 hid_ctrl+0x49f/0x550 drivers/hid/usbhid/hid-core.c:484 __usb_hcd_giveback_urb+0x389/0x6e0 drivers/usb/core/hcd.c:1650 usb_hcd_giveback_urb+0x396/0x450 drivers/usb/core/hcd.c:1734 dummy_timer+0x17f7/0x3960 drivers/usb/gadget/udc/dummy_hcd.c:1993 __run_hrtimer kernel/time/hrtimer.c:1739 [inline] __hrtimer_run_queues+0x20a/0xae0 kernel/time/hrtimer.c:1803 hrtimer_run_softirq+0x17d/0x350 kernel/time/hrtimer.c:1820 handle_softirqs+0x206/0x8d0 kernel/softirq.c:561 __do_softirq kernel/softirq.c:595 [inline] invoke_softirq kernel/softirq.c:435 [inline] __irq_exit_rcu+0xfa/0x160 kernel/softirq.c:662 irq_exit_rcu+0x9/0x30 kernel/softirq.c:678 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline] sysvec_apic_timer_interrupt+0x90/0xb0 arch/x86/kernel/apic/apic.c:1049 </IRQ> <TASK> asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702 __mod_timer+0x8f6/0xdc0 kernel/time/timer.c:1185 add_timer+0x62/0x90 kernel/time/timer.c:1295 schedule_timeout+0x11f/0x280 kernel/time/sleep_timeout.c:98 usbhid_wait_io+0x1c7/0x380 drivers/hid/usbhid/hid-core.c:645 usbhid_init_reports+0x19f/0x390 drivers/hid/usbhid/hid-core.c:784 hiddev_ioctl+0x1133/0x15b0 drivers/hid/usbhid/hiddev.c:794 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:906 [inline] __se_sys_ioctl fs/ioctl.c:892 [inline] __x64_sys_ioctl+0x190/0x200 fs/ioctl.c:892 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f </TASK> This happens due to the malformed report items sent by the emulated device which results in a report, that has no fields, being added to the report list. Due to this appleir_input_configured() is never called, hidinput_connect() fails which results in the HID_CLAIMED_INPUT flag is not being set. However, it does not make appleir_probe() fail and lets the event callback to be called without the associated input device. Thus, add a check for the HID_CLAIMED_INPUT flag and leave the event hook early if the driver didn't claim any input_dev for some reason. Moreover, some other hid drivers accessing input_dev in their event callbacks do have similar checks, too. Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-476 - NULL Pointer Dereference

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/6db423b00940b05df…
	https://git.kernel.org/stable/c/0df1ac8ee417ad767…
	https://git.kernel.org/stable/c/b1d95d733cd6e74f5…
	https://git.kernel.org/stable/c/8d39eb8c5e14f2f0f…
	https://git.kernel.org/stable/c/fc69e2c3219d433ca…
	https://git.kernel.org/stable/c/d335fce8b88b2353f…
	https://git.kernel.org/stable/c/68cdf6710f228dfd7…
	https://git.kernel.org/stable/c/2ff5baa9b5275e3ac…

Impacted products

Vendor

Product

Version

Linux

Affected: 9a4a5574ce427c364d81746fc7fb82d86b5f1a7e , < 6db423b00940b05df2a1265d3c7eabafe9f1734c (git)
Affected: 9a4a5574ce427c364d81746fc7fb82d86b5f1a7e , < 0df1ac8ee417ad76760ff076faa4518a4d861894 (git)
Affected: 9a4a5574ce427c364d81746fc7fb82d86b5f1a7e , < b1d95d733cd6e74f595653daddcfc357bea461e8 (git)
Affected: 9a4a5574ce427c364d81746fc7fb82d86b5f1a7e , < 8d39eb8c5e14f2f0f441eed832ef8a7b654e6fee (git)
Affected: 9a4a5574ce427c364d81746fc7fb82d86b5f1a7e , < fc69e2c3219d433caabba4b5d6371ba726a4b37f (git)
Affected: 9a4a5574ce427c364d81746fc7fb82d86b5f1a7e , < d335fce8b88b2353f4bb20c631698e20384e3610 (git)
Affected: 9a4a5574ce427c364d81746fc7fb82d86b5f1a7e , < 68cdf6710f228dfd74f66ec61fbe636da2646a73 (git)
Affected: 9a4a5574ce427c364d81746fc7fb82d86b5f1a7e , < 2ff5baa9b5275e3acafdf7f2089f74cccb2f38d1 (git)

Linux

Affected: 3.10
Unaffected: 0 , < 3.10 (semver)
Unaffected: 5.4.291 , ≤ 5.4.* (semver)
Unaffected: 5.10.235 , ≤ 5.10.* (semver)
Unaffected: 5.15.179 , ≤ 5.15.* (semver)
Unaffected: 6.1.131 , ≤ 6.1.* (semver)
Unaffected: 6.6.83 , ≤ 6.6.* (semver)
Unaffected: 6.12.19 , ≤ 6.12.* (semver)
Unaffected: 6.13.7 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21948",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T17:17:14.096468Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-476",
                "description": "CWE-476 NULL Pointer Dereference",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T17:17:18.360Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:39:50.130Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/hid/hid-appleir.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6db423b00940b05df2a1265d3c7eabafe9f1734c",
              "status": "affected",
              "version": "9a4a5574ce427c364d81746fc7fb82d86b5f1a7e",
              "versionType": "git"
            },
            {
              "lessThan": "0df1ac8ee417ad76760ff076faa4518a4d861894",
              "status": "affected",
              "version": "9a4a5574ce427c364d81746fc7fb82d86b5f1a7e",
              "versionType": "git"
            },
            {
              "lessThan": "b1d95d733cd6e74f595653daddcfc357bea461e8",
              "status": "affected",
              "version": "9a4a5574ce427c364d81746fc7fb82d86b5f1a7e",
              "versionType": "git"
            },
            {
              "lessThan": "8d39eb8c5e14f2f0f441eed832ef8a7b654e6fee",
              "status": "affected",
              "version": "9a4a5574ce427c364d81746fc7fb82d86b5f1a7e",
              "versionType": "git"
            },
            {
              "lessThan": "fc69e2c3219d433caabba4b5d6371ba726a4b37f",
              "status": "affected",
              "version": "9a4a5574ce427c364d81746fc7fb82d86b5f1a7e",
              "versionType": "git"
            },
            {
              "lessThan": "d335fce8b88b2353f4bb20c631698e20384e3610",
              "status": "affected",
              "version": "9a4a5574ce427c364d81746fc7fb82d86b5f1a7e",
              "versionType": "git"
            },
            {
              "lessThan": "68cdf6710f228dfd74f66ec61fbe636da2646a73",
              "status": "affected",
              "version": "9a4a5574ce427c364d81746fc7fb82d86b5f1a7e",
              "versionType": "git"
            },
            {
              "lessThan": "2ff5baa9b5275e3acafdf7f2089f74cccb2f38d1",
              "status": "affected",
              "version": "9a4a5574ce427c364d81746fc7fb82d86b5f1a7e",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/hid/hid-appleir.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.10"
            },
            {
              "lessThan": "3.10",

CERTFR-2025-AVI-0843

Solutions

Action not permitted

CERTFR-2025-AVI-0843

Solutions

CVE-2025-21946 (GCVE-0-2025-21946)

CVE-2025-37889 (GCVE-0-2025-37889)

CVE-2025-22010 (GCVE-0-2025-22010)

CVE-2025-38227 (GCVE-0-2025-38227)

CVE-2025-22015 (GCVE-0-2025-22015)

CVE-2025-38055 (GCVE-0-2025-38055)

CVE-2025-38073 (GCVE-0-2025-38073)

CVE-2025-38090 (GCVE-0-2025-38090)

CVE-2025-38129 (GCVE-0-2025-38129)

CVE-2025-38412 (GCVE-0-2025-38412)

CVE-2025-38377 (GCVE-0-2025-38377)

CVE-2025-38287 (GCVE-0-2025-38287)

CVE-2025-38109 (GCVE-0-2025-38109)

CVE-2025-38683 (GCVE-0-2025-38683)

CVE-2025-38300 (GCVE-0-2025-38300)

CVE-2025-38295 (GCVE-0-2025-38295)

CVE-2025-38037 (GCVE-0-2025-38037)

CVE-2025-38439 (GCVE-0-2025-38439)

CVE-2025-21919 (GCVE-0-2025-21919)

CVE-2025-21926 (GCVE-0-2025-21926)

CVE-2025-21887 (GCVE-0-2025-21887)

CVE-2025-38393 (GCVE-0-2025-38393)

CVE-2025-38155 (GCVE-0-2025-38155)

CVE-2025-38416 (GCVE-0-2025-38416)

CVE-2025-38070 (GCVE-0-2025-38070)

CVE-2025-21912 (GCVE-0-2025-21912)

CVE-2025-38100 (GCVE-0-2025-38100)

CVE-2025-21945 (GCVE-0-2025-21945)

CVE-2025-21978 (GCVE-0-2025-21978)

CVE-2025-38301 (GCVE-0-2025-38301)

CVE-2025-38101 (GCVE-0-2025-38101)

CVE-2025-38098 (GCVE-0-2025-38098)

CVE-2025-38074 (GCVE-0-2025-38074)

CVE-2025-38135 (GCVE-0-2025-38135)

CVE-2025-21881 (GCVE-0-2025-21881)

CVE-2025-38284 (GCVE-0-2025-38284)

CVE-2025-38142 (GCVE-0-2025-38142)

CVE-2025-22014 (GCVE-0-2025-22014)

CVE-2025-21891 (GCVE-0-2025-21891)

CVE-2025-21913 (GCVE-0-2025-21913)

CVE-2025-38041 (GCVE-0-2025-38041)

CVE-2025-38498 (GCVE-0-2025-38498)

CVE-2025-38303 (GCVE-0-2025-38303)

CVE-2025-38194 (GCVE-0-2025-38194)

CVE-2025-38219 (GCVE-0-2025-38219)

CVE-2025-21992 (GCVE-0-2025-21992)

CVE-2025-21888 (GCVE-0-2025-21888)

CVE-2025-38443 (GCVE-0-2025-38443)

CVE-2025-38206 (GCVE-0-2025-38206)

CVE-2025-21997 (GCVE-0-2025-21997)

CVE-2025-38305 (GCVE-0-2025-38305)

CVE-2025-21929 (GCVE-0-2025-21929)

CVE-2025-21976 (GCVE-0-2025-21976)

CVE-2025-38004 (GCVE-0-2025-38004)

CVE-2025-38050 (GCVE-0-2025-38050)

CVE-2025-21951 (GCVE-0-2025-21951)

CVE-2025-38033 (GCVE-0-2025-38033)

CVE-2025-21872 (GCVE-0-2025-21872)

CVE-2025-38103 (GCVE-0-2025-38103)

CVE-2025-38307 (GCVE-0-2025-38307)

CVE-2025-39890 (GCVE-0-2025-39890)

CVE-2025-38125 (GCVE-0-2025-38125)

CVE-2025-38337 (GCVE-0-2025-38337)

CVE-2025-38154 (GCVE-0-2025-38154)

CVE-2025-38386 (GCVE-0-2025-38386)

CVE-2025-21917 (GCVE-0-2025-21917)

CVE-2025-38269 (GCVE-0-2025-38269)

CVE-2025-38314 (GCVE-0-2025-38314)

CVE-2025-38302 (GCVE-0-2025-38302)

CVE-2025-22001 (GCVE-0-2025-22001)

CVE-2025-38342 (GCVE-0-2025-38342)

CVE-2025-22007 (GCVE-0-2025-22007)

CVE-2025-38324 (GCVE-0-2025-38324)

CVE-2025-38267 (GCVE-0-2025-38267)

CVE-2025-37752 (GCVE-0-2025-37752)

CVE-2025-38172 (GCVE-0-2025-38172)

CVE-2025-38371 (GCVE-0-2025-38371)