certfr_avis - certfr-2025-avi-0860

CERTFR-2025-AVI-0860

Vulnerability from certfr_avis

De multiples vulnérabilités ont été découvertes dans le noyau Linux de SUSE. Elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
SUSE	N/A	SUSE Linux Enterprise Real Time 15 SP7
SUSE	N/A	SUSE Linux Enterprise High Performance Computing 12 SP5
SUSE	N/A	SUSE Linux Enterprise Server 12 SP5
SUSE	N/A	SUSE Linux Enterprise Live Patching 15-SP3
SUSE	N/A	SUSE Linux Enterprise Server for SAP Applications 15 SP7
SUSE	N/A	SUSE Linux Enterprise Live Patching 15-SP6
SUSE	N/A	SUSE Linux Enterprise Live Patching 12-SP5
SUSE	N/A	SUSE Linux Enterprise Server 15 SP7
SUSE	N/A	SUSE Linux Enterprise Live Patching 15-SP7
SUSE	N/A	SUSE Linux Enterprise Server 15 SP3
SUSE	N/A	SUSE Linux Enterprise Micro 5.2
SUSE	N/A	SUSE Linux Enterprise Real Time 15 SP6
SUSE	N/A	SUSE Linux Enterprise High Performance Computing 15 SP3
SUSE	N/A	SUSE Linux Enterprise Server for SAP Applications 15 SP3
SUSE	N/A	SUSE Linux Enterprise Server for SAP Applications 12 SP5
SUSE	N/A	SUSE Linux Enterprise Micro 5.1
SUSE	N/A	openSUSE Leap 15.3
SUSE	N/A	SUSE Linux Enterprise Server for SAP Applications 15 SP6
SUSE	N/A	SUSE Linux Enterprise Server 15 SP6

References

Title

Publication Time

Tags

Bulletin de sécurité SUSE SUSE-SU-2025:03483-1	2025-10-07	vendor-advisory
Bulletin de sécurité SUSE SUSE-SU-2025:03476-1	2025-10-07	vendor-advisory
Bulletin de sécurité SUSE SUSE-SU-2025:03472-1	2025-10-07	vendor-advisory
Bulletin de sécurité SUSE SUSE-SU-2025:03479-1	2025-10-07	vendor-advisory
Bulletin de sécurité SUSE SUSE-SU-2025:03503-1	2025-10-09	vendor-advisory
Bulletin de sécurité SUSE SUSE-SU-2025:03482-1	2025-10-08	vendor-advisory
Bulletin de sécurité SUSE SUSE-SU-2025:03475-1	2025-10-07	vendor-advisory
Bulletin de sécurité SUSE SUSE-SU-2025:03514-1	2025-10-09	vendor-advisory
Bulletin de sécurité SUSE SUSE-SU-2025:03504-1	2025-10-09	vendor-advisory
Bulletin de sécurité SUSE SUSE-SU-2025:03498-1	2025-10-08	vendor-advisory
Bulletin de sécurité SUSE SUSE-SU-2025:03497-1	2025-10-08	vendor-advisory
Bulletin de sécurité SUSE SUSE-SU-2025:03470-1	2025-10-07	vendor-advisory
Bulletin de sécurité SUSE SUSE-SU-2025:03515-1	2025-10-09	vendor-advisory
Bulletin de sécurité SUSE SUSE-SU-2025:03485-1	2025-10-08	vendor-advisory
Bulletin de sécurité SUSE SUSE-SU-2025:03495-1	2025-10-08	vendor-advisory
Bulletin de sécurité SUSE SUSE-SU-2025:03494-1	2025-10-08	vendor-advisory
Bulletin de sécurité SUSE SUSE-SU-2025:03469-1	2025-10-07	vendor-advisory
Bulletin de sécurité SUSE SUSE-SU-2025:03480-1	2025-10-07	vendor-advisory
Bulletin de sécurité SUSE SUSE-SU-2025:03465-1	2025-10-07	vendor-advisory
Bulletin de sécurité SUSE SUSE-SU-2025:03496-1	2025-10-08	vendor-advisory
Bulletin de sécurité SUSE SUSE-SU-2025:03473-1	2025-10-07	vendor-advisory
Bulletin de sécurité SUSE SUSE-SU-2025:03468-1	2025-10-07	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "SUSE Linux Enterprise Real Time 15 SP7",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SUSE",
          "scada": false
        }
      }
    },
    {
      "description": "SUSE Linux Enterprise High Performance Computing 12 SP5",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SUSE",
          "scada": false
        }
      }
    },
    {
      "description": "SUSE Linux Enterprise Server 12 SP5",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SUSE",
          "scada": false
        }
      }
    },
    {
      "description": "SUSE Linux Enterprise Live Patching 15-SP3",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SUSE",
          "scada": false
        }
      }
    },
    {
      "description": "SUSE Linux Enterprise Server for SAP Applications 15 SP7",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SUSE",
          "scada": false
        }
      }
    },
    {
      "description": "SUSE Linux Enterprise Live Patching 15-SP6",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SUSE",
          "scada": false
        }
      }
    },
    {
      "description": "SUSE Linux Enterprise Live Patching 12-SP5",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SUSE",
          "scada": false
        }
      }
    },
    {
      "description": "SUSE Linux Enterprise Server 15 SP7",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SUSE",
          "scada": false
        }
      }
    },
    {
      "description": "SUSE Linux Enterprise Live Patching 15-SP7",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SUSE",
          "scada": false
        }
      }
    },
    {
      "description": "SUSE Linux Enterprise Server 15 SP3",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SUSE",
          "scada": false
        }
      }
    },
    {
      "description": "SUSE Linux Enterprise Micro 5.2",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SUSE",
          "scada": false
        }
      }
    },
    {
      "description": "SUSE Linux Enterprise Real Time 15 SP6",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SUSE",
          "scada": false
        }
      }
    },
    {
      "description": "SUSE Linux Enterprise High Performance Computing 15 SP3",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SUSE",
          "scada": false
        }
      }
    },
    {
      "description": "SUSE Linux Enterprise Server for SAP Applications 15 SP3",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SUSE",
          "scada": false
        }
      }
    },
    {
      "description": "SUSE Linux Enterprise Server for SAP Applications 12 SP5",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SUSE",
          "scada": false
        }
      }
    },
    {
      "description": "SUSE Linux Enterprise Micro 5.1",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SUSE",
          "scada": false
        }
      }
    },
    {
      "description": "openSUSE Leap 15.3",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SUSE",
          "scada": false
        }
      }
    },
    {
      "description": "SUSE Linux Enterprise Server for SAP Applications 15 SP6",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SUSE",
          "scada": false
        }
      }
    },
    {
      "description": "SUSE Linux Enterprise Server 15 SP6",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SUSE",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2024-50154",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-50154"
    },
    {
      "name": "CVE-2025-21791",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-21791"
    },
    {
      "name": "CVE-2025-38089",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-38089"
    },
    {
      "name": "CVE-2025-21692",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-21692"
    },
    {
      "name": "CVE-2025-38477",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-38477"
    },
    {
      "name": "CVE-2024-53168",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-53168"
    }
  ],
  "initial_release_date": "2025-10-10T00:00:00",
  "last_revision_date": "2025-10-10T00:00:00",
  "links": [],
  "reference": "CERTFR-2025-AVI-0860",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2025-10-10T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans le noyau Linux de SUSE. Elles permettent \u00e0 un attaquant de provoquer un probl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur.",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans le noyau Linux de SUSE",
  "vendor_advisories": [
    {
      "published_at": "2025-10-07",
      "title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:03483-1",
      "url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503483-1"
    },
    {
      "published_at": "2025-10-07",
      "title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:03476-1",
      "url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503476-1"
    },
    {
      "published_at": "2025-10-07",
      "title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:03472-1",
      "url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503472-1"
    },
    {
      "published_at": "2025-10-07",
      "title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:03479-1",
      "url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503479-1"
    },
    {
      "published_at": "2025-10-09",
      "title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:03503-1",
      "url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503503-1"
    },
    {
      "published_at": "2025-10-08",
      "title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:03482-1",
      "url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503482-1"
    },
    {
      "published_at": "2025-10-07",
      "title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:03475-1",
      "url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503475-1"
    },
    {
      "published_at": "2025-10-09",
      "title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:03514-1",
      "url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503514-1"
    },
    {
      "published_at": "2025-10-09",
      "title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:03504-1",
      "url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503504-1"
    },
    {
      "published_at": "2025-10-08",
      "title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:03498-1",
      "url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503498-1"
    },
    {
      "published_at": "2025-10-08",
      "title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:03497-1",
      "url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503497-1"
    },
    {
      "published_at": "2025-10-07",
      "title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:03470-1",
      "url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503470-1"
    },
    {
      "published_at": "2025-10-09",
      "title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:03515-1",
      "url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503515-1"
    },
    {
      "published_at": "2025-10-08",
      "title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:03485-1",
      "url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503485-1"
    },
    {
      "published_at": "2025-10-08",
      "title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:03495-1",
      "url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503495-1"
    },
    {
      "published_at": "2025-10-08",
      "title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:03494-1",
      "url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503494-1"
    },
    {
      "published_at": "2025-10-07",
      "title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:03469-1",
      "url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503469-1"
    },
    {
      "published_at": "2025-10-07",
      "title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:03480-1",
      "url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503480-1"
    },
    {
      "published_at": "2025-10-07",
      "title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:03465-1",
      "url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503465-1"
    },
    {
      "published_at": "2025-10-08",
      "title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:03496-1",
      "url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503496-1"
    },
    {
      "published_at": "2025-10-07",
      "title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:03473-1",
      "url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503473-1"
    },
    {
      "published_at": "2025-10-07",
      "title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:03468-1",
      "url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503468-1"
    }
  ]
}

CVE-2025-21791 (GCVE-0-2025-21791)

Vulnerability from cvelistv5

Published

2025-02-27 02:18

Modified

2025-05-04 07:21

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: vrf: use RCU protection in l3mdev_l3_out() l3mdev_l3_out() can be called without RCU being held: raw_sendmsg() ip_push_pending_frames() ip_send_skb() ip_local_out() __ip_local_out() l3mdev_ip_out() Add rcu_read_lock() / rcu_read_unlock() pair to avoid a potential UAF.

References

URL

Tags

	https://git.kernel.org/stable/c/6ccaa5797f5362a2aad6baa6ddaf4715ac2dd51e
	https://git.kernel.org/stable/c/20a3489b396764cc9376e32a9172bee26a89dc3b
	https://git.kernel.org/stable/c/5bb4228c32261d06e4fbece37ec3828bcc005b6b
	https://git.kernel.org/stable/c/c7574740be8ce68a57d0aece24987b9be2114c3c
	https://git.kernel.org/stable/c/c40cb5c03e37552d6eff963187109e2c3f78ef6f
	https://git.kernel.org/stable/c/022cac1c693add610ae76ede03adf4d9d5a2cf21
	https://git.kernel.org/stable/c/7b81425b517accefd46bee854d94954f5c57e019
	https://git.kernel.org/stable/c/6d0ce46a93135d96b7fa075a94a88fe0da8e8773

Impacted products

Vendor

Product

Version

Linux

Version: a8e3e1a9f02094145580ea7920c6a1d9aabd5539
Version: a8e3e1a9f02094145580ea7920c6a1d9aabd5539
Version: a8e3e1a9f02094145580ea7920c6a1d9aabd5539
Version: a8e3e1a9f02094145580ea7920c6a1d9aabd5539
Version: a8e3e1a9f02094145580ea7920c6a1d9aabd5539
Version: a8e3e1a9f02094145580ea7920c6a1d9aabd5539
Version: a8e3e1a9f02094145580ea7920c6a1d9aabd5539
Version: a8e3e1a9f02094145580ea7920c6a1d9aabd5539

Linux

Version: 4.9

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21791",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-27T17:57:16.236835Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-27T18:02:26.723Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/net/l3mdev.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6ccaa5797f5362a2aad6baa6ddaf4715ac2dd51e",
              "status": "affected",
              "version": "a8e3e1a9f02094145580ea7920c6a1d9aabd5539",
              "versionType": "git"
            },
            {
              "lessThan": "20a3489b396764cc9376e32a9172bee26a89dc3b",
              "status": "affected",
              "version": "a8e3e1a9f02094145580ea7920c6a1d9aabd5539",
              "versionType": "git"
            },
            {
              "lessThan": "5bb4228c32261d06e4fbece37ec3828bcc005b6b",
              "status": "affected",
              "version": "a8e3e1a9f02094145580ea7920c6a1d9aabd5539",
              "versionType": "git"
            },
            {
              "lessThan": "c7574740be8ce68a57d0aece24987b9be2114c3c",
              "status": "affected",
              "version": "a8e3e1a9f02094145580ea7920c6a1d9aabd5539",
              "versionType": "git"
            },
            {
              "lessThan": "c40cb5c03e37552d6eff963187109e2c3f78ef6f",
              "status": "affected",
              "version": "a8e3e1a9f02094145580ea7920c6a1d9aabd5539",
              "versionType": "git"
            },
            {
              "lessThan": "022cac1c693add610ae76ede03adf4d9d5a2cf21",
              "status": "affected",
              "version": "a8e3e1a9f02094145580ea7920c6a1d9aabd5539",
              "versionType": "git"
            },
            {
              "lessThan": "7b81425b517accefd46bee854d94954f5c57e019",
              "status": "affected",
              "version": "a8e3e1a9f02094145580ea7920c6a1d9aabd5539",
              "versionType": "git"
            },
            {
              "lessThan": "6d0ce46a93135d96b7fa075a94a88fe0da8e8773",
              "status": "affected",
              "version": "a8e3e1a9f02094145580ea7920c6a1d9aabd5539",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/net/l3mdev.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.9"
            },
            {
              "lessThan": "4.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.79",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.79",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.16",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.4",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvrf: use RCU protection in l3mdev_l3_out()\n\nl3mdev_l3_out() can be called without RCU being held:\n\nraw_sendmsg()\n ip_push_pending_frames()\n  ip_send_skb()\n   ip_local_out()\n    __ip_local_out()\n     l3mdev_ip_out()\n\nAdd rcu_read_lock() / rcu_read_unlock() pair to avoid\na potential UAF."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:21:18.929Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/6ccaa5797f5362a2aad6baa6ddaf4715ac2dd51e"
        },
        {
          "url": "https://git.kernel.org/stable/c/20a3489b396764cc9376e32a9172bee26a89dc3b"
        },
        {
          "url": "https://git.kernel.org/stable/c/5bb4228c32261d06e4fbece37ec3828bcc005b6b"
        },
        {
          "url": "https://git.kernel.org/stable/c/c7574740be8ce68a57d0aece24987b9be2114c3c"
        },
        {
          "url": "https://git.kernel.org/stable/c/c40cb5c03e37552d6eff963187109e2c3f78ef6f"
        },
        {
          "url": "https://git.kernel.org/stable/c/022cac1c693add610ae76ede03adf4d9d5a2cf21"
        },
        {
          "url": "https://git.kernel.org/stable/c/7b81425b517accefd46bee854d94954f5c57e019"
        },
        {
          "url": "https://git.kernel.org/stable/c/6d0ce46a93135d96b7fa075a94a88fe0da8e8773"
        }
      ],
      "title": "vrf: use RCU protection in l3mdev_l3_out()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21791",
    "datePublished": "2025-02-27T02:18:29.014Z",
    "dateReserved": "2024-12-29T08:45:45.766Z",
    "dateUpdated": "2025-05-04T07:21:18.929Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21692 (GCVE-0-2025-21692)

Vulnerability from cvelistv5

Published

2025-02-10 15:58

Modified

2025-10-01 19:57

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: net: sched: fix ets qdisc OOB Indexing Haowei Yan <g1042620637@gmail.com> found that ets_class_from_arg() can index an Out-Of-Bound class in ets_class_from_arg() when passed clid of 0. The overflow may cause local privilege escalation. [ 18.852298] ------------[ cut here ]------------ [ 18.853271] UBSAN: array-index-out-of-bounds in net/sched/sch_ets.c:93:20 [ 18.853743] index 18446744073709551615 is out of range for type 'ets_class [16]' [ 18.854254] CPU: 0 UID: 0 PID: 1275 Comm: poc Not tainted 6.12.6-dirty #17 [ 18.854821] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 [ 18.856532] Call Trace: [ 18.857441] <TASK> [ 18.858227] dump_stack_lvl+0xc2/0xf0 [ 18.859607] dump_stack+0x10/0x20 [ 18.860908] __ubsan_handle_out_of_bounds+0xa7/0xf0 [ 18.864022] ets_class_change+0x3d6/0x3f0 [ 18.864322] tc_ctl_tclass+0x251/0x910 [ 18.864587] ? lock_acquire+0x5e/0x140 [ 18.865113] ? __mutex_lock+0x9c/0xe70 [ 18.866009] ? __mutex_lock+0xa34/0xe70 [ 18.866401] rtnetlink_rcv_msg+0x170/0x6f0 [ 18.866806] ? __lock_acquire+0x578/0xc10 [ 18.867184] ? __pfx_rtnetlink_rcv_msg+0x10/0x10 [ 18.867503] netlink_rcv_skb+0x59/0x110 [ 18.867776] rtnetlink_rcv+0x15/0x30 [ 18.868159] netlink_unicast+0x1c3/0x2b0 [ 18.868440] netlink_sendmsg+0x239/0x4b0 [ 18.868721] ____sys_sendmsg+0x3e2/0x410 [ 18.869012] ___sys_sendmsg+0x88/0xe0 [ 18.869276] ? rseq_ip_fixup+0x198/0x260 [ 18.869563] ? rseq_update_cpu_node_id+0x10a/0x190 [ 18.869900] ? trace_hardirqs_off+0x5a/0xd0 [ 18.870196] ? syscall_exit_to_user_mode+0xcc/0x220 [ 18.870547] ? do_syscall_64+0x93/0x150 [ 18.870821] ? __memcg_slab_free_hook+0x69/0x290 [ 18.871157] __sys_sendmsg+0x69/0xd0 [ 18.871416] __x64_sys_sendmsg+0x1d/0x30 [ 18.871699] x64_sys_call+0x9e2/0x2670 [ 18.871979] do_syscall_64+0x87/0x150 [ 18.873280] ? do_syscall_64+0x93/0x150 [ 18.874742] ? lock_release+0x7b/0x160 [ 18.876157] ? do_user_addr_fault+0x5ce/0x8f0 [ 18.877833] ? irqentry_exit_to_user_mode+0xc2/0x210 [ 18.879608] ? irqentry_exit+0x77/0xb0 [ 18.879808] ? clear_bhb_loop+0x15/0x70 [ 18.880023] ? clear_bhb_loop+0x15/0x70 [ 18.880223] ? clear_bhb_loop+0x15/0x70 [ 18.880426] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 18.880683] RIP: 0033:0x44a957 [ 18.880851] Code: ff ff e8 fc 00 00 00 66 2e 0f 1f 84 00 00 00 00 00 66 90 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 8974 24 10 [ 18.881766] RSP: 002b:00007ffcdd00fad8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 18.882149] RAX: ffffffffffffffda RBX: 00007ffcdd010db8 RCX: 000000000044a957 [ 18.882507] RDX: 0000000000000000 RSI: 00007ffcdd00fb70 RDI: 0000000000000003 [ 18.885037] RBP: 00007ffcdd010bc0 R08: 000000000703c770 R09: 000000000703c7c0 [ 18.887203] R10: 0000000000000080 R11: 0000000000000246 R12: 0000000000000001 [ 18.888026] R13: 00007ffcdd010da8 R14: 00000000004ca7d0 R15: 0000000000000001 [ 18.888395] </TASK> [ 18.888610] ---[ end trace ]---

References

URL

Tags

	https://git.kernel.org/stable/c/03c56665dab1f4ac844bc156652d50d639093fa5
	https://git.kernel.org/stable/c/bcf0d815e728a3a304b50455b32a3170c16e1eaa
	https://git.kernel.org/stable/c/1332c6ed446be787f901ed1064ec6a3c694f028a
	https://git.kernel.org/stable/c/f4168299e553f17aa2ba4016e77a9c38da40eb1d
	https://git.kernel.org/stable/c/997f6ec4208b23c87daf9f044689685f091826f7
	https://git.kernel.org/stable/c/f6b0f05fbfa4044f890e8a348288c0d9a20bd1d0
	https://git.kernel.org/stable/c/d62b04fca4340a0d468d7853bd66e511935a18cb

Impacted products

Vendor

Product

Version

Linux

Version: dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33
Version: dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33
Version: dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33
Version: dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33
Version: dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33
Version: dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33
Version: dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33

Linux

Version: 5.6

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21692",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:51:24.646401Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-129",
                "description": "CWE-129 Improper Validation of Array Index",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T19:57:10.054Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_ets.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "03c56665dab1f4ac844bc156652d50d639093fa5",
              "status": "affected",
              "version": "dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33",
              "versionType": "git"
            },
            {
              "lessThan": "bcf0d815e728a3a304b50455b32a3170c16e1eaa",
              "status": "affected",
              "version": "dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33",
              "versionType": "git"
            },
            {
              "lessThan": "1332c6ed446be787f901ed1064ec6a3c694f028a",
              "status": "affected",
              "version": "dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33",
              "versionType": "git"
            },
            {
              "lessThan": "f4168299e553f17aa2ba4016e77a9c38da40eb1d",
              "status": "affected",
              "version": "dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33",
              "versionType": "git"
            },
            {
              "lessThan": "997f6ec4208b23c87daf9f044689685f091826f7",
              "status": "affected",
              "version": "dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33",
              "versionType": "git"
            },
            {
              "lessThan": "f6b0f05fbfa4044f890e8a348288c0d9a20bd1d0",
              "status": "affected",
              "version": "dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33",
              "versionType": "git"
            },
            {
              "lessThan": "d62b04fca4340a0d468d7853bd66e511935a18cb",
              "status": "affected",
              "version": "dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_ets.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.6"
            },
            {
              "lessThan": "5.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.234",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.178",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.128",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.75",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.234",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.178",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.128",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.75",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.12",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.1",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sched: fix ets qdisc OOB Indexing\n\nHaowei Yan \u003cg1042620637@gmail.com\u003e found that ets_class_from_arg() can\nindex an Out-Of-Bound class in ets_class_from_arg() when passed clid of\n0. The overflow may cause local privilege escalation.\n\n [   18.852298] ------------[ cut here ]------------\n [   18.853271] UBSAN: array-index-out-of-bounds in net/sched/sch_ets.c:93:20\n [   18.853743] index 18446744073709551615 is out of range for type \u0027ets_class [16]\u0027\n [   18.854254] CPU: 0 UID: 0 PID: 1275 Comm: poc Not tainted 6.12.6-dirty #17\n [   18.854821] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\n [   18.856532] Call Trace:\n [   18.857441]  \u003cTASK\u003e\n [   18.858227]  dump_stack_lvl+0xc2/0xf0\n [   18.859607]  dump_stack+0x10/0x20\n [   18.860908]  __ubsan_handle_out_of_bounds+0xa7/0xf0\n [   18.864022]  ets_class_change+0x3d6/0x3f0\n [   18.864322]  tc_ctl_tclass+0x251/0x910\n [   18.864587]  ? lock_acquire+0x5e/0x140\n [   18.865113]  ? __mutex_lock+0x9c/0xe70\n [   18.866009]  ? __mutex_lock+0xa34/0xe70\n [   18.866401]  rtnetlink_rcv_msg+0x170/0x6f0\n [   18.866806]  ? __lock_acquire+0x578/0xc10\n [   18.867184]  ? __pfx_rtnetlink_rcv_msg+0x10/0x10\n [   18.867503]  netlink_rcv_skb+0x59/0x110\n [   18.867776]  rtnetlink_rcv+0x15/0x30\n [   18.868159]  netlink_unicast+0x1c3/0x2b0\n [   18.868440]  netlink_sendmsg+0x239/0x4b0\n [   18.868721]  ____sys_sendmsg+0x3e2/0x410\n [   18.869012]  ___sys_sendmsg+0x88/0xe0\n [   18.869276]  ? rseq_ip_fixup+0x198/0x260\n [   18.869563]  ? rseq_update_cpu_node_id+0x10a/0x190\n [   18.869900]  ? trace_hardirqs_off+0x5a/0xd0\n [   18.870196]  ? syscall_exit_to_user_mode+0xcc/0x220\n [   18.870547]  ? do_syscall_64+0x93/0x150\n [   18.870821]  ? __memcg_slab_free_hook+0x69/0x290\n [   18.871157]  __sys_sendmsg+0x69/0xd0\n [   18.871416]  __x64_sys_sendmsg+0x1d/0x30\n [   18.871699]  x64_sys_call+0x9e2/0x2670\n [   18.871979]  do_syscall_64+0x87/0x150\n [   18.873280]  ? do_syscall_64+0x93/0x150\n [   18.874742]  ? lock_release+0x7b/0x160\n [   18.876157]  ? do_user_addr_fault+0x5ce/0x8f0\n [   18.877833]  ? irqentry_exit_to_user_mode+0xc2/0x210\n [   18.879608]  ? irqentry_exit+0x77/0xb0\n [   18.879808]  ? clear_bhb_loop+0x15/0x70\n [   18.880023]  ? clear_bhb_loop+0x15/0x70\n [   18.880223]  ? clear_bhb_loop+0x15/0x70\n [   18.880426]  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n [   18.880683] RIP: 0033:0x44a957\n [   18.880851] Code: ff ff e8 fc 00 00 00 66 2e 0f 1f 84 00 00 00 00 00 66 90 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 \u003c48\u003e 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 8974 24 10\n [   18.881766] RSP: 002b:00007ffcdd00fad8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\n [   18.882149] RAX: ffffffffffffffda RBX: 00007ffcdd010db8 RCX: 000000000044a957\n [   18.882507] RDX: 0000000000000000 RSI: 00007ffcdd00fb70 RDI: 0000000000000003\n [   18.885037] RBP: 00007ffcdd010bc0 R08: 000000000703c770 R09: 000000000703c7c0\n [   18.887203] R10: 0000000000000080 R11: 0000000000000246 R12: 0000000000000001\n [   18.888026] R13: 00007ffcdd010da8 R14: 00000000004ca7d0 R15: 0000000000000001\n [   18.888395]  \u003c/TASK\u003e\n [   18.888610] ---[ end trace ]---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:19:09.132Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/03c56665dab1f4ac844bc156652d50d639093fa5"
        },
        {
          "url": "https://git.kernel.org/stable/c/bcf0d815e728a3a304b50455b32a3170c16e1eaa"
        },
        {
          "url": "https://git.kernel.org/stable/c/1332c6ed446be787f901ed1064ec6a3c694f028a"
        },
        {
          "url": "https://git.kernel.org/stable/c/f4168299e553f17aa2ba4016e77a9c38da40eb1d"
        },
        {
          "url": "https://git.kernel.org/stable/c/997f6ec4208b23c87daf9f044689685f091826f7"
        },
        {
          "url": "https://git.kernel.org/stable/c/f6b0f05fbfa4044f890e8a348288c0d9a20bd1d0"
        },
        {
          "url": "https://git.kernel.org/stable/c/d62b04fca4340a0d468d7853bd66e511935a18cb"
        }
      ],
      "title": "net: sched: fix ets qdisc OOB Indexing",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21692",
    "datePublished": "2025-02-10T15:58:48.087Z",
    "dateReserved": "2024-12-29T08:45:45.742Z",
    "dateUpdated": "2025-10-01T19:57:10.054Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38089 (GCVE-0-2025-38089)

Vulnerability from cvelistv5

Published

2025-06-30 07:29

Modified

2025-07-28 04:12

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: sunrpc: handle SVC_GARBAGE during svc auth processing as auth error tianshuo han reported a remotely-triggerable crash if the client sends a kernel RPC server a specially crafted packet. If decoding the RPC reply fails in such a way that SVC_GARBAGE is returned without setting the rq_accept_statp pointer, then that pointer can be dereferenced and a value stored there. If it's the first time the thread has processed an RPC, then that pointer will be set to NULL and the kernel will crash. In other cases, it could create a memory scribble. The server sunrpc code treats a SVC_GARBAGE return from svc_authenticate or pg_authenticate as if it should send a GARBAGE_ARGS reply. RFC 5531 says that if authentication fails that the RPC should be rejected instead with a status of AUTH_ERR. Handle a SVC_GARBAGE return as an AUTH_ERROR, with a reason of AUTH_BADCRED instead of returning GARBAGE_ARGS in that case. This sidesteps the whole problem of touching the rpc_accept_statp pointer in this situation and avoids the crash.

References

URL

Tags

	https://git.kernel.org/stable/c/599c489eea793821232a2f69a00fa57d82b0ac98
	https://git.kernel.org/stable/c/353e75b55e583635bf71cde6abcec274dba05edd
	https://git.kernel.org/stable/c/c90459cd58bb421d275337093d8e901e0ba748dd
	https://git.kernel.org/stable/c/94d10a4dba0bc482f2b01e39f06d5513d0f75742
	https://www.openwall.com/lists/oss-security/2025/07/02/2
	https://github.com/keymaker-arch/NFSundown

Impacted products

Vendor

Product

Version

Linux

Version: 29cd2927fb914cc53b5ba4f67d2b74695c994ba4
Version: 29cd2927fb914cc53b5ba4f67d2b74695c994ba4
Version: 29cd2927fb914cc53b5ba4f67d2b74695c994ba4
Version: 29cd2927fb914cc53b5ba4f67d2b74695c994ba4
Version: 9b59f5c4911e87264507e0934cd2bb277390c560

Linux

Version: 6.4

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sunrpc/svc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "599c489eea793821232a2f69a00fa57d82b0ac98",
              "status": "affected",
              "version": "29cd2927fb914cc53b5ba4f67d2b74695c994ba4",
              "versionType": "git"
            },
            {
              "lessThan": "353e75b55e583635bf71cde6abcec274dba05edd",
              "status": "affected",
              "version": "29cd2927fb914cc53b5ba4f67d2b74695c994ba4",
              "versionType": "git"
            },
            {
              "lessThan": "c90459cd58bb421d275337093d8e901e0ba748dd",
              "status": "affected",
              "version": "29cd2927fb914cc53b5ba4f67d2b74695c994ba4",
              "versionType": "git"
            },
            {
              "lessThan": "94d10a4dba0bc482f2b01e39f06d5513d0f75742",
              "status": "affected",
              "version": "29cd2927fb914cc53b5ba4f67d2b74695c994ba4",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "9b59f5c4911e87264507e0934cd2bb277390c560",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sunrpc/svc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.4"
            },
            {
              "lessThan": "6.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.95",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.35",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.95",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.35",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.4",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.3.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsunrpc: handle SVC_GARBAGE during svc auth processing as auth error\n\ntianshuo han reported a remotely-triggerable crash if the client sends a\nkernel RPC server a specially crafted packet. If decoding the RPC reply\nfails in such a way that SVC_GARBAGE is returned without setting the\nrq_accept_statp pointer, then that pointer can be dereferenced and a\nvalue stored there.\n\nIf it\u0027s the first time the thread has processed an RPC, then that\npointer will be set to NULL and the kernel will crash. In other cases,\nit could create a memory scribble.\n\nThe server sunrpc code treats a SVC_GARBAGE return from svc_authenticate\nor pg_authenticate as if it should send a GARBAGE_ARGS reply. RFC 5531\nsays that if authentication fails that the RPC should be rejected\ninstead with a status of AUTH_ERR.\n\nHandle a SVC_GARBAGE return as an AUTH_ERROR, with a reason of\nAUTH_BADCRED instead of returning GARBAGE_ARGS in that case. This\nsidesteps the whole problem of touching the rpc_accept_statp pointer in\nthis situation and avoids the crash."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:12:04.604Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/599c489eea793821232a2f69a00fa57d82b0ac98"
        },
        {
          "url": "https://git.kernel.org/stable/c/353e75b55e583635bf71cde6abcec274dba05edd"
        },
        {
          "url": "https://git.kernel.org/stable/c/c90459cd58bb421d275337093d8e901e0ba748dd"
        },
        {
          "url": "https://git.kernel.org/stable/c/94d10a4dba0bc482f2b01e39f06d5513d0f75742"
        },
        {
          "url": "https://www.openwall.com/lists/oss-security/2025/07/02/2"
        },
        {
          "url": "https://github.com/keymaker-arch/NFSundown"
        }
      ],
      "title": "sunrpc: handle SVC_GARBAGE during svc auth processing as auth error",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38089",
    "datePublished": "2025-06-30T07:29:44.836Z",
    "dateReserved": "2025-04-16T04:51:23.982Z",
    "dateUpdated": "2025-07-28T04:12:04.604Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38477 (GCVE-0-2025-38477)

Vulnerability from cvelistv5

Published

2025-07-28 11:21

Modified

2025-08-28 14:43

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_qfq: Fix race condition on qfq_aggregate A race condition can occur when 'agg' is modified in qfq_change_agg (called during qfq_enqueue) while other threads access it concurrently. For example, qfq_dump_class may trigger a NULL dereference, and qfq_delete_class may cause a use-after-free. This patch addresses the issue by: 1. Moved qfq_destroy_class into the critical section. 2. Added sch_tree_lock protection to qfq_dump_class and qfq_dump_class_stats.

References

URL

Tags

	https://git.kernel.org/stable/c/aa7a22c4d678bf649fd3a1d27debec583563414d
	https://git.kernel.org/stable/c/d841aa5518508ab195b6781ad0d73ee378d713dd
	https://git.kernel.org/stable/c/c6df794000147a3a02f79984aada4ce83f8d0a1e
	https://git.kernel.org/stable/c/466e10194ab81caa2ee6a332d33ba16bcceeeba6
	https://git.kernel.org/stable/c/fbe48f06e64134dfeafa89ad23387f66ebca3527
	https://git.kernel.org/stable/c/a6d735100f602c830c16d69fb6d780eebd8c9ae1
	https://git.kernel.org/stable/c/c000a3a330d97f6c073ace5aa5faf94b9adb4b79
	https://git.kernel.org/stable/c/5e28d5a3f774f118896aec17a3a20a9c5c9dfc64

Impacted products

Vendor

Product

Version

Linux

Version: 462dbc9101acd38e92eda93c0726857517a24bbd
Version: 462dbc9101acd38e92eda93c0726857517a24bbd
Version: 462dbc9101acd38e92eda93c0726857517a24bbd
Version: 462dbc9101acd38e92eda93c0726857517a24bbd
Version: 462dbc9101acd38e92eda93c0726857517a24bbd
Version: 462dbc9101acd38e92eda93c0726857517a24bbd
Version: 462dbc9101acd38e92eda93c0726857517a24bbd
Version: 462dbc9101acd38e92eda93c0726857517a24bbd

Linux

Version: 3.8

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_qfq.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "aa7a22c4d678bf649fd3a1d27debec583563414d",
              "status": "affected",
              "version": "462dbc9101acd38e92eda93c0726857517a24bbd",
              "versionType": "git"
            },
            {
              "lessThan": "d841aa5518508ab195b6781ad0d73ee378d713dd",
              "status": "affected",
              "version": "462dbc9101acd38e92eda93c0726857517a24bbd",
              "versionType": "git"
            },
            {
              "lessThan": "c6df794000147a3a02f79984aada4ce83f8d0a1e",
              "status": "affected",
              "version": "462dbc9101acd38e92eda93c0726857517a24bbd",
              "versionType": "git"
            },
            {
              "lessThan": "466e10194ab81caa2ee6a332d33ba16bcceeeba6",
              "status": "affected",
              "version": "462dbc9101acd38e92eda93c0726857517a24bbd",
              "versionType": "git"
            },
            {
              "lessThan": "fbe48f06e64134dfeafa89ad23387f66ebca3527",
              "status": "affected",
              "version": "462dbc9101acd38e92eda93c0726857517a24bbd",
              "versionType": "git"
            },
            {
              "lessThan": "a6d735100f602c830c16d69fb6d780eebd8c9ae1",
              "status": "affected",
              "version": "462dbc9101acd38e92eda93c0726857517a24bbd",
              "versionType": "git"
            },
            {
              "lessThan": "c000a3a330d97f6c073ace5aa5faf94b9adb4b79",
              "status": "affected",
              "version": "462dbc9101acd38e92eda93c0726857517a24bbd",
              "versionType": "git"
            },
            {
              "lessThan": "5e28d5a3f774f118896aec17a3a20a9c5c9dfc64",
              "status": "affected",
              "version": "462dbc9101acd38e92eda93c0726857517a24bbd",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_qfq.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.8"
            },
            {
              "lessThan": "3.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.297",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.241",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.147",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.100",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.40",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.297",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.241",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.147",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.100",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.40",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.8",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: sch_qfq: Fix race condition on qfq_aggregate\n\nA race condition can occur when \u0027agg\u0027 is modified in qfq_change_agg\n(called during qfq_enqueue) while other threads access it\nconcurrently. For example, qfq_dump_class may trigger a NULL\ndereference, and qfq_delete_class may cause a use-after-free.\n\nThis patch addresses the issue by:\n\n1. Moved qfq_destroy_class into the critical section.\n\n2. Added sch_tree_lock protection to qfq_dump_class and\nqfq_dump_class_stats."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-28T14:43:15.237Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/aa7a22c4d678bf649fd3a1d27debec583563414d"
        },
        {
          "url": "https://git.kernel.org/stable/c/d841aa5518508ab195b6781ad0d73ee378d713dd"
        },
        {
          "url": "https://git.kernel.org/stable/c/c6df794000147a3a02f79984aada4ce83f8d0a1e"
        },
        {
          "url": "https://git.kernel.org/stable/c/466e10194ab81caa2ee6a332d33ba16bcceeeba6"
        },
        {
          "url": "https://git.kernel.org/stable/c/fbe48f06e64134dfeafa89ad23387f66ebca3527"
        },
        {
          "url": "https://git.kernel.org/stable/c/a6d735100f602c830c16d69fb6d780eebd8c9ae1"
        },
        {
          "url": "https://git.kernel.org/stable/c/c000a3a330d97f6c073ace5aa5faf94b9adb4b79"
        },
        {
          "url": "https://git.kernel.org/stable/c/5e28d5a3f774f118896aec17a3a20a9c5c9dfc64"
        }
      ],
      "title": "net/sched: sch_qfq: Fix race condition on qfq_aggregate",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38477",
    "datePublished": "2025-07-28T11:21:38.319Z",
    "dateReserved": "2025-04-16T04:51:24.021Z",
    "dateUpdated": "2025-08-28T14:43:15.237Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-53168 (GCVE-0-2024-53168)

Vulnerability from cvelistv5

Published

2024-12-27 13:49

Modified

2025-05-04 09:54

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: sunrpc: fix one UAF issue caused by sunrpc kernel tcp socket BUG: KASAN: slab-use-after-free in tcp_write_timer_handler+0x156/0x3e0 Read of size 1 at addr ffff888111f322cd by task swapper/0/0 CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.0-rc4-dirty #7 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 Call Trace: <IRQ> dump_stack_lvl+0x68/0xa0 print_address_description.constprop.0+0x2c/0x3d0 print_report+0xb4/0x270 kasan_report+0xbd/0xf0 tcp_write_timer_handler+0x156/0x3e0 tcp_write_timer+0x66/0x170 call_timer_fn+0xfb/0x1d0 __run_timers+0x3f8/0x480 run_timer_softirq+0x9b/0x100 handle_softirqs+0x153/0x390 __irq_exit_rcu+0x103/0x120 irq_exit_rcu+0xe/0x20 sysvec_apic_timer_interrupt+0x76/0x90 </IRQ> <TASK> asm_sysvec_apic_timer_interrupt+0x1a/0x20 RIP: 0010:default_idle+0xf/0x20 Code: 4c 01 c7 4c 29 c2 e9 72 ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 66 90 0f 00 2d 33 f8 25 00 fb f4 <fa> c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 RSP: 0018:ffffffffa2007e28 EFLAGS: 00000242 RAX: 00000000000f3b31 RBX: 1ffffffff4400fc7 RCX: ffffffffa09c3196 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff9f00590f RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed102360835d R10: ffff88811b041aeb R11: 0000000000000001 R12: 0000000000000000 R13: ffffffffa202d7c0 R14: 0000000000000000 R15: 00000000000147d0 default_idle_call+0x6b/0xa0 cpuidle_idle_call+0x1af/0x1f0 do_idle+0xbc/0x130 cpu_startup_entry+0x33/0x40 rest_init+0x11f/0x210 start_kernel+0x39a/0x420 x86_64_start_reservations+0x18/0x30 x86_64_start_kernel+0x97/0xa0 common_startup_64+0x13e/0x141 </TASK> Allocated by task 595: kasan_save_stack+0x24/0x50 kasan_save_track+0x14/0x30 __kasan_slab_alloc+0x87/0x90 kmem_cache_alloc_noprof+0x12b/0x3f0 copy_net_ns+0x94/0x380 create_new_namespaces+0x24c/0x500 unshare_nsproxy_namespaces+0x75/0xf0 ksys_unshare+0x24e/0x4f0 __x64_sys_unshare+0x1f/0x30 do_syscall_64+0x70/0x180 entry_SYSCALL_64_after_hwframe+0x76/0x7e Freed by task 100: kasan_save_stack+0x24/0x50 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x54/0x70 kmem_cache_free+0x156/0x5d0 cleanup_net+0x5d3/0x670 process_one_work+0x776/0xa90 worker_thread+0x2e2/0x560 kthread+0x1a8/0x1f0 ret_from_fork+0x34/0x60 ret_from_fork_asm+0x1a/0x30 Reproduction script: mkdir -p /mnt/nfsshare mkdir -p /mnt/nfs/netns_1 mkfs.ext4 /dev/sdb mount /dev/sdb /mnt/nfsshare systemctl restart nfs-server chmod 777 /mnt/nfsshare exportfs -i -o rw,no_root_squash *:/mnt/nfsshare ip netns add netns_1 ip link add name veth_1_peer type veth peer veth_1 ifconfig veth_1_peer 11.11.0.254 up ip link set veth_1 netns netns_1 ip netns exec netns_1 ifconfig veth_1 11.11.0.1 ip netns exec netns_1 /root/iptables -A OUTPUT -d 11.11.0.254 -p tcp \ --tcp-flags FIN FIN -j DROP (note: In my environment, a DESTROY_CLIENTID operation is always sent immediately, breaking the nfs tcp connection.) ip netns exec netns_1 timeout -s 9 300 mount -t nfs -o proto=tcp,vers=4.1 \ 11.11.0.254:/mnt/nfsshare /mnt/nfs/netns_1 ip netns del netns_1 The reason here is that the tcp socket in netns_1 (nfs side) has been shutdown and closed (done in xs_destroy), but the FIN message (with ack) is discarded, and the nfsd side keeps sending retransmission messages. As a result, when the tcp sock in netns_1 processes the received message, it sends the message (FIN message) in the sending queue, and the tcp timer is re-established. When the network namespace is deleted, the net structure accessed by tcp's timer handler function causes problems. To fix this problem, let's hold netns refcnt for the tcp kernel socket as done in other modules. This is an ugly hack which can easily be backported to earlier kernels. A proper fix which cleans up the interfaces will follow, but may not be so easy to backport.

References

URL

Tags

	https://git.kernel.org/stable/c/0ca87e5063757132a044d35baba40a7d4bb25394
	https://git.kernel.org/stable/c/694ccb05b79ee5f5a9f14c2f80d2635d3bb8bdc3
	https://git.kernel.org/stable/c/61c0a5eac96836de5e3a5897eccdc63162a94936
	https://git.kernel.org/stable/c/3f23f96528e8fcf8619895c4c916c52653892ec1

Impacted products

Vendor

Product

Version

Linux

Version: 26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe
Version: 26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe
Version: 26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe
Version: 26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe

Linux

Version: 4.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-53168",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-10T17:13:17.133716Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-10T17:21:09.665Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sunrpc/svcsock.c",
            "net/sunrpc/xprtsock.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0ca87e5063757132a044d35baba40a7d4bb25394",
              "status": "affected",
              "version": "26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe",
              "versionType": "git"
            },
            {
              "lessThan": "694ccb05b79ee5f5a9f14c2f80d2635d3bb8bdc3",
              "status": "affected",
              "version": "26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe",
              "versionType": "git"
            },
            {
              "lessThan": "61c0a5eac96836de5e3a5897eccdc63162a94936",
              "status": "affected",
              "version": "26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe",
              "versionType": "git"
            },
            {
              "lessThan": "3f23f96528e8fcf8619895c4c916c52653892ec1",
              "status": "affected",
              "version": "26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sunrpc/svcsock.c",
            "net/sunrpc/xprtsock.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.2"
            },
            {
              "lessThan": "4.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.64",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.11.*",
              "status": "unaffected",
              "version": "6.11.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.64",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.11.11",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.2",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsunrpc: fix one UAF issue caused by sunrpc kernel tcp socket\n\nBUG: KASAN: slab-use-after-free in tcp_write_timer_handler+0x156/0x3e0\nRead of size 1 at addr ffff888111f322cd by task swapper/0/0\n\nCPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.0-rc4-dirty #7\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1\nCall Trace:\n \u003cIRQ\u003e\n dump_stack_lvl+0x68/0xa0\n print_address_description.constprop.0+0x2c/0x3d0\n print_report+0xb4/0x270\n kasan_report+0xbd/0xf0\n tcp_write_timer_handler+0x156/0x3e0\n tcp_write_timer+0x66/0x170\n call_timer_fn+0xfb/0x1d0\n __run_timers+0x3f8/0x480\n run_timer_softirq+0x9b/0x100\n handle_softirqs+0x153/0x390\n __irq_exit_rcu+0x103/0x120\n irq_exit_rcu+0xe/0x20\n sysvec_apic_timer_interrupt+0x76/0x90\n \u003c/IRQ\u003e\n \u003cTASK\u003e\n asm_sysvec_apic_timer_interrupt+0x1a/0x20\nRIP: 0010:default_idle+0xf/0x20\nCode: 4c 01 c7 4c 29 c2 e9 72 ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90\n 90 90 90 90 f3 0f 1e fa 66 90 0f 00 2d 33 f8 25 00 fb f4 \u003cfa\u003e c3 cc cc cc\n cc 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90\nRSP: 0018:ffffffffa2007e28 EFLAGS: 00000242\nRAX: 00000000000f3b31 RBX: 1ffffffff4400fc7 RCX: ffffffffa09c3196\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff9f00590f\nRBP: 0000000000000000 R08: 0000000000000001 R09: ffffed102360835d\nR10: ffff88811b041aeb R11: 0000000000000001 R12: 0000000000000000\nR13: ffffffffa202d7c0 R14: 0000000000000000 R15: 00000000000147d0\n default_idle_call+0x6b/0xa0\n cpuidle_idle_call+0x1af/0x1f0\n do_idle+0xbc/0x130\n cpu_startup_entry+0x33/0x40\n rest_init+0x11f/0x210\n start_kernel+0x39a/0x420\n x86_64_start_reservations+0x18/0x30\n x86_64_start_kernel+0x97/0xa0\n common_startup_64+0x13e/0x141\n \u003c/TASK\u003e\n\nAllocated by task 595:\n kasan_save_stack+0x24/0x50\n kasan_save_track+0x14/0x30\n __kasan_slab_alloc+0x87/0x90\n kmem_cache_alloc_noprof+0x12b/0x3f0\n copy_net_ns+0x94/0x380\n create_new_namespaces+0x24c/0x500\n unshare_nsproxy_namespaces+0x75/0xf0\n ksys_unshare+0x24e/0x4f0\n __x64_sys_unshare+0x1f/0x30\n do_syscall_64+0x70/0x180\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nFreed by task 100:\n kasan_save_stack+0x24/0x50\n kasan_save_track+0x14/0x30\n kasan_save_free_info+0x3b/0x60\n __kasan_slab_free+0x54/0x70\n kmem_cache_free+0x156/0x5d0\n cleanup_net+0x5d3/0x670\n process_one_work+0x776/0xa90\n worker_thread+0x2e2/0x560\n kthread+0x1a8/0x1f0\n ret_from_fork+0x34/0x60\n ret_from_fork_asm+0x1a/0x30\n\nReproduction script:\n\nmkdir -p /mnt/nfsshare\nmkdir -p /mnt/nfs/netns_1\nmkfs.ext4 /dev/sdb\nmount /dev/sdb /mnt/nfsshare\nsystemctl restart nfs-server\nchmod 777 /mnt/nfsshare\nexportfs -i -o rw,no_root_squash *:/mnt/nfsshare\n\nip netns add netns_1\nip link add name veth_1_peer type veth peer veth_1\nifconfig veth_1_peer 11.11.0.254 up\nip link set veth_1 netns netns_1\nip netns exec netns_1 ifconfig veth_1 11.11.0.1\n\nip netns exec netns_1 /root/iptables -A OUTPUT -d 11.11.0.254 -p tcp \\\n\t--tcp-flags FIN FIN  -j DROP\n\n(note: In my environment, a DESTROY_CLIENTID operation is always sent\n immediately, breaking the nfs tcp connection.)\nip netns exec netns_1 timeout -s 9 300 mount -t nfs -o proto=tcp,vers=4.1 \\\n\t11.11.0.254:/mnt/nfsshare /mnt/nfs/netns_1\n\nip netns del netns_1\n\nThe reason here is that the tcp socket in netns_1 (nfs side) has been\nshutdown and closed (done in xs_destroy), but the FIN message (with ack)\nis discarded, and the nfsd side keeps sending retransmission messages.\nAs a result, when the tcp sock in netns_1 processes the received message,\nit sends the message (FIN message) in the sending queue, and the tcp timer\nis re-established. When the network namespace is deleted, the net structure\naccessed by tcp\u0027s timer handler function causes problems.\n\nTo fix this problem, let\u0027s hold netns refcnt for the tcp kernel socket as\ndone in other modules. This is an ugly hack which can easily be backported\nto earlier kernels. A proper fix which cleans up the interfaces will\nfollow, but may not be so easy to backport."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:54:45.571Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0ca87e5063757132a044d35baba40a7d4bb25394"
        },
        {
          "url": "https://git.kernel.org/stable/c/694ccb05b79ee5f5a9f14c2f80d2635d3bb8bdc3"
        },
        {
          "url": "https://git.kernel.org/stable/c/61c0a5eac96836de5e3a5897eccdc63162a94936"
        },
        {
          "url": "https://git.kernel.org/stable/c/3f23f96528e8fcf8619895c4c916c52653892ec1"
        }
      ],
      "title": "sunrpc: fix one UAF issue caused by sunrpc kernel tcp socket",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-53168",
    "datePublished": "2024-12-27T13:49:14.165Z",
    "dateReserved": "2024-11-19T17:17:25.005Z",
    "dateUpdated": "2025-05-04T09:54:45.571Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-50154 (GCVE-0-2024-50154)

Vulnerability from cvelistv5

Published

2024-11-07 09:31

Modified

2025-05-04 12:59

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: tcp/dccp: Don't use timer_pending() in reqsk_queue_unlink(). Martin KaFai Lau reported use-after-free [0] in reqsk_timer_handler(). """ We are seeing a use-after-free from a bpf prog attached to trace_tcp_retransmit_synack. The program passes the req->sk to the bpf_sk_storage_get_tracing kernel helper which does check for null before using it. """ The commit 83fccfc3940c ("inet: fix potential deadlock in reqsk_queue_unlink()") added timer_pending() in reqsk_queue_unlink() not to call del_timer_sync() from reqsk_timer_handler(), but it introduced a small race window. Before the timer is called, expire_timers() calls detach_timer(timer, true) to clear timer->entry.pprev and marks it as not pending. If reqsk_queue_unlink() checks timer_pending() just after expire_timers() calls detach_timer(), TCP will miss del_timer_sync(); the reqsk timer will continue running and send multiple SYN+ACKs until it expires. The reported UAF could happen if req->sk is close()d earlier than the timer expiration, which is 63s by default. The scenario would be 1. inet_csk_complete_hashdance() calls inet_csk_reqsk_queue_drop(), but del_timer_sync() is missed 2. reqsk timer is executed and scheduled again 3. req->sk is accept()ed and reqsk_put() decrements rsk_refcnt, but reqsk timer still has another one, and inet_csk_accept() does not clear req->sk for non-TFO sockets 4. sk is close()d 5. reqsk timer is executed again, and BPF touches req->sk Let's not use timer_pending() by passing the caller context to __inet_csk_reqsk_queue_drop(). Note that reqsk timer is pinned, so the issue does not happen in most use cases. [1] [0] BUG: KFENCE: use-after-free read in bpf_sk_storage_get_tracing+0x2e/0x1b0 Use-after-free read at 0x00000000a891fb3a (in kfence-#1): bpf_sk_storage_get_tracing+0x2e/0x1b0 bpf_prog_5ea3e95db6da0438_tcp_retransmit_synack+0x1d20/0x1dda bpf_trace_run2+0x4c/0xc0 tcp_rtx_synack+0xf9/0x100 reqsk_timer_handler+0xda/0x3d0 run_timer_softirq+0x292/0x8a0 irq_exit_rcu+0xf5/0x320 sysvec_apic_timer_interrupt+0x6d/0x80 asm_sysvec_apic_timer_interrupt+0x16/0x20 intel_idle_irq+0x5a/0xa0 cpuidle_enter_state+0x94/0x273 cpu_startup_entry+0x15e/0x260 start_secondary+0x8a/0x90 secondary_startup_64_no_verify+0xfa/0xfb kfence-#1: 0x00000000a72cc7b6-0x00000000d97616d9, size=2376, cache=TCPv6 allocated by task 0 on cpu 9 at 260507.901592s: sk_prot_alloc+0x35/0x140 sk_clone_lock+0x1f/0x3f0 inet_csk_clone_lock+0x15/0x160 tcp_create_openreq_child+0x1f/0x410 tcp_v6_syn_recv_sock+0x1da/0x700 tcp_check_req+0x1fb/0x510 tcp_v6_rcv+0x98b/0x1420 ipv6_list_rcv+0x2258/0x26e0 napi_complete_done+0x5b1/0x2990 mlx5e_napi_poll+0x2ae/0x8d0 net_rx_action+0x13e/0x590 irq_exit_rcu+0xf5/0x320 common_interrupt+0x80/0x90 asm_common_interrupt+0x22/0x40 cpuidle_enter_state+0xfb/0x273 cpu_startup_entry+0x15e/0x260 start_secondary+0x8a/0x90 secondary_startup_64_no_verify+0xfa/0xfb freed by task 0 on cpu 9 at 260507.927527s: rcu_core_si+0x4ff/0xf10 irq_exit_rcu+0xf5/0x320 sysvec_apic_timer_interrupt+0x6d/0x80 asm_sysvec_apic_timer_interrupt+0x16/0x20 cpuidle_enter_state+0xfb/0x273 cpu_startup_entry+0x15e/0x260 start_secondary+0x8a/0x90 secondary_startup_64_no_verify+0xfa/0xfb

References

URL

Tags

	https://git.kernel.org/stable/c/106e457953315e476b3642ef24be25ed862aaba3
	https://git.kernel.org/stable/c/c964bf65f80a14288d767023a1b300b30f5b9cd0
	https://git.kernel.org/stable/c/8459d61fbf24967839a70235165673148c7c7f17
	https://git.kernel.org/stable/c/5071beb59ee416e8ab456ac8647a4dabcda823b1
	https://git.kernel.org/stable/c/997ae8da14f1639ce6fb66a063dab54031cd61b3
	https://git.kernel.org/stable/c/51e34db64f4e43c7b055ccf881b7f3e0c31bb26d
	https://git.kernel.org/stable/c/e8c526f2bdf1845bedaf6a478816a3d06fa78b8f

Impacted products

Vendor

Product

Version

Linux

Version: 83fccfc3940c4a2db90fd7e7079f5b465cd8c6af
Version: 83fccfc3940c4a2db90fd7e7079f5b465cd8c6af
Version: 83fccfc3940c4a2db90fd7e7079f5b465cd8c6af
Version: 83fccfc3940c4a2db90fd7e7079f5b465cd8c6af
Version: 83fccfc3940c4a2db90fd7e7079f5b465cd8c6af
Version: 83fccfc3940c4a2db90fd7e7079f5b465cd8c6af
Version: 83fccfc3940c4a2db90fd7e7079f5b465cd8c6af
Version: d3a1196bfc462943694623412d8e03aaf172bdc1

Linux

Version: 4.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-50154",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-11T14:25:48.087506Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-11T14:58:32.999Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/ipv4/inet_connection_sock.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "106e457953315e476b3642ef24be25ed862aaba3",
              "status": "affected",
              "version": "83fccfc3940c4a2db90fd7e7079f5b465cd8c6af",
              "versionType": "git"
            },
            {
              "lessThan": "c964bf65f80a14288d767023a1b300b30f5b9cd0",
              "status": "affected",
              "version": "83fccfc3940c4a2db90fd7e7079f5b465cd8c6af",
              "versionType": "git"
            },
            {
              "lessThan": "8459d61fbf24967839a70235165673148c7c7f17",
              "status": "affected",
              "version": "83fccfc3940c4a2db90fd7e7079f5b465cd8c6af",
              "versionType": "git"
            },
            {
              "lessThan": "5071beb59ee416e8ab456ac8647a4dabcda823b1",
              "status": "affected",
              "version": "83fccfc3940c4a2db90fd7e7079f5b465cd8c6af",
              "versionType": "git"
            },
            {
              "lessThan": "997ae8da14f1639ce6fb66a063dab54031cd61b3",
              "status": "affected",
              "version": "83fccfc3940c4a2db90fd7e7079f5b465cd8c6af",
              "versionType": "git"
            },
            {
              "lessThan": "51e34db64f4e43c7b055ccf881b7f3e0c31bb26d",
              "status": "affected",
              "version": "83fccfc3940c4a2db90fd7e7079f5b465cd8c6af",
              "versionType": "git"
            },
            {
              "lessThan": "e8c526f2bdf1845bedaf6a478816a3d06fa78b8f",
              "status": "affected",
              "version": "83fccfc3940c4a2db90fd7e7079f5b465cd8c6af",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "d3a1196bfc462943694623412d8e03aaf172bdc1",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/ipv4/inet_connection_sock.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.2"
            },
            {
              "lessThan": "4.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.293",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.237",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.170",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.115",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.59",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.11.*",
              "status": "unaffected",
              "version": "6.11.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.12",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.293",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.237",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.170",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.115",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.59",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.11.6",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.1.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp/dccp: Don\u0027t use timer_pending() in reqsk_queue_unlink().\n\nMartin KaFai Lau reported use-after-free [0] in reqsk_timer_handler().\n\n  \"\"\"\n  We are seeing a use-after-free from a bpf prog attached to\n  trace_tcp_retransmit_synack. The program passes the req-\u003esk to the\n  bpf_sk_storage_get_tracing kernel helper which does check for null\n  before using it.\n  \"\"\"\n\nThe commit 83fccfc3940c (\"inet: fix potential deadlock in\nreqsk_queue_unlink()\") added timer_pending() in reqsk_queue_unlink() not\nto call del_timer_sync() from reqsk_timer_handler(), but it introduced a\nsmall race window.\n\nBefore the timer is called, expire_timers() calls detach_timer(timer, true)\nto clear timer-\u003eentry.pprev and marks it as not pending.\n\nIf reqsk_queue_unlink() checks timer_pending() just after expire_timers()\ncalls detach_timer(), TCP will miss del_timer_sync(); the reqsk timer will\ncontinue running and send multiple SYN+ACKs until it expires.\n\nThe reported UAF could happen if req-\u003esk is close()d earlier than the timer\nexpiration, which is 63s by default.\n\nThe scenario would be\n\n  1. inet_csk_complete_hashdance() calls inet_csk_reqsk_queue_drop(),\n     but del_timer_sync() is missed\n\n  2. reqsk timer is executed and scheduled again\n\n  3. req-\u003esk is accept()ed and reqsk_put() decrements rsk_refcnt, but\n     reqsk timer still has another one, and inet_csk_accept() does not\n     clear req-\u003esk for non-TFO sockets\n\n  4. sk is close()d\n\n  5. reqsk timer is executed again, and BPF touches req-\u003esk\n\nLet\u0027s not use timer_pending() by passing the caller context to\n__inet_csk_reqsk_queue_drop().\n\nNote that reqsk timer is pinned, so the issue does not happen in most\nuse cases. [1]\n\n[0]\nBUG: KFENCE: use-after-free read in bpf_sk_storage_get_tracing+0x2e/0x1b0\n\nUse-after-free read at 0x00000000a891fb3a (in kfence-#1):\nbpf_sk_storage_get_tracing+0x2e/0x1b0\nbpf_prog_5ea3e95db6da0438_tcp_retransmit_synack+0x1d20/0x1dda\nbpf_trace_run2+0x4c/0xc0\ntcp_rtx_synack+0xf9/0x100\nreqsk_timer_handler+0xda/0x3d0\nrun_timer_softirq+0x292/0x8a0\nirq_exit_rcu+0xf5/0x320\nsysvec_apic_timer_interrupt+0x6d/0x80\nasm_sysvec_apic_timer_interrupt+0x16/0x20\nintel_idle_irq+0x5a/0xa0\ncpuidle_enter_state+0x94/0x273\ncpu_startup_entry+0x15e/0x260\nstart_secondary+0x8a/0x90\nsecondary_startup_64_no_verify+0xfa/0xfb\n\nkfence-#1: 0x00000000a72cc7b6-0x00000000d97616d9, size=2376, cache=TCPv6\n\nallocated by task 0 on cpu 9 at 260507.901592s:\nsk_prot_alloc+0x35/0x140\nsk_clone_lock+0x1f/0x3f0\ninet_csk_clone_lock+0x15/0x160\ntcp_create_openreq_child+0x1f/0x410\ntcp_v6_syn_recv_sock+0x1da/0x700\ntcp_check_req+0x1fb/0x510\ntcp_v6_rcv+0x98b/0x1420\nipv6_list_rcv+0x2258/0x26e0\nnapi_complete_done+0x5b1/0x2990\nmlx5e_napi_poll+0x2ae/0x8d0\nnet_rx_action+0x13e/0x590\nirq_exit_rcu+0xf5/0x320\ncommon_interrupt+0x80/0x90\nasm_common_interrupt+0x22/0x40\ncpuidle_enter_state+0xfb/0x273\ncpu_startup_entry+0x15e/0x260\nstart_secondary+0x8a/0x90\nsecondary_startup_64_no_verify+0xfa/0xfb\n\nfreed by task 0 on cpu 9 at 260507.927527s:\nrcu_core_si+0x4ff/0xf10\nirq_exit_rcu+0xf5/0x320\nsysvec_apic_timer_interrupt+0x6d/0x80\nasm_sysvec_apic_timer_interrupt+0x16/0x20\ncpuidle_enter_state+0xfb/0x273\ncpu_startup_entry+0x15e/0x260\nstart_secondary+0x8a/0x90\nsecondary_startup_64_no_verify+0xfa/0xfb"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T12:59:37.593Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/106e457953315e476b3642ef24be25ed862aaba3"
        },
        {
          "url": "https://git.kernel.org/stable/c/c964bf65f80a14288d767023a1b300b30f5b9cd0"
        },
        {
          "url": "https://git.kernel.org/stable/c/8459d61fbf24967839a70235165673148c7c7f17"
        },
        {
          "url": "https://git.kernel.org/stable/c/5071beb59ee416e8ab456ac8647a4dabcda823b1"
        },
        {
          "url": "https://git.kernel.org/stable/c/997ae8da14f1639ce6fb66a063dab54031cd61b3"
        },
        {
          "url": "https://git.kernel.org/stable/c/51e34db64f4e43c7b055ccf881b7f3e0c31bb26d"
        },
        {
          "url": "https://git.kernel.org/stable/c/e8c526f2bdf1845bedaf6a478816a3d06fa78b8f"
        }
      ],
      "title": "tcp/dccp: Don\u0027t use timer_pending() in reqsk_queue_unlink().",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-50154",
    "datePublished": "2024-11-07T09:31:30.855Z",
    "dateReserved": "2024-10-21T19:36:19.960Z",
    "dateUpdated": "2025-05-04T12:59:37.593Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CERTFR-2025-AVI-0860

Vulnerability from certfr_avis

Solutions

CVE-2025-21791 (GCVE-0-2025-21791)

Vulnerability from cvelistv5

CVE-2025-21692 (GCVE-0-2025-21692)

Vulnerability from cvelistv5

CVE-2025-38089 (GCVE-0-2025-38089)

Vulnerability from cvelistv5

CVE-2025-38477 (GCVE-0-2025-38477)

Vulnerability from cvelistv5

CVE-2024-53168 (GCVE-0-2024-53168)

Vulnerability from cvelistv5

CVE-2024-50154 (GCVE-0-2024-50154)

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature