CERTFR-2025-AVI-0895
Vulnerability from certfr_avis - Published: 2025-10-17 - Updated: 2025-10-17
Multiple vulnerabilities have been discovered in the SUSE Linux kernel. Some of them allow an attacker to cause a breach of data confidentiality, a breach of data integrity, and a bypass of the security policy.
Solutions
Refer to the vendor's security bulletin to obtain the patches (see the Documentation section).
Impacted products
| Vendor | Product | Description |
|---|---|---|
| SUSE | SUSE Linux Enterprise High Performance Computing | SUSE Linux Enterprise High Performance Computing 15 SP5 |
| SUSE | SUSE Linux Enterprise High Performance Computing | SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5 |
| SUSE | SUSE Linux Enterprise Server | SUSE Linux Enterprise Server 15 SP3 LTSS |
| SUSE | SUSE Linux Enterprise High Performance Computing | SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 |
| SUSE | Confidential Computing Module | Confidential Computing Module 15-SP6 |
| SUSE | openSUSE Leap | openSUSE Leap 15.5 |
| SUSE | SUSE Linux Enterprise Live Patching | SUSE Linux Enterprise Live Patching 15-SP5 |
| SUSE | SUSE Linux Enterprise Server | SUSE Linux Enterprise Server 12 SP5 LTSS |
| SUSE | SUSE Linux Enterprise Real Time | SUSE Linux Enterprise Real Time 15 SP7 |
| SUSE | SUSE Manager Retail Branch Server | SUSE Manager Retail Branch Server 4.2 |
| SUSE | openSUSE Leap | openSUSE Leap 15.3 |
| SUSE | SUSE Linux Enterprise Server | SUSE Linux Enterprise Server for SAP Applications 15 SP6 |
| SUSE | SUSE Linux Enterprise High Performance Computing | SUSE Linux Enterprise High Performance Computing 12 SP5 |
| SUSE | SUSE Linux Enterprise High Performance Computing | SUSE Linux Enterprise High Performance Computing 15 SP4 |
| SUSE | SUSE Manager Proxy | SUSE Manager Proxy 4.2 |
| SUSE | SUSE Linux Enterprise Live Patching | SUSE Linux Enterprise Live Patching 12-SP5 |
| SUSE | SUSE Linux Enterprise Server | SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security |
| SUSE | openSUSE Leap | openSUSE Leap 15.4 |
| SUSE | Basesystem Module | Basesystem Module 15-SP6 |
| SUSE | SUSE Linux Enterprise Desktop | SUSE Linux Enterprise Desktop 15 SP7 |
| SUSE | SUSE Linux Enterprise Live Patching | SUSE Linux Enterprise Live Patching 15-SP6 |
| SUSE | SUSE Linux Enterprise Server | SUSE Linux Enterprise Server for SAP Applications 12 SP5 |
| SUSE | SUSE Linux Enterprise Live Patching | SUSE Linux Enterprise Live Patching 15-SP7 |
| SUSE | SUSE Linux Enterprise Server | SUSE Linux Enterprise Server 12 SP5 |
| SUSE | SUSE Linux Enterprise Micro | SUSE Linux Enterprise Micro 5.2 |
| SUSE | SUSE Manager Server | SUSE Manager Server 4.2 |
| SUSE | Legacy Module | Legacy Module 15-SP6 |
| SUSE | SUSE Linux Enterprise High Availability Extension | SUSE Linux Enterprise High Availability Extension 15 SP3 |
| SUSE | SUSE Linux Enterprise Server | SUSE Linux Enterprise Server 15 SP5 |
| SUSE | SUSE Linux Enterprise Server | SUSE Linux Enterprise Server for SAP Applications 15 SP3 |
| SUSE | SUSE Linux Enterprise Micro | SUSE Linux Enterprise Micro 5.1 |
| SUSE | SUSE Enterprise Storage | SUSE Enterprise Storage 7.1 |
| SUSE | SUSE Linux Enterprise Server | SUSE Linux Enterprise Server for SAP Applications 15 SP5 |
| SUSE | SUSE Linux Enterprise High Performance Computing | SUSE Linux Enterprise High Performance Computing LTSS 15 SP5 |
| SUSE | openSUSE Leap | openSUSE Leap 15.6 |
| SUSE | SUSE Linux Enterprise Micro | SUSE Linux Enterprise Micro 5.3 |
| SUSE | SUSE Linux Enterprise Real Time | SUSE Linux Enterprise Real Time 15 SP5 |
| SUSE | SUSE Linux Enterprise Server | SUSE Linux Enterprise Server 15 SP6 |
| SUSE | Development Tools Module | Development Tools Module 15-SP6 |
| SUSE | SUSE Linux Enterprise Workstation Extension | SUSE Linux Enterprise Workstation Extension 15 SP7 |
| SUSE | SUSE Linux Enterprise Real Time | SUSE Linux Enterprise Real Time 15 SP4 |
| SUSE | SUSE Linux Enterprise Live Patching | SUSE Linux Enterprise Live Patching 15-SP3 |
| SUSE | SUSE Linux Enterprise Server | SUSE Linux Enterprise Server for SAP Applications 15 SP7 |
| SUSE | SUSE Linux Enterprise Micro | SUSE Linux Enterprise Micro for Rancher 5.2 |
| SUSE | SUSE Linux Enterprise Server | SUSE Linux Enterprise Server for SAP Applications 15 SP4 |
| SUSE | Basesystem Module | Basesystem Module 15-SP7 |
| SUSE | SUSE Linux Enterprise High Availability Extension | SUSE Linux Enterprise High Availability Extension 15 SP7 |
| SUSE | SUSE Linux Enterprise Desktop | SUSE Linux Enterprise Desktop 15 SP6 |
| SUSE | SUSE Linux Enterprise High Performance Computing | SUSE Linux Enterprise High Performance Computing 15 SP3 |
| SUSE | SUSE Linux Enterprise Micro | SUSE Linux Enterprise Micro 5.5 |
| SUSE | SUSE Linux Enterprise Server | SUSE Linux Enterprise Server 15 SP4 |
| SUSE | SUSE Linux Enterprise Real Time | SUSE Linux Enterprise Real Time 15 SP6 |
| SUSE | Legacy Module | Legacy Module 15-SP7 |
| SUSE | SUSE Linux Enterprise Server | SUSE Linux Enterprise Server 15 SP7 |
| SUSE | SUSE Linux Enterprise Server | SUSE Linux Enterprise Server 15 SP5 LTSS |
| SUSE | SUSE Linux Enterprise Workstation Extension | SUSE Linux Enterprise Workstation Extension 15 SP6 |
| SUSE | SUSE Linux Enterprise Server | SUSE Linux Enterprise Server 15 SP3 Business Critical Linux |
| SUSE | SUSE Linux Enterprise Server | SUSE Linux Enterprise Server 15 SP3 |
| SUSE | Development Tools Module | Development Tools Module 15-SP7 |
| SUSE | SUSE Linux Enterprise High Availability Extension | SUSE Linux Enterprise High Availability Extension 15 SP6 |
| SUSE | SUSE Linux Enterprise Micro | SUSE Linux Enterprise Micro 5.4 |
| SUSE | SUSE Linux Enterprise Live Patching | SUSE Linux Enterprise Live Patching 15-SP4 |
References
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "SUSE Linux Enterprise High Performance Computing 15 SP5",
"product": {
"name": "SUSE Linux Enterprise High Performance Computing",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5",
"product": {
"name": "SUSE Linux Enterprise High Performance Computing",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server 15 SP3 LTSS",
"product": {
"name": "SUSE Linux Enterprise Server",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise High Performance Computing LTSS 15 SP3",
"product": {
"name": "SUSE Linux Enterprise High Performance Computing",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "Confidential Computing Module 15-SP6",
"product": {
"name": "Confidential Computing Module",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "openSUSE Leap 15.5",
"product": {
"name": "openSUSE Leap",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Live Patching 15-SP5",
"product": {
"name": "SUSE Linux Enterprise Live Patching",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server 12 SP5 LTSS",
"product": {
"name": "SUSE Linux Enterprise Server",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Real Time 15 SP7",
"product": {
"name": "SUSE Linux Enterprise Real Time",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Manager Retail Branch Server 4.2",
"product": {
"name": "SUSE Manager Retail Branch Server",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "openSUSE Leap 15.3",
"product": {
"name": "openSUSE Leap",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server for SAP Applications 15 SP6",
"product": {
"name": "SUSE Linux Enterprise Server",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise High Performance Computing 12 SP5",
"product": {
"name": "SUSE Linux Enterprise High Performance Computing",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise High Performance Computing 15 SP4",
"product": {
"name": "SUSE Linux Enterprise High Performance Computing",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Manager Proxy 4.2",
"product": {
"name": "SUSE Manager Proxy",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Live Patching 12-SP5",
"product": {
"name": "SUSE Linux Enterprise Live Patching",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security",
"product": {
"name": "SUSE Linux Enterprise Server",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "openSUSE Leap 15.4",
"product": {
"name": "openSUSE Leap",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "Basesystem Module 15-SP6",
"product": {
"name": "Basesystem Module",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Desktop 15 SP7",
"product": {
"name": "SUSE Linux Enterprise Desktop",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Live Patching 15-SP6",
"product": {
"name": "SUSE Linux Enterprise Live Patching",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server for SAP Applications 12 SP5",
"product": {
"name": "SUSE Linux Enterprise Server",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Live Patching 15-SP7",
"product": {
"name": "SUSE Linux Enterprise Live Patching",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server 12 SP5",
"product": {
"name": "SUSE Linux Enterprise Server",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Micro 5.2",
"product": {
"name": "SUSE Linux Enterprise Micro",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Manager Server 4.2",
"product": {
"name": "SUSE Manager Server",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "Legacy Module 15-SP6",
"product": {
"name": "Legacy Module",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise High Availability Extension 15 SP3",
"product": {
"name": "SUSE Linux Enterprise High Availability Extension",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server 15 SP5",
"product": {
"name": "SUSE Linux Enterprise Server",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server for SAP Applications 15 SP3",
"product": {
"name": "SUSE Linux Enterprise Server",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Micro 5.1",
"product": {
"name": "SUSE Linux Enterprise Micro",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Enterprise Storage 7.1",
"product": {
"name": "SUSE Enterprise Storage",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server for SAP Applications 15 SP5",
"product": {
"name": "SUSE Linux Enterprise Server",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise High Performance Computing LTSS 15 SP5",
"product": {
"name": "SUSE Linux Enterprise High Performance Computing",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "openSUSE Leap 15.6",
"product": {
"name": "openSUSE Leap",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Micro 5.3",
"product": {
"name": "SUSE Linux Enterprise Micro",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Real Time 15 SP5",
"product": {
"name": "SUSE Linux Enterprise Real Time",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server 15 SP6",
"product": {
"name": "SUSE Linux Enterprise Server",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "Development Tools Module 15-SP6",
"product": {
"name": "Development Tools Module",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Workstation Extension 15 SP7",
"product": {
"name": "SUSE Linux Enterprise Workstation Extension",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Real Time 15 SP4",
"product": {
"name": "SUSE Linux Enterprise Real Time",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Live Patching 15-SP3",
"product": {
"name": "SUSE Linux Enterprise Live Patching",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server for SAP Applications 15 SP7",
"product": {
"name": "SUSE Linux Enterprise Server",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Micro for Rancher 5.2",
"product": {
"name": "SUSE Linux Enterprise Micro",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server for SAP Applications 15 SP4",
"product": {
"name": "SUSE Linux Enterprise Server",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "Basesystem Module 15-SP7",
"product": {
"name": "Basesystem Module",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise High Availability Extension 15 SP7",
"product": {
"name": "SUSE Linux Enterprise High Availability Extension",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Desktop 15 SP6",
"product": {
"name": "SUSE Linux Enterprise Desktop",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise High Performance Computing 15 SP3",
"product": {
"name": "SUSE Linux Enterprise High Performance Computing",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Micro 5.5",
"product": {
"name": "SUSE Linux Enterprise Micro",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server 15 SP4",
"product": {
"name": "SUSE Linux Enterprise Server",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Real Time 15 SP6",
"product": {
"name": "SUSE Linux Enterprise Real Time",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "Legacy Module 15-SP7",
"product": {
"name": "Legacy Module",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server 15 SP7",
"product": {
"name": "SUSE Linux Enterprise Server",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server 15 SP5 LTSS",
"product": {
"name": "SUSE Linux Enterprise Server",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Workstation Extension 15 SP6",
"product": {
"name": "SUSE Linux Enterprise Workstation Extension",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server 15 SP3 Business Critical Linux",
"product": {
"name": "SUSE Linux Enterprise Server",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server 15 SP3",
"product": {
"name": "SUSE Linux Enterprise Server",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "Development Tools Module 15-SP7",
"product": {
"name": "Development Tools Module",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise High Availability Extension 15 SP6",
"product": {
"name": "SUSE Linux Enterprise High Availability Extension",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Micro 5.4",
"product": {
"name": "SUSE Linux Enterprise Micro",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Live Patching 15-SP4",
"product": {
"name": "SUSE Linux Enterprise Live Patching",
"vendor": {
"name": "SUSE",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2023-53443",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53443"
},
{
"name": "CVE-2023-53453",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53453"
},
{
"name": "CVE-2022-50378",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50378"
},
{
"name": "CVE-2025-38380",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38380"
},
{
"name": "CVE-2022-50291",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50291"
},
{
"name": "CVE-2023-53247",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53247"
},
{
"name": "CVE-2022-50433",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50433"
},
{
"name": "CVE-2022-50356",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50356"
},
{
"name": "CVE-2023-53473",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53473"
},
{
"name": "CVE-2022-49138",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49138"
},
{
"name": "CVE-2022-50425",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50425"
},
{
"name": "CVE-2025-38201",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38201"
},
{
"name": "CVE-2022-50367",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50367"
},
{
"name": "CVE-2025-39808",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39808"
},
{
"name": "CVE-2023-53347",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53347"
},
{
"name": "CVE-2023-53475",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53475"
},
{
"name": "CVE-2025-38520",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38520"
},
{
"name": "CVE-2023-53312",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53312"
},
{
"name": "CVE-2025-38588",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38588"
},
{
"name": "CVE-2023-53311",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53311"
},
{
"name": "CVE-2025-38574",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38574"
},
{
"name": "CVE-2022-50398",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50398"
},
{
"name": "CVE-2023-53393",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53393"
},
{
"name": "CVE-2023-53480",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53480"
},
{
"name": "CVE-2023-53303",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53303"
},
{
"name": "CVE-2023-28328",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-28328"
},
{
"name": "CVE-2025-39757",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39757"
},
{
"name": "CVE-2022-50469",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50469"
},
{
"name": "CVE-2022-50429",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50429"
},
{
"name": "CVE-2023-53193",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53193"
},
{
"name": "CVE-2023-53150",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53150"
},
{
"name": "CVE-2023-53321",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53321"
},
{
"name": "CVE-2025-39772",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39772"
},
{
"name": "CVE-2023-53317",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53317"
},
{
"name": "CVE-2023-53176",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53176"
},
{
"name": "CVE-2023-53362",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53362"
},
{
"name": "CVE-2022-50298",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50298"
},
{
"name": "CVE-2025-38601",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38601"
},
{
"name": "CVE-2025-39826",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39826"
},
{
"name": "CVE-2022-50288",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50288"
},
{
"name": "CVE-2025-38515",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38515"
},
{
"name": "CVE-2025-38645",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38645"
},
{
"name": "CVE-2023-5633",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-5633"
},
{
"name": "CVE-2025-38444",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38444"
},
{
"name": "CVE-2023-53349",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53349"
},
{
"name": "CVE-2025-39685",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39685"
},
{
"name": "CVE-2025-38660",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38660"
},
{
"name": "CVE-2025-39761",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39761"
},
{
"name": "CVE-2023-53405",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53405"
},
{
"name": "CVE-2023-53185",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53185"
},
{
"name": "CVE-2023-53320",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53320"
},
{
"name": "CVE-2023-53359",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53359"
},
{
"name": "CVE-2022-50466",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50466"
},
{
"name": "CVE-2023-53509",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53509"
},
{
"name": "CVE-2023-53421",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53421"
},
{
"name": "CVE-2023-53441",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53441"
},
{
"name": "CVE-2023-53199",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53199"
},
{
"name": "CVE-2025-39764",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39764"
},
{
"name": "CVE-2023-53245",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53245"
},
{
"name": "CVE-2023-53415",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53415"
},
{
"name": "CVE-2025-38624",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38624"
},
{
"name": "CVE-2024-53194",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-53194"
},
{
"name": "CVE-2025-39827",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39827"
},
{
"name": "CVE-2022-50255",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50255"
},
{
"name": "CVE-2025-39746",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39746"
},
{
"name": "CVE-2023-53461",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53461"
},
{
"name": "CVE-2025-38208",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38208"
},
{
"name": "CVE-2023-53531",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53531"
},
{
"name": "CVE-2025-39889",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39889"
},
{
"name": "CVE-2025-38524",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38524"
},
{
"name": "CVE-2025-38466",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38466"
},
{
"name": "CVE-2023-53258",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53258"
},
{
"name": "CVE-2023-53429",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53429"
},
{
"name": "CVE-2023-53449",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53449"
},
{
"name": "CVE-2025-38595",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38595"
},
{
"name": "CVE-2023-53451",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53451"
},
{
"name": "CVE-2023-53325",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53325"
},
{
"name": "CVE-2022-50368",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50368"
},
{
"name": "CVE-2023-53511",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53511"
},
{
"name": "CVE-2025-38216",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38216"
},
{
"name": "CVE-2022-50349",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50349"
},
{
"name": "CVE-2023-53394",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53394"
},
{
"name": "CVE-2023-53494",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53494"
},
{
"name": "CVE-2025-39925",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39925"
},
{
"name": "CVE-2025-39811",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39811"
},
{
"name": "CVE-2022-50358",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50358"
},
{
"name": "CVE-2025-38646",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38646"
},
{
"name": "CVE-2025-38491",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38491"
},
{
"name": "CVE-2025-38408",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38408"
},
{
"name": "CVE-2022-50386",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50386"
},
{
"name": "CVE-2025-38644",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38644"
},
{
"name": "CVE-2025-38692",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38692"
},
{
"name": "CVE-2022-50244",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50244"
},
{
"name": "CVE-2025-38563",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38563"
},
{
"name": "CVE-2023-53209",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53209"
},
{
"name": "CVE-2025-39701",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39701"
},
{
"name": "CVE-2023-53222",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53222"
},
{
"name": "CVE-2023-53264",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53264"
},
{
"name": "CVE-2022-50323",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50323"
},
{
"name": "CVE-2025-38591",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38591"
},
{
"name": "CVE-2022-50441",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50441"
},
{
"name": "CVE-2025-38609",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38609"
},
{
"name": "CVE-2023-53519",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53519"
},
{
"name": "CVE-2022-50294",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50294"
},
{
"name": "CVE-2023-53447",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53447"
},
{
"name": "CVE-2023-53472",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53472"
},
{
"name": "CVE-2022-50242",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50242"
},
{
"name": "CVE-2023-53248",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53248"
},
{
"name": "CVE-2025-22023",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22023"
},
{
"name": "CVE-2025-38500",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38500"
},
{
"name": "CVE-2025-39709",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39709"
},
{
"name": "CVE-2023-53217",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53217"
},
{
"name": "CVE-2023-53390",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53390"
},
{
"name": "CVE-2023-53491",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53491"
},
{
"name": "CVE-2025-39787",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39787"
},
{
"name": "CVE-2025-39920",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39920"
},
{
"name": "CVE-2022-50379",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50379"
},
{
"name": "CVE-2022-50257",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50257"
},
{
"name": "CVE-2023-53354",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53354"
},
{
"name": "CVE-2023-53504",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53504"
},
{
"name": "CVE-2025-38734",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38734"
},
{
"name": "CVE-2025-38571",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38571"
},
{
"name": "CVE-2022-50301",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50301"
},
{
"name": "CVE-2022-50432",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50432"
},
{
"name": "CVE-2023-53340",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53340"
},
{
"name": "CVE-2025-38695",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38695"
},
{
"name": "CVE-2023-52923",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52923"
},
{
"name": "CVE-2023-53323",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53323"
},
{
"name": "CVE-2025-39749",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39749"
},
{
"name": "CVE-2022-50304",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50304"
},
{
"name": "CVE-2024-26661",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26661"
},
{
"name": "CVE-2023-53189",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53189"
},
{
"name": "CVE-2023-53427",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53427"
},
{
"name": "CVE-2023-53498",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53498"
},
{
"name": "CVE-2023-4130",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-4130"
},
{
"name": "CVE-2023-53242",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53242"
},
{
"name": "CVE-2022-50395",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50395"
},
{
"name": "CVE-2023-53309",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53309"
},
{
"name": "CVE-2025-39923",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39923"
},
{
"name": "CVE-2025-38445",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38445"
},
{
"name": "CVE-2025-38456",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38456"
},
{
"name": "CVE-2025-38538",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38538"
},
{
"name": "CVE-2022-50456",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50456"
},
{
"name": "CVE-2025-39751",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39751"
},
{
"name": "CVE-2024-58238",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-58238"
},
{
"name": "CVE-2023-53425",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53425"
},
{
"name": "CVE-2022-50458",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50458"
},
{
"name": "CVE-2022-50321",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50321"
},
{
"name": "CVE-2023-53235",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53235"
},
{
"name": "CVE-2025-38565",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38565"
},
{
"name": "CVE-2022-50439",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50439"
},
{
"name": "CVE-2025-38710",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38710"
},
{
"name": "CVE-2023-53304",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53304"
},
{
"name": "CVE-2025-39681",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39681"
},
{
"name": "CVE-2023-53216",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53216"
},
{
"name": "CVE-2025-39770",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39770"
},
{
"name": "CVE-2023-53339",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53339"
},
{
"name": "CVE-2023-53239",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53239"
},
{
"name": "CVE-2023-53280",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53280"
},
{
"name": "CVE-2025-38705",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38705"
},
{
"name": "CVE-2023-53179",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53179"
},
{
"name": "CVE-2022-50434",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50434"
},
{
"name": "CVE-2025-38706",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38706"
},
{
"name": "CVE-2022-50234",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50234"
},
{
"name": "CVE-2025-39750",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39750"
},
{
"name": "CVE-2025-38587",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38587"
},
{
"name": "CVE-2023-53520",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53520"
},
{
"name": "CVE-2022-50353",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50353"
},
{
"name": "CVE-2023-53493",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53493"
},
{
"name": "CVE-2022-49975",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49975"
},
{
"name": "CVE-2022-50404",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50404"
},
{
"name": "CVE-2023-53492",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53492"
},
{
"name": "CVE-2023-31248",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-31248"
},
{
"name": "CVE-2022-50360",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50360"
},
{
"name": "CVE-2023-53388",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53388"
},
{
"name": "CVE-2025-39853",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39853"
},
{
"name": "CVE-2025-38555",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38555"
},
{
"name": "CVE-2023-53221",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53221"
},
{
"name": "CVE-2022-50264",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50264"
},
{
"name": "CVE-2025-39871",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39871"
},
{
"name": "CVE-2025-39857",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39857"
},
{
"name": "CVE-2022-50452",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50452"
},
{
"name": "CVE-2022-50320",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50320"
},
{
"name": "CVE-2025-38590",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38590"
},
{
"name": "CVE-2025-38709",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38709"
},
{
"name": "CVE-2022-50286",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50286"
},
{
"name": "CVE-2022-50449",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50449"
},
{
"name": "CVE-2023-53431",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53431"
},
{
"name": "CVE-2022-50324",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50324"
},
{
"name": "CVE-2024-58090",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-58090"
},
{
"name": "CVE-2023-53462",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53462"
},
{
"name": "CVE-2025-39865",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39865"
},
{
"name": "CVE-2025-39816",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39816"
},
{
"name": "CVE-2025-38584",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38584"
},
{
"name": "CVE-2025-39675",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39675"
},
{
"name": "CVE-2025-39679",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39679"
},
{
"name": "CVE-2025-38527",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38527"
},
{
"name": "CVE-2025-37958",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37958"
},
{
"name": "CVE-2022-50447",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50447"
},
{
"name": "CVE-2022-50251",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50251"
},
{
"name": "CVE-2025-39763",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39763"
},
{
"name": "CVE-2023-53148",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53148"
},
{
"name": "CVE-2025-38693",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38693"
},
{
"name": "CVE-2025-38679",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38679"
},
{
"name": "CVE-2025-38459",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38459"
},
{
"name": "CVE-2022-50373",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50373"
},
{
"name": "CVE-2023-53505",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53505"
},
{
"name": "CVE-2025-38685",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38685"
},
{
"name": "CVE-2022-50269",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50269"
},
{
"name": "CVE-2023-53275",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53275"
},
{
"name": "CVE-2022-50437",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50437"
},
{
"name": "CVE-2022-50391",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50391"
},
{
"name": "CVE-2023-53476",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53476"
},
{
"name": "CVE-2025-38184",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38184"
},
{
"name": "CVE-2023-53468",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53468"
},
{
"name": "CVE-2022-50261",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50261"
},
{
"name": "CVE-2022-50351",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50351"
},
{
"name": "CVE-2022-50272",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50272"
},
{
"name": "CVE-2022-50331",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50331"
},
{
"name": "CVE-2025-39838",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39838"
},
{
"name": "CVE-2025-39823",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39823"
},
{
"name": "CVE-2025-38234",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38234"
},
{
"name": "CVE-2024-50154",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50154"
},
{
"name": "CVE-2025-38634",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38634"
},
{
"name": "CVE-2023-53183",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53183"
},
{
"name": "CVE-2023-53195",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53195"
},
{
"name": "CVE-2023-53232",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53232"
},
{
"name": "CVE-2025-39864",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39864"
},
{
"name": "CVE-2025-38458",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38458"
},
{
"name": "CVE-2025-39730",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39730"
},
{
"name": "CVE-2025-38011",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38011"
},
{
"name": "CVE-2022-50268",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50268"
},
{
"name": "CVE-2022-36280",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-36280"
},
{
"name": "CVE-2023-53319",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53319"
},
{
"name": "CVE-2022-50444",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50444"
},
{
"name": "CVE-2025-39824",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39824"
},
{
"name": "CVE-2023-53515",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53515"
},
{
"name": "CVE-2023-53420",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53420"
},
{
"name": "CVE-2023-53424",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53424"
},
{
"name": "CVE-2025-38464",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38464"
},
{
"name": "CVE-2023-53241",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53241"
},
{
"name": "CVE-2023-53305",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53305"
},
{
"name": "CVE-2023-42753",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-42753"
},
{
"name": "CVE-2025-38702",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38702"
},
{
"name": "CVE-2023-53177",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53177"
},
{
"name": "CVE-2023-53381",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53381"
},
{
"name": "CVE-2023-53369",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53369"
},
{
"name": "CVE-2025-38724",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38724"
},
{
"name": "CVE-2022-50419",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50419"
},
{
"name": "CVE-2025-38582",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38582"
},
{
"name": "CVE-2023-53332",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53332"
},
{
"name": "CVE-2025-38543",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38543"
},
{
"name": "CVE-2025-38698",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38698"
},
{
"name": "CVE-2023-53328",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53328"
},
{
"name": "CVE-2022-50289",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50289"
},
{
"name": "CVE-2022-50329",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50329"
},
{
"name": "CVE-2025-39842",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39842"
},
{
"name": "CVE-2025-39739",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39739"
},
{
"name": "CVE-2023-53165",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53165"
},
{
"name": "CVE-2023-53270",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53270"
},
{
"name": "CVE-2025-38419",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38419"
},
{
"name": "CVE-2025-38533",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38533"
},
{
"name": "CVE-2023-53284",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53284"
},
{
"name": "CVE-2022-50265",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50265"
},
{
"name": "CVE-2025-38537",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38537"
},
{
"name": "CVE-2025-39849",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39849"
},
{
"name": "CVE-2025-38546",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38546"
},
{
"name": "CVE-2022-50409",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50409"
},
{
"name": "CVE-2022-50453",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50453"
},
{
"name": "CVE-2023-53512",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53512"
},
{
"name": "CVE-2022-50418",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50418"
},
{
"name": "CVE-2023-53438",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53438"
},
{
"name": "CVE-2023-53238",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53238"
},
{
"name": "CVE-2025-21791",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21791"
},
{
"name": "CVE-2025-39861",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39861"
},
{
"name": "CVE-2022-50253",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50253"
},
{
"name": "CVE-2022-50405",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50405"
},
{
"name": "CVE-2025-38251",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38251"
},
{
"name": "CVE-2023-53378",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53378"
},
{
"name": "CVE-2025-38597",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38597"
},
{
"name": "CVE-2025-39743",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39743"
},
{
"name": "CVE-2025-39718",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39718"
},
{
"name": "CVE-2022-50333",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50333"
},
{
"name": "CVE-2025-38712",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38712"
},
{
"name": "CVE-2025-38732",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38732"
},
{
"name": "CVE-2025-39773",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39773"
},
{
"name": "CVE-2023-53360",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53360"
},
{
"name": "CVE-2025-39885",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39885"
},
{
"name": "CVE-2023-53336",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53336"
},
{
"name": "CVE-2023-53426",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53426"
},
{
"name": "CVE-2023-53370",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53370"
},
{
"name": "CVE-2022-50330",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50330"
},
{
"name": "CVE-2023-53223",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53223"
},
{
"name": "CVE-2022-2602",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2602"
},
{
"name": "CVE-2025-38632",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38632"
},
{
"name": "CVE-2022-50309",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50309"
},
{
"name": "CVE-2025-38548",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38548"
},
{
"name": "CVE-2023-53448",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53448"
},
{
"name": "CVE-2023-53308",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53308"
},
{
"name": "CVE-2023-53374",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53374"
},
{
"name": "CVE-2023-53384",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53384"
},
{
"name": "CVE-2025-38014",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38014"
},
{
"name": "CVE-2022-50297",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50297"
},
{
"name": "CVE-2025-38727",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38727"
},
{
"name": "CVE-2025-38465",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38465"
},
{
"name": "CVE-2022-50435",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50435"
},
{
"name": "CVE-2025-38513",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38513"
},
{
"name": "CVE-2022-50411",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50411"
},
{
"name": "CVE-2022-50465",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50465"
},
{
"name": "CVE-2022-50346",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50346"
},
{
"name": "CVE-2025-38670",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38670"
},
{
"name": "CVE-2025-39732",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39732"
},
{
"name": "CVE-2023-53458",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53458"
},
{
"name": "CVE-2022-50393",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50393"
},
{
"name": "CVE-2023-53367",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53367"
},
{
"name": "CVE-2025-38602",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38602"
},
{
"name": "CVE-2022-50417",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50417"
},
{
"name": "CVE-2023-53326",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53326"
},
{
"name": "CVE-2025-38441",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38441"
},
{
"name": "CVE-2023-53457",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53457"
},
{
"name": "CVE-2025-39845",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39845"
},
{
"name": "CVE-2023-53230",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53230"
},
{
"name": "CVE-2023-53397",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53397"
},
{
"name": "CVE-2023-53171",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53171"
},
{
"name": "CVE-2025-38568",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38568"
},
{
"name": "CVE-2023-53489",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53489"
},
{
"name": "CVE-2022-50370",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50370"
},
{
"name": "CVE-2025-38583",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38583"
},
{
"name": "CVE-2023-53516",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53516"
},
{
"name": "CVE-2023-53474",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53474"
},
{
"name": "CVE-2025-38499",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38499"
},
{
"name": "CVE-2025-38735",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38735"
},
{
"name": "CVE-2022-50247",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50247"
},
{
"name": "CVE-2025-38402",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38402"
},
{
"name": "CVE-2022-50325",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50325"
},
{
"name": "CVE-2022-50355",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50355"
},
{
"name": "CVE-2023-53400",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53400"
},
{
"name": "CVE-2022-50292",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50292"
},
{
"name": "CVE-2023-53287",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53287"
},
{
"name": "CVE-2025-38616",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38616"
},
{
"name": "CVE-2025-37738",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37738"
},
{
"name": "CVE-2022-50406",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50406"
},
{
"name": "CVE-2025-38119",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38119"
},
{
"name": "CVE-2025-38245",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38245"
},
{
"name": "CVE-2025-38656",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38656"
},
{
"name": "CVE-2022-50454",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50454"
},
{
"name": "CVE-2023-53350",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53350"
},
{
"name": "CVE-2025-38614",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38614"
},
{
"name": "CVE-2022-50354",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50354"
},
{
"name": "CVE-2022-50249",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50249"
},
{
"name": "CVE-2023-53237",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53237"
},
{
"name": "CVE-2025-38664",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38664"
},
{
"name": "CVE-2023-53454",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53454"
},
{
"name": "CVE-2023-53471",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53471"
},
{
"name": "CVE-2023-53182",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53182"
},
{
"name": "CVE-2025-38541",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38541"
},
{
"name": "CVE-2023-53416",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53416"
},
{
"name": "CVE-2022-50344",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50344"
},
{
"name": "CVE-2023-53322",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53322"
},
{
"name": "CVE-2023-53220",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53220"
},
{
"name": "CVE-2023-53272",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53272"
},
{
"name": "CVE-2022-50388",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50388"
},
{
"name": "CVE-2023-53178",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53178"
},
{
"name": "CVE-2023-53210",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53210"
},
{
"name": "CVE-2025-38694",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38694"
},
{
"name": "CVE-2021-4460",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-4460"
},
{
"name": "CVE-2023-3772",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-3772"
},
{
"name": "CVE-2023-53259",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53259"
},
{
"name": "CVE-2025-38676",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38676"
},
{
"name": "CVE-2025-38530",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38530"
},
{
"name": "CVE-2024-26583",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26583"
},
{
"name": "CVE-2022-50318",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50318"
},
{
"name": "CVE-2023-53413",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53413"
},
{
"name": "CVE-2022-50389",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50389"
},
{
"name": "CVE-2023-53528",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53528"
},
{
"name": "CVE-2023-53524",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53524"
},
{
"name": "CVE-2023-53496",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53496"
},
{
"name": "CVE-2025-38729",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38729"
},
{
"name": "CVE-2023-53257",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53257"
},
{
"name": "CVE-2022-50390",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50390"
},
{
"name": "CVE-2023-53523",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53523"
},
{
"name": "CVE-2022-50359",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50359"
},
{
"name": "CVE-2023-53357",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53357"
},
{
"name": "CVE-2025-38681",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38681"
},
{
"name": "CVE-2025-38593",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38593"
},
{
"name": "CVE-2022-50285",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50285"
},
{
"name": "CVE-2022-2978",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2978"
},
{
"name": "CVE-2025-38687",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38687"
},
{
"name": "CVE-2022-49980",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49980"
},
{
"name": "CVE-2023-53335",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53335"
},
{
"name": "CVE-2023-53488",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53488"
},
{
"name": "CVE-2023-53464",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53464"
},
{
"name": "CVE-2025-38111",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38111"
},
{
"name": "CVE-2023-53334",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53334"
},
{
"name": "CVE-2022-43945",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43945"
},
{
"name": "CVE-2023-53356",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53356"
},
{
"name": "CVE-2025-38529",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38529"
},
{
"name": "CVE-2023-53510",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53510"
},
{
"name": "CVE-2023-53151",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53151"
},
{
"name": "CVE-2025-38715",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38715"
},
{
"name": "CVE-2025-38089",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38089"
},
{
"name": "CVE-2022-50352",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50352"
},
{
"name": "CVE-2025-38608",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38608"
},
{
"name": "CVE-2025-38650",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38650"
},
{
"name": "CVE-2025-39710",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39710"
},
{
"name": "CVE-2023-53215",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53215"
},
{
"name": "CVE-2022-50342",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50342"
},
{
"name": "CVE-2023-53288",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53288"
},
{
"name": "CVE-2024-26584",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26584"
},
{
"name": "CVE-2023-53406",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53406"
},
{
"name": "CVE-2025-38621",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38621"
},
{
"name": "CVE-2023-53352",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53352"
},
{
"name": "CVE-2025-38160",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38160"
},
{
"name": "CVE-2023-1380",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-1380"
},
{
"name": "CVE-2023-53291",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53291"
},
{
"name": "CVE-2022-50408",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50408"
},
{
"name": "CVE-2025-38528",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38528"
},
{
"name": "CVE-2022-50399",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50399"
},
{
"name": "CVE-2022-50372",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50372"
},
{
"name": "CVE-2025-39834",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39834"
},
{
"name": "CVE-2022-50431",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50431"
},
{
"name": "CVE-2022-50357",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50357"
},
{
"name": "CVE-2023-53263",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53263"
},
{
"name": "CVE-2023-53527",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53527"
},
{
"name": "CVE-2022-50303",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50303"
},
{
"name": "CVE-2025-38713",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38713"
},
{
"name": "CVE-2023-53404",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53404"
},
{
"name": "CVE-2025-38556",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38556"
},
{
"name": "CVE-2025-38678",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38678"
},
{
"name": "CVE-2023-53344",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53344"
},
{
"name": "CVE-2023-53324",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53324"
},
{
"name": "CVE-2023-53465",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53465"
},
{
"name": "CVE-2022-50468",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50468"
},
{
"name": "CVE-2025-39810",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39810"
},
{
"name": "CVE-2025-39782",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39782"
},
{
"name": "CVE-2025-38075",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38075"
},
{
"name": "CVE-2025-37885",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37885"
},
{
"name": "CVE-2023-53368",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53368"
},
{
"name": "CVE-2025-38697",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38697"
},
{
"name": "CVE-2022-50282",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50282"
},
{
"name": "CVE-2025-38691",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38691"
},
{
"name": "CVE-2023-53276",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53276"
},
{
"name": "CVE-2025-39759",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39759"
},
{
"name": "CVE-2025-38617",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38617"
},
{
"name": "CVE-2025-38639",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38639"
},
{
"name": "CVE-2025-38628",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38628"
},
{
"name": "CVE-2023-53518",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53518"
},
{
"name": "CVE-2025-38612",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38612"
},
{
"name": "CVE-2022-50250",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50250"
},
{
"name": "CVE-2023-53466",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53466"
},
{
"name": "CVE-2023-53168",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53168"
},
{
"name": "CVE-2025-39860",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39860"
},
{
"name": "CVE-2025-21692",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21692"
},
{
"name": "CVE-2022-50347",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50347"
},
{
"name": "CVE-2025-39754",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39754"
},
{
"name": "CVE-2023-53506",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53506"
},
{
"name": "CVE-2025-38566",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38566"
},
{
"name": "CVE-2025-39721",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39721"
},
{
"name": "CVE-2023-53398",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53398"
},
{
"name": "CVE-2025-39760",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39760"
},
{
"name": "CVE-2023-53149",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53149"
},
{
"name": "CVE-2022-50443",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50443"
},
{
"name": "CVE-2025-38663",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38663"
},
{
"name": "CVE-2023-53409",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53409"
},
{
"name": "CVE-2023-53396",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53396"
},
{
"name": "CVE-2022-50260",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50260"
},
{
"name": "CVE-2025-39839",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39839"
},
{
"name": "CVE-2023-53282",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53282"
},
{
"name": "CVE-2025-39848",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39848"
},
{
"name": "CVE-2025-38722",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38722"
},
{
"name": "CVE-2025-39800",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39800"
},
{
"name": "CVE-2023-53435",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53435"
},
{
"name": "CVE-2022-50328",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50328"
},
{
"name": "CVE-2023-53391",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53391"
},
{
"name": "CVE-2023-53487",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53487"
},
{
"name": "CVE-2022-50267",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50267"
},
{
"name": "CVE-2023-53437",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53437"
},
{
"name": "CVE-2022-50317",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50317"
},
{
"name": "CVE-2025-39703",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39703"
},
{
"name": "CVE-2023-53250",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53250"
},
{
"name": "CVE-2023-53338",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53338"
},
{
"name": "CVE-2025-38665",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38665"
},
{
"name": "CVE-2022-50235",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50235"
},
{
"name": "CVE-2025-38671",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38671"
},
{
"name": "CVE-2023-53231",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53231"
},
{
"name": "CVE-2023-53206",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53206"
},
{
"name": "CVE-2022-50364",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50364"
},
{
"name": "CVE-2025-38635",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38635"
},
{
"name": "CVE-2022-50276",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50276"
},
{
"name": "CVE-2023-53432",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53432"
},
{
"name": "CVE-2025-38488",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38488"
},
{
"name": "CVE-2022-50464",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50464"
},
{
"name": "CVE-2023-3867",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-3867"
},
{
"name": "CVE-2022-50401",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50401"
},
{
"name": "CVE-2025-38540",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38540"
},
{
"name": "CVE-2022-50376",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50376"
},
{
"name": "CVE-2025-39825",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39825"
},
{
"name": "CVE-2023-53422",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53422"
},
{
"name": "CVE-2023-53383",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53383"
},
{
"name": "CVE-2023-53244",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53244"
},
{
"name": "CVE-2022-50275",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50275"
},
{
"name": "CVE-2023-53373",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53373"
},
{
"name": "CVE-2022-50287",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50287"
},
{
"name": "CVE-2023-53375",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53375"
},
{
"name": "CVE-2025-39882",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39882"
},
{
"name": "CVE-2025-39766",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39766"
},
{
"name": "CVE-2025-39801",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39801"
},
{
"name": "CVE-2022-50308",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50308"
},
{
"name": "CVE-2023-53530",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53530"
},
{
"name": "CVE-2025-38146",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38146"
},
{
"name": "CVE-2023-53197",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53197"
},
{
"name": "CVE-2025-39724",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39724"
},
{
"name": "CVE-2025-38510",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38510"
},
{
"name": "CVE-2025-39758",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39758"
},
{
"name": "CVE-2025-39694",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39694"
},
{
"name": "CVE-2025-38418",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38418"
},
{
"name": "CVE-2025-40300",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40300"
},
{
"name": "CVE-2023-53401",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53401"
},
{
"name": "CVE-2023-53229",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53229"
},
{
"name": "CVE-2025-39806",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39806"
},
{
"name": "CVE-2022-50414",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50414"
},
{
"name": "CVE-2023-53521",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53521"
},
{
"name": "CVE-2023-53479",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53479"
},
{
"name": "CVE-2025-38668",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38668"
},
{
"name": "CVE-2025-38721",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38721"
},
{
"name": "CVE-2023-53313",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53313"
},
{
"name": "CVE-2023-53395",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53395"
},
{
"name": "CVE-2025-39684",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39684"
},
{
"name": "CVE-2022-50339",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50339"
},
{
"name": "CVE-2022-50436",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50436"
},
{
"name": "CVE-2022-50271",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50271"
},
{
"name": "CVE-2025-38526",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38526"
},
{
"name": "CVE-2023-53485",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53485"
},
{
"name": "CVE-2025-38472",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38472"
},
{
"name": "CVE-2025-38506",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38506"
},
{
"name": "CVE-2025-38703",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38703"
},
{
"name": "CVE-2025-39870",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39870"
},
{
"name": "CVE-2022-50241",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50241"
},
{
"name": "CVE-2025-39807",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39807"
},
{
"name": "CVE-2022-50258",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50258"
},
{
"name": "CVE-2025-38604",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38604"
},
{
"name": "CVE-2025-38623",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38623"
},
{
"name": "CVE-2023-53365",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53365"
},
{
"name": "CVE-2025-22022",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22022"
},
{
"name": "CVE-2025-38544",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38544"
},
{
"name": "CVE-2025-39922",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39922"
},
{
"name": "CVE-2025-39797",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39797"
},
{
"name": "CVE-2025-38725",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38725"
},
{
"name": "CVE-2023-53184",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53184"
},
{
"name": "CVE-2022-50365",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50365"
},
{
"name": "CVE-2025-38006",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38006"
},
{
"name": "CVE-2022-50312",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50312"
},
{
"name": "CVE-2023-53196",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53196"
},
{
"name": "CVE-2025-38125",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38125"
},
{
"name": "CVE-2023-53501",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53501"
},
{
"name": "CVE-2025-38351",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38351"
},
{
"name": "CVE-2025-38477",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38477"
},
{
"name": "CVE-2022-50340",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50340"
},
{
"name": "CVE-2023-53331",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53331"
},
{
"name": "CVE-2024-46733",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-46733"
},
{
"name": "CVE-2025-38683",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38683"
},
{
"name": "CVE-2023-53440",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53440"
},
{
"name": "CVE-2025-39846",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39846"
},
{
"name": "CVE-2022-50374",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50374"
},
{
"name": "CVE-2022-50375",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50375"
},
{
"name": "CVE-2024-58239",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-58239"
},
{
"name": "CVE-2022-50460",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50460"
},
{
"name": "CVE-2023-53307",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53307"
},
{
"name": "CVE-2023-53152",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53152"
},
{
"name": "CVE-2025-38185",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38185"
},
{
"name": "CVE-2025-39691",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39691"
},
{
"name": "CVE-2025-39850",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39850"
},
{
"name": "CVE-2023-53442",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53442"
},
{
"name": "CVE-2025-39890",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39890"
},
{
"name": "CVE-2025-39844",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39844"
},
{
"name": "CVE-2025-39742",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39742"
},
{
"name": "CVE-2023-53286",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53286"
},
{
"name": "CVE-2023-53207",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53207"
},
{
"name": "CVE-2025-38605",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38605"
},
{
"name": "CVE-2022-50362",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50362"
},
{
"name": "CVE-2023-53205",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53205"
},
{
"name": "CVE-2025-38263",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38263"
},
{
"name": "CVE-2025-38610",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38610"
},
{
"name": "CVE-2025-39863",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39863"
},
{
"name": "CVE-2023-53180",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53180"
},
{
"name": "CVE-2025-38560",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38560"
},
{
"name": "CVE-2023-53385",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53385"
},
{
"name": "CVE-2023-53226",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53226"
},
{
"name": "CVE-2023-53525",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53525"
},
{
"name": "CVE-2025-38701",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38701"
},
{
"name": "CVE-2024-58240",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-58240"
},
{
"name": "CVE-2023-53249",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53249"
},
{
"name": "CVE-2023-53252",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53252"
},
{
"name": "CVE-2023-53261",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53261"
},
{
"name": "CVE-2022-50396",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50396"
},
{
"name": "CVE-2025-39726",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39726"
},
{
"name": "CVE-2023-53246",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53246"
},
{
"name": "CVE-2024-53168",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-53168"
},
{
"name": "CVE-2023-53364",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53364"
},
{
"name": "CVE-2022-50423",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50423"
},
{
"name": "CVE-2025-38618",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38618"
},
{
"name": "CVE-2022-50239",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50239"
},
{
"name": "CVE-2023-53532",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53532"
},
{
"name": "CVE-2022-50348",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50348"
},
{
"name": "CVE-2023-53508",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53508"
},
{
"name": "CVE-2025-38581",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38581"
},
{
"name": "CVE-2023-53213",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53213"
},
{
"name": "CVE-2023-53526",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53526"
},
{
"name": "CVE-2025-39891",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39891"
},
{
"name": "CVE-2025-39790",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39790"
},
{
"name": "CVE-2023-53255",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53255"
},
{
"name": "CVE-2023-53277",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53277"
},
{
"name": "CVE-2025-38680",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38680"
},
{
"name": "CVE-2023-53379",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53379"
},
{
"name": "CVE-2025-38684",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38684"
},
{
"name": "CVE-2025-39686",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39686"
},
{
"name": "CVE-2025-39798",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39798"
},
{
"name": "CVE-2025-38730",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38730"
},
{
"name": "CVE-2023-4515",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-4515"
},
{
"name": "CVE-2025-39747",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39747"
},
{
"name": "CVE-2023-53343",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53343"
},
{
"name": "CVE-2023-53299",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53299"
},
{
"name": "CVE-2023-53268",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53268"
},
{
"name": "CVE-2025-38516",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38516"
},
{
"name": "CVE-2023-53204",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53204"
},
{
"name": "CVE-2025-39714",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39714"
},
{
"name": "CVE-2023-53333",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53333"
},
{
"name": "CVE-2022-50394",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50394"
},
{
"name": "CVE-2023-53456",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53456"
},
{
"name": "CVE-2022-50266",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50266"
},
{
"name": "CVE-2023-53446",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53446"
},
{
"name": "CVE-2023-53463",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53463"
},
{
"name": "CVE-2023-53170",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53170"
},
{
"name": "CVE-2023-53260",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53260"
},
{
"name": "CVE-2025-39854",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39854"
},
{
"name": "CVE-2023-53386",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53386"
},
{
"name": "CVE-2025-39706",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39706"
},
{
"name": "CVE-2025-39830",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39830"
},
{
"name": "CVE-2025-38576",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38576"
},
{
"name": "CVE-2025-39869",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39869"
},
{
"name": "CVE-2023-53181",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53181"
},
{
"name": "CVE-2023-53174",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53174"
},
{
"name": "CVE-2025-38439",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38439"
},
{
"name": "CVE-2025-39719",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39719"
},
{
"name": "CVE-2025-39695",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39695"
},
{
"name": "CVE-2023-53254",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53254"
},
{
"name": "CVE-2022-50430",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50430"
},
{
"name": "CVE-2025-38553",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38553"
},
{
"name": "CVE-2025-38190",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38190"
},
{
"name": "CVE-2025-39738",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39738"
},
{
"name": "CVE-2023-53295",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53295"
},
{
"name": "CVE-2023-53298",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53298"
},
{
"name": "CVE-2025-38205",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38205"
},
{
"name": "CVE-2023-53507",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53507"
},
{
"name": "CVE-2023-53314",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53314"
},
{
"name": "CVE-2023-53281",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53281"
},
{
"name": "CVE-2023-53330",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53330"
},
{
"name": "CVE-2025-39705",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39705"
},
{
"name": "CVE-2022-50422",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50422"
},
{
"name": "CVE-2022-50252",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50252"
},
{
"name": "CVE-2025-39713",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39713"
},
{
"name": "CVE-2023-53316",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53316"
},
{
"name": "CVE-2022-50412",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50412"
},
{
"name": "CVE-2022-50299",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50299"
},
{
"name": "CVE-2023-53208",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53208"
},
{
"name": "CVE-2025-39744",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39744"
},
{
"name": "CVE-2023-53315",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53315"
},
{
"name": "CVE-2025-38736",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38736"
},
{
"name": "CVE-2023-53297",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53297"
},
{
"name": "CVE-2023-53499",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53499"
},
{
"name": "CVE-2023-53234",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53234"
},
{
"name": "CVE-2025-21969",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21969"
},
{
"name": "CVE-2023-53167",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53167"
},
{
"name": "CVE-2023-53342",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53342"
},
{
"name": "CVE-2025-39678",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39678"
},
{
"name": "CVE-2023-53414",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53414"
},
{
"name": "CVE-2025-38531",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38531"
},
{
"name": "CVE-2023-53265",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53265"
},
{
"name": "CVE-2025-39693",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39693"
},
{
"name": "CVE-2022-50246",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50246"
},
{
"name": "CVE-2025-38503",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38503"
},
{
"name": "CVE-2025-38630",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38630"
},
{
"name": "CVE-2023-53490",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53490"
},
{
"name": "CVE-2023-53302",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53302"
},
{
"name": "CVE-2023-53482",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53482"
},
{
"name": "CVE-2023-53444",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53444"
},
{
"name": "CVE-2023-53175",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53175"
},
{
"name": "CVE-2022-50392",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50392"
},
{
"name": "CVE-2025-38585",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38585"
},
{
"name": "CVE-2022-50233",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50233"
},
{
"name": "CVE-2023-53274",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53274"
},
{
"name": "CVE-2025-39682",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39682"
},
{
"name": "CVE-2022-50410",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50410"
},
{
"name": "CVE-2022-50428",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50428"
},
{
"name": "CVE-2023-39197",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-39197"
},
{
"name": "CVE-2025-39833",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39833"
},
{
"name": "CVE-2025-39832",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39832"
},
{
"name": "CVE-2023-53495",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53495"
},
{
"name": "CVE-2023-53436",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53436"
},
{
"name": "CVE-2022-50402",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50402"
},
{
"name": "CVE-2025-38643",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38643"
},
{
"name": "CVE-2022-50427",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50427"
},
{
"name": "CVE-2022-50278",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50278"
},
{
"name": "CVE-2023-53273",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53273"
},
{
"name": "CVE-2023-53377",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53377"
},
{
"name": "CVE-2023-53500",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53500"
},
{
"name": "CVE-2025-38103",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38103"
},
{
"name": "CVE-2025-39847",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39847"
},
{
"name": "CVE-2025-38514",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38514"
},
{
"name": "CVE-2025-38360",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38360"
},
{
"name": "CVE-2025-39783",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39783"
},
{
"name": "CVE-2025-39835",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39835"
},
{
"name": "CVE-2025-38255",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38255"
},
{
"name": "CVE-2025-38512",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38512"
},
{
"name": "CVE-2025-38622",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38622"
},
{
"name": "CVE-2022-50279",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50279"
},
{
"name": "CVE-2023-53243",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53243"
},
{
"name": "CVE-2023-53348",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53348"
},
{
"name": "CVE-2023-53219",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53219"
},
{
"name": "CVE-2022-50467",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50467"
},
{
"name": "CVE-2023-53428",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53428"
},
{
"name": "CVE-2025-39677",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39677"
},
{
"name": "CVE-2022-50440",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50440"
},
{
"name": "CVE-2025-39707",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39707"
},
{
"name": "CVE-2022-50248",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50248"
},
{
"name": "CVE-2025-39907",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39907"
},
{
"name": "CVE-2023-53147",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53147"
},
{
"name": "CVE-2023-53292",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53292"
},
{
"name": "CVE-2025-38640",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38640"
},
{
"name": "CVE-2023-53371",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53371"
},
{
"name": "CVE-2025-38659",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38659"
},
{
"name": "CVE-2022-50311",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50311"
},
{
"name": "CVE-2024-53125",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-53125"
},
{
"name": "CVE-2025-38572",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38572"
},
{
"name": "CVE-2022-50381",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50381"
},
{
"name": "CVE-2023-53187",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53187"
},
{
"name": "CVE-2025-38550",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38550"
},
{
"name": "CVE-2023-53201",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53201"
},
{
"name": "CVE-2025-39711",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39711"
},
{
"name": "CVE-2022-50385",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50385"
},
{
"name": "CVE-2025-38535",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38535"
},
{
"name": "CVE-2025-39873",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39873"
},
{
"name": "CVE-2022-50459",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50459"
},
{
"name": "CVE-2023-53192",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53192"
},
{
"name": "CVE-2022-50277",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50277"
},
{
"name": "CVE-2025-38714",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38714"
},
{
"name": "CVE-2023-53251",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53251"
},
{
"name": "CVE-2024-53093",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-53093"
},
{
"name": "CVE-2023-53337",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53337"
},
{
"name": "CVE-2023-53380",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53380"
},
{
"name": "CVE-2023-53452",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53452"
},
{
"name": "CVE-2022-50369",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50369"
},
{
"name": "CVE-2023-53153",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53153"
}
],
"initial_release_date": "2025-10-17T00:00:00",
"last_revision_date": "2025-10-17T00:00:00",
"links": [],
"reference": "CERTFR-2025-AVI-0895",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-10-17T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Ex\u00e9cution de code arbitraire"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans le noyau Linux de SUSE. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es, une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es et un contournement de la politique de s\u00e9curit\u00e9.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans le noyau Linux de SUSE",
"vendor_advisories": [
{
"published_at": "2025-10-16",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:03615-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503615-1"
},
{
"published_at": "2025-10-11",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:03553-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503553-1"
},
{
"published_at": "2025-10-11",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:03557-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503557-1"
},
{
"published_at": "2025-10-10",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:03539-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503539-1"
},
{
"published_at": "2025-10-10",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:03543-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503543-1"
},
{
"published_at": "2025-10-13",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:03580-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503580-1"
},
{
"published_at": "2025-10-16",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:03613-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503613-1"
},
{
"published_at": "2025-10-15",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:03600-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503600-1"
},
{
"published_at": "2025-10-15",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:03602-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503602-1"
},
{
"published_at": "2025-10-12",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:03561-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503561-1"
},
{
"published_at": "2025-10-16",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:03614-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503614-1"
},
{
"published_at": "2025-10-12",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:03567-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503567-1"
},
{
"published_at": "2025-10-11",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:03554-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503554-1"
},
{
"published_at": "2025-10-12",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:03576-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503576-1"
},
{
"published_at": "2025-10-17",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:03626-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503626-1"
},
{
"published_at": "2025-10-11",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:03548-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503548-1"
},
{
"published_at": "2025-10-11",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:03551-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503551-1"
},
{
"published_at": "2025-10-15",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:03601-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503601-1"
},
{
"published_at": "2025-10-13",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:03578-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503578-1"
},
{
"published_at": "2025-10-12",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:03575-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503575-1"
},
{
"published_at": "2025-10-12",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:03562-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503562-1"
},
{
"published_at": "2025-10-12",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:03572-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503572-1"
},
{
"published_at": "2025-10-11",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:03550-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503550-1"
},
{
"published_at": "2025-10-12",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:03568-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503568-1"
},
{
"published_at": "2025-10-12",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:03569-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503569-1"
},
{
"published_at": "2025-10-12",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:03563-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503563-1"
},
{
"published_at": "2025-10-12",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:03566-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503566-1"
},
{
"published_at": "2025-10-11",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:03555-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503555-1"
},
{
"published_at": "2025-10-10",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:03529-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503529-1"
},
{
"published_at": "2025-10-10",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:03538-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503538-1"
},
{
"published_at": "2025-10-12",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:03571-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503571-1"
},
{
"published_at": "2025-10-12",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:03559-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503559-1"
},
{
"published_at": "2025-10-10",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:03528-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503528-1"
},
{
"published_at": "2025-10-13",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:03583-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503583-1"
},
{
"published_at": "2025-10-11",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:03552-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503552-1"
},
{
"published_at": "2025-10-12",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:03577-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503577-1"
}
]
}
CVE-2023-53208 (GCVE-0-2023-53208)
Vulnerability from cvelistv5 – Published: 2025-09-15 14:21 – Updated: 2026-01-14 17:52
Title
KVM: nSVM: Load L1's TSC multiplier based on L1 state, not L2 state
Summary
In the Linux kernel, the following vulnerability has been resolved:

KVM: nSVM: Load L1's TSC multiplier based on L1 state, not L2 state

When emulating nested VM-Exit, load L1's TSC multiplier if L1's desired
ratio doesn't match the current ratio, not if the ratio L1 is using for
L2 diverges from the default. Functionally, the end result is the same
as KVM will run L2 with L1's multiplier if L2's multiplier is the default,
i.e. checking that L1's multiplier is loaded is equivalent to checking if
L2 has a non-default multiplier.

However, the assertion that TSC scaling is exposed to L1 is flawed, as
userspace can trigger the WARN at will by writing the MSR and then
updating guest CPUID to hide the feature (modifying guest CPUID is
allowed anytime before KVM_RUN). E.g. hacking KVM's state_test
selftest to do

  vcpu_set_msr(vcpu, MSR_AMD64_TSC_RATIO, 0);
  vcpu_clear_cpuid_feature(vcpu, X86_FEATURE_TSCRATEMSR);

after restoring state in a new VM+vCPU yields an endless supply of:

  ------------[ cut here ]------------
  WARNING: CPU: 10 PID: 206939 at arch/x86/kvm/svm/nested.c:1105
           nested_svm_vmexit+0x6af/0x720 [kvm_amd]
  Call Trace:
   nested_svm_exit_handled+0x102/0x1f0 [kvm_amd]
   svm_handle_exit+0xb9/0x180 [kvm_amd]
   kvm_arch_vcpu_ioctl_run+0x1eab/0x2570 [kvm]
   kvm_vcpu_ioctl+0x4c9/0x5b0 [kvm]
   ? trace_hardirqs_off+0x4d/0xa0
   __se_sys_ioctl+0x7a/0xc0
   __x64_sys_ioctl+0x21/0x30
   do_syscall_64+0x41/0x90
   entry_SYSCALL_64_after_hwframe+0x63/0xcd

Unlike the nested VMRUN path, hoisting the svm->tsc_scaling_enabled check
into the if-statement is wrong as KVM needs to ensure L1's multiplier is
loaded in the above scenario. Alternatively, the WARN_ON() could simply
be deleted, but that would make KVM's behavior even more subtle, e.g. it's
not immediately obvious why it's safe to write MSR_AMD64_TSC_RATIO when
checking only tsc_ratio_msr.
Severity
5.5 (Medium)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 5228eb96a4875f8cf5d61d486e3795ac14df8904 , < 5b2b0535fa7adee7e295fed0a3095082131a8d05 (git) |
| Linux | Linux | Affected: 5228eb96a4875f8cf5d61d486e3795ac14df8904 , < e91c07f6cf7060d2acb3aeee31a6baebe3773d3f (git) |
| Linux | Linux | Affected: 5228eb96a4875f8cf5d61d486e3795ac14df8904 , < 0c94e2468491cbf0754f49a5136ab51294a96b69 (git) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-53208",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T17:48:02.195989Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T17:52:56.568Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/svm/nested.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5b2b0535fa7adee7e295fed0a3095082131a8d05",
"status": "affected",
"version": "5228eb96a4875f8cf5d61d486e3795ac14df8904",
"versionType": "git"
},
{
"lessThan": "e91c07f6cf7060d2acb3aeee31a6baebe3773d3f",
"status": "affected",
"version": "5228eb96a4875f8cf5d61d486e3795ac14df8904",
"versionType": "git"
},
{
"lessThan": "0c94e2468491cbf0754f49a5136ab51294a96b69",
"status": "affected",
"version": "5228eb96a4875f8cf5d61d486e3795ac14df8904",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/svm/nested.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.54",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.4",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: nSVM: Load L1\u0027s TSC multiplier based on L1 state, not L2 state\n\nWhen emulating nested VM-Exit, load L1\u0027s TSC multiplier if L1\u0027s desired\nratio doesn\u0027t match the current ratio, not if the ratio L1 is using for\nL2 diverges from the default. Functionally, the end result is the same\nas KVM will run L2 with L1\u0027s multiplier if L2\u0027s multiplier is the default,\ni.e. checking that L1\u0027s multiplier is loaded is equivalent to checking if\nL2 has a non-default multiplier.\n\nHowever, the assertion that TSC scaling is exposed to L1 is flawed, as\nuserspace can trigger the WARN at will by writing the MSR and then\nupdating guest CPUID to hide the feature (modifying guest CPUID is\nallowed anytime before KVM_RUN). E.g. hacking KVM\u0027s state_test\nselftest to do\n\n vcpu_set_msr(vcpu, MSR_AMD64_TSC_RATIO, 0);\n vcpu_clear_cpuid_feature(vcpu, X86_FEATURE_TSCRATEMSR);\n\nafter restoring state in a new VM+vCPU yields an endless supply of:\n\n ------------[ cut here ]------------\n WARNING: CPU: 10 PID: 206939 at arch/x86/kvm/svm/nested.c:1105\n nested_svm_vmexit+0x6af/0x720 [kvm_amd]\n Call Trace:\n nested_svm_exit_handled+0x102/0x1f0 [kvm_amd]\n svm_handle_exit+0xb9/0x180 [kvm_amd]\n kvm_arch_vcpu_ioctl_run+0x1eab/0x2570 [kvm]\n kvm_vcpu_ioctl+0x4c9/0x5b0 [kvm]\n ? trace_hardirqs_off+0x4d/0xa0\n __se_sys_ioctl+0x7a/0xc0\n __x64_sys_ioctl+0x21/0x30\n do_syscall_64+0x41/0x90\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nUnlike the nested VMRUN path, hoisting the svm-\u003etsc_scaling_enabled check\ninto the if-statement is wrong as KVM needs to ensure L1\u0027s multiplier is\nloaded in the above scenario. Alternatively, the WARN_ON() could simply\nbe deleted, but that would make KVM\u0027s behavior even more subtle, e.g. it\u0027s\nnot immediately obvious why it\u0027s safe to write MSR_AMD64_TSC_RATIO when\nchecking only tsc_ratio_msr."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T14:21:36.170Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5b2b0535fa7adee7e295fed0a3095082131a8d05"
},
{
"url": "https://git.kernel.org/stable/c/e91c07f6cf7060d2acb3aeee31a6baebe3773d3f"
},
{
"url": "https://git.kernel.org/stable/c/0c94e2468491cbf0754f49a5136ab51294a96b69"
}
],
"title": "KVM: nSVM: Load L1\u0027s TSC multiplier based on L1 state, not L2 state",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53208",
"datePublished": "2025-09-15T14:21:36.170Z",
"dateReserved": "2025-09-15T13:59:19.068Z",
"dateUpdated": "2026-01-14T17:52:56.568Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38639 (GCVE-0-2025-38639)
Vulnerability from cvelistv5 – Published: 2025-08-22 16:00 – Updated: 2025-11-03 17:40
Title
netfilter: xt_nfacct: don't assume acct name is null-terminated
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: xt_nfacct: don't assume acct name is null-terminated
BUG: KASAN: slab-out-of-bounds in .. lib/vsprintf.c:721
Read of size 1 at addr ffff88801eac95c8 by task syz-executor183/5851
[..]
string+0x231/0x2b0 lib/vsprintf.c:721
vsnprintf+0x739/0xf00 lib/vsprintf.c:2874
[..]
nfacct_mt_checkentry+0xd2/0xe0 net/netfilter/xt_nfacct.c:41
xt_check_match+0x3d1/0xab0 net/netfilter/x_tables.c:523
nfnl_acct_find_get() handles non-null input, but the error
printk relied on its presence.
Severity
No CVSS data available.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:40:40.018Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/xt_nfacct.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "66d41268ede1e1b6e71ba28be923397ff0b2b9c3",
"status": "affected",
"version": "ceb98d03eac5704820f2ac1f370c9ff385e3a9f5",
"versionType": "git"
},
{
"lessThan": "e021a1eee196887536a6630c5492c23a4c78d452",
"status": "affected",
"version": "ceb98d03eac5704820f2ac1f370c9ff385e3a9f5",
"versionType": "git"
},
{
"lessThan": "b10cfa2de13d28ddd03210eb234422b7ec92725a",
"status": "affected",
"version": "ceb98d03eac5704820f2ac1f370c9ff385e3a9f5",
"versionType": "git"
},
{
"lessThan": "e18939176e657a3a20bfbed357b8c55a9f82aba3",
"status": "affected",
"version": "ceb98d03eac5704820f2ac1f370c9ff385e3a9f5",
"versionType": "git"
},
{
"lessThan": "58004aa21e79addaf41667bfe65e93ec51653f18",
"status": "affected",
"version": "ceb98d03eac5704820f2ac1f370c9ff385e3a9f5",
"versionType": "git"
},
{
"lessThan": "7c1ae471da69c09242834e956218ea6a42dd405a",
"status": "affected",
"version": "ceb98d03eac5704820f2ac1f370c9ff385e3a9f5",
"versionType": "git"
},
{
"lessThan": "58007fc7b94fb2702000045ff401eb7f5bde7828",
"status": "affected",
"version": "ceb98d03eac5704820f2ac1f370c9ff385e3a9f5",
"versionType": "git"
},
{
"lessThan": "df13c9c6ce1d55c31d1bd49db65a7fbbd86aab13",
"status": "affected",
"version": "ceb98d03eac5704820f2ac1f370c9ff385e3a9f5",
"versionType": "git"
},
{
"lessThan": "bf58e667af7d96c8eb9411f926a0a0955f41ce21",
"status": "affected",
"version": "ceb98d03eac5704820f2ac1f370c9ff385e3a9f5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/xt_nfacct.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.3"
},
{
"lessThan": "3.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.148",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.102",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.148",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.102",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.42",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.10",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "3.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: xt_nfacct: don\u0027t assume acct name is null-terminated\n\nBUG: KASAN: slab-out-of-bounds in .. lib/vsprintf.c:721\nRead of size 1 at addr ffff88801eac95c8 by task syz-executor183/5851\n[..]\n string+0x231/0x2b0 lib/vsprintf.c:721\n vsnprintf+0x739/0xf00 lib/vsprintf.c:2874\n [..]\n nfacct_mt_checkentry+0xd2/0xe0 net/netfilter/xt_nfacct.c:41\n xt_check_match+0x3d1/0xab0 net/netfilter/x_tables.c:523\n\nnfnl_acct_find_get() handles non-null input, but the error\nprintk relied on its presence."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:55:18.042Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/66d41268ede1e1b6e71ba28be923397ff0b2b9c3"
},
{
"url": "https://git.kernel.org/stable/c/e021a1eee196887536a6630c5492c23a4c78d452"
},
{
"url": "https://git.kernel.org/stable/c/b10cfa2de13d28ddd03210eb234422b7ec92725a"
},
{
"url": "https://git.kernel.org/stable/c/e18939176e657a3a20bfbed357b8c55a9f82aba3"
},
{
"url": "https://git.kernel.org/stable/c/58004aa21e79addaf41667bfe65e93ec51653f18"
},
{
"url": "https://git.kernel.org/stable/c/7c1ae471da69c09242834e956218ea6a42dd405a"
},
{
"url": "https://git.kernel.org/stable/c/58007fc7b94fb2702000045ff401eb7f5bde7828"
},
{
"url": "https://git.kernel.org/stable/c/df13c9c6ce1d55c31d1bd49db65a7fbbd86aab13"
},
{
"url": "https://git.kernel.org/stable/c/bf58e667af7d96c8eb9411f926a0a0955f41ce21"
}
],
"title": "netfilter: xt_nfacct: don\u0027t assume acct name is null-terminated",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38639",
"datePublished": "2025-08-22T16:00:45.953Z",
"dateReserved": "2025-04-16T04:51:24.030Z",
"dateUpdated": "2025-11-03T17:40:40.018Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53183 (GCVE-0-2023-53183)
Vulnerability from cvelistv5 – Published: 2025-09-15 14:04 – Updated: 2026-01-05 10:43
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
{
"containers": {
"cna": {
"providerMetadata": {
"dateUpdated": "2026-01-05T10:43:58.174Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"rejectedReasons": [
{
"lang": "en",
"value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53183",
"datePublished": "2025-09-15T14:04:35.399Z",
"dateRejected": "2026-01-05T10:43:58.174Z",
"dateReserved": "2025-09-15T13:59:19.065Z",
"dateUpdated": "2026-01-05T10:43:58.174Z",
"state": "REJECTED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53197 (GCVE-0-2023-53197)
Vulnerability from cvelistv5 – Published: 2025-09-15 14:06 – Updated: 2026-01-05 10:18
Title
USB: uhci: fix memory leak with using debugfs_lookup()
Summary
In the Linux kernel, the following vulnerability has been resolved:
USB: uhci: fix memory leak with using debugfs_lookup()
When calling debugfs_lookup() the result must have dput() called on it,
otherwise the memory will leak over time. To make things simpler, just
call debugfs_lookup_and_remove() instead which handles all of the logic
at once.
Severity
No CVSS data available.
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/host/uhci-hcd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c6af1dbc99ad37bf67c8703982df4d7f12d256c1",
"status": "affected",
"version": "5649d86f537887c2be88689986ec4dd493d4babe",
"versionType": "git"
},
{
"lessThan": "e529aeb771aef1402c899b6b405610ef444d5d88",
"status": "affected",
"version": "5649d86f537887c2be88689986ec4dd493d4babe",
"versionType": "git"
},
{
"lessThan": "9cb88847b8b86f132309030022a23dca895b6f61",
"status": "affected",
"version": "5649d86f537887c2be88689986ec4dd493d4babe",
"versionType": "git"
},
{
"lessThan": "0a3f82c79c86278e7f144564b1cb6cc5c3657144",
"status": "affected",
"version": "5649d86f537887c2be88689986ec4dd493d4babe",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/host/uhci-hcd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.100",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.100",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.18",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.5",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: uhci: fix memory leak with using debugfs_lookup()\n\nWhen calling debugfs_lookup() the result must have dput() called on it,\notherwise the memory will leak over time. To make things simpler, just\ncall debugfs_lookup_and_remove() instead which handles all of the logic\nat once."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:18:40.213Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c6af1dbc99ad37bf67c8703982df4d7f12d256c1"
},
{
"url": "https://git.kernel.org/stable/c/e529aeb771aef1402c899b6b405610ef444d5d88"
},
{
"url": "https://git.kernel.org/stable/c/9cb88847b8b86f132309030022a23dca895b6f61"
},
{
"url": "https://git.kernel.org/stable/c/0a3f82c79c86278e7f144564b1cb6cc5c3657144"
}
],
"title": "USB: uhci: fix memory leak with using debugfs_lookup()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53197",
"datePublished": "2025-09-15T14:06:45.301Z",
"dateReserved": "2025-09-15T13:59:19.067Z",
"dateUpdated": "2026-01-05T10:18:40.213Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53231 (GCVE-0-2023-53231)
Vulnerability from cvelistv5 – Published: 2025-09-15 14:22 – Updated: 2026-01-14 18:02
Title
erofs: Fix detection of atomic context
Summary
In the Linux kernel, the following vulnerability has been resolved:
erofs: Fix detection of atomic context
Current check for atomic context is not sufficient as
z_erofs_decompressqueue_endio can be called under rcu lock
from blk_mq_flush_plug_list(). See the stacktrace [1]
In such case we should hand off the decompression work for async
processing rather than trying to do sync decompression in current
context. Patch fixes the detection by checking for
rcu_read_lock_any_held() and while at it use more appropriate
!in_task() check than in_atomic().
Background: Historically erofs would always schedule a kworker for
decompression which would incur the scheduling cost regardless of
the context. But z_erofs_decompressqueue_endio() may not always
be in atomic context and we could actually benefit from doing the
decompression in z_erofs_decompressqueue_endio() if we are in
thread context, for example when running with dm-verity.
This optimization was later added in patch [2] which has shown
improvement in performance benchmarks.
==============================================
[1] Problem stacktrace
[name:core&]BUG: sleeping function called from invalid context at kernel/locking/mutex.c:291
[name:core&]in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 1615, name: CpuMonitorServi
[name:core&]preempt_count: 0, expected: 0
[name:core&]RCU nest depth: 1, expected: 0
CPU: 7 PID: 1615 Comm: CpuMonitorServi Tainted: G S W OE 6.1.25-android14-5-maybe-dirty-mainline #1
Hardware name: MT6897 (DT)
Call trace:
dump_backtrace+0x108/0x15c
show_stack+0x20/0x30
dump_stack_lvl+0x6c/0x8c
dump_stack+0x20/0x48
__might_resched+0x1fc/0x308
__might_sleep+0x50/0x88
mutex_lock+0x2c/0x110
z_erofs_decompress_queue+0x11c/0xc10
z_erofs_decompress_kickoff+0x110/0x1a4
z_erofs_decompressqueue_endio+0x154/0x180
bio_endio+0x1b0/0x1d8
__dm_io_complete+0x22c/0x280
clone_endio+0xe4/0x280
bio_endio+0x1b0/0x1d8
blk_update_request+0x138/0x3a4
blk_mq_plug_issue_direct+0xd4/0x19c
blk_mq_flush_plug_list+0x2b0/0x354
__blk_flush_plug+0x110/0x160
blk_finish_plug+0x30/0x4c
read_pages+0x2fc/0x370
page_cache_ra_unbounded+0xa4/0x23c
page_cache_ra_order+0x290/0x320
do_sync_mmap_readahead+0x108/0x2c0
filemap_fault+0x19c/0x52c
__do_fault+0xc4/0x114
handle_mm_fault+0x5b4/0x1168
do_page_fault+0x338/0x4b4
do_translation_fault+0x40/0x60
do_mem_abort+0x60/0xc8
el0_da+0x4c/0xe0
el0t_64_sync_handler+0xd4/0xfc
el0t_64_sync+0x1a0/0x1a4
[2] Link: https://lore.kernel.org/all/20210317035448.13921-1-huangjianan@oppo.com/
Severity
5.5 (Medium)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-53231",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T17:55:25.324929Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T18:02:49.372Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/erofs/zdata.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "597fb60c75132719687e173b75cab8f6eb1ca657",
"status": "affected",
"version": "aea1286dcbbb87cf33595c2ac8b153c29a4611cb",
"versionType": "git"
},
{
"lessThan": "12d0a24afd9ea58e581ea64d64e066f2027b28d9",
"status": "affected",
"version": "aea1286dcbbb87cf33595c2ac8b153c29a4611cb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/erofs/zdata.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.19"
},
{
"lessThan": "4.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "4.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: Fix detection of atomic context\n\nCurrent check for atomic context is not sufficient as\nz_erofs_decompressqueue_endio can be called under rcu lock\nfrom blk_mq_flush_plug_list(). See the stacktrace [1]\n\nIn such case we should hand off the decompression work for async\nprocessing rather than trying to do sync decompression in current\ncontext. Patch fixes the detection by checking for\nrcu_read_lock_any_held() and while at it use more appropriate\n!in_task() check than in_atomic().\n\nBackground: Historically erofs would always schedule a kworker for\ndecompression which would incur the scheduling cost regardless of\nthe context. But z_erofs_decompressqueue_endio() may not always\nbe in atomic context and we could actually benefit from doing the\ndecompression in z_erofs_decompressqueue_endio() if we are in\nthread context, for example when running with dm-verity.\nThis optimization was later added in patch [2] which has shown\nimprovement in performance benchmarks.\n\n==============================================\n[1] Problem stacktrace\n[name:core\u0026]BUG: sleeping function called from invalid context at kernel/locking/mutex.c:291\n[name:core\u0026]in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 1615, name: CpuMonitorServi\n[name:core\u0026]preempt_count: 0, expected: 0\n[name:core\u0026]RCU nest depth: 1, expected: 0\nCPU: 7 PID: 1615 Comm: CpuMonitorServi Tainted: G S W OE 6.1.25-android14-5-maybe-dirty-mainline #1\nHardware name: MT6897 (DT)\nCall trace:\n dump_backtrace+0x108/0x15c\n show_stack+0x20/0x30\n dump_stack_lvl+0x6c/0x8c\n dump_stack+0x20/0x48\n __might_resched+0x1fc/0x308\n __might_sleep+0x50/0x88\n mutex_lock+0x2c/0x110\n z_erofs_decompress_queue+0x11c/0xc10\n z_erofs_decompress_kickoff+0x110/0x1a4\n z_erofs_decompressqueue_endio+0x154/0x180\n bio_endio+0x1b0/0x1d8\n __dm_io_complete+0x22c/0x280\n clone_endio+0xe4/0x280\n bio_endio+0x1b0/0x1d8\n blk_update_request+0x138/0x3a4\n blk_mq_plug_issue_direct+0xd4/0x19c\n blk_mq_flush_plug_list+0x2b0/0x354\n __blk_flush_plug+0x110/0x160\n blk_finish_plug+0x30/0x4c\n read_pages+0x2fc/0x370\n page_cache_ra_unbounded+0xa4/0x23c\n page_cache_ra_order+0x290/0x320\n do_sync_mmap_readahead+0x108/0x2c0\n filemap_fault+0x19c/0x52c\n __do_fault+0xc4/0x114\n handle_mm_fault+0x5b4/0x1168\n do_page_fault+0x338/0x4b4\n do_translation_fault+0x40/0x60\n do_mem_abort+0x60/0xc8\n el0_da+0x4c/0xe0\n el0t_64_sync_handler+0xd4/0xfc\n el0t_64_sync+0x1a0/0x1a4\n\n[2] Link: https://lore.kernel.org/all/20210317035448.13921-1-huangjianan@oppo.com/"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T08:02:24.954Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/597fb60c75132719687e173b75cab8f6eb1ca657"
},
{
"url": "https://git.kernel.org/stable/c/12d0a24afd9ea58e581ea64d64e066f2027b28d9"
}
],
"title": "erofs: Fix detection of atomic context",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53231",
"datePublished": "2025-09-15T14:22:03.599Z",
"dateReserved": "2025-09-15T14:19:21.847Z",
"dateUpdated": "2026-01-14T18:02:49.372Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38587 (GCVE-0-2025-38587)
Vulnerability from cvelistv5 – Published: 2025-08-19 17:03 – Updated: 2025-11-03 17:40
Title
ipv6: fix possible infinite loop in fib6_info_uses_dev()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv6: fix possible infinite loop in fib6_info_uses_dev()
fib6_info_uses_dev() seems to rely on RCU without an explicit
protection.
Like the prior fix in rt6_nlmsg_size(),
we need to make sure fib6_del_route() or fib6_add_rt2node()
have not removed the anchor from the list, or we risk an infinite loop.
Severity
No CVSS data available.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:40:12.598Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/route.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bc85e62394f008fa848c4ba02c936c735a3e8ef5",
"status": "affected",
"version": "d0ec61c9f3583b76aebdbb271f5c0d3fcccd48b2",
"versionType": "git"
},
{
"lessThan": "9cb6de8ee144a94ae7a40bdb32560329ab7276f0",
"status": "affected",
"version": "52da02521ede55fb86546c3fffd9377b3261b91f",
"versionType": "git"
},
{
"lessThan": "db65739d406c72776fbdbbc334be827ef05880d2",
"status": "affected",
"version": "34a949e7a0869dfa31a40416d2a56973fae1807b",
"versionType": "git"
},
{
"lessThan": "16d21816c0918f8058b5fc14cbe8595d62046e2d",
"status": "affected",
"version": "d9ccb18f83ea2bb654289b6ecf014fd267cc988b",
"versionType": "git"
},
{
"lessThan": "e09be457b71b983a085312ff9e981f51e4ed3211",
"status": "affected",
"version": "d9ccb18f83ea2bb654289b6ecf014fd267cc988b",
"versionType": "git"
},
{
"lessThan": "f8d8ce1b515a0a6af72b30502670a406cfb75073",
"status": "affected",
"version": "d9ccb18f83ea2bb654289b6ecf014fd267cc988b",
"versionType": "git"
},
{
"status": "affected",
"version": "11edcd026012ac18acee0f1514db3ed1b160fc6f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/route.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.13"
},
{
"lessThan": "6.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.148",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.102",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.148",
"versionStartIncluding": "6.1.128",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.102",
"versionStartIncluding": "6.6.75",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.42",
"versionStartIncluding": "6.12.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.10",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.11.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: fix possible infinite loop in fib6_info_uses_dev()\n\nfib6_info_uses_dev() seems to rely on RCU without an explicit\nprotection.\n\nLike the prior fix in rt6_nlmsg_size(),\nwe need to make sure fib6_del_route() or fib6_add_rt2node()\nhave not removed the anchor from the list, or we risk an infinite loop."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:54:19.423Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bc85e62394f008fa848c4ba02c936c735a3e8ef5"
},
{
"url": "https://git.kernel.org/stable/c/9cb6de8ee144a94ae7a40bdb32560329ab7276f0"
},
{
"url": "https://git.kernel.org/stable/c/db65739d406c72776fbdbbc334be827ef05880d2"
},
{
"url": "https://git.kernel.org/stable/c/16d21816c0918f8058b5fc14cbe8595d62046e2d"
},
{
"url": "https://git.kernel.org/stable/c/e09be457b71b983a085312ff9e981f51e4ed3211"
},
{
"url": "https://git.kernel.org/stable/c/f8d8ce1b515a0a6af72b30502670a406cfb75073"
}
],
"title": "ipv6: fix possible infinite loop in fib6_info_uses_dev()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38587",
"datePublished": "2025-08-19T17:03:08.924Z",
"dateReserved": "2025-04-16T04:51:24.026Z",
"dateUpdated": "2025-11-03T17:40:12.598Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39783 (GCVE-0-2025-39783)
Vulnerability from cvelistv5 – Published: 2025-09-11 16:56 – Updated: 2025-11-03 17:43
Title
PCI: endpoint: Fix configfs group list head handling
Summary
In the Linux kernel, the following vulnerability has been resolved:
PCI: endpoint: Fix configfs group list head handling
Doing a list_del() on the epf_group field of struct pci_epf_driver in
pci_epf_remove_cfs() is not correct as this field is a list head, not
a list entry. This list_del() call triggers a KASAN warning when an
endpoint function driver which has a configfs attribute group is torn
down:
==================================================================
BUG: KASAN: slab-use-after-free in pci_epf_remove_cfs+0x17c/0x198
Write of size 8 at addr ffff00010f4a0d80 by task rmmod/319
CPU: 3 UID: 0 PID: 319 Comm: rmmod Not tainted 6.16.0-rc2 #1 NONE
Hardware name: Radxa ROCK 5B (DT)
Call trace:
show_stack+0x2c/0x84 (C)
dump_stack_lvl+0x70/0x98
print_report+0x17c/0x538
kasan_report+0xb8/0x190
__asan_report_store8_noabort+0x20/0x2c
pci_epf_remove_cfs+0x17c/0x198
pci_epf_unregister_driver+0x18/0x30
nvmet_pci_epf_cleanup_module+0x24/0x30 [nvmet_pci_epf]
__arm64_sys_delete_module+0x264/0x424
invoke_syscall+0x70/0x260
el0_svc_common.constprop.0+0xac/0x230
do_el0_svc+0x40/0x58
el0_svc+0x48/0xdc
el0t_64_sync_handler+0x10c/0x138
el0t_64_sync+0x198/0x19c
...
Remove this incorrect list_del() call from pci_epf_remove_cfs().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: ef1433f717a2c63747a519d86965d73ff9bd08b3 , < 80ea6e6904fb2ba4ccb5d909579988466ec65358 (git) Affected: ef1433f717a2c63747a519d86965d73ff9bd08b3 , < d5aecddc3452371d9da82cdbb0c715812524b54b (git) Affected: ef1433f717a2c63747a519d86965d73ff9bd08b3 , < dc4ffbd571716ff3b171418fb03abe80e720a7b1 (git) Affected: ef1433f717a2c63747a519d86965d73ff9bd08b3 , < 409af8b9f7b4f23cd0464e71c6cd6fe13c076ae2 (git) Affected: ef1433f717a2c63747a519d86965d73ff9bd08b3 , < 0758862386f114d9ab1e23181461bd1e2e9ec4c6 (git) Affected: ef1433f717a2c63747a519d86965d73ff9bd08b3 , < 6cf65505523224cab1449d726d2ce8180c2941ee (git) Affected: ef1433f717a2c63747a519d86965d73ff9bd08b3 , < a302bd89db35d8b7e279de4d2b41c16c7f191069 (git) Affected: ef1433f717a2c63747a519d86965d73ff9bd08b3 , < d79123d79a8154b4318529b7b2ff7e15806f480b (git) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:43:19.404Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/pci/endpoint/pci-epf-core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "80ea6e6904fb2ba4ccb5d909579988466ec65358",
"status": "affected",
"version": "ef1433f717a2c63747a519d86965d73ff9bd08b3",
"versionType": "git"
},
{
"lessThan": "d5aecddc3452371d9da82cdbb0c715812524b54b",
"status": "affected",
"version": "ef1433f717a2c63747a519d86965d73ff9bd08b3",
"versionType": "git"
},
{
"lessThan": "dc4ffbd571716ff3b171418fb03abe80e720a7b1",
"status": "affected",
"version": "ef1433f717a2c63747a519d86965d73ff9bd08b3",
"versionType": "git"
},
{
"lessThan": "409af8b9f7b4f23cd0464e71c6cd6fe13c076ae2",
"status": "affected",
"version": "ef1433f717a2c63747a519d86965d73ff9bd08b3",
"versionType": "git"
},
{
"lessThan": "0758862386f114d9ab1e23181461bd1e2e9ec4c6",
"status": "affected",
"version": "ef1433f717a2c63747a519d86965d73ff9bd08b3",
"versionType": "git"
},
{
"lessThan": "6cf65505523224cab1449d726d2ce8180c2941ee",
"status": "affected",
"version": "ef1433f717a2c63747a519d86965d73ff9bd08b3",
"versionType": "git"
},
{
"lessThan": "a302bd89db35d8b7e279de4d2b41c16c7f191069",
"status": "affected",
"version": "ef1433f717a2c63747a519d86965d73ff9bd08b3",
"versionType": "git"
},
{
"lessThan": "d79123d79a8154b4318529b7b2ff7e15806f480b",
"status": "affected",
"version": "ef1433f717a2c63747a519d86965d73ff9bd08b3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/pci/endpoint/pci-epf-core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.18"
},
{
"lessThan": "4.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.44",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.44",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.4",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: endpoint: Fix configfs group list head handling\n\nDoing a list_del() on the epf_group field of struct pci_epf_driver in\npci_epf_remove_cfs() is not correct as this field is a list head, not\na list entry. This list_del() call triggers a KASAN warning when an\nendpoint function driver which has a configfs attribute group is torn\ndown:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in pci_epf_remove_cfs+0x17c/0x198\nWrite of size 8 at addr ffff00010f4a0d80 by task rmmod/319\n\nCPU: 3 UID: 0 PID: 319 Comm: rmmod Not tainted 6.16.0-rc2 #1 NONE\nHardware name: Radxa ROCK 5B (DT)\nCall trace:\nshow_stack+0x2c/0x84 (C)\ndump_stack_lvl+0x70/0x98\nprint_report+0x17c/0x538\nkasan_report+0xb8/0x190\n__asan_report_store8_noabort+0x20/0x2c\npci_epf_remove_cfs+0x17c/0x198\npci_epf_unregister_driver+0x18/0x30\nnvmet_pci_epf_cleanup_module+0x24/0x30 [nvmet_pci_epf]\n__arm64_sys_delete_module+0x264/0x424\ninvoke_syscall+0x70/0x260\nel0_svc_common.constprop.0+0xac/0x230\ndo_el0_svc+0x40/0x58\nel0_svc+0x48/0xdc\nel0t_64_sync_handler+0x10c/0x138\nel0t_64_sync+0x198/0x19c\n...\n\nRemove this incorrect list_del() call from pci_epf_remove_cfs()."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:59:19.426Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/80ea6e6904fb2ba4ccb5d909579988466ec65358"
},
{
"url": "https://git.kernel.org/stable/c/d5aecddc3452371d9da82cdbb0c715812524b54b"
},
{
"url": "https://git.kernel.org/stable/c/dc4ffbd571716ff3b171418fb03abe80e720a7b1"
},
{
"url": "https://git.kernel.org/stable/c/409af8b9f7b4f23cd0464e71c6cd6fe13c076ae2"
},
{
"url": "https://git.kernel.org/stable/c/0758862386f114d9ab1e23181461bd1e2e9ec4c6"
},
{
"url": "https://git.kernel.org/stable/c/6cf65505523224cab1449d726d2ce8180c2941ee"
},
{
"url": "https://git.kernel.org/stable/c/a302bd89db35d8b7e279de4d2b41c16c7f191069"
},
{
"url": "https://git.kernel.org/stable/c/d79123d79a8154b4318529b7b2ff7e15806f480b"
}
],
"title": "PCI: endpoint: Fix configfs group list head handling",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39783",
"datePublished": "2025-09-11T16:56:33.376Z",
"dateReserved": "2025-04-16T07:20:57.130Z",
"dateUpdated": "2025-11-03T17:43:19.404Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53476 (GCVE-0-2023-53476)
Vulnerability from cvelistv5 – Published: 2025-10-01 11:42 – Updated: 2025-10-01 11:42
Title
iw_cxgb4: Fix potential NULL dereference in c4iw_fill_res_cm_id_entry()
Summary
In the Linux kernel, the following vulnerability has been resolved:
iw_cxgb4: Fix potential NULL dereference in c4iw_fill_res_cm_id_entry()
This condition needs to match the previous "if (epcp->state == LISTEN) {"
exactly to avoid a NULL dereference of either "listen_ep" or "ep". The
problem is that "epcp" has been re-assigned so just testing
"if (epcp->state == LISTEN) {" a second time is not sufficient.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 116aeb8873712ea559d26b0d9d88147af5c88db5 , < 76e0396313c79ecd0df44ee3c18745cfac52b3e6 (git) Affected: 116aeb8873712ea559d26b0d9d88147af5c88db5 , < 24278dc380aab6a1aef0a75317f57ad4c2453cf6 (git) Affected: 116aeb8873712ea559d26b0d9d88147af5c88db5 , < dd55240e4364d64befcc575b0d33091881524f42 (git) Affected: 116aeb8873712ea559d26b0d9d88147af5c88db5 , < 4ca446b127c568b59cb8d9748b6f70499624bb18 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/cxgb4/restrack.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "76e0396313c79ecd0df44ee3c18745cfac52b3e6",
"status": "affected",
"version": "116aeb8873712ea559d26b0d9d88147af5c88db5",
"versionType": "git"
},
{
"lessThan": "24278dc380aab6a1aef0a75317f57ad4c2453cf6",
"status": "affected",
"version": "116aeb8873712ea559d26b0d9d88147af5c88db5",
"versionType": "git"
},
{
"lessThan": "dd55240e4364d64befcc575b0d33091881524f42",
"status": "affected",
"version": "116aeb8873712ea559d26b0d9d88147af5c88db5",
"versionType": "git"
},
{
"lessThan": "4ca446b127c568b59cb8d9748b6f70499624bb18",
"status": "affected",
"version": "116aeb8873712ea559d26b0d9d88147af5c88db5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/cxgb4/restrack.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.18"
},
{
"lessThan": "4.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "4.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niw_cxgb4: Fix potential NULL dereference in c4iw_fill_res_cm_id_entry()\n\nThis condition needs to match the previous \"if (epcp-\u003estate == LISTEN) {\"\nexactly to avoid a NULL dereference of either \"listen_ep\" or \"ep\". The\nproblem is that \"epcp\" has been re-assigned so just testing\n\"if (epcp-\u003estate == LISTEN) {\" a second time is not sufficient."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T11:42:45.499Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/76e0396313c79ecd0df44ee3c18745cfac52b3e6"
},
{
"url": "https://git.kernel.org/stable/c/24278dc380aab6a1aef0a75317f57ad4c2453cf6"
},
{
"url": "https://git.kernel.org/stable/c/dd55240e4364d64befcc575b0d33091881524f42"
},
{
"url": "https://git.kernel.org/stable/c/4ca446b127c568b59cb8d9748b6f70499624bb18"
}
],
"title": "iw_cxgb4: Fix potential NULL dereference in c4iw_fill_res_cm_id_entry()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53476",
"datePublished": "2025-10-01T11:42:45.499Z",
"dateReserved": "2025-10-01T11:39:39.401Z",
"dateUpdated": "2025-10-01T11:42:45.499Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53274 (GCVE-0-2023-53274)
Vulnerability from cvelistv5 – Published: 2025-09-16 08:11 – Updated: 2026-01-14 18:12
Title
clk: mediatek: mt8183: Add back SSPM related clocks
Summary
In the Linux kernel, the following vulnerability has been resolved:
clk: mediatek: mt8183: Add back SSPM related clocks
This reverts commit 860690a93ef23b567f781c1b631623e27190f101.
On the MT8183, the SSPM related clocks were removed claiming a lack of
usage. This however causes some issues when the driver was converted to
the new simple-probe mechanism. This mechanism allocates enough space
for all the clocks defined in the clock driver, not the highest index
in the DT binding. This leads to out-of-bound writes if there are holes
in the DT binding or the driver (due to deprecated or unimplemented
clocks). These errors can go unnoticed and cause memory corruption,
leading to crashes in unrelated areas, or nothing at all. KASAN will
detect them.
Add the SSPM related clocks back to the MT8183 clock driver to fully
implement the DT binding. The SSPM clocks are for the power management
co-processor, and should never be turned off. They are marked as such.
Severity ?
7.8 (High)
CWE
- CWE-787 - Out-of-bounds Write
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-53274",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T18:06:27.260606Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787 Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T18:12:53.858Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/clk/mediatek/clk-mt8183.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "45d69917a4af6c869193f95932dc6d6f15d5ef86",
"status": "affected",
"version": "3f37ba7cc385ba07762ffcd7ac38af8c0f84dd3e",
"versionType": "git"
},
{
"lessThan": "1eb8d61ac5c9c7ec56bb96d433532807509b9288",
"status": "affected",
"version": "3f37ba7cc385ba07762ffcd7ac38af8c0f84dd3e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/clk/mediatek/clk-mt8183.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.10",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: mediatek: mt8183: Add back SSPM related clocks\n\nThis reverts commit 860690a93ef23b567f781c1b631623e27190f101.\n\nOn the MT8183, the SSPM related clocks were removed claiming a lack of\nusage. This however causes some issues when the driver was converted to\nthe new simple-probe mechanism. This mechanism allocates enough space\nfor all the clocks defined in the clock driver, not the highest index\nin the DT binding. This leads to out-of-bound writes if their are holes\nin the DT binding or the driver (due to deprecated or unimplemented\nclocks). These errors can go unnoticed and cause memory corruption,\nleading to crashes in unrelated areas, or nothing at all. KASAN will\ndetect them.\n\nAdd the SSPM related clocks back to the MT8183 clock driver to fully\nimplement the DT binding. The SSPM clocks are for the power management\nco-processor, and should never be turned off. They are marked as such."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T08:11:09.549Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/45d69917a4af6c869193f95932dc6d6f15d5ef86"
},
{
"url": "https://git.kernel.org/stable/c/1eb8d61ac5c9c7ec56bb96d433532807509b9288"
}
],
"title": "clk: mediatek: mt8183: Add back SSPM related clocks",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53274",
"datePublished": "2025-09-16T08:11:09.549Z",
"dateReserved": "2025-09-16T08:09:37.990Z",
"dateUpdated": "2026-01-14T18:12:53.858Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53396 (GCVE-0-2023-53396)
Vulnerability from cvelistv5 – Published: 2025-09-18 13:33 – Updated: 2026-01-14 19:03
Title
ubifs: Fix memory leak in do_rename
Summary
In the Linux kernel, the following vulnerability has been resolved:
ubifs: Fix memory leak in do_rename
If renaming a file in an encrypted directory, function
fscrypt_setup_filename allocates memory for a file name. This name is
never used, and before returning to the caller the memory for it is not
freed.
When running kmemleak on it we see that it is registered as a leak. The
report below is triggered by a simple program 'rename' that renames a
file in an encrypted directory:
unreferenced object 0xffff888101502840 (size 32):
comm "rename", pid 9404, jiffies 4302582475 (age 435.735s)
backtrace:
__kmem_cache_alloc_node
__kmalloc
fscrypt_setup_filename
do_rename
ubifs_rename
vfs_rename
do_renameat2
To fix this we can remove the call to fscrypt_setup_filename as it's not
needed.
Severity ?
5.5 (Medium)
CWE
- CWE-401 - Missing Release of Memory after Effective Lifetime
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: c67bc98d1f0853bb196e9c48eab38b6f2ddab795 , < 43b2f7d690697182beed6f71aa57b7249d3cfc9c (git) Affected: 278d9a243635f26c05ad95dcf9c5a593b9e04dc6 , < 9f565752b328fe53c9e42b7d4e4d89a1da63d738 (git) Affected: 278d9a243635f26c05ad95dcf9c5a593b9e04dc6 , < 7e264f67b7d6580eff5c2696961039fd05c69258 (git) Affected: 278d9a243635f26c05ad95dcf9c5a593b9e04dc6 , < 517ddc0259d7a7231486bdafde8035c478bc4088 (git) Affected: 278d9a243635f26c05ad95dcf9c5a593b9e04dc6 , < 3a36d20e012903f45714df2731261fdefac900cb (git) Affected: 17495eb2f7f08113b50aba298c2c1a045824c4f7 (git) Affected: 868de33a39e0e1e91ed3ce4a23a65f30144d2443 (git) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-53396",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T19:00:16.329006Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T19:03:06.225Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ubifs/dir.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "43b2f7d690697182beed6f71aa57b7249d3cfc9c",
"status": "affected",
"version": "c67bc98d1f0853bb196e9c48eab38b6f2ddab795",
"versionType": "git"
},
{
"lessThan": "9f565752b328fe53c9e42b7d4e4d89a1da63d738",
"status": "affected",
"version": "278d9a243635f26c05ad95dcf9c5a593b9e04dc6",
"versionType": "git"
},
{
"lessThan": "7e264f67b7d6580eff5c2696961039fd05c69258",
"status": "affected",
"version": "278d9a243635f26c05ad95dcf9c5a593b9e04dc6",
"versionType": "git"
},
{
"lessThan": "517ddc0259d7a7231486bdafde8035c478bc4088",
"status": "affected",
"version": "278d9a243635f26c05ad95dcf9c5a593b9e04dc6",
"versionType": "git"
},
{
"lessThan": "3a36d20e012903f45714df2731261fdefac900cb",
"status": "affected",
"version": "278d9a243635f26c05ad95dcf9c5a593b9e04dc6",
"versionType": "git"
},
{
"status": "affected",
"version": "17495eb2f7f08113b50aba298c2c1a045824c4f7",
"versionType": "git"
},
{
"status": "affected",
"version": "868de33a39e0e1e91ed3ce4a23a65f30144d2443",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ubifs/dir.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.28",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.112",
"versionStartIncluding": "5.15.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.28",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.15",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.2",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.16.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.17.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nubifs: Fix memory leak in do_rename\n\nIf renaming a file in an encrypted directory, function\nfscrypt_setup_filename allocates memory for a file name. This name is\nnever used, and before returning to the caller the memory for it is not\nfreed.\n\nWhen running kmemleak on it we see that it is registered as a leak. The\nreport below is triggered by a simple program \u0027rename\u0027 that renames a\nfile in an encrypted directory:\n\n unreferenced object 0xffff888101502840 (size 32):\n comm \"rename\", pid 9404, jiffies 4302582475 (age 435.735s)\n backtrace:\n __kmem_cache_alloc_node\n __kmalloc\n fscrypt_setup_filename\n do_rename\n ubifs_rename\n vfs_rename\n do_renameat2\n\nTo fix this we can remove the call to fscrypt_setup_filename as it\u0027s not\nneeded."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-18T13:33:37.360Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/43b2f7d690697182beed6f71aa57b7249d3cfc9c"
},
{
"url": "https://git.kernel.org/stable/c/9f565752b328fe53c9e42b7d4e4d89a1da63d738"
},
{
"url": "https://git.kernel.org/stable/c/7e264f67b7d6580eff5c2696961039fd05c69258"
},
{
"url": "https://git.kernel.org/stable/c/517ddc0259d7a7231486bdafde8035c478bc4088"
},
{
"url": "https://git.kernel.org/stable/c/3a36d20e012903f45714df2731261fdefac900cb"
}
],
"title": "ubifs: Fix memory leak in do_rename",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53396",
"datePublished": "2025-09-18T13:33:37.360Z",
"dateReserved": "2025-09-17T14:54:09.738Z",
"dateUpdated": "2026-01-14T19:03:06.225Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53308 (GCVE-0-2023-53308)
Vulnerability from cvelistv5 – Published: 2025-09-16 16:11 – Updated: 2026-01-14 18:32
Title
net: fec: Better handle pm_runtime_get() failing in .remove()
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: fec: Better handle pm_runtime_get() failing in .remove()
In the (unlikely) event that pm_runtime_get() (disguised as
pm_runtime_resume_and_get()) fails, the remove callback returned an
error early. The problem with this is that the driver core ignores the
error value and continues removing the device. This results in a
resource leak. Worse the devm allocated resources are freed and so if a
callback of the driver is called later the register mapping is already
gone which probably results in a crash.
Severity ?
7.8 (High)
CWE
- CWE-415 - Double Free
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 982d424239d7fae74938557428d45c717567ea9b , < d52a0cca591e899d4e5c8ab19e067b4c6b7d104f (git) Affected: 04748841f7a02ec6ff07fadfc5d1f8e24e61946d , < be85912c36ddca3e8b2eef1b5392cd8db6bdb730 (git) Affected: a31eda65ba210741b598044d045480494d0ed52a , < b22b514209ff8c4287abb853399890ab97e1b5ca (git) Affected: a31eda65ba210741b598044d045480494d0ed52a , < 83996d317b1deddc85006376082e8886f55aa709 (git) Affected: a31eda65ba210741b598044d045480494d0ed52a , < c1bc2870f14e526a01897e14c747a0a0ca125231 (git) Affected: a31eda65ba210741b598044d045480494d0ed52a , < 9407454a9b18bbeff216e8ecde87ffb2171e9ccf (git) Affected: a31eda65ba210741b598044d045480494d0ed52a , < e02d8d5b1602689b98d9b91550a11b9b57baedbe (git) Affected: a31eda65ba210741b598044d045480494d0ed52a , < f816b9829b19394d318e01953aa3b2721bca040d (git) Affected: d961a58dcc9778948502847303d29d018a49710a (git) Affected: d9c7531fb4708eb3f22cccdb0b7371834d37555a (git) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-53308",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T18:23:55.145889Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-415",
"description": "CWE-415 Double Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T18:32:56.675Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/freescale/fec_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d52a0cca591e899d4e5c8ab19e067b4c6b7d104f",
"status": "affected",
"version": "982d424239d7fae74938557428d45c717567ea9b",
"versionType": "git"
},
{
"lessThan": "be85912c36ddca3e8b2eef1b5392cd8db6bdb730",
"status": "affected",
"version": "04748841f7a02ec6ff07fadfc5d1f8e24e61946d",
"versionType": "git"
},
{
"lessThan": "b22b514209ff8c4287abb853399890ab97e1b5ca",
"status": "affected",
"version": "a31eda65ba210741b598044d045480494d0ed52a",
"versionType": "git"
},
{
"lessThan": "83996d317b1deddc85006376082e8886f55aa709",
"status": "affected",
"version": "a31eda65ba210741b598044d045480494d0ed52a",
"versionType": "git"
},
{
"lessThan": "c1bc2870f14e526a01897e14c747a0a0ca125231",
"status": "affected",
"version": "a31eda65ba210741b598044d045480494d0ed52a",
"versionType": "git"
},
{
"lessThan": "9407454a9b18bbeff216e8ecde87ffb2171e9ccf",
"status": "affected",
"version": "a31eda65ba210741b598044d045480494d0ed52a",
"versionType": "git"
},
{
"lessThan": "e02d8d5b1602689b98d9b91550a11b9b57baedbe",
"status": "affected",
"version": "a31eda65ba210741b598044d045480494d0ed52a",
"versionType": "git"
},
{
"lessThan": "f816b9829b19394d318e01953aa3b2721bca040d",
"status": "affected",
"version": "a31eda65ba210741b598044d045480494d0ed52a",
"versionType": "git"
},
{
"status": "affected",
"version": "d961a58dcc9778948502847303d29d018a49710a",
"versionType": "git"
},
{
"status": "affected",
"version": "d9c7531fb4708eb3f22cccdb0b7371834d37555a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/freescale/fec_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.316",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.284",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.244",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.181",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.316",
"versionStartIncluding": "4.14.158",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.284",
"versionStartIncluding": "4.19.88",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.244",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.181",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.113",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.30",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.4",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.206",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.3.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fec: Better handle pm_runtime_get() failing in .remove()\n\nIn the (unlikely) event that pm_runtime_get() (disguised as\npm_runtime_resume_and_get()) fails, the remove callback returned an\nerror early. The problem with this is that the driver core ignores the\nerror value and continues removing the device. This results in a\nresource leak. Worse the devm allocated resources are freed and so if a\ncallback of the driver is called later the register mapping is already\ngone which probably results in a crash."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T16:11:46.998Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d52a0cca591e899d4e5c8ab19e067b4c6b7d104f"
},
{
"url": "https://git.kernel.org/stable/c/be85912c36ddca3e8b2eef1b5392cd8db6bdb730"
},
{
"url": "https://git.kernel.org/stable/c/b22b514209ff8c4287abb853399890ab97e1b5ca"
},
{
"url": "https://git.kernel.org/stable/c/83996d317b1deddc85006376082e8886f55aa709"
},
{
"url": "https://git.kernel.org/stable/c/c1bc2870f14e526a01897e14c747a0a0ca125231"
},
{
"url": "https://git.kernel.org/stable/c/9407454a9b18bbeff216e8ecde87ffb2171e9ccf"
},
{
"url": "https://git.kernel.org/stable/c/e02d8d5b1602689b98d9b91550a11b9b57baedbe"
},
{
"url": "https://git.kernel.org/stable/c/f816b9829b19394d318e01953aa3b2721bca040d"
}
],
"title": "net: fec: Better handle pm_runtime_get() failing in .remove()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53308",
"datePublished": "2025-09-16T16:11:46.998Z",
"dateReserved": "2025-09-16T16:08:59.561Z",
"dateUpdated": "2026-01-14T18:32:56.675Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38659 (GCVE-0-2025-38659)
Vulnerability from cvelistv5 – Published: 2025-08-22 16:01 – Updated: 2025-09-29 05:55
Title
gfs2: No more self recovery
Summary
In the Linux kernel, the following vulnerability has been resolved:
gfs2: No more self recovery
When a node withdraws and it turns out that it is the only node that has
the filesystem mounted, gfs2 currently tries to replay the local journal
to bring the filesystem back into a consistent state. Not only is that
a very bad idea, it has also never worked because gfs2_recover_func()
will refuse to do anything during a withdraw.
However, before even getting to this point, gfs2_recover_func()
dereferences sdp->sd_jdesc->jd_inode. This was a use-after-free before
commit 04133b607a78 ("gfs2: Prevent double iput for journal on error")
and is a NULL pointer dereference since then.
Simply get rid of self recovery to fix that.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux |
Affected:
601ef0d52e9617588fcff3df26953592f2eb44ac , < 1a91ba12abef628b43cada87478328274d988e88
(git)
Affected: 601ef0d52e9617588fcff3df26953592f2eb44ac , < f5426ffbec971a8f7346a57392d3a901bdee5a9b (git) Affected: 601ef0d52e9617588fcff3df26953592f2eb44ac , < 6784367b2f3cd7b89103de35764f37f152590dbd (git) Affected: 601ef0d52e9617588fcff3df26953592f2eb44ac , < 97c94c7dbddc34d353c83b541b3decabf98d04af (git) Affected: 601ef0d52e9617588fcff3df26953592f2eb44ac , < deb016c1669002e48c431d6fd32ea1c20ef41756 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/gfs2/util.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1a91ba12abef628b43cada87478328274d988e88",
"status": "affected",
"version": "601ef0d52e9617588fcff3df26953592f2eb44ac",
"versionType": "git"
},
{
"lessThan": "f5426ffbec971a8f7346a57392d3a901bdee5a9b",
"status": "affected",
"version": "601ef0d52e9617588fcff3df26953592f2eb44ac",
"versionType": "git"
},
{
"lessThan": "6784367b2f3cd7b89103de35764f37f152590dbd",
"status": "affected",
"version": "601ef0d52e9617588fcff3df26953592f2eb44ac",
"versionType": "git"
},
{
"lessThan": "97c94c7dbddc34d353c83b541b3decabf98d04af",
"status": "affected",
"version": "601ef0d52e9617588fcff3df26953592f2eb44ac",
"versionType": "git"
},
{
"lessThan": "deb016c1669002e48c431d6fd32ea1c20ef41756",
"status": "affected",
"version": "601ef0d52e9617588fcff3df26953592f2eb44ac",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/gfs2/util.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.102",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.102",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.42",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.10",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: No more self recovery\n\nWhen a node withdraws and it turns out that it is the only node that has\nthe filesystem mounted, gfs2 currently tries to replay the local journal\nto bring the filesystem back into a consistent state. Not only is that\na very bad idea, it has also never worked because gfs2_recover_func()\nwill refuse to do anything during a withdraw.\n\nHowever, before even getting to this point, gfs2_recover_func()\ndereferences sdp-\u003esd_jdesc-\u003ejd_inode. This was a use-after-free before\ncommit 04133b607a78 (\"gfs2: Prevent double iput for journal on error\")\nand is a NULL pointer dereference since then.\n\nSimply get rid of self recovery to fix that."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:55:41.837Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1a91ba12abef628b43cada87478328274d988e88"
},
{
"url": "https://git.kernel.org/stable/c/f5426ffbec971a8f7346a57392d3a901bdee5a9b"
},
{
"url": "https://git.kernel.org/stable/c/6784367b2f3cd7b89103de35764f37f152590dbd"
},
{
"url": "https://git.kernel.org/stable/c/97c94c7dbddc34d353c83b541b3decabf98d04af"
},
{
"url": "https://git.kernel.org/stable/c/deb016c1669002e48c431d6fd32ea1c20ef41756"
}
],
"title": "gfs2: No more self recovery",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38659",
"datePublished": "2025-08-22T16:01:02.448Z",
"dateReserved": "2025-04-16T04:51:24.031Z",
"dateUpdated": "2025-09-29T05:55:41.837Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39923 (GCVE-0-2025-39923)
Vulnerability from cvelistv5 – Published: 2025-10-01 08:07 – Updated: 2025-11-03 17:44
Title
dmaengine: qcom: bam_dma: Fix DT error handling for num-channels/ees
Summary
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: qcom: bam_dma: Fix DT error handling for num-channels/ees
When we don't have a clock specified in the device tree, we have no way to
ensure the BAM is on. This is often the case for remotely-controlled or
remotely-powered BAM instances. In this case, we need to read num-channels
from the DT to have all the necessary information to complete probing.
However, at the moment invalid device trees without clock and without
num-channels still continue probing, because the error handling is missing
return statements. The driver will then later try to read the number of
channels from the registers. This is unsafe, because it relies on boot
firmware and lucky timing to succeed. Unfortunately, the lack of proper
error handling here has been abused for several Qualcomm SoCs upstream,
causing early boot crashes in several situations [1, 2].
Avoid these early crashes by erroring out when any of the required DT
properties are missing. Note that this will break some of the existing DTs
upstream (mainly BAM instances related to the crypto engine). However,
clearly these DTs have never been tested properly, since the error in the
kernel log was just ignored. It's safer to disable the crypto engine for
these broken DTBs.
[1]: https://lore.kernel.org/r/CY01EKQVWE36.B9X5TDXAREPF@fairphone.com/
[2]: https://lore.kernel.org/r/20230626145959.646747-1-krzysztof.kozlowski@linaro.org/
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux |
Affected:
48d163b1aa6e7f650c0b7a4f9c61c387a6def868 , < 2e257a6125c63350f00dc42b9674f20fd3cf4a9f
(git)
Affected: 48d163b1aa6e7f650c0b7a4f9c61c387a6def868 , < 1d98ba204d8a6db0d986c7f1aefaa0dcd1c007a2 (git) Affected: 48d163b1aa6e7f650c0b7a4f9c61c387a6def868 , < 6ac1599d0e78036d9d08efc2f58c2d91f0a3ee4c (git) Affected: 48d163b1aa6e7f650c0b7a4f9c61c387a6def868 , < 555bd16351a35c79efb029a196975a5a27f7fbc4 (git) Affected: 48d163b1aa6e7f650c0b7a4f9c61c387a6def868 , < ebf6c7c908e5999531c3517289598f187776124f (git) Affected: 48d163b1aa6e7f650c0b7a4f9c61c387a6def868 , < 1fc14731f0be4885e60702b9596d14d9a79cf053 (git) Affected: 48d163b1aa6e7f650c0b7a4f9c61c387a6def868 , < 0ff9df758af7022d749718fb6b8385cc5693acf3 (git) Affected: 48d163b1aa6e7f650c0b7a4f9c61c387a6def868 , < 5068b5254812433e841a40886e695633148d362d (git) Affected: cecf8a69042b3a54cb843223756c10ee8a8665e3 (git) Affected: 909474cd384cb206f33461fbd18089cf170533f8 (git) Affected: 5e0986f7caf17d7b1acd2092975360bf8e88a57d (git) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:44:41.678Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/dma/qcom/bam_dma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2e257a6125c63350f00dc42b9674f20fd3cf4a9f",
"status": "affected",
"version": "48d163b1aa6e7f650c0b7a4f9c61c387a6def868",
"versionType": "git"
},
{
"lessThan": "1d98ba204d8a6db0d986c7f1aefaa0dcd1c007a2",
"status": "affected",
"version": "48d163b1aa6e7f650c0b7a4f9c61c387a6def868",
"versionType": "git"
},
{
"lessThan": "6ac1599d0e78036d9d08efc2f58c2d91f0a3ee4c",
"status": "affected",
"version": "48d163b1aa6e7f650c0b7a4f9c61c387a6def868",
"versionType": "git"
},
{
"lessThan": "555bd16351a35c79efb029a196975a5a27f7fbc4",
"status": "affected",
"version": "48d163b1aa6e7f650c0b7a4f9c61c387a6def868",
"versionType": "git"
},
{
"lessThan": "ebf6c7c908e5999531c3517289598f187776124f",
"status": "affected",
"version": "48d163b1aa6e7f650c0b7a4f9c61c387a6def868",
"versionType": "git"
},
{
"lessThan": "1fc14731f0be4885e60702b9596d14d9a79cf053",
"status": "affected",
"version": "48d163b1aa6e7f650c0b7a4f9c61c387a6def868",
"versionType": "git"
},
{
"lessThan": "0ff9df758af7022d749718fb6b8385cc5693acf3",
"status": "affected",
"version": "48d163b1aa6e7f650c0b7a4f9c61c387a6def868",
"versionType": "git"
},
{
"lessThan": "5068b5254812433e841a40886e695633148d362d",
"status": "affected",
"version": "48d163b1aa6e7f650c0b7a4f9c61c387a6def868",
"versionType": "git"
},
{
"status": "affected",
"version": "cecf8a69042b3a54cb843223756c10ee8a8665e3",
"versionType": "git"
},
{
"status": "affected",
"version": "909474cd384cb206f33461fbd18089cf170533f8",
"versionType": "git"
},
{
"status": "affected",
"version": "5e0986f7caf17d7b1acd2092975360bf8e88a57d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/dma/qcom/bam_dma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.153",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.48",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.153",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.107",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.48",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.104",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.45",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.16.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: qcom: bam_dma: Fix DT error handling for num-channels/ees\n\nWhen we don\u0027t have a clock specified in the device tree, we have no way to\nensure the BAM is on. This is often the case for remotely-controlled or\nremotely-powered BAM instances. In this case, we need to read num-channels\nfrom the DT to have all the necessary information to complete probing.\n\nHowever, at the moment invalid device trees without clock and without\nnum-channels still continue probing, because the error handling is missing\nreturn statements. The driver will then later try to read the number of\nchannels from the registers. This is unsafe, because it relies on boot\nfirmware and lucky timing to succeed. Unfortunately, the lack of proper\nerror handling here has been abused for several Qualcomm SoCs upstream,\ncausing early boot crashes in several situations [1, 2].\n\nAvoid these early crashes by erroring out when any of the required DT\nproperties are missing. Note that this will break some of the existing DTs\nupstream (mainly BAM instances related to the crypto engine). However,\nclearly these DTs have never been tested properly, since the error in the\nkernel log was just ignored. It\u0027s safer to disable the crypto engine for\nthese broken DTBs.\n\n[1]: https://lore.kernel.org/r/CY01EKQVWE36.B9X5TDXAREPF@fairphone.com/\n[2]: https://lore.kernel.org/r/20230626145959.646747-1-krzysztof.kozlowski@linaro.org/"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T13:26:52.384Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2e257a6125c63350f00dc42b9674f20fd3cf4a9f"
},
{
"url": "https://git.kernel.org/stable/c/1d98ba204d8a6db0d986c7f1aefaa0dcd1c007a2"
},
{
"url": "https://git.kernel.org/stable/c/6ac1599d0e78036d9d08efc2f58c2d91f0a3ee4c"
},
{
"url": "https://git.kernel.org/stable/c/555bd16351a35c79efb029a196975a5a27f7fbc4"
},
{
"url": "https://git.kernel.org/stable/c/ebf6c7c908e5999531c3517289598f187776124f"
},
{
"url": "https://git.kernel.org/stable/c/1fc14731f0be4885e60702b9596d14d9a79cf053"
},
{
"url": "https://git.kernel.org/stable/c/0ff9df758af7022d749718fb6b8385cc5693acf3"
},
{
"url": "https://git.kernel.org/stable/c/5068b5254812433e841a40886e695633148d362d"
}
],
"title": "dmaengine: qcom: bam_dma: Fix DT error handling for num-channels/ees",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39923",
"datePublished": "2025-10-01T08:07:11.469Z",
"dateReserved": "2025-04-16T07:20:57.147Z",
"dateUpdated": "2025-11-03T17:44:41.678Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39847 (GCVE-0-2025-39847)
Vulnerability from cvelistv5 – Published: 2025-09-19 15:26 – Updated: 2025-11-03 17:44
Title
ppp: fix memory leak in pad_compress_skb
Summary
In the Linux kernel, the following vulnerability has been resolved:
ppp: fix memory leak in pad_compress_skb
If alloc_skb() fails in pad_compress_skb(), it returns NULL without
releasing the old skb. The caller does:

    skb = pad_compress_skb(ppp, skb);
    if (!skb)
        goto drop;

    drop:
        kfree_skb(skb);

When pad_compress_skb() returns NULL, the reference to the old skb is
lost and kfree_skb(skb) ends up doing nothing, leading to a memory leak.
Align pad_compress_skb() semantics with realloc(): only free the old
skb if allocation and compression succeed. At the call site, use the
new_skb variable so the original skb is not lost when pad_compress_skb()
fails.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux |
Affected:
b3f9b92a6ec1a9a5e4b4b36e484f2f62cc73277c , < 9ca6a040f76c0b149293e430dabab446f3fc8ab7
(git)
Affected: b3f9b92a6ec1a9a5e4b4b36e484f2f62cc73277c , < 87a35a36742df328d0badf4fbc2e56061c15846c (git) Affected: b3f9b92a6ec1a9a5e4b4b36e484f2f62cc73277c , < 0b21e9cd4559102da798bdcba453b64ecd7be7ee (git) Affected: b3f9b92a6ec1a9a5e4b4b36e484f2f62cc73277c , < 1d8b354eafb8876d8bdb1bef69c7d2438aacfbe8 (git) Affected: b3f9b92a6ec1a9a5e4b4b36e484f2f62cc73277c , < 85c1c86a67e09143aa464e9bf09c397816772348 (git) Affected: b3f9b92a6ec1a9a5e4b4b36e484f2f62cc73277c , < 631fc8ab5beb9e0ec8651fb9875b9a968e7b4ae4 (git) Affected: b3f9b92a6ec1a9a5e4b4b36e484f2f62cc73277c , < 33a5bac5f14772730d2caf632ae97b6c2ee95044 (git) Affected: b3f9b92a6ec1a9a5e4b4b36e484f2f62cc73277c , < 4844123fe0b853a4982c02666cb3fd863d701d50 (git) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:44:04.958Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ppp/ppp_generic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9ca6a040f76c0b149293e430dabab446f3fc8ab7",
"status": "affected",
"version": "b3f9b92a6ec1a9a5e4b4b36e484f2f62cc73277c",
"versionType": "git"
},
{
"lessThan": "87a35a36742df328d0badf4fbc2e56061c15846c",
"status": "affected",
"version": "b3f9b92a6ec1a9a5e4b4b36e484f2f62cc73277c",
"versionType": "git"
},
{
"lessThan": "0b21e9cd4559102da798bdcba453b64ecd7be7ee",
"status": "affected",
"version": "b3f9b92a6ec1a9a5e4b4b36e484f2f62cc73277c",
"versionType": "git"
},
{
"lessThan": "1d8b354eafb8876d8bdb1bef69c7d2438aacfbe8",
"status": "affected",
"version": "b3f9b92a6ec1a9a5e4b4b36e484f2f62cc73277c",
"versionType": "git"
},
{
"lessThan": "85c1c86a67e09143aa464e9bf09c397816772348",
"status": "affected",
"version": "b3f9b92a6ec1a9a5e4b4b36e484f2f62cc73277c",
"versionType": "git"
},
{
"lessThan": "631fc8ab5beb9e0ec8651fb9875b9a968e7b4ae4",
"status": "affected",
"version": "b3f9b92a6ec1a9a5e4b4b36e484f2f62cc73277c",
"versionType": "git"
},
{
"lessThan": "33a5bac5f14772730d2caf632ae97b6c2ee95044",
"status": "affected",
"version": "b3f9b92a6ec1a9a5e4b4b36e484f2f62cc73277c",
"versionType": "git"
},
{
"lessThan": "4844123fe0b853a4982c02666cb3fd863d701d50",
"status": "affected",
"version": "b3f9b92a6ec1a9a5e4b4b36e484f2f62cc73277c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ppp/ppp_generic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.15"
},
{
"lessThan": "2.6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.299",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.243",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.192",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.151",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.105",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.299",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.243",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.192",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.151",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.105",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "2.6.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nppp: fix memory leak in pad_compress_skb\n\nIf alloc_skb() fails in pad_compress_skb(), it returns NULL without\nreleasing the old skb. The caller does:\n\n skb = pad_compress_skb(ppp, skb);\n if (!skb)\n goto drop;\n\ndrop:\n kfree_skb(skb);\n\nWhen pad_compress_skb() returns NULL, the reference to the old skb is\nlost and kfree_skb(skb) ends up doing nothing, leading to a memory leak.\n\nAlign pad_compress_skb() semantics with realloc(): only free the old\nskb if allocation and compression succeed. At the call site, use the\nnew_skb variable so the original skb is not lost when pad_compress_skb()\nfails."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:00:57.392Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9ca6a040f76c0b149293e430dabab446f3fc8ab7"
},
{
"url": "https://git.kernel.org/stable/c/87a35a36742df328d0badf4fbc2e56061c15846c"
},
{
"url": "https://git.kernel.org/stable/c/0b21e9cd4559102da798bdcba453b64ecd7be7ee"
},
{
"url": "https://git.kernel.org/stable/c/1d8b354eafb8876d8bdb1bef69c7d2438aacfbe8"
},
{
"url": "https://git.kernel.org/stable/c/85c1c86a67e09143aa464e9bf09c397816772348"
},
{
"url": "https://git.kernel.org/stable/c/631fc8ab5beb9e0ec8651fb9875b9a968e7b4ae4"
},
{
"url": "https://git.kernel.org/stable/c/33a5bac5f14772730d2caf632ae97b6c2ee95044"
},
{
"url": "https://git.kernel.org/stable/c/4844123fe0b853a4982c02666cb3fd863d701d50"
}
],
"title": "ppp: fix memory leak in pad_compress_skb",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39847",
"datePublished": "2025-09-19T15:26:20.648Z",
"dateReserved": "2025-04-16T07:20:57.141Z",
"dateUpdated": "2025-11-03T17:44:04.958Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-2602 (GCVE-0-2022-2602)
Vulnerability from cvelistv5 – Published: 2024-01-08 17:56 – Updated: 2025-04-17 17:54
Summary
io_uring UAF, Unix SCM garbage collection
Severity
5.3 (Medium)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| The Linux Kernel Organization | linux | Affected: 0 , < 6.1~rc1 (semver) |
Credits
David Bouman
Billy Jheng Bing Jhong working with Trend Micro's Zero Day Initiative
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:46:03.143Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://ubuntu.com/security/notices/USN-5692-1"
},
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://ubuntu.com/security/notices/USN-5752-1"
},
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://ubuntu.com/security/notices/USN-5693-1"
},
{
"tags": [
"issue-tracking",
"x_transferred"
],
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2602"
},
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://ubuntu.com/security/notices/USN-5691-1"
},
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://ubuntu.com/security/notices/USN-5700-1"
},
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/176533/Linux-Broken-Unix-GC-Interaction-Use-After-Free.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-2602",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-01-10T15:31:14.667406Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-17T17:54:49.459Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"packageName": "linux",
"platforms": [
"Linux"
],
"product": "linux",
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git",
"vendor": "The Linux Kernel Organization",
"versions": [
{
"lessThan": "6.1~rc1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "David Bouman"
},
{
"lang": "en",
"type": "finder",
"value": "Billy Jheng Bing Jhong working with Trend Micro\u0027s Zero Day Initiative"
}
],
"descriptions": [
{
"lang": "en",
"value": "io_uring UAF, Unix SCM garbage collection"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-12T16:06:18.102Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://ubuntu.com/security/notices/USN-5692-1"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://ubuntu.com/security/notices/USN-5752-1"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://ubuntu.com/security/notices/USN-5693-1"
},
{
"tags": [
"issue-tracking"
],
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2602"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://ubuntu.com/security/notices/USN-5691-1"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://ubuntu.com/security/notices/USN-5700-1"
},
{
"url": "http://packetstormsecurity.com/files/176533/Linux-Broken-Unix-GC-Interaction-Use-After-Free.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2022-2602",
"datePublished": "2024-01-08T17:56:16.403Z",
"dateReserved": "2022-08-01T19:49:01.609Z",
"dateUpdated": "2025-04-17T17:54:49.459Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53449 (GCVE-0-2023-53449)
Vulnerability from cvelistv5 – Published: 2025-10-01 11:42 – Updated: 2025-10-01 11:42
Title
s390/dasd: Fix potential memleak in dasd_eckd_init()
Summary
In the Linux kernel, the following vulnerability has been resolved:
s390/dasd: Fix potential memleak in dasd_eckd_init()
`dasd_reserve_req` is allocated before `dasd_vol_info_req`, and it
also needs to be freed before the error returns, just like the other
cases in this function.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 9e12e54c7a8f616190beffb0f7ce778a86aec175 , < ee986d80acdef710a886be404308188ea11000c8 (git)<br>Affected: 9e12e54c7a8f616190beffb0f7ce778a86aec175 , < a50e28d433acf22258f9f34831057387f04ef074 (git)<br>Affected: 9e12e54c7a8f616190beffb0f7ce778a86aec175 , < 544a552be0869231799784279d52704c4d314d33 (git)<br>Affected: 9e12e54c7a8f616190beffb0f7ce778a86aec175 , < ef3a7ffc0a6f833578bc8d1dcb79d0633c7e4ec3 (git)<br>Affected: 9e12e54c7a8f616190beffb0f7ce778a86aec175 , < aede5230d154b6b237985ec9df7ebbd1dce96810 (git)<br>Affected: 9e12e54c7a8f616190beffb0f7ce778a86aec175 , < 460e9bed82e49db1b823dcb4e421783854d86c40 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/s390/block/dasd_eckd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ee986d80acdef710a886be404308188ea11000c8",
"status": "affected",
"version": "9e12e54c7a8f616190beffb0f7ce778a86aec175",
"versionType": "git"
},
{
"lessThan": "a50e28d433acf22258f9f34831057387f04ef074",
"status": "affected",
"version": "9e12e54c7a8f616190beffb0f7ce778a86aec175",
"versionType": "git"
},
{
"lessThan": "544a552be0869231799784279d52704c4d314d33",
"status": "affected",
"version": "9e12e54c7a8f616190beffb0f7ce778a86aec175",
"versionType": "git"
},
{
"lessThan": "ef3a7ffc0a6f833578bc8d1dcb79d0633c7e4ec3",
"status": "affected",
"version": "9e12e54c7a8f616190beffb0f7ce778a86aec175",
"versionType": "git"
},
{
"lessThan": "aede5230d154b6b237985ec9df7ebbd1dce96810",
"status": "affected",
"version": "9e12e54c7a8f616190beffb0f7ce778a86aec175",
"versionType": "git"
},
{
"lessThan": "460e9bed82e49db1b823dcb4e421783854d86c40",
"status": "affected",
"version": "9e12e54c7a8f616190beffb0f7ce778a86aec175",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/s390/block/dasd_eckd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.3"
},
{
"lessThan": "5.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.235",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "5.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/dasd: Fix potential memleak in dasd_eckd_init()\n\n`dasd_reserve_req` is allocated before `dasd_vol_info_req`, and it\nalso needs to be freed before the error returns, just like the other\ncases in this function."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T11:42:21.371Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ee986d80acdef710a886be404308188ea11000c8"
},
{
"url": "https://git.kernel.org/stable/c/a50e28d433acf22258f9f34831057387f04ef074"
},
{
"url": "https://git.kernel.org/stable/c/544a552be0869231799784279d52704c4d314d33"
},
{
"url": "https://git.kernel.org/stable/c/ef3a7ffc0a6f833578bc8d1dcb79d0633c7e4ec3"
},
{
"url": "https://git.kernel.org/stable/c/aede5230d154b6b237985ec9df7ebbd1dce96810"
},
{
"url": "https://git.kernel.org/stable/c/460e9bed82e49db1b823dcb4e421783854d86c40"
}
],
"title": "s390/dasd: Fix potential memleak in dasd_eckd_init()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53449",
"datePublished": "2025-10-01T11:42:21.371Z",
"dateReserved": "2025-09-17T14:54:09.753Z",
"dateUpdated": "2025-10-01T11:42:21.371Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53488 (GCVE-0-2023-53488)
Vulnerability from cvelistv5 – Published: 2025-10-01 11:45 – Updated: 2025-10-01 11:45
Title
IB/hfi1: Fix possible panic during hotplug remove
Summary
In the Linux kernel, the following vulnerability has been resolved:
IB/hfi1: Fix possible panic during hotplug remove
During hotplug remove it is possible that the update counters work
might be pending, and may run after memory has been freed.
Cancel the update counters work before freeing memory.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 7724105686e718ac476a6ad3304fea2fbcfcffde , < 5e72f33ddfdb69cb21c1b59d31bbd3498d31b14a (git)<br>Affected: 7724105686e718ac476a6ad3304fea2fbcfcffde , < bfd727ad8411995218f336ead9f2becfde7f3a89 (git)<br>Affected: 7724105686e718ac476a6ad3304fea2fbcfcffde , < c2145b18740c7e697748e4005ce93a5c683c86a8 (git)<br>Affected: 7724105686e718ac476a6ad3304fea2fbcfcffde , < 33c677d1e087e437c7dcaad8d73402cf6add282e (git)<br>Affected: 7724105686e718ac476a6ad3304fea2fbcfcffde , < 918c1e6843b7e81d0e5cf7994f41f28dc34c98b0 (git)<br>Affected: 7724105686e718ac476a6ad3304fea2fbcfcffde , < ac6640f4193d0f5b44269a7f08372909f9a18e5c (git)<br>Affected: 7724105686e718ac476a6ad3304fea2fbcfcffde , < d32a5e9b825d40c08a43dfbcba007159fed41a5d (git)<br>Affected: 7724105686e718ac476a6ad3304fea2fbcfcffde , < 4fdfaef71fced490835145631a795497646f4555 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/hfi1/chip.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5e72f33ddfdb69cb21c1b59d31bbd3498d31b14a",
"status": "affected",
"version": "7724105686e718ac476a6ad3304fea2fbcfcffde",
"versionType": "git"
},
{
"lessThan": "bfd727ad8411995218f336ead9f2becfde7f3a89",
"status": "affected",
"version": "7724105686e718ac476a6ad3304fea2fbcfcffde",
"versionType": "git"
},
{
"lessThan": "c2145b18740c7e697748e4005ce93a5c683c86a8",
"status": "affected",
"version": "7724105686e718ac476a6ad3304fea2fbcfcffde",
"versionType": "git"
},
{
"lessThan": "33c677d1e087e437c7dcaad8d73402cf6add282e",
"status": "affected",
"version": "7724105686e718ac476a6ad3304fea2fbcfcffde",
"versionType": "git"
},
{
"lessThan": "918c1e6843b7e81d0e5cf7994f41f28dc34c98b0",
"status": "affected",
"version": "7724105686e718ac476a6ad3304fea2fbcfcffde",
"versionType": "git"
},
{
"lessThan": "ac6640f4193d0f5b44269a7f08372909f9a18e5c",
"status": "affected",
"version": "7724105686e718ac476a6ad3304fea2fbcfcffde",
"versionType": "git"
},
{
"lessThan": "d32a5e9b825d40c08a43dfbcba007159fed41a5d",
"status": "affected",
"version": "7724105686e718ac476a6ad3304fea2fbcfcffde",
"versionType": "git"
},
{
"lessThan": "4fdfaef71fced490835145631a795497646f4555",
"status": "affected",
"version": "7724105686e718ac476a6ad3304fea2fbcfcffde",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/hfi1/chip.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.3"
},
{
"lessThan": "4.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.323",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.292",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.254",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.191",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.127",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.323",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.292",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.254",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.191",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.127",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.46",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.11",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "4.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/hfi1: Fix possible panic during hotplug remove\n\nDuring hotplug remove it is possible that the update counters work\nmight be pending, and may run after memory has been freed.\nCancel the update counters work before freeing memory."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T11:45:40.546Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5e72f33ddfdb69cb21c1b59d31bbd3498d31b14a"
},
{
"url": "https://git.kernel.org/stable/c/bfd727ad8411995218f336ead9f2becfde7f3a89"
},
{
"url": "https://git.kernel.org/stable/c/c2145b18740c7e697748e4005ce93a5c683c86a8"
},
{
"url": "https://git.kernel.org/stable/c/33c677d1e087e437c7dcaad8d73402cf6add282e"
},
{
"url": "https://git.kernel.org/stable/c/918c1e6843b7e81d0e5cf7994f41f28dc34c98b0"
},
{
"url": "https://git.kernel.org/stable/c/ac6640f4193d0f5b44269a7f08372909f9a18e5c"
},
{
"url": "https://git.kernel.org/stable/c/d32a5e9b825d40c08a43dfbcba007159fed41a5d"
},
{
"url": "https://git.kernel.org/stable/c/4fdfaef71fced490835145631a795497646f4555"
}
],
"title": "IB/hfi1: Fix possible panic during hotplug remove",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53488",
"datePublished": "2025-10-01T11:45:40.546Z",
"dateReserved": "2025-10-01T11:39:39.402Z",
"dateUpdated": "2025-10-01T11:45:40.546Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38531 (GCVE-0-2025-38531)
Vulnerability from cvelistv5 – Published: 2025-08-16 11:12 – Updated: 2026-01-02 15:30
Title
iio: common: st_sensors: Fix use of uninitialize device structs
Summary
In the Linux kernel, the following vulnerability has been resolved:
iio: common: st_sensors: Fix use of uninitialize device structs
Throughout the various probe functions &indio_dev->dev is used before it
is initialized. This caused a kernel panic in st_sensors_power_enable()
when the call to devm_regulator_bulk_get_enable() fails and then calls
dev_err_probe() with the uninitialized device.
This seems to only cause a panic with dev_err_probe(), dev_err(),
dev_warn() and dev_info() don't seem to cause a panic, but are fixed
as well.
The issue is reported and traced here: [1]
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 4dff754876959b3f3b354800089bc8aaa3ec1d95 , < 610615c9668037e3eca11132063b93b2d945af13 (git)<br>Affected: 4dff754876959b3f3b354800089bc8aaa3ec1d95 , < 3297a9016a45144883ec990bd4bd5b1d79cafb46 (git)<br>Affected: 4dff754876959b3f3b354800089bc8aaa3ec1d95 , < 9f92e93e257b33e73622640a9205f8642ec16ddd (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iio/accel/st_accel_core.c",
"drivers/iio/common/st_sensors/st_sensors_core.c",
"drivers/iio/common/st_sensors/st_sensors_trigger.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "610615c9668037e3eca11132063b93b2d945af13",
"status": "affected",
"version": "4dff754876959b3f3b354800089bc8aaa3ec1d95",
"versionType": "git"
},
{
"lessThan": "3297a9016a45144883ec990bd4bd5b1d79cafb46",
"status": "affected",
"version": "4dff754876959b3f3b354800089bc8aaa3ec1d95",
"versionType": "git"
},
{
"lessThan": "9f92e93e257b33e73622640a9205f8642ec16ddd",
"status": "affected",
"version": "4dff754876959b3f3b354800089bc8aaa3ec1d95",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iio/accel/st_accel_core.c",
"drivers/iio/common/st_sensors/st_sensors_core.c",
"drivers/iio/common/st_sensors/st_sensors_trigger.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.40",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.8",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: common: st_sensors: Fix use of uninitialize device structs\n\nThroughout the various probe functions \u0026indio_dev-\u003edev is used before it\nis initialized. This caused a kernel panic in st_sensors_power_enable()\nwhen the call to devm_regulator_bulk_get_enable() fails and then calls\ndev_err_probe() with the uninitialized device.\n\nThis seems to only cause a panic with dev_err_probe(), dev_err(),\ndev_warn() and dev_info() don\u0027t seem to cause a panic, but are fixed\nas well.\n\nThe issue is reported and traced here: [1]"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:30:48.551Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/610615c9668037e3eca11132063b93b2d945af13"
},
{
"url": "https://git.kernel.org/stable/c/3297a9016a45144883ec990bd4bd5b1d79cafb46"
},
{
"url": "https://git.kernel.org/stable/c/9f92e93e257b33e73622640a9205f8642ec16ddd"
}
],
"title": "iio: common: st_sensors: Fix use of uninitialize device structs",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38531",
"datePublished": "2025-08-16T11:12:24.405Z",
"dateReserved": "2025-04-16T04:51:24.023Z",
"dateUpdated": "2026-01-02T15:30:48.551Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39711 (GCVE-0-2025-39711)
Vulnerability from cvelistv5 – Published: 2025-09-05 17:21 – Updated: 2025-09-29 05:57
Title
media: ivsc: Fix crash at shutdown due to missing mei_cldev_disable() calls
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: ivsc: Fix crash at shutdown due to missing mei_cldev_disable() calls
Both the ACE and CSI driver are missing a mei_cldev_disable() call in
their remove() function.
This causes the mei_cl client to stay part of the mei_device->file_list
list even though its memory is freed by mei_cl_bus_dev_release() calling
kfree(cldev->cl).
This leads to a use-after-free when mei_vsc_remove() runs mei_stop()
which first removes all mei bus devices calling mei_ace_remove() and
mei_csi_remove() followed by mei_cl_bus_dev_release() and then calls
mei_cl_all_disconnect() which walks over mei_device->file_list dereferencing
the just freed cldev->cl.
And mei_vsc_remove() itself is run at shutdown because of the
platform_device_unregister(tp->pdev) in vsc_tp_shutdown()
When building a kernel with KASAN this leads to the following KASAN report:
[ 106.634504] ==================================================================
[ 106.634623] BUG: KASAN: slab-use-after-free in mei_cl_set_disconnected (drivers/misc/mei/client.c:783) mei
[ 106.634683] Read of size 4 at addr ffff88819cb62018 by task systemd-shutdow/1
[ 106.634729]
[ 106.634767] Tainted: [E]=UNSIGNED_MODULE
[ 106.634770] Hardware name: Dell Inc. XPS 16 9640/09CK4V, BIOS 1.12.0 02/10/2025
[ 106.634773] Call Trace:
[ 106.634777] <TASK>
...
[ 106.634871] kasan_report (mm/kasan/report.c:221 mm/kasan/report.c:636)
[ 106.634901] mei_cl_set_disconnected (drivers/misc/mei/client.c:783) mei
[ 106.634921] mei_cl_all_disconnect (drivers/misc/mei/client.c:2165 (discriminator 4)) mei
[ 106.634941] mei_reset (drivers/misc/mei/init.c:163) mei
...
[ 106.635042] mei_stop (drivers/misc/mei/init.c:348) mei
[ 106.635062] mei_vsc_remove (drivers/misc/mei/mei_dev.h:784 drivers/misc/mei/platform-vsc.c:393) mei_vsc
[ 106.635066] platform_remove (drivers/base/platform.c:1424)
Add the missing mei_cldev_disable() calls so that the mei_cl gets removed
from mei_device->file_list before it is freed to fix this.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 29006e196a5661d9afc8152fa2bf8a5347ac17b4 , < 3c0e4cc4f55f9a1db2a761e4ffb27c9594245888 (git)<br>Affected: 29006e196a5661d9afc8152fa2bf8a5347ac17b4 , < 639f5b33fcd7c59157f29b09f6f2866eacf9279c (git)<br>Affected: 29006e196a5661d9afc8152fa2bf8a5347ac17b4 , < 1dfe73394dcfc9b049c8da0dc181c45f156a5f49 (git)<br>Affected: 29006e196a5661d9afc8152fa2bf8a5347ac17b4 , < 0c92c49fc688cfadacc47ae99b06a31237702e9e (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/pci/intel/ivsc/mei_ace.c",
"drivers/media/pci/intel/ivsc/mei_csi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3c0e4cc4f55f9a1db2a761e4ffb27c9594245888",
"status": "affected",
"version": "29006e196a5661d9afc8152fa2bf8a5347ac17b4",
"versionType": "git"
},
{
"lessThan": "639f5b33fcd7c59157f29b09f6f2866eacf9279c",
"status": "affected",
"version": "29006e196a5661d9afc8152fa2bf8a5347ac17b4",
"versionType": "git"
},
{
"lessThan": "1dfe73394dcfc9b049c8da0dc181c45f156a5f49",
"status": "affected",
"version": "29006e196a5661d9afc8152fa2bf8a5347ac17b4",
"versionType": "git"
},
{
"lessThan": "0c92c49fc688cfadacc47ae99b06a31237702e9e",
"status": "affected",
"version": "29006e196a5661d9afc8152fa2bf8a5347ac17b4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/pci/intel/ivsc/mei_ace.c",
"drivers/media/pci/intel/ivsc/mei_csi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.6"
},
{
"lessThan": "6.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.44",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.44",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.4",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: ivsc: Fix crash at shutdown due to missing mei_cldev_disable() calls\n\nBoth the ACE and CSI driver are missing a mei_cldev_disable() call in\ntheir remove() function.\n\nThis causes the mei_cl client to stay part of the mei_device-\u003efile_list\nlist even though its memory is freed by mei_cl_bus_dev_release() calling\nkfree(cldev-\u003ecl).\n\nThis leads to a use-after-free when mei_vsc_remove() runs mei_stop()\nwhich first removes all mei bus devices calling mei_ace_remove() and\nmei_csi_remove() followed by mei_cl_bus_dev_release() and then calls\nmei_cl_all_disconnect() which walks over mei_device-\u003efile_list dereferecing\nthe just freed cldev-\u003ecl.\n\nAnd mei_vsc_remove() it self is run at shutdown because of the\nplatform_device_unregister(tp-\u003epdev) in vsc_tp_shutdown()\n\nWhen building a kernel with KASAN this leads to the following KASAN report:\n\n[ 106.634504] ==================================================================\n[ 106.634623] BUG: KASAN: slab-use-after-free in mei_cl_set_disconnected (drivers/misc/mei/client.c:783) mei\n[ 106.634683] Read of size 4 at addr ffff88819cb62018 by task systemd-shutdow/1\n[ 106.634729]\n[ 106.634767] Tainted: [E]=UNSIGNED_MODULE\n[ 106.634770] Hardware name: Dell Inc. XPS 16 9640/09CK4V, BIOS 1.12.0 02/10/2025\n[ 106.634773] Call Trace:\n[ 106.634777] \u003cTASK\u003e\n...\n[ 106.634871] kasan_report (mm/kasan/report.c:221 mm/kasan/report.c:636)\n[ 106.634901] mei_cl_set_disconnected (drivers/misc/mei/client.c:783) mei\n[ 106.634921] mei_cl_all_disconnect (drivers/misc/mei/client.c:2165 (discriminator 4)) mei\n[ 106.634941] mei_reset (drivers/misc/mei/init.c:163) mei\n...\n[ 106.635042] mei_stop (drivers/misc/mei/init.c:348) mei\n[ 106.635062] mei_vsc_remove (drivers/misc/mei/mei_dev.h:784 drivers/misc/mei/platform-vsc.c:393) mei_vsc\n[ 106.635066] platform_remove (drivers/base/platform.c:1424)\n\nAdd the missing mei_cldev_disable() calls so that the mei_cl gets removed\nfrom mei_device-\u003efile_list before it is freed to fix this."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:57:55.383Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3c0e4cc4f55f9a1db2a761e4ffb27c9594245888"
},
{
"url": "https://git.kernel.org/stable/c/639f5b33fcd7c59157f29b09f6f2866eacf9279c"
},
{
"url": "https://git.kernel.org/stable/c/1dfe73394dcfc9b049c8da0dc181c45f156a5f49"
},
{
"url": "https://git.kernel.org/stable/c/0c92c49fc688cfadacc47ae99b06a31237702e9e"
}
],
"title": "media: ivsc: Fix crash at shutdown due to missing mei_cldev_disable() calls",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39711",
"datePublished": "2025-09-05T17:21:18.348Z",
"dateReserved": "2025-04-16T07:20:57.116Z",
"dateUpdated": "2025-09-29T05:57:55.383Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38201 (GCVE-0-2025-38201)
Vulnerability from cvelistv5 – Published: 2025-07-04 13:37 – Updated: 2025-07-28 04:14
Title
netfilter: nft_set_pipapo: clamp maximum map bucket size to INT_MAX
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nft_set_pipapo: clamp maximum map bucket size to INT_MAX
Otherwise, it is possible to hit WARN_ON_ONCE in __kvmalloc_node_noprof()
when resizing hashtable because __GFP_NOWARN is unset.
Similar to:
b541ba7d1f5a ("netfilter: conntrack: clamp maximum hashtable size to INT_MAX")
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 3c4287f62044a90e73a561aa05fc46e62da173da, < 0ab3de047808f375a36cd345225572eb3366f3c6 (git) |
| Linux | Linux | Affected: 3c4287f62044a90e73a561aa05fc46e62da173da, < d2768016f091f8a5264076b433fd7c3fabb6eb97 (git) |
| Linux | Linux | Affected: 3c4287f62044a90e73a561aa05fc46e62da173da, < b85e3367a5716ed3662a4fe266525190d2af76df (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nft_set_pipapo.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0ab3de047808f375a36cd345225572eb3366f3c6",
"status": "affected",
"version": "3c4287f62044a90e73a561aa05fc46e62da173da",
"versionType": "git"
},
{
"lessThan": "d2768016f091f8a5264076b433fd7c3fabb6eb97",
"status": "affected",
"version": "3c4287f62044a90e73a561aa05fc46e62da173da",
"versionType": "git"
},
{
"lessThan": "b85e3367a5716ed3662a4fe266525190d2af76df",
"status": "affected",
"version": "3c4287f62044a90e73a561aa05fc46e62da173da",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nft_set_pipapo.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.35",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.35",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.4",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_set_pipapo: clamp maximum map bucket size to INT_MAX\n\nOtherwise, it is possible to hit WARN_ON_ONCE in __kvmalloc_node_noprof()\nwhen resizing hashtable because __GFP_NOWARN is unset.\n\nSimilar to:\n\n b541ba7d1f5a (\"netfilter: conntrack: clamp maximum hashtable size to INT_MAX\")"
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T04:14:56.757Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0ab3de047808f375a36cd345225572eb3366f3c6"
},
{
"url": "https://git.kernel.org/stable/c/d2768016f091f8a5264076b433fd7c3fabb6eb97"
},
{
"url": "https://git.kernel.org/stable/c/b85e3367a5716ed3662a4fe266525190d2af76df"
}
],
"title": "netfilter: nft_set_pipapo: clamp maximum map bucket size to INT_MAX",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38201",
"datePublished": "2025-07-04T13:37:22.732Z",
"dateReserved": "2025-04-16T04:51:23.993Z",
"dateUpdated": "2025-07-28T04:14:56.757Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50441 (GCVE-0-2022-50441)
Vulnerability from cvelistv5 – Published: 2025-10-01 11:42 – Updated: 2025-10-01 11:42
Title
net/mlx5: Lag, fix failure to cancel delayed bond work
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5: Lag, fix failure to cancel delayed bond work
Commit 0d4e8ed139d8 ("net/mlx5: Lag, avoid lockdep warnings")
accidentally removed a call to cancel delayed bond work thus it may
cause queued delay to expire and fall on an already destroyed work
queue.
Fix by restoring the call cancel_delayed_work_sync() before
destroying the workqueue.
This prevents call trace such as this:
[ 329.230417] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 329.231444] #PF: supervisor write access in kernel mode
[ 329.232233] #PF: error_code(0x0002) - not-present page
[ 329.233007] PGD 0 P4D 0
[ 329.233476] Oops: 0002 [#1] SMP
[ 329.234012] CPU: 5 PID: 145 Comm: kworker/u20:4 Tainted: G OE 6.0.0-rc5_mlnx #1
[ 329.235282] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
[ 329.236868] Workqueue: mlx5_cmd_0000:08:00.1 cmd_work_handler [mlx5_core]
[ 329.237886] RIP: 0010:_raw_spin_lock+0xc/0x20
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: ff24a802204620214afa75a5e64280f40015e399, < 5df57bb04e91add52fb67e226209df9a17f06a89 (git) |
| Linux | Linux | Affected: 0d4e8ed139d871fcb2844dd71075997753baeec8, < 8f1b8b3133504bf9125ee507ddcc3a8fb41a41f0 (git) |
| Linux | Linux | Affected: 0d4e8ed139d871fcb2844dd71075997753baeec8, < 4d1c1379d71777ddeda3e54f8fc26e9ecbfd1009 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5df57bb04e91add52fb67e226209df9a17f06a89",
"status": "affected",
"version": "ff24a802204620214afa75a5e64280f40015e399",
"versionType": "git"
},
{
"lessThan": "8f1b8b3133504bf9125ee507ddcc3a8fb41a41f0",
"status": "affected",
"version": "0d4e8ed139d871fcb2844dd71075997753baeec8",
"versionType": "git"
},
{
"lessThan": "4d1c1379d71777ddeda3e54f8fc26e9ecbfd1009",
"status": "affected",
"version": "0d4e8ed139d871fcb2844dd71075997753baeec8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.19",
"versionStartIncluding": "6.0.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.5",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Lag, fix failure to cancel delayed bond work\n\nCommit 0d4e8ed139d8 (\"net/mlx5: Lag, avoid lockdep warnings\")\naccidentally removed a call to cancel delayed bond work thus it may\ncause queued delay to expire and fall on an already destroyed work\nqueue.\n\nFix by restoring the call cancel_delayed_work_sync() before\ndestroying the workqueue.\n\nThis prevents call trace such as this:\n\n[ 329.230417] BUG: kernel NULL pointer dereference, address: 0000000000000000\n [ 329.231444] #PF: supervisor write access in kernel mode\n [ 329.232233] #PF: error_code(0x0002) - not-present page\n [ 329.233007] PGD 0 P4D 0\n [ 329.233476] Oops: 0002 [#1] SMP\n [ 329.234012] CPU: 5 PID: 145 Comm: kworker/u20:4 Tainted: G OE 6.0.0-rc5_mlnx #1\n [ 329.235282] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n [ 329.236868] Workqueue: mlx5_cmd_0000:08:00.1 cmd_work_handler [mlx5_core]\n [ 329.237886] RIP: 0010:_raw_spin_lock+0xc/0x20\n [ 329.238585] Code: f0 0f b1 17 75 02 f3 c3 89 c6 e9 6f 3c 5f ff 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 0f 1f 44 00 00 31 c0 ba 01 00 00 00 \u003cf0\u003e 0f b1 17 75 02 f3 c3 89 c6 e9 45 3c 5f ff 0f 1f 44 00 00 0f 1f\n [ 329.241156] RSP: 0018:ffffc900001b0e98 EFLAGS: 00010046\n [ 329.241940] RAX: 0000000000000000 RBX: ffffffff82374ae0 RCX: 0000000000000000\n [ 329.242954] RDX: 0000000000000001 RSI: 0000000000000014 RDI: 0000000000000000\n [ 329.243974] RBP: ffff888106ccf000 R08: ffff8881004000c8 R09: ffff888100400000\n [ 329.244990] R10: 0000000000000000 R11: ffffffff826669f8 R12: 0000000000002000\n [ 329.246009] R13: 0000000000000005 R14: ffff888100aa7ce0 R15: ffff88852ca80000\n [ 329.247030] FS: 0000000000000000(0000) GS:ffff88852ca80000(0000) knlGS:0000000000000000\n [ 329.248260] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n [ 329.249111] CR2: 0000000000000000 CR3: 000000016d675001 
CR4: 0000000000770ee0\n [ 329.250133] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n [ 329.251152] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n [ 329.252176] PKRU: 55555554"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T11:42:17.313Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5df57bb04e91add52fb67e226209df9a17f06a89"
},
{
"url": "https://git.kernel.org/stable/c/8f1b8b3133504bf9125ee507ddcc3a8fb41a41f0"
},
{
"url": "https://git.kernel.org/stable/c/4d1c1379d71777ddeda3e54f8fc26e9ecbfd1009"
}
],
"title": "net/mlx5: Lag, fix failure to cancel delayed bond work",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50441",
"datePublished": "2025-10-01T11:42:17.313Z",
"dateReserved": "2025-09-17T14:53:07.010Z",
"dateUpdated": "2025-10-01T11:42:17.313Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53199 (GCVE-0-2023-53199)
Vulnerability from cvelistv5 – Published: 2025-09-15 14:21 – Updated: 2025-09-15 14:21
Title
wifi: ath9k: hif_usb: clean up skbs if ath9k_hif_usb_rx_stream() fails
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath9k: hif_usb: clean up skbs if ath9k_hif_usb_rx_stream() fails
Syzkaller detected a memory leak of skbs in ath9k_hif_usb_rx_stream().
While processing skbs in ath9k_hif_usb_rx_stream(), the already allocated
skbs in skb_pool are not freed if ath9k_hif_usb_rx_stream() fails. If we
have an incorrect pkt_len or pkt_tag, the input skb is considered invalid
and dropped. All the associated packets already in skb_pool should be
dropped and freed. Added a comment describing this issue.
The patch also makes remain_skb NULL after being processed so that it
cannot be referenced after potential free. The initialization of hif_dev
fields which are associated with remain_skb (rx_remain_len,
rx_transfer_len and rx_pad_len) is moved after a new remain_skb is
allocated.
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 44b23b488d44e56d467764ecb661830e5b02b308, < 3fc6401fafde11712a83089fa2cc874cfd10e2cd (git) |
| Linux | Linux | Affected: 44b23b488d44e56d467764ecb661830e5b02b308, < cd8316767099920a5d41feed1afab0c482a43e9f (git) |
| Linux | Linux | Affected: 44b23b488d44e56d467764ecb661830e5b02b308, < f26dd69f61eff2eedf5df2d199bdd23108309947 (git) |
| Linux | Linux | Affected: 44b23b488d44e56d467764ecb661830e5b02b308, < 61490d2710277e8a55009b7682456ae22f8087cf (git) |
| Linux | Linux | Affected: 44b23b488d44e56d467764ecb661830e5b02b308, < 9acdec72787af1bc8ed92711b52118c8e3e638a2 (git) |
| Linux | Linux | Affected: 44b23b488d44e56d467764ecb661830e5b02b308, < c766e37fccd5a5c5059be7efcd9618bf8a2c17c3 (git) |
| Linux | Linux | Affected: 44b23b488d44e56d467764ecb661830e5b02b308, < 0af54343a76263a12dbae7fafb64eb47c4a6ad38 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath9k/hif_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3fc6401fafde11712a83089fa2cc874cfd10e2cd",
"status": "affected",
"version": "44b23b488d44e56d467764ecb661830e5b02b308",
"versionType": "git"
},
{
"lessThan": "cd8316767099920a5d41feed1afab0c482a43e9f",
"status": "affected",
"version": "44b23b488d44e56d467764ecb661830e5b02b308",
"versionType": "git"
},
{
"lessThan": "f26dd69f61eff2eedf5df2d199bdd23108309947",
"status": "affected",
"version": "44b23b488d44e56d467764ecb661830e5b02b308",
"versionType": "git"
},
{
"lessThan": "61490d2710277e8a55009b7682456ae22f8087cf",
"status": "affected",
"version": "44b23b488d44e56d467764ecb661830e5b02b308",
"versionType": "git"
},
{
"lessThan": "9acdec72787af1bc8ed92711b52118c8e3e638a2",
"status": "affected",
"version": "44b23b488d44e56d467764ecb661830e5b02b308",
"versionType": "git"
},
{
"lessThan": "c766e37fccd5a5c5059be7efcd9618bf8a2c17c3",
"status": "affected",
"version": "44b23b488d44e56d467764ecb661830e5b02b308",
"versionType": "git"
},
{
"lessThan": "0af54343a76263a12dbae7fafb64eb47c4a6ad38",
"status": "affected",
"version": "44b23b488d44e56d467764ecb661830e5b02b308",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath9k/hif_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.38"
},
{
"lessThan": "2.6.38",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.276",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.235",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "2.6.38",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath9k: hif_usb: clean up skbs if ath9k_hif_usb_rx_stream() fails\n\nSyzkaller detected a memory leak of skbs in ath9k_hif_usb_rx_stream().\nWhile processing skbs in ath9k_hif_usb_rx_stream(), the already allocated\nskbs in skb_pool are not freed if ath9k_hif_usb_rx_stream() fails. If we\nhave an incorrect pkt_len or pkt_tag, the input skb is considered invalid\nand dropped. All the associated packets already in skb_pool should be\ndropped and freed. Added a comment describing this issue.\n\nThe patch also makes remain_skb NULL after being processed so that it\ncannot be referenced after potential free. The initialization of hif_dev\nfields which are associated with remain_skb (rx_remain_len,\nrx_transfer_len and rx_pad_len) is moved after a new remain_skb is\nallocated.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T14:21:27.451Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3fc6401fafde11712a83089fa2cc874cfd10e2cd"
},
{
"url": "https://git.kernel.org/stable/c/cd8316767099920a5d41feed1afab0c482a43e9f"
},
{
"url": "https://git.kernel.org/stable/c/f26dd69f61eff2eedf5df2d199bdd23108309947"
},
{
"url": "https://git.kernel.org/stable/c/61490d2710277e8a55009b7682456ae22f8087cf"
},
{
"url": "https://git.kernel.org/stable/c/9acdec72787af1bc8ed92711b52118c8e3e638a2"
},
{
"url": "https://git.kernel.org/stable/c/c766e37fccd5a5c5059be7efcd9618bf8a2c17c3"
},
{
"url": "https://git.kernel.org/stable/c/0af54343a76263a12dbae7fafb64eb47c4a6ad38"
}
],
"title": "wifi: ath9k: hif_usb: clean up skbs if ath9k_hif_usb_rx_stream() fails",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53199",
"datePublished": "2025-09-15T14:21:27.451Z",
"dateReserved": "2025-09-15T13:59:19.067Z",
"dateUpdated": "2025-09-15T14:21:27.451Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50431 (GCVE-0-2022-50431)
Vulnerability from cvelistv5 – Published: 2025-10-01 11:42 – Updated: 2025-10-01 11:42
Title
ALSA: aoa: i2sbus: fix possible memory leak in i2sbus_add_dev()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: aoa: i2sbus: fix possible memory leak in i2sbus_add_dev()
dev_set_name() in soundbus_add_one() allocates memory for name, it need be
freed when of_device_register() fails, call soundbus_dev_put() to give up
the reference that hold in device_initialize(), so that it can be freed in
kobject_cleanup() when the refcount hit to 0. And other resources are also
freed in i2sbus_release_dev(), so it can return 0 directly.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: f3d9478b2ce468c3115b02ecae7e975990697f15, < fd410d24665e4efb3c1796797181265efe553e9c (git) |
| Linux | Linux | Affected: f3d9478b2ce468c3115b02ecae7e975990697f15, < 802532a50acf501fdafe38a84ca2aa886d68af68 (git) |
| Linux | Linux | Affected: f3d9478b2ce468c3115b02ecae7e975990697f15, < 027fee10e3a400cf6f3237374a1248da1082807b (git) |
| Linux | Linux | Affected: f3d9478b2ce468c3115b02ecae7e975990697f15, < 5bdea674534153110b90d70b02f2fbaf48b2c0eb (git) |
| Linux | Linux | Affected: f3d9478b2ce468c3115b02ecae7e975990697f15, < ce6fd1c382a38b75557db85a2fe99d285540a03d (git) |
| Linux | Linux | Affected: f3d9478b2ce468c3115b02ecae7e975990697f15, < e81d7826b8f40430a1ea1b330e24d9a9eb4512c4 (git) |
| Linux | Linux | Affected: f3d9478b2ce468c3115b02ecae7e975990697f15, < c7524279c8ddc7dbf3463bec70e0289097959944 (git) |
| Linux | Linux | Affected: f3d9478b2ce468c3115b02ecae7e975990697f15, < 4a4c8482e370d697738a78dcd7bf2780832cb712 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/aoa/soundbus/i2sbus/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fd410d24665e4efb3c1796797181265efe553e9c",
"status": "affected",
"version": "f3d9478b2ce468c3115b02ecae7e975990697f15",
"versionType": "git"
},
{
"lessThan": "802532a50acf501fdafe38a84ca2aa886d68af68",
"status": "affected",
"version": "f3d9478b2ce468c3115b02ecae7e975990697f15",
"versionType": "git"
},
{
"lessThan": "027fee10e3a400cf6f3237374a1248da1082807b",
"status": "affected",
"version": "f3d9478b2ce468c3115b02ecae7e975990697f15",
"versionType": "git"
},
{
"lessThan": "5bdea674534153110b90d70b02f2fbaf48b2c0eb",
"status": "affected",
"version": "f3d9478b2ce468c3115b02ecae7e975990697f15",
"versionType": "git"
},
{
"lessThan": "ce6fd1c382a38b75557db85a2fe99d285540a03d",
"status": "affected",
"version": "f3d9478b2ce468c3115b02ecae7e975990697f15",
"versionType": "git"
},
{
"lessThan": "e81d7826b8f40430a1ea1b330e24d9a9eb4512c4",
"status": "affected",
"version": "f3d9478b2ce468c3115b02ecae7e975990697f15",
"versionType": "git"
},
{
"lessThan": "c7524279c8ddc7dbf3463bec70e0289097959944",
"status": "affected",
"version": "f3d9478b2ce468c3115b02ecae7e975990697f15",
"versionType": "git"
},
{
"lessThan": "4a4c8482e370d697738a78dcd7bf2780832cb712",
"status": "affected",
"version": "f3d9478b2ce468c3115b02ecae7e975990697f15",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/aoa/soundbus/i2sbus/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.18"
},
{
"lessThan": "2.6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.332",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.298",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.264",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.223",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.153",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.332",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.298",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.264",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.223",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.153",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.77",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.7",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "2.6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: aoa: i2sbus: fix possible memory leak in i2sbus_add_dev()\n\ndev_set_name() in soundbus_add_one() allocates memory for name, it need be\nfreed when of_device_register() fails, call soundbus_dev_put() to give up\nthe reference that hold in device_initialize(), so that it can be freed in\nkobject_cleanup() when the refcount hit to 0. And other resources are also\nfreed in i2sbus_release_dev(), so it can return 0 directly."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T11:42:09.700Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fd410d24665e4efb3c1796797181265efe553e9c"
},
{
"url": "https://git.kernel.org/stable/c/802532a50acf501fdafe38a84ca2aa886d68af68"
},
{
"url": "https://git.kernel.org/stable/c/027fee10e3a400cf6f3237374a1248da1082807b"
},
{
"url": "https://git.kernel.org/stable/c/5bdea674534153110b90d70b02f2fbaf48b2c0eb"
},
{
"url": "https://git.kernel.org/stable/c/ce6fd1c382a38b75557db85a2fe99d285540a03d"
},
{
"url": "https://git.kernel.org/stable/c/e81d7826b8f40430a1ea1b330e24d9a9eb4512c4"
},
{
"url": "https://git.kernel.org/stable/c/c7524279c8ddc7dbf3463bec70e0289097959944"
},
{
"url": "https://git.kernel.org/stable/c/4a4c8482e370d697738a78dcd7bf2780832cb712"
}
],
"title": "ALSA: aoa: i2sbus: fix possible memory leak in i2sbus_add_dev()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50431",
"datePublished": "2025-10-01T11:42:09.700Z",
"dateReserved": "2025-09-17T14:53:07.009Z",
"dateUpdated": "2025-10-01T11:42:09.700Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50367 (GCVE-0-2022-50367)
Vulnerability from cvelistv5 – Published: 2025-09-17 14:56 – Updated: 2026-01-14 18:42
Title
fs: fix UAF/GPF bug in nilfs_mdt_destroy
Summary
In the Linux kernel, the following vulnerability has been resolved:
fs: fix UAF/GPF bug in nilfs_mdt_destroy
In alloc_inode, inode_init_always() could return -ENOMEM if
security_inode_alloc() fails, which causes inode->i_private
uninitialized. Then nilfs_is_metadata_file_inode() returns
true and nilfs_free_inode() wrongly calls nilfs_mdt_destroy(),
which frees the uninitialized inode->i_private
and leads to crashes(e.g., UAF/GPF).
Fix this by moving security_inode_alloc just prior to
this_cpu_inc(nr_inodes)
Severity
7.8 (High)
CWE
- CWE-416 - Use After Free
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < d1ff475d7c83289d0a7faef346ea3bbf90818bad (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < c0aa76b0f17f59dd9c9d3463550a2986a1d592e4 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < ec2aab115eb38ac4992ea2fcc2a02fbe7af5cf48 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 70e4f70d54e0225f91814e8610477d65f33cefe4 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 1e555c3ed1fce4b278aaebe18a64a934cece57d8 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 64b79e632869ad3ef6c098a4731d559381da1115 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 81de80330fa6907aec32eb54c5619059e6e36452 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 2a96b532098284ecf8e4849b8b9e5fc7a28bdee9 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 2e488f13755ffbb60f307e991b27024716a33b29 (git) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-50367",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T18:35:10.102018Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T18:42:59.212Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d1ff475d7c83289d0a7faef346ea3bbf90818bad",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c0aa76b0f17f59dd9c9d3463550a2986a1d592e4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ec2aab115eb38ac4992ea2fcc2a02fbe7af5cf48",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "70e4f70d54e0225f91814e8610477d65f33cefe4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1e555c3ed1fce4b278aaebe18a64a934cece57d8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "64b79e632869ad3ef6c098a4731d559381da1115",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "81de80330fa6907aec32eb54c5619059e6e36452",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2a96b532098284ecf8e4849b8b9e5fc7a28bdee9",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2e488f13755ffbb60f307e991b27024716a33b29",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.331",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.296",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.262",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.218",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.148",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.73",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.331",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.296",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.262",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.218",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.148",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.73",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.15",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.1",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: fix UAF/GPF bug in nilfs_mdt_destroy\n\nIn alloc_inode, inode_init_always() could return -ENOMEM if\nsecurity_inode_alloc() fails, which causes inode-\u003ei_private\nuninitialized. Then nilfs_is_metadata_file_inode() returns\ntrue and nilfs_free_inode() wrongly calls nilfs_mdt_destroy(),\nwhich frees the uninitialized inode-\u003ei_private\nand leads to crashes(e.g., UAF/GPF).\n\nFix this by moving security_inode_alloc just prior to\nthis_cpu_inc(nr_inodes)"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-23T13:29:06.406Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d1ff475d7c83289d0a7faef346ea3bbf90818bad"
},
{
"url": "https://git.kernel.org/stable/c/c0aa76b0f17f59dd9c9d3463550a2986a1d592e4"
},
{
"url": "https://git.kernel.org/stable/c/ec2aab115eb38ac4992ea2fcc2a02fbe7af5cf48"
},
{
"url": "https://git.kernel.org/stable/c/70e4f70d54e0225f91814e8610477d65f33cefe4"
},
{
"url": "https://git.kernel.org/stable/c/1e555c3ed1fce4b278aaebe18a64a934cece57d8"
},
{
"url": "https://git.kernel.org/stable/c/64b79e632869ad3ef6c098a4731d559381da1115"
},
{
"url": "https://git.kernel.org/stable/c/81de80330fa6907aec32eb54c5619059e6e36452"
},
{
"url": "https://git.kernel.org/stable/c/2a96b532098284ecf8e4849b8b9e5fc7a28bdee9"
},
{
"url": "https://git.kernel.org/stable/c/2e488f13755ffbb60f307e991b27024716a33b29"
}
],
"title": "fs: fix UAF/GPF bug in nilfs_mdt_destroy",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50367",
"datePublished": "2025-09-17T14:56:23.190Z",
"dateReserved": "2025-09-17T14:53:06.995Z",
"dateUpdated": "2026-01-14T18:42:59.212Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49138 (GCVE-0-2022-49138)
Vulnerability from cvelistv5 – Published: 2025-02-26 01:55 – Updated: 2025-12-23 13:22
Title
Bluetooth: hci_event: Ignore multiple conn complete events
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_event: Ignore multiple conn complete events
When one of the three connection complete events is received multiple
times for the same handle, the device is registered multiple times which
leads to memory corruptions. Therefore, consequent events for a single
connection are ignored.
The conn->state can hold different values, therefore HCI_CONN_HANDLE_UNSET
is introduced to identify new connections. To make sure the events do not
contain this or another invalid handle HCI_CONN_HANDLE_MAX and checks
are introduced.
Buglink: https://bugzilla.kernel.org/show_bug.cgi?id=215497
Severity
No CVSS data available.
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/bluetooth/hci_core.h",
"net/bluetooth/hci_conn.c",
"net/bluetooth/hci_event.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "aa1ca580e3ffe62a2c5ea1c095b609b2943c5269",
"status": "affected",
"version": "7d0db0a373195385a2e0b19d1f5e4b186fdcffac",
"versionType": "git"
},
{
"lessThan": "d5ebaa7c5f6f688959e8d40840b2249ede63b8ed",
"status": "affected",
"version": "7d0db0a373195385a2e0b19d1f5e4b186fdcffac",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/bluetooth/hci_core.h",
"net/bluetooth/hci_conn.c",
"net/bluetooth/hci_event.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.27"
},
{
"lessThan": "2.6.27",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.3",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "2.6.27",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_event: Ignore multiple conn complete events\n\nWhen one of the three connection complete events is received multiple\ntimes for the same handle, the device is registered multiple times which\nleads to memory corruptions. Therefore, consequent events for a single\nconnection are ignored.\n\nThe conn-\u003estate can hold different values, therefore HCI_CONN_HANDLE_UNSET\nis introduced to identify new connections. To make sure the events do not\ncontain this or another invalid handle HCI_CONN_HANDLE_MAX and checks\nare introduced.\n\nBuglink: https://bugzilla.kernel.org/show_bug.cgi?id=215497"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-23T13:22:10.838Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/aa1ca580e3ffe62a2c5ea1c095b609b2943c5269"
},
{
"url": "https://git.kernel.org/stable/c/d5ebaa7c5f6f688959e8d40840b2249ede63b8ed"
}
],
"title": "Bluetooth: hci_event: Ignore multiple conn complete events",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49138",
"datePublished": "2025-02-26T01:55:10.632Z",
"dateReserved": "2025-02-26T01:49:39.268Z",
"dateUpdated": "2025-12-23T13:22:10.838Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53443 (GCVE-0-2023-53443)
Vulnerability from cvelistv5 – Published: 2025-09-18 16:04 – Updated: 2026-01-14 19:23
Title
mfd: arizona: Use pm_runtime_resume_and_get() to prevent refcnt leak
Summary
In the Linux kernel, the following vulnerability has been resolved:
mfd: arizona: Use pm_runtime_resume_and_get() to prevent refcnt leak
In arizona_clk32k_enable(), we should use pm_runtime_resume_and_get()
as pm_runtime_get_sync() will increase the refcnt even when it
returns an error.
Severity
5.5 (Medium)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 247fa1920deeb1064e36c0a34410f4d63503b3d4, < 7195e642b49af60d4120fa1b45bd812ba528174f (git) |
| Linux | Linux | Affected: 247fa1920deeb1064e36c0a34410f4d63503b3d4, < 754e81ff44061dda68da0fd4ef51bd1aa9fbf2cf (git) |
| Linux | Linux | Affected: 247fa1920deeb1064e36c0a34410f4d63503b3d4, < 5a47bb71b1a94a279144fc3031d3c4591b38dd16 (git) |
| Linux | Linux | Affected: 247fa1920deeb1064e36c0a34410f4d63503b3d4, < 9893771097b22a8743a446e45994a177795ca4da (git) |
| Linux | Linux | Affected: 247fa1920deeb1064e36c0a34410f4d63503b3d4, < dc9437e9889c3dacf1f320e3cf08da74127573fe (git) |
| Linux | Linux | Affected: 247fa1920deeb1064e36c0a34410f4d63503b3d4, < 4414a7ab80cebf715045e3c4d465feefbad21139 (git) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-53443",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T19:18:43.230462Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T19:23:11.241Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/mfd/arizona-core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7195e642b49af60d4120fa1b45bd812ba528174f",
"status": "affected",
"version": "247fa1920deeb1064e36c0a34410f4d63503b3d4",
"versionType": "git"
},
{
"lessThan": "754e81ff44061dda68da0fd4ef51bd1aa9fbf2cf",
"status": "affected",
"version": "247fa1920deeb1064e36c0a34410f4d63503b3d4",
"versionType": "git"
},
{
"lessThan": "5a47bb71b1a94a279144fc3031d3c4591b38dd16",
"status": "affected",
"version": "247fa1920deeb1064e36c0a34410f4d63503b3d4",
"versionType": "git"
},
{
"lessThan": "9893771097b22a8743a446e45994a177795ca4da",
"status": "affected",
"version": "247fa1920deeb1064e36c0a34410f4d63503b3d4",
"versionType": "git"
},
{
"lessThan": "dc9437e9889c3dacf1f320e3cf08da74127573fe",
"status": "affected",
"version": "247fa1920deeb1064e36c0a34410f4d63503b3d4",
"versionType": "git"
},
{
"lessThan": "4414a7ab80cebf715045e3c4d465feefbad21139",
"status": "affected",
"version": "247fa1920deeb1064e36c0a34410f4d63503b3d4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/mfd/arizona-core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.10"
},
{
"lessThan": "3.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.100",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.235",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.100",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.18",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.5",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "3.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmfd: arizona: Use pm_runtime_resume_and_get() to prevent refcnt leak\n\nIn arizona_clk32k_enable(), we should use pm_runtime_resume_and_get()\nas pm_runtime_get_sync() will increase the refcnt even when it\nreturns an error."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:20:29.352Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7195e642b49af60d4120fa1b45bd812ba528174f"
},
{
"url": "https://git.kernel.org/stable/c/754e81ff44061dda68da0fd4ef51bd1aa9fbf2cf"
},
{
"url": "https://git.kernel.org/stable/c/5a47bb71b1a94a279144fc3031d3c4591b38dd16"
},
{
"url": "https://git.kernel.org/stable/c/9893771097b22a8743a446e45994a177795ca4da"
},
{
"url": "https://git.kernel.org/stable/c/dc9437e9889c3dacf1f320e3cf08da74127573fe"
},
{
"url": "https://git.kernel.org/stable/c/4414a7ab80cebf715045e3c4d465feefbad21139"
}
],
"title": "mfd: arizona: Use pm_runtime_resume_and_get() to prevent refcnt leak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53443",
"datePublished": "2025-09-18T16:04:19.884Z",
"dateReserved": "2025-09-17T14:54:09.752Z",
"dateUpdated": "2026-01-14T19:23:11.241Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38735 (GCVE-0-2025-38735)
Vulnerability from cvelistv5 – Published: 2025-09-05 17:20 – Updated: 2025-11-03 17:42
Title
gve: prevent ethtool ops after shutdown
Summary
In the Linux kernel, the following vulnerability has been resolved:
gve: prevent ethtool ops after shutdown
A crash can occur if an ethtool operation is invoked
after shutdown() is called.
shutdown() is invoked during system shutdown to stop DMA operations
without performing expensive deallocations. It is discouraged to
unregister the netdev in this path, so the device may still be visible
to userspace and kernel helpers.
In gve, shutdown() tears down most internal data structures. If an
ethtool operation is dispatched after shutdown(), it will dereference
freed or NULL pointers, leading to a kernel panic. While graceful
shutdown normally quiesces userspace before invoking the reboot
syscall, forced shutdowns (as observed on GCP VMs) can still trigger
this path.
Fix by calling netif_device_detach() in shutdown().
This marks the device as detached so the ethtool ioctl handler
will skip dispatching operations to the driver.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 974365e518617c9ce917f61aacbba07e4bedcca0, < 48a4e89d50e8ea52e800bc7865970b92fcf4647c (git) |
| Linux | Linux | Affected: 974365e518617c9ce917f61aacbba07e4bedcca0, < ba51d73408edf815cbaeab148625576c2dd90192 (git) |
| Linux | Linux | Affected: 974365e518617c9ce917f61aacbba07e4bedcca0, < a7efffeecb881b4649fdc30de020ef910f35d646 (git) |
| Linux | Linux | Affected: 974365e518617c9ce917f61aacbba07e4bedcca0, < 9d8a41e9a4ff83ff666de811e7f012167cdc00e9 (git) |
| Linux | Linux | Affected: 974365e518617c9ce917f61aacbba07e4bedcca0, < 75a9a46d67f46d608205888f9b34e315c1786345 (git) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:42:05.176Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/google/gve/gve_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "48a4e89d50e8ea52e800bc7865970b92fcf4647c",
"status": "affected",
"version": "974365e518617c9ce917f61aacbba07e4bedcca0",
"versionType": "git"
},
{
"lessThan": "ba51d73408edf815cbaeab148625576c2dd90192",
"status": "affected",
"version": "974365e518617c9ce917f61aacbba07e4bedcca0",
"versionType": "git"
},
{
"lessThan": "a7efffeecb881b4649fdc30de020ef910f35d646",
"status": "affected",
"version": "974365e518617c9ce917f61aacbba07e4bedcca0",
"versionType": "git"
},
{
"lessThan": "9d8a41e9a4ff83ff666de811e7f012167cdc00e9",
"status": "affected",
"version": "974365e518617c9ce917f61aacbba07e4bedcca0",
"versionType": "git"
},
{
"lessThan": "75a9a46d67f46d608205888f9b34e315c1786345",
"status": "affected",
"version": "974365e518617c9ce917f61aacbba07e4bedcca0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/google/gve/gve_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.44",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.44",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.4",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngve: prevent ethtool ops after shutdown\n\nA crash can occur if an ethtool operation is invoked\nafter shutdown() is called.\n\nshutdown() is invoked during system shutdown to stop DMA operations\nwithout performing expensive deallocations. It is discouraged to\nunregister the netdev in this path, so the device may still be visible\nto userspace and kernel helpers.\n\nIn gve, shutdown() tears down most internal data structures. If an\nethtool operation is dispatched after shutdown(), it will dereference\nfreed or NULL pointers, leading to a kernel panic. While graceful\nshutdown normally quiesces userspace before invoking the reboot\nsyscall, forced shutdowns (as observed on GCP VMs) can still trigger\nthis path.\n\nFix by calling netif_device_detach() in shutdown().\nThis marks the device as detached so the ethtool ioctl handler\nwill skip dispatching operations to the driver."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:57:04.320Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/48a4e89d50e8ea52e800bc7865970b92fcf4647c"
},
{
"url": "https://git.kernel.org/stable/c/ba51d73408edf815cbaeab148625576c2dd90192"
},
{
"url": "https://git.kernel.org/stable/c/a7efffeecb881b4649fdc30de020ef910f35d646"
},
{
"url": "https://git.kernel.org/stable/c/9d8a41e9a4ff83ff666de811e7f012167cdc00e9"
},
{
"url": "https://git.kernel.org/stable/c/75a9a46d67f46d608205888f9b34e315c1786345"
}
],
"title": "gve: prevent ethtool ops after shutdown",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38735",
"datePublished": "2025-09-05T17:20:35.459Z",
"dateReserved": "2025-04-16T04:51:24.034Z",
"dateUpdated": "2025-11-03T17:42:05.176Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50250 (GCVE-0-2022-50250)
Vulnerability from cvelistv5 – Published: 2025-09-15 14:02 – Updated: 2025-12-23 13:27
Title
regulator: core: fix use_count leakage when handling boot-on
Summary
In the Linux kernel, the following vulnerability has been resolved:
regulator: core: fix use_count leakage when handling boot-on
I found a use_count leakage towards supply regulator of rdev with
boot-on option.
┌───────────────────┐ ┌───────────────────┐
│ regulator_dev A │ │ regulator_dev B │
│ (boot-on) │ │ (boot-on) │
│ use_count=0 │◀──supply──│ use_count=1 │
│ │ │ │
└───────────────────┘ └───────────────────┘
In case of rdev(A) configured with `regulator-boot-on', the use_count
of supplying regulator(B) will increment inside
regulator_enable(rdev->supply).
Thus, B will act like always-on, and further balanced
regulator_enable/disable cannot actually disable it anymore.
However, B was also configured with `regulator-boot-on', we wish it
could be disabled afterwards.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: dc1b1d7faf616ed663d0bba9be5abb4d1ed35d01, < dc3391d49479bc2bf8a2b88dbf86fdd800882fee (git) |
| Linux | Linux | Affected: f44b07472f29ae313ce875dc7b9c75b100c608b8, < 5bfc53df288e8ea54ca6866fb92034214940183f (git) |
| Linux | Linux | Affected: 089b3f61ecfc43ca4ea26d595e1d31ead6de3f7b, < 4b737246ff50f810d6ab4be13c1388a07f0c14b1 (git) |
| Linux | Linux | Affected: 089b3f61ecfc43ca4ea26d595e1d31ead6de3f7b, < feb847e6591e8c7a09cc39721cc9ca74fd9a5d80 (git) |
| Linux | Linux | Affected: 089b3f61ecfc43ca4ea26d595e1d31ead6de3f7b, < 4dd6e1cc9c7403f1ee1b7eee85bc31b797ae8347 (git) |
| Linux | Linux | Affected: 089b3f61ecfc43ca4ea26d595e1d31ead6de3f7b, < bc6c381df5793ebcf32db88a3e65acf7870379fc (git) |
| Linux | Linux | Affected: 089b3f61ecfc43ca4ea26d595e1d31ead6de3f7b, < 0591b14ce0398125439c759f889647369aa616a0 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/regulator/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "dc3391d49479bc2bf8a2b88dbf86fdd800882fee",
"status": "affected",
"version": "dc1b1d7faf616ed663d0bba9be5abb4d1ed35d01",
"versionType": "git"
},
{
"lessThan": "5bfc53df288e8ea54ca6866fb92034214940183f",
"status": "affected",
"version": "f44b07472f29ae313ce875dc7b9c75b100c608b8",
"versionType": "git"
},
{
"lessThan": "4b737246ff50f810d6ab4be13c1388a07f0c14b1",
"status": "affected",
"version": "089b3f61ecfc43ca4ea26d595e1d31ead6de3f7b",
"versionType": "git"
},
{
"lessThan": "feb847e6591e8c7a09cc39721cc9ca74fd9a5d80",
"status": "affected",
"version": "089b3f61ecfc43ca4ea26d595e1d31ead6de3f7b",
"versionType": "git"
},
{
"lessThan": "4dd6e1cc9c7403f1ee1b7eee85bc31b797ae8347",
"status": "affected",
"version": "089b3f61ecfc43ca4ea26d595e1d31ead6de3f7b",
"versionType": "git"
},
{
"lessThan": "bc6c381df5793ebcf32db88a3e65acf7870379fc",
"status": "affected",
"version": "089b3f61ecfc43ca4ea26d595e1d31ead6de3f7b",
"versionType": "git"
},
{
"lessThan": "0591b14ce0398125439c759f889647369aa616a0",
"status": "affected",
"version": "089b3f61ecfc43ca4ea26d595e1d31ead6de3f7b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/regulator/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "4.19.226",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "5.4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nregulator: core: fix use_count leakage when handling boot-on\n\nI found a use_count leakage towards supply regulator of rdev with\nboot-on option.\n\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510 \u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502 regulator_dev A \u2502 \u2502 regulator_dev B \u2502\n\u2502 (boot-on) \u2502 \u2502 (boot-on) \u2502\n\u2502 use_count=0 \u2502\u25c0\u2500\u2500supply\u2500\u2500\u2502 use_count=1 \u2502\n\u2502 \u2502 \u2502 \u2502\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518 \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n\nIn case of rdev(A) configured with `regulator-boot-on\u0027, the use_count\nof supplying regulator(B) will increment inside\nregulator_enable(rdev-\u003esupply).\n\nThus, B will acts like always-on, and further balanced\nregulator_enable/disable cannot actually disable it anymore.\n\nHowever, B was also configured with `regulator-boot-on\u0027, we wish it\ncould be disabled afterwards."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-23T13:27:27.144Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/dc3391d49479bc2bf8a2b88dbf86fdd800882fee"
},
{
"url": "https://git.kernel.org/stable/c/5bfc53df288e8ea54ca6866fb92034214940183f"
},
{
"url": "https://git.kernel.org/stable/c/4b737246ff50f810d6ab4be13c1388a07f0c14b1"
},
{
"url": "https://git.kernel.org/stable/c/feb847e6591e8c7a09cc39721cc9ca74fd9a5d80"
},
{
"url": "https://git.kernel.org/stable/c/4dd6e1cc9c7403f1ee1b7eee85bc31b797ae8347"
},
{
"url": "https://git.kernel.org/stable/c/bc6c381df5793ebcf32db88a3e65acf7870379fc"
},
{
"url": "https://git.kernel.org/stable/c/0591b14ce0398125439c759f889647369aa616a0"
}
],
"title": "regulator: core: fix use_count leakage when handling boot-on",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50250",
"datePublished": "2025-09-15T14:02:10.117Z",
"dateReserved": "2025-09-15T13:58:00.973Z",
"dateUpdated": "2025-12-23T13:27:27.144Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39806 (GCVE-0-2025-39806)
Vulnerability from cvelistv5 – Published: 2025-09-16 13:00 – Updated: 2025-11-03 17:43
Title
HID: multitouch: fix slab out-of-bounds access in mt_report_fixup()
Summary
In the Linux kernel, the following vulnerability has been resolved:
HID: multitouch: fix slab out-of-bounds access in mt_report_fixup()
A malicious HID device can trigger a slab out-of-bounds during
mt_report_fixup() by passing in a report descriptor smaller than
607 bytes. mt_report_fixup() attempts to patch byte offset 607
of the descriptor with 0x25 by first checking if byte offset
607 is 0x15; however, it lacks bounds checks to verify if the
descriptor is big enough before conducting this check. Fix
this bug by ensuring the descriptor size is at least 608
bytes before accessing it.
Below is the KASAN splat after the out of bounds access happens:
[ 13.671954] ==================================================================
[ 13.672667] BUG: KASAN: slab-out-of-bounds in mt_report_fixup+0x103/0x110
[ 13.673297] Read of size 1 at addr ffff888103df39df by task kworker/0:1/10
[ 13.673297]
[ 13.673297] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Not tainted 6.15.0-00005-gec5d573d83f4-dirty #3
[ 13.673297] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/04
[ 13.673297] Call Trace:
[ 13.673297] <TASK>
[ 13.673297] dump_stack_lvl+0x5f/0x80
[ 13.673297] print_report+0xd1/0x660
[ 13.673297] kasan_report+0xe5/0x120
[ 13.673297] __asan_report_load1_noabort+0x18/0x20
[ 13.673297] mt_report_fixup+0x103/0x110
[ 13.673297] hid_open_report+0x1ef/0x810
[ 13.673297] mt_probe+0x422/0x960
[ 13.673297] hid_device_probe+0x2e2/0x6f0
[ 13.673297] really_probe+0x1c6/0x6b0
[ 13.673297] __driver_probe_device+0x24f/0x310
[ 13.673297] driver_probe_device+0x4e/0x220
[ 13.673297] __device_attach_driver+0x169/0x320
[ 13.673297] bus_for_each_drv+0x11d/0x1b0
[ 13.673297] __device_attach+0x1b8/0x3e0
[ 13.673297] device_initial_probe+0x12/0x20
[ 13.673297] bus_probe_device+0x13d/0x180
[ 13.673297] device_add+0xe3a/0x1670
[ 13.673297] hid_add_device+0x31d/0xa40
[...]
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 7d91a0b2151a9c3b61d44c85c8eba930eddd1dd0 , < 4263e5851779f7d8ebfbc9cc7d2e9b0217adba8d (git) |
| Linux | Linux | Affected: 45ec9f17ce46417fc4eccecf388c99e81fb7fcc1 , < 7ab7311c43ae19c66c53ccd8c5052a9072a4e338 (git) |
| Linux | Linux | Affected: 1d5c7d0a49ec9d8786f266ac6d1d7c4960e1787b , < d4e6e2680807671e1c73cd6a986b33659ce92f2b (git) |
| Linux | Linux | Affected: c8000deb68365b461b324d68c7ea89d730f0bb85 , < 3055309821dd3da92888f88bad10f0324c3c89fe (git) |
| Linux | Linux | Affected: c8000deb68365b461b324d68c7ea89d730f0bb85 , < c13e95587583d018cfbcc277df7e02d41902ac5a (git) |
| Linux | Linux | Affected: c8000deb68365b461b324d68c7ea89d730f0bb85 , < 0379eb8691b9c4477da0277ae0832036ca4410b4 (git) |
| Linux | Linux | Affected: d189e24a42b8bd0ece3d28801d751bf66dba8e92 (git) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:43:32.753Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-multitouch.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4263e5851779f7d8ebfbc9cc7d2e9b0217adba8d",
"status": "affected",
"version": "7d91a0b2151a9c3b61d44c85c8eba930eddd1dd0",
"versionType": "git"
},
{
"lessThan": "7ab7311c43ae19c66c53ccd8c5052a9072a4e338",
"status": "affected",
"version": "45ec9f17ce46417fc4eccecf388c99e81fb7fcc1",
"versionType": "git"
},
{
"lessThan": "d4e6e2680807671e1c73cd6a986b33659ce92f2b",
"status": "affected",
"version": "1d5c7d0a49ec9d8786f266ac6d1d7c4960e1787b",
"versionType": "git"
},
{
"lessThan": "3055309821dd3da92888f88bad10f0324c3c89fe",
"status": "affected",
"version": "c8000deb68365b461b324d68c7ea89d730f0bb85",
"versionType": "git"
},
{
"lessThan": "c13e95587583d018cfbcc277df7e02d41902ac5a",
"status": "affected",
"version": "c8000deb68365b461b324d68c7ea89d730f0bb85",
"versionType": "git"
},
{
"lessThan": "0379eb8691b9c4477da0277ae0832036ca4410b4",
"status": "affected",
"version": "c8000deb68365b461b324d68c7ea89d730f0bb85",
"versionType": "git"
},
{
"status": "affected",
"version": "d189e24a42b8bd0ece3d28801d751bf66dba8e92",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-multitouch.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.11"
},
{
"lessThan": "6.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.191",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.104",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.45",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.191",
"versionStartIncluding": "5.15.168",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.150",
"versionStartIncluding": "6.1.111",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.104",
"versionStartIncluding": "6.6.52",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.45",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.5",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.10.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: multitouch: fix slab out-of-bounds access in mt_report_fixup()\n\nA malicious HID device can trigger a slab out-of-bounds during\nmt_report_fixup() by passing in report descriptor smaller than\n607 bytes. mt_report_fixup() attempts to patch byte offset 607\nof the descriptor with 0x25 by first checking if byte offset\n607 is 0x15 however it lacks bounds checks to verify if the\ndescriptor is big enough before conducting this check. Fix\nthis bug by ensuring the descriptor size is at least 608\nbytes before accessing it.\n\nBelow is the KASAN splat after the out of bounds access happens:\n\n[ 13.671954] ==================================================================\n[ 13.672667] BUG: KASAN: slab-out-of-bounds in mt_report_fixup+0x103/0x110\n[ 13.673297] Read of size 1 at addr ffff888103df39df by task kworker/0:1/10\n[ 13.673297]\n[ 13.673297] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Not tainted 6.15.0-00005-gec5d573d83f4-dirty #3\n[ 13.673297] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/04\n[ 13.673297] Call Trace:\n[ 13.673297] \u003cTASK\u003e\n[ 13.673297] dump_stack_lvl+0x5f/0x80\n[ 13.673297] print_report+0xd1/0x660\n[ 13.673297] kasan_report+0xe5/0x120\n[ 13.673297] __asan_report_load1_noabort+0x18/0x20\n[ 13.673297] mt_report_fixup+0x103/0x110\n[ 13.673297] hid_open_report+0x1ef/0x810\n[ 13.673297] mt_probe+0x422/0x960\n[ 13.673297] hid_device_probe+0x2e2/0x6f0\n[ 13.673297] really_probe+0x1c6/0x6b0\n[ 13.673297] __driver_probe_device+0x24f/0x310\n[ 13.673297] driver_probe_device+0x4e/0x220\n[ 13.673297] __device_attach_driver+0x169/0x320\n[ 13.673297] bus_for_each_drv+0x11d/0x1b0\n[ 13.673297] __device_attach+0x1b8/0x3e0\n[ 13.673297] device_initial_probe+0x12/0x20\n[ 13.673297] bus_probe_device+0x13d/0x180\n[ 13.673297] device_add+0xe3a/0x1670\n[ 13.673297] hid_add_device+0x31d/0xa40\n[...]"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:59:48.576Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4263e5851779f7d8ebfbc9cc7d2e9b0217adba8d"
},
{
"url": "https://git.kernel.org/stable/c/7ab7311c43ae19c66c53ccd8c5052a9072a4e338"
},
{
"url": "https://git.kernel.org/stable/c/d4e6e2680807671e1c73cd6a986b33659ce92f2b"
},
{
"url": "https://git.kernel.org/stable/c/3055309821dd3da92888f88bad10f0324c3c89fe"
},
{
"url": "https://git.kernel.org/stable/c/c13e95587583d018cfbcc277df7e02d41902ac5a"
},
{
"url": "https://git.kernel.org/stable/c/0379eb8691b9c4477da0277ae0832036ca4410b4"
}
],
"title": "HID: multitouch: fix slab out-of-bounds access in mt_report_fixup()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39806",
"datePublished": "2025-09-16T13:00:09.524Z",
"dateReserved": "2025-04-16T07:20:57.136Z",
"dateUpdated": "2025-11-03T17:43:32.753Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-3772 (GCVE-0-2023-3772)
Vulnerability from cvelistv5 – Published: 2023-07-25 15:47 – Updated: 2025-11-07 13:03
Title
Kernel: xfrm: null pointer dereference in xfrm_update_ae_params()
Summary
A flaw was found in the Linux kernel’s IP framework for transforming packets (XFRM subsystem). This issue may allow a malicious user with CAP_NET_ADMIN privileges to directly dereference a NULL pointer in xfrm_update_ae_params(), leading to a possible kernel crash and denial of service.
Severity
5.5 (Medium)
CWE
- CWE-476 - NULL Pointer Dereference
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Red Hat | Red Hat Enterprise Linux 8 | Unaffected: 0:4.18.0-513.5.1.rt7.307.el8_9 , < * (rpm); cpe:/a:redhat:enterprise_linux:8::realtime cpe:/a:redhat:enterprise_linux:8::nfv |
Credits
Red Hat would like to thank Lin Ma (ZJU & Ant Security Light-Year Lab) for reporting this issue.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:08:49.645Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2023/08/10/1"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2023/08/10/3"
},
{
"name": "RHSA-2023:6583",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2023:6583"
},
{
"name": "RHSA-2023:6901",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2023:6901"
},
{
"name": "RHSA-2023:7077",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2023:7077"
},
{
"name": "RHSA-2024:0412",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2024:0412"
},
{
"name": "RHSA-2024:0575",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2024:0575"
},
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/CVE-2023-3772"
},
{
"name": "RHBZ#2218943",
"tags": [
"issue-tracking",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2218943"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00027.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00004.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.debian.org/security/2023/dsa-5492"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::realtime",
"cpe:/a:redhat:enterprise_linux:8::nfv"
],
"defaultStatus": "affected",
"packageName": "kernel-rt",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:4.18.0-513.5.1.rt7.307.el8_9",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:8::baseos",
"cpe:/a:redhat:enterprise_linux:8::crb"
],
"defaultStatus": "affected",
"packageName": "kernel",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:4.18.0-513.5.1.el8_9",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:rhel_eus:8.6::baseos",
"cpe:/a:redhat:rhel_eus:8.6::crb",
"cpe:/o:redhat:rhev_hypervisor:4.4::el8"
],
"defaultStatus": "affected",
"packageName": "kernel",
"product": "Red Hat Enterprise Linux 8.6 Extended Update Support",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:4.18.0-372.87.1.el8_6",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:rhel_eus:8.8::crb",
"cpe:/o:redhat:rhel_eus:8.8::baseos"
],
"defaultStatus": "affected",
"packageName": "kernel",
"product": "Red Hat Enterprise Linux 8.8 Extended Update Support",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:4.18.0-477.43.1.el8_8",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::appstream",
"cpe:/a:redhat:enterprise_linux:9::nfv",
"cpe:/o:redhat:enterprise_linux:9::baseos",
"cpe:/a:redhat:enterprise_linux:9::crb",
"cpe:/a:redhat:enterprise_linux:9::realtime"
],
"defaultStatus": "affected",
"packageName": "kernel",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:5.14.0-362.8.1.el9_3",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::appstream",
"cpe:/a:redhat:enterprise_linux:9::nfv",
"cpe:/o:redhat:enterprise_linux:9::baseos",
"cpe:/a:redhat:enterprise_linux:9::crb",
"cpe:/a:redhat:enterprise_linux:9::realtime"
],
"defaultStatus": "affected",
"packageName": "kernel",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:5.14.0-362.8.1.el9_3",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:rhel_eus:8.6::baseos",
"cpe:/a:redhat:rhel_eus:8.6::crb",
"cpe:/o:redhat:rhev_hypervisor:4.4::el8"
],
"defaultStatus": "affected",
"packageName": "kernel",
"product": "Red Hat Virtualization 4 for Red Hat Enterprise Linux 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:4.18.0-372.87.1.el8_6",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "unknown",
"packageName": "kernel",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unknown",
"packageName": "kernel",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unknown",
"packageName": "kernel-rt",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"packageName": "kernel-rt",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
}
],
"credits": [
{
"lang": "en",
"value": "Red Hat would like to thank Lin Ma (ZJU \u0026 Ant Security Light-Year Lab) for reporting this issue."
}
],
"datePublic": "2023-07-21T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the Linux kernel\u2019s IP framework for transforming packets (XFRM subsystem). This issue may allow a malicious user with CAP_NET_ADMIN privileges to directly dereference a NULL pointer in xfrm_update_ae_params(), leading to a possible kernel crash and denial of service."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Moderate"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-07T13:03:42.167Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "RHSA-2023:6583",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2023:6583"
},
{
"name": "RHSA-2023:6901",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2023:6901"
},
{
"name": "RHSA-2023:7077",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2023:7077"
},
{
"name": "RHSA-2024:0412",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:0412"
},
{
"name": "RHSA-2024:0575",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:0575"
},
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2023-3772"
},
{
"name": "RHBZ#2218943",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2218943"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-06-29T00:00:00+00:00",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2023-07-21T00:00:00+00:00",
"value": "Made public."
}
],
"title": "Kernel: xfrm: null pointer dereference in xfrm_update_ae_params()",
"x_redhatCweChain": "CWE-476: NULL Pointer Dereference"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2023-3772",
"datePublished": "2023-07-25T15:47:40.183Z",
"dateReserved": "2023-07-19T13:55:07.799Z",
"dateUpdated": "2025-11-07T13:03:42.167Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38702 (GCVE-0-2025-38702)
Vulnerability from cvelistv5 – Published: 2025-09-04 15:32 – Updated: 2026-01-02 15:31
Title
fbdev: fix potential buffer overflow in do_register_framebuffer()
Summary
In the Linux kernel, the following vulnerability has been resolved:
fbdev: fix potential buffer overflow in do_register_framebuffer()
The current implementation may lead to buffer overflow when:
1. Unregistration creates NULL gaps in registered_fb[]
2. All array slots become occupied despite num_registered_fb < FB_MAX
3. The registration loop exceeds array bounds
Add boundary check to prevent registered_fb[FB_MAX] access.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 5c3f5a25c62230b7965804ce7a2e9305c3ca3961 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < cbe740de32bb0fb7a5213731ff5f26ea6718fca3 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 806f85bdd3a60187c21437fc51baace11f659f35 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 2828a433c7d7a05b6f27c8148502095101dd0b09 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 248b2aab9b2af5ecf89d9d7955a2ff20c4b4a399 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 523b84dc7ccea9c4d79126d6ed1cf9033cf83b05 (git) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:41:34.563Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/core/fbmem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5c3f5a25c62230b7965804ce7a2e9305c3ca3961",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "cbe740de32bb0fb7a5213731ff5f26ea6718fca3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "806f85bdd3a60187c21437fc51baace11f659f35",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2828a433c7d7a05b6f27c8148502095101dd0b09",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "248b2aab9b2af5ecf89d9d7955a2ff20c4b4a399",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "523b84dc7ccea9c4d79126d6ed1cf9033cf83b05",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/core/fbmem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.43",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.11",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.2",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: fix potential buffer overflow in do_register_framebuffer()\n\nThe current implementation may lead to buffer overflow when:\n1. Unregistration creates NULL gaps in registered_fb[]\n2. All array slots become occupied despite num_registered_fb \u003c FB_MAX\n3. The registration loop exceeds array bounds\n\nAdd boundary check to prevent registered_fb[FB_MAX] access."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:31:24.690Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5c3f5a25c62230b7965804ce7a2e9305c3ca3961"
},
{
"url": "https://git.kernel.org/stable/c/cbe740de32bb0fb7a5213731ff5f26ea6718fca3"
},
{
"url": "https://git.kernel.org/stable/c/806f85bdd3a60187c21437fc51baace11f659f35"
},
{
"url": "https://git.kernel.org/stable/c/2828a433c7d7a05b6f27c8148502095101dd0b09"
},
{
"url": "https://git.kernel.org/stable/c/248b2aab9b2af5ecf89d9d7955a2ff20c4b4a399"
},
{
"url": "https://git.kernel.org/stable/c/523b84dc7ccea9c4d79126d6ed1cf9033cf83b05"
}
],
"title": "fbdev: fix potential buffer overflow in do_register_framebuffer()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38702",
"datePublished": "2025-09-04T15:32:53.990Z",
"dateReserved": "2025-04-16T04:51:24.032Z",
"dateUpdated": "2026-01-02T15:31:24.690Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53431 (GCVE-0-2023-53431)
Vulnerability from cvelistv5 – Published: 2025-09-18 16:04 – Updated: 2026-01-14 19:23
Title
scsi: ses: Handle enclosure with just a primary component gracefully
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: ses: Handle enclosure with just a primary component gracefully
This reverts commit 3fe97ff3d949 ("scsi: ses: Don't attach if enclosure
has no components") and introduces proper handling of case where there are
no detected secondary components, but primary component (enumerated in
num_enclosures) does exist. That fix was originally proposed by Ding Hui
<dinghui@sangfor.com.cn>.
Completely ignoring devices that have one primary enclosure and no
secondary one results in ses_intf_add() bailing completely
scsi 2:0:0:254: enclosure has no enumerated components
scsi 2:0:0:254: Failed to bind enclosure -12ven in valid configurations such
even on valid configurations with 1 primary and 0 secondary enclosures as
below:
# sg_ses /dev/sg0
3PARdata SES 3321
Supported diagnostic pages:
Supported Diagnostic Pages [sdp] [0x0]
Configuration (SES) [cf] [0x1]
Short Enclosure Status (SES) [ses] [0x8]
# sg_ses -p cf /dev/sg0
3PARdata SES 3321
Configuration diagnostic page:
number of secondary subenclosures: 0
generation code: 0x0
enclosure descriptor list
Subenclosure identifier: 0 [primary]
relative ES process id: 0, number of ES processes: 1
number of type descriptor headers: 1
enclosure logical identifier (hex): 20000002ac02068d
enclosure vendor: 3PARdata product: VV rev: 3321
type descriptor header and text list
Element type: Unspecified, subenclosure id: 0
number of possible elements: 1
The changelog for the original fix follows
=====
We can get a crash when disconnecting the iSCSI session,
the call trace like this:
[ffff00002a00fb70] kfree at ffff00000830e224
[ffff00002a00fba0] ses_intf_remove at ffff000001f200e4
[ffff00002a00fbd0] device_del at ffff0000086b6a98
[ffff00002a00fc50] device_unregister at ffff0000086b6d58
[ffff00002a00fc70] __scsi_remove_device at ffff00000870608c
[ffff00002a00fca0] scsi_remove_device at ffff000008706134
[ffff00002a00fcc0] __scsi_remove_target at ffff0000087062e4
[ffff00002a00fd10] scsi_remove_target at ffff0000087064c0
[ffff00002a00fd70] __iscsi_unbind_session at ffff000001c872c4
[ffff00002a00fdb0] process_one_work at ffff00000810f35c
[ffff00002a00fe00] worker_thread at ffff00000810f648
[ffff00002a00fe70] kthread at ffff000008116e98
In ses_intf_add, components count could be 0, and kcalloc 0 size scomp,
but not saved in edev->component[i].scratch
In this situation, edev->component[0].scratch is an invalid pointer,
when kfree it in ses_intf_remove_enclosure, a crash like above would happen
The call trace also could be other random cases when kfree cannot catch
the invalid pointer
We should not use edev->component[] array when the components count is 0
We also need check index when use edev->component[] array in
ses_enclosure_data_process
=====
Severity
5.5 (Medium)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 9927c68864e9c39cc317b4f559309ba29e642168 , < 4e7c498c3713b09bef20c76c7319555637e8bbd5 (git) |
| Linux | Linux | Affected: 9927c68864e9c39cc317b4f559309ba29e642168 , < 110d425cdfb15006f3c4fde5264e786a247b6b36 (git) |
| Linux | Linux | Affected: 9927c68864e9c39cc317b4f559309ba29e642168 , < 176d7345b89ced72020a313bfa4e7f345d1c3aed (git) |
| Linux | Linux | Affected: 9927c68864e9c39cc317b4f559309ba29e642168 , < 05143d90ac90b7abc6692285895a1ef460e008ee (git) |
| Linux | Linux | Affected: 9927c68864e9c39cc317b4f559309ba29e642168 , < f8e702c54413eee2d8f94f61d18adadac7c87e87 (git) |
| Linux | Linux | Affected: 9927c68864e9c39cc317b4f559309ba29e642168 , < eabc4872f172ecb8dd8536bc366a51868154a450 (git) |
| Linux | Linux | Affected: 9927c68864e9c39cc317b4f559309ba29e642168 , < c8e22b7a1694bb8d025ea636816472739d859145 (git) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-53431",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T19:15:06.852762Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T19:23:09.474Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/ses.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4e7c498c3713b09bef20c76c7319555637e8bbd5",
"status": "affected",
"version": "9927c68864e9c39cc317b4f559309ba29e642168",
"versionType": "git"
},
{
"lessThan": "110d425cdfb15006f3c4fde5264e786a247b6b36",
"status": "affected",
"version": "9927c68864e9c39cc317b4f559309ba29e642168",
"versionType": "git"
},
{
"lessThan": "176d7345b89ced72020a313bfa4e7f345d1c3aed",
"status": "affected",
"version": "9927c68864e9c39cc317b4f559309ba29e642168",
"versionType": "git"
},
{
"lessThan": "05143d90ac90b7abc6692285895a1ef460e008ee",
"status": "affected",
"version": "9927c68864e9c39cc317b4f559309ba29e642168",
"versionType": "git"
},
{
"lessThan": "f8e702c54413eee2d8f94f61d18adadac7c87e87",
"status": "affected",
"version": "9927c68864e9c39cc317b4f559309ba29e642168",
"versionType": "git"
},
{
"lessThan": "eabc4872f172ecb8dd8536bc366a51868154a450",
"status": "affected",
"version": "9927c68864e9c39cc317b4f559309ba29e642168",
"versionType": "git"
},
{
"lessThan": "c8e22b7a1694bb8d025ea636816472739d859145",
"status": "affected",
"version": "9927c68864e9c39cc317b4f559309ba29e642168",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/ses.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.25"
},
{
"lessThan": "2.6.25",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.281",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.178",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.108",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.25",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.281",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.241",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.178",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.108",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.25",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.12",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "2.6.25",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ses: Handle enclosure with just a primary component gracefully\n\nThis reverts commit 3fe97ff3d949 (\"scsi: ses: Don\u0027t attach if enclosure\nhas no components\") and introduces proper handling of case where there are\nno detected secondary components, but primary component (enumerated in\nnum_enclosures) does exist. That fix was originally proposed by Ding Hui\n\u003cdinghui@sangfor.com.cn\u003e.\n\nCompletely ignoring devices that have one primary enclosure and no\nsecondary one results in ses_intf_add() bailing completely\n\n\tscsi 2:0:0:254: enclosure has no enumerated components\n scsi 2:0:0:254: Failed to bind enclosure -12ven in valid configurations such\n\neven on valid configurations with 1 primary and 0 secondary enclosures as\nbelow:\n\n\t# sg_ses /dev/sg0\n\t 3PARdata SES 3321\n\tSupported diagnostic pages:\n\t Supported Diagnostic Pages [sdp] [0x0]\n\t Configuration (SES) [cf] [0x1]\n\t Short Enclosure Status (SES) [ses] [0x8]\n\t# sg_ses -p cf /dev/sg0\n\t 3PARdata SES 3321\n\tConfiguration diagnostic page:\n\t number of secondary subenclosures: 0\n\t generation code: 0x0\n\t enclosure descriptor list\n\t Subenclosure identifier: 0 [primary]\n\t relative ES process id: 0, number of ES processes: 1\n\t number of type descriptor headers: 1\n\t enclosure logical identifier (hex): 20000002ac02068d\n\t enclosure vendor: 3PARdata product: VV rev: 3321\n\t type descriptor header and text list\n\t Element type: Unspecified, subenclosure id: 0\n\t number of possible elements: 1\n\nThe changelog for the original fix follows\n\n=====\nWe can get a crash when disconnecting the iSCSI session,\nthe call trace like this:\n\n [ffff00002a00fb70] kfree at ffff00000830e224\n [ffff00002a00fba0] ses_intf_remove at ffff000001f200e4\n [ffff00002a00fbd0] device_del at ffff0000086b6a98\n [ffff00002a00fc50] device_unregister at ffff0000086b6d58\n [ffff00002a00fc70] __scsi_remove_device at ffff00000870608c\n [ffff00002a00fca0] scsi_remove_device at ffff000008706134\n [ffff00002a00fcc0] __scsi_remove_target at ffff0000087062e4\n [ffff00002a00fd10] scsi_remove_target at ffff0000087064c0\n [ffff00002a00fd70] __iscsi_unbind_session at ffff000001c872c4\n [ffff00002a00fdb0] process_one_work at ffff00000810f35c\n [ffff00002a00fe00] worker_thread at ffff00000810f648\n [ffff00002a00fe70] kthread at ffff000008116e98\n\nIn ses_intf_add, components count could be 0, and kcalloc 0 size scomp,\nbut not saved in edev-\u003ecomponent[i].scratch\n\nIn this situation, edev-\u003ecomponent[0].scratch is an invalid pointer,\nwhen kfree it in ses_intf_remove_enclosure, a crash like above would happen\nThe call trace also could be other random cases when kfree cannot catch\nthe invalid pointer\n\nWe should not use edev-\u003ecomponent[] array when the components count is 0\nWe also need check index when use edev-\u003ecomponent[] array in\nses_enclosure_data_process\n====="
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T07:04:20.059Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4e7c498c3713b09bef20c76c7319555637e8bbd5"
},
{
"url": "https://git.kernel.org/stable/c/110d425cdfb15006f3c4fde5264e786a247b6b36"
},
{
"url": "https://git.kernel.org/stable/c/176d7345b89ced72020a313bfa4e7f345d1c3aed"
},
{
"url": "https://git.kernel.org/stable/c/05143d90ac90b7abc6692285895a1ef460e008ee"
},
{
"url": "https://git.kernel.org/stable/c/f8e702c54413eee2d8f94f61d18adadac7c87e87"
},
{
"url": "https://git.kernel.org/stable/c/eabc4872f172ecb8dd8536bc366a51868154a450"
},
{
"url": "https://git.kernel.org/stable/c/c8e22b7a1694bb8d025ea636816472739d859145"
}
],
"title": "scsi: ses: Handle enclosure with just a primary component gracefully",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53431",
"datePublished": "2025-09-18T16:04:11.748Z",
"dateReserved": "2025-09-17T14:54:09.745Z",
"dateUpdated": "2026-01-14T19:23:09.474Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50364 (GCVE-0-2022-50364)
Vulnerability from cvelistv5 – Published: 2025-09-17 14:56 – Updated: 2026-01-14 18:42
Title
i2c: mux: reg: check return value after calling platform_get_resource()
Summary
In the Linux kernel, the following vulnerability has been resolved:
i2c: mux: reg: check return value after calling platform_get_resource()
It will cause a null-ptr-deref in resource_size() if platform_get_resource()
returns NULL. Move the call to resource_size() after devm_ioremap_resource(),
which checks 'res', to avoid the null-ptr-deref.
And use devm_platform_get_and_ioremap_resource() to simplify code.
Severity
5.5 (Medium)
CWE
- CWE-476 - NULL Pointer Dereference
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: b3fdd32799d834e2626fae087906e886037350c6, < 61df25c41b8e0d2c988ccf17139f70075a2e1ba4 (git) |
| Linux | Linux | Affected: b3fdd32799d834e2626fae087906e886037350c6, < 8212800943997fab61874550278d653cb378c60c (git) |
| Linux | Linux | Affected: b3fdd32799d834e2626fae087906e886037350c6, < f5049b3ad9446203b916ee375f30fa217735f63a (git) |
| Linux | Linux | Affected: b3fdd32799d834e2626fae087906e886037350c6, < f7a440c89b6d460154efeb058272760e41bdfea8 (git) |
| Linux | Linux | Affected: b3fdd32799d834e2626fae087906e886037350c6, < 2d47b79d2bd39cc6369eccf94a06568d84c906ae (git) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-50364",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T18:34:19.727161Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T18:42:58.769Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/i2c/muxes/i2c-mux-reg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "61df25c41b8e0d2c988ccf17139f70075a2e1ba4",
"status": "affected",
"version": "b3fdd32799d834e2626fae087906e886037350c6",
"versionType": "git"
},
{
"lessThan": "8212800943997fab61874550278d653cb378c60c",
"status": "affected",
"version": "b3fdd32799d834e2626fae087906e886037350c6",
"versionType": "git"
},
{
"lessThan": "f5049b3ad9446203b916ee375f30fa217735f63a",
"status": "affected",
"version": "b3fdd32799d834e2626fae087906e886037350c6",
"versionType": "git"
},
{
"lessThan": "f7a440c89b6d460154efeb058272760e41bdfea8",
"status": "affected",
"version": "b3fdd32799d834e2626fae087906e886037350c6",
"versionType": "git"
},
{
"lessThan": "2d47b79d2bd39cc6369eccf94a06568d84c906ae",
"status": "affected",
"version": "b3fdd32799d834e2626fae087906e886037350c6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/i2c/muxes/i2c-mux-reg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.3"
},
{
"lessThan": "4.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "4.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: mux: reg: check return value after calling platform_get_resource()\n\nIt will cause null-ptr-deref in resource_size(), if platform_get_resource()\nreturns NULL, move calling resource_size() after devm_ioremap_resource() that\nwill check \u0027res\u0027 to avoid null-ptr-deref.\nAnd use devm_platform_get_and_ioremap_resource() to simplify code."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T14:56:15.753Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/61df25c41b8e0d2c988ccf17139f70075a2e1ba4"
},
{
"url": "https://git.kernel.org/stable/c/8212800943997fab61874550278d653cb378c60c"
},
{
"url": "https://git.kernel.org/stable/c/f5049b3ad9446203b916ee375f30fa217735f63a"
},
{
"url": "https://git.kernel.org/stable/c/f7a440c89b6d460154efeb058272760e41bdfea8"
},
{
"url": "https://git.kernel.org/stable/c/2d47b79d2bd39cc6369eccf94a06568d84c906ae"
}
],
"title": "i2c: mux: reg: check return value after calling platform_get_resource()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50364",
"datePublished": "2025-09-17T14:56:15.753Z",
"dateReserved": "2025-09-17T14:53:06.994Z",
"dateUpdated": "2026-01-14T18:42:58.769Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53244 (GCVE-0-2023-53244)
Vulnerability from cvelistv5 – Published: 2025-09-15 14:46 – Updated: 2026-01-14 18:02
Title
media: pci: tw68: Fix null-ptr-deref bug in buf prepare and finish
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: pci: tw68: Fix null-ptr-deref bug in buf prepare and finish
When the driver calls tw68_risc_buffer() to prepare the buffer, the
function call dma_alloc_coherent may fail, resulting in an empty buffer
buf->cpu. Later when we free the buffer or access the buffer, null ptr
deref is triggered.
This bug is similar to the following one:
https://git.linuxtv.org/media_stage.git/commit/?id=2b064d91440b33fba5b452f2d1b31f13ae911d71.
We believe the bug can be also dynamically triggered from user side.
Similarly, we fix this by checking the return value of tw68_risc_buffer()
and the value of buf->cpu before buffer free.
Severity
5.5 (Medium)
CWE
- CWE-476 - NULL Pointer Dereference
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: e15d1c12c5878b3a80d6573af1721e17264e0286, < dcf632bca424e6ff8c8eb89c96694e7f05cd29b6 (git) |
| Linux | Linux | Affected: e15d1c12c5878b3a80d6573af1721e17264e0286, < 3c67f49a6643d973e83968ea35806c7b5ae68b56 (git) |
| Linux | Linux | Affected: e15d1c12c5878b3a80d6573af1721e17264e0286, < 3715c5e9a8f96b6ed0dcbea06da443efccac1ecc (git) |
| Linux | Linux | Affected: e15d1c12c5878b3a80d6573af1721e17264e0286, < 1634b7adcc5bef645b3666fdd564e5952a9e24e0 (git) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-53244",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T17:58:42.683691Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T18:02:51.176Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/pci/tw68/tw68-video.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "dcf632bca424e6ff8c8eb89c96694e7f05cd29b6",
"status": "affected",
"version": "e15d1c12c5878b3a80d6573af1721e17264e0286",
"versionType": "git"
},
{
"lessThan": "3c67f49a6643d973e83968ea35806c7b5ae68b56",
"status": "affected",
"version": "e15d1c12c5878b3a80d6573af1721e17264e0286",
"versionType": "git"
},
{
"lessThan": "3715c5e9a8f96b6ed0dcbea06da443efccac1ecc",
"status": "affected",
"version": "e15d1c12c5878b3a80d6573af1721e17264e0286",
"versionType": "git"
},
{
"lessThan": "1634b7adcc5bef645b3666fdd564e5952a9e24e0",
"status": "affected",
"version": "e15d1c12c5878b3a80d6573af1721e17264e0286",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/pci/tw68/tw68-video.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.18"
},
{
"lessThan": "3.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.113",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.30",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.4",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "3.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: pci: tw68: Fix null-ptr-deref bug in buf prepare and finish\n\nWhen the driver calls tw68_risc_buffer() to prepare the buffer, the\nfunction call dma_alloc_coherent may fail, resulting in a empty buffer\nbuf-\u003ecpu. Later when we free the buffer or access the buffer, null ptr\nderef is triggered.\n\nThis bug is similar to the following one:\nhttps://git.linuxtv.org/media_stage.git/commit/?id=2b064d91440b33fba5b452f2d1b31f13ae911d71.\n\nWe believe the bug can be also dynamically triggered from user side.\nSimilarly, we fix this by checking the return value of tw68_risc_buffer()\nand the value of buf-\u003ecpu before buffer free."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:18:55.338Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/dcf632bca424e6ff8c8eb89c96694e7f05cd29b6"
},
{
"url": "https://git.kernel.org/stable/c/3c67f49a6643d973e83968ea35806c7b5ae68b56"
},
{
"url": "https://git.kernel.org/stable/c/3715c5e9a8f96b6ed0dcbea06da443efccac1ecc"
},
{
"url": "https://git.kernel.org/stable/c/1634b7adcc5bef645b3666fdd564e5952a9e24e0"
}
],
"title": "media: pci: tw68: Fix null-ptr-deref bug in buf prepare and finish",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53244",
"datePublished": "2025-09-15T14:46:12.951Z",
"dateReserved": "2025-09-15T14:19:21.848Z",
"dateUpdated": "2026-01-14T18:02:51.176Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50425 (GCVE-0-2022-50425)
Vulnerability from cvelistv5 – Published: 2025-10-01 11:42 – Updated: 2025-10-01 11:42
Title
x86/fpu: Fix copy_xstate_to_uabi() to copy init states correctly
Summary
In the Linux kernel, the following vulnerability has been resolved:
x86/fpu: Fix copy_xstate_to_uabi() to copy init states correctly
When an extended state component is not present in fpstate, but in init
state, the function copies from init_fpstate via copy_feature().
But, dynamic states are not present in init_fpstate because of all-zeros
init states. Then retrieving them from init_fpstate will explode like this:
    BUG: kernel NULL pointer dereference, address: 0000000000000000
    ...
    RIP: 0010:memcpy_erms+0x6/0x10
    ? __copy_xstate_to_uabi_buf+0x381/0x870
    fpu_copy_guest_fpstate_to_uabi+0x28/0x80
    kvm_arch_vcpu_ioctl+0x14c/0x1460 [kvm]
    ? __this_cpu_preempt_check+0x13/0x20
    ? vmx_vcpu_put+0x2e/0x260 [kvm_intel]
    kvm_vcpu_ioctl+0xea/0x6b0 [kvm]
    ? kvm_vcpu_ioctl+0xea/0x6b0 [kvm]
    ? __fget_light+0xd4/0x130
    __x64_sys_ioctl+0xe3/0x910
    ? debug_smp_processor_id+0x17/0x20
    ? fpregs_assert_state_consistent+0x27/0x50
    do_syscall_64+0x3f/0x90
    entry_SYSCALL_64_after_hwframe+0x63/0xcd
Adjust the 'mask' to zero out the userspace buffer for the features that
are not available both from fpstate and from init_fpstate.
The dynamic features depend on the compacted XSAVE format. Ensure it is
enabled before reading XCOMP_BV in init_fpstate.
Severity
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/kernel/fpu/xstate.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6ff29642fd28965a8f8d6d326ac91bf6075f3113",
"status": "affected",
"version": "2308ee57d93d896618dd65c996429c9d3e469fe0",
"versionType": "git"
},
{
"lessThan": "471f0aa7fa64e23766a1473b32d9ec3f0718895a",
"status": "affected",
"version": "2308ee57d93d896618dd65c996429c9d3e469fe0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/kernel/fpu/xstate.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.7",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/fpu: Fix copy_xstate_to_uabi() to copy init states correctly\n\nWhen an extended state component is not present in fpstate, but in init\nstate, the function copies from init_fpstate via copy_feature().\n\nBut, dynamic states are not present in init_fpstate because of all-zeros\ninit states. Then retrieving them from init_fpstate will explode like this:\n\n BUG: kernel NULL pointer dereference, address: 0000000000000000\n ...\n RIP: 0010:memcpy_erms+0x6/0x10\n ? __copy_xstate_to_uabi_buf+0x381/0x870\n fpu_copy_guest_fpstate_to_uabi+0x28/0x80\n kvm_arch_vcpu_ioctl+0x14c/0x1460 [kvm]\n ? __this_cpu_preempt_check+0x13/0x20\n ? vmx_vcpu_put+0x2e/0x260 [kvm_intel]\n kvm_vcpu_ioctl+0xea/0x6b0 [kvm]\n ? kvm_vcpu_ioctl+0xea/0x6b0 [kvm]\n ? __fget_light+0xd4/0x130\n __x64_sys_ioctl+0xe3/0x910\n ? debug_smp_processor_id+0x17/0x20\n ? fpregs_assert_state_consistent+0x27/0x50\n do_syscall_64+0x3f/0x90\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nAdjust the \u0027mask\u0027 to zero out the userspace buffer for the features that\nare not available both from fpstate and from init_fpstate.\n\nThe dynamic features depend on the compacted XSAVE format. Ensure it is\nenabled before reading XCOMP_BV in init_fpstate."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T11:42:04.776Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6ff29642fd28965a8f8d6d326ac91bf6075f3113"
},
{
"url": "https://git.kernel.org/stable/c/471f0aa7fa64e23766a1473b32d9ec3f0718895a"
}
],
"title": "x86/fpu: Fix copy_xstate_to_uabi() to copy init states correctly",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50425",
"datePublished": "2025-10-01T11:42:04.776Z",
"dateReserved": "2025-09-17T14:53:07.004Z",
"dateUpdated": "2025-10-01T11:42:04.776Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50418 (GCVE-0-2022-50418)
Vulnerability from cvelistv5 – Published: 2025-09-18 16:04 – Updated: 2026-01-14 19:13
Title
wifi: ath11k: mhi: fix potential memory leak in ath11k_mhi_register()
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath11k: mhi: fix potential memory leak in ath11k_mhi_register()
mhi_alloc_controller() allocates a memory space for mhi_ctrl. When an
error occurs, mhi_ctrl should be freed with mhi_free_controller(). But
when ath11k_mhi_read_addr_from_dt() fails, the function returns without
calling mhi_free_controller(), which will lead to a memory leak.
We can fix it by calling mhi_free_controller() when
ath11k_mhi_read_addr_from_dt() fails.
Severity
5.5 (Medium)
CWE
- CWE-401 - Missing Release of Memory after Effective Lifetime
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: d5c65159f2895379e11ca13f62feabe93278985d, < 72ef896e80b6ec7cdc1dd42577045f8e7c9c32b3 (git) |
| Linux | Linux | Affected: d5c65159f2895379e11ca13f62feabe93278985d, < 015ced9eb63b8b19cb725a1d592d150b60494ced (git) |
| Linux | Linux | Affected: d5c65159f2895379e11ca13f62feabe93278985d, < 43e7c3505ec70db3d3c6458824d5fa40f62e3e7b (git) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-50418",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T19:11:03.719352Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T19:13:10.081Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath11k/mhi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "72ef896e80b6ec7cdc1dd42577045f8e7c9c32b3",
"status": "affected",
"version": "d5c65159f2895379e11ca13f62feabe93278985d",
"versionType": "git"
},
{
"lessThan": "015ced9eb63b8b19cb725a1d592d150b60494ced",
"status": "affected",
"version": "d5c65159f2895379e11ca13f62feabe93278985d",
"versionType": "git"
},
{
"lessThan": "43e7c3505ec70db3d3c6458824d5fa40f62e3e7b",
"status": "affected",
"version": "d5c65159f2895379e11ca13f62feabe93278985d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath11k/mhi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: mhi: fix potential memory leak in ath11k_mhi_register()\n\nmhi_alloc_controller() allocates a memory space for mhi_ctrl. When gets\nsome error, mhi_ctrl should be freed with mhi_free_controller(). But\nwhen ath11k_mhi_read_addr_from_dt() fails, the function returns without\ncalling mhi_free_controller(), which will lead to a memory leak.\n\nWe can fix it by calling mhi_free_controller() when\nath11k_mhi_read_addr_from_dt() fails."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-19T15:21:29.853Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/72ef896e80b6ec7cdc1dd42577045f8e7c9c32b3"
},
{
"url": "https://git.kernel.org/stable/c/015ced9eb63b8b19cb725a1d592d150b60494ced"
},
{
"url": "https://git.kernel.org/stable/c/43e7c3505ec70db3d3c6458824d5fa40f62e3e7b"
}
],
"title": "wifi: ath11k: mhi: fix potential memory leak in ath11k_mhi_register()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50418",
"datePublished": "2025-09-18T16:04:01.436Z",
"dateReserved": "2025-09-17T14:53:07.003Z",
"dateUpdated": "2026-01-14T19:13:10.081Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39787 (GCVE-0-2025-39787)
Vulnerability from cvelistv5 – Published: 2025-09-11 16:56 – Updated: 2025-11-03 17:43
Title
soc: qcom: mdt_loader: Ensure we don't read past the ELF header
Summary
In the Linux kernel, the following vulnerability has been resolved:
soc: qcom: mdt_loader: Ensure we don't read past the ELF header
When the MDT loader is used in remoteproc, the ELF header is sanitized
beforehand, but that's not necessarily the case for other clients.
Validate the size of the firmware buffer to ensure that we don't read
past the end as we iterate over the header. e_phentsize and e_shentsize
are validated as well, to ensure that the assumptions about step size in
the traversal are valid.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 2aad40d911eeb7dcac91c669f2762a28134f0eb1 , < 1096eb63ecfc8df90b70cd068e6de0c2ff204dfd (git) |
| Linux | Linux | Affected: 2aad40d911eeb7dcac91c669f2762a28134f0eb1 , < e1720eb32acf411c328af6a8c8f556c94535808e (git) |
| Linux | Linux | Affected: 2aad40d911eeb7dcac91c669f2762a28134f0eb1 , < 0d59ce2bfc3bb13abe6240335a1bf7b96536d022 (git) |
| Linux | Linux | Affected: 2aad40d911eeb7dcac91c669f2762a28134f0eb1 , < 43d26997d88c4056fce0324e72f62556bc7e8e8d (git) |
| Linux | Linux | Affected: 2aad40d911eeb7dcac91c669f2762a28134f0eb1 , < 981c845f29838e468a9bfa87f784307193a31297 (git) |
| Linux | Linux | Affected: 2aad40d911eeb7dcac91c669f2762a28134f0eb1 , < 87bfabb3b2f46827639173f143aa43f7cfc0a7e6 (git) |
| Linux | Linux | Affected: 2aad40d911eeb7dcac91c669f2762a28134f0eb1 , < 81278be4eb5f08ba2c68c3055893e61cc03727fe (git) |
| Linux | Linux | Affected: 2aad40d911eeb7dcac91c669f2762a28134f0eb1 , < 9f9967fed9d066ed3dae9372b45ffa4f6fccfeef (git) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:43:21.316Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/soc/qcom/mdt_loader.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1096eb63ecfc8df90b70cd068e6de0c2ff204dfd",
"status": "affected",
"version": "2aad40d911eeb7dcac91c669f2762a28134f0eb1",
"versionType": "git"
},
{
"lessThan": "e1720eb32acf411c328af6a8c8f556c94535808e",
"status": "affected",
"version": "2aad40d911eeb7dcac91c669f2762a28134f0eb1",
"versionType": "git"
},
{
"lessThan": "0d59ce2bfc3bb13abe6240335a1bf7b96536d022",
"status": "affected",
"version": "2aad40d911eeb7dcac91c669f2762a28134f0eb1",
"versionType": "git"
},
{
"lessThan": "43d26997d88c4056fce0324e72f62556bc7e8e8d",
"status": "affected",
"version": "2aad40d911eeb7dcac91c669f2762a28134f0eb1",
"versionType": "git"
},
{
"lessThan": "981c845f29838e468a9bfa87f784307193a31297",
"status": "affected",
"version": "2aad40d911eeb7dcac91c669f2762a28134f0eb1",
"versionType": "git"
},
{
"lessThan": "87bfabb3b2f46827639173f143aa43f7cfc0a7e6",
"status": "affected",
"version": "2aad40d911eeb7dcac91c669f2762a28134f0eb1",
"versionType": "git"
},
{
"lessThan": "81278be4eb5f08ba2c68c3055893e61cc03727fe",
"status": "affected",
"version": "2aad40d911eeb7dcac91c669f2762a28134f0eb1",
"versionType": "git"
},
{
"lessThan": "9f9967fed9d066ed3dae9372b45ffa4f6fccfeef",
"status": "affected",
"version": "2aad40d911eeb7dcac91c669f2762a28134f0eb1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/soc/qcom/mdt_loader.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.11"
},
{
"lessThan": "4.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.44",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.44",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.4",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: qcom: mdt_loader: Ensure we don\u0027t read past the ELF header\n\nWhen the MDT loader is used in remoteproc, the ELF header is sanitized\nbeforehand, but that\u0027s not necessary the case for other clients.\n\nValidate the size of the firmware buffer to ensure that we don\u0027t read\npast the end as we iterate over the header. e_phentsize and e_shentsize\nare validated as well, to ensure that the assumptions about step size in\nthe traversal are valid."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:59:24.571Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1096eb63ecfc8df90b70cd068e6de0c2ff204dfd"
},
{
"url": "https://git.kernel.org/stable/c/e1720eb32acf411c328af6a8c8f556c94535808e"
},
{
"url": "https://git.kernel.org/stable/c/0d59ce2bfc3bb13abe6240335a1bf7b96536d022"
},
{
"url": "https://git.kernel.org/stable/c/43d26997d88c4056fce0324e72f62556bc7e8e8d"
},
{
"url": "https://git.kernel.org/stable/c/981c845f29838e468a9bfa87f784307193a31297"
},
{
"url": "https://git.kernel.org/stable/c/87bfabb3b2f46827639173f143aa43f7cfc0a7e6"
},
{
"url": "https://git.kernel.org/stable/c/81278be4eb5f08ba2c68c3055893e61cc03727fe"
},
{
"url": "https://git.kernel.org/stable/c/9f9967fed9d066ed3dae9372b45ffa4f6fccfeef"
}
],
"title": "soc: qcom: mdt_loader: Ensure we don\u0027t read past the ELF header",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39787",
"datePublished": "2025-09-11T16:56:36.426Z",
"dateReserved": "2025-04-16T07:20:57.131Z",
"dateUpdated": "2025-11-03T17:43:21.316Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38515 (GCVE-0-2025-38515)
Vulnerability from cvelistv5 – Published: 2025-08-16 10:55 – Updated: 2025-11-03 17:39
Title
drm/sched: Increment job count before swapping tail spsc queue
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/sched: Increment job count before swapping tail spsc queue
A small race exists between spsc_queue_push and the run-job worker, in
which spsc_queue_push may return not-first while the run-job worker has
already idled due to the job count being zero. If this race occurs, job
scheduling stops, leading to hangs while waiting on the job’s DMA
fences.
Seal this race by incrementing the job count before appending to the
SPSC queue.
This race was observed on a drm-tip 6.16-rc1 build with the Xe driver in
an SVM test case.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 27105db6c63a571b91d01e749d026105a1e63bcf , < 549a9c78c3ea6807d0dc4162a4f5ba59f217d5a0 (git) |
| Linux | Linux | Affected: 27105db6c63a571b91d01e749d026105a1e63bcf , < e62f51d0ec8a9baf324caf9a564f8e318d36a551 (git) |
| Linux | Linux | Affected: 27105db6c63a571b91d01e749d026105a1e63bcf , < ef841f8e4e1ff67817ca899bedc5ebb00847c0a7 (git) |
| Linux | Linux | Affected: 27105db6c63a571b91d01e749d026105a1e63bcf , < f9a4f28a4fc4ee453a92a9abbe36e26224d17749 (git) |
| Linux | Linux | Affected: 27105db6c63a571b91d01e749d026105a1e63bcf , < c64f5310530baf75328292f9b9f3f2961d185183 (git) |
| Linux | Linux | Affected: 27105db6c63a571b91d01e749d026105a1e63bcf , < e2d6547dc8b9b332f9bc00875197287a6a4db65a (git) |
| Linux | Linux | Affected: 27105db6c63a571b91d01e749d026105a1e63bcf , < ef58a95457466849fa7b31fd3953801a5af0f58b (git) |
| Linux | Linux | Affected: 27105db6c63a571b91d01e749d026105a1e63bcf , < 8af39ec5cf2be522c8eb43a3d8005ed59e4daaee (git) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:39:20.099Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/drm/spsc_queue.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "549a9c78c3ea6807d0dc4162a4f5ba59f217d5a0",
"status": "affected",
"version": "27105db6c63a571b91d01e749d026105a1e63bcf",
"versionType": "git"
},
{
"lessThan": "e62f51d0ec8a9baf324caf9a564f8e318d36a551",
"status": "affected",
"version": "27105db6c63a571b91d01e749d026105a1e63bcf",
"versionType": "git"
},
{
"lessThan": "ef841f8e4e1ff67817ca899bedc5ebb00847c0a7",
"status": "affected",
"version": "27105db6c63a571b91d01e749d026105a1e63bcf",
"versionType": "git"
},
{
"lessThan": "f9a4f28a4fc4ee453a92a9abbe36e26224d17749",
"status": "affected",
"version": "27105db6c63a571b91d01e749d026105a1e63bcf",
"versionType": "git"
},
{
"lessThan": "c64f5310530baf75328292f9b9f3f2961d185183",
"status": "affected",
"version": "27105db6c63a571b91d01e749d026105a1e63bcf",
"versionType": "git"
},
{
"lessThan": "e2d6547dc8b9b332f9bc00875197287a6a4db65a",
"status": "affected",
"version": "27105db6c63a571b91d01e749d026105a1e63bcf",
"versionType": "git"
},
{
"lessThan": "ef58a95457466849fa7b31fd3953801a5af0f58b",
"status": "affected",
"version": "27105db6c63a571b91d01e749d026105a1e63bcf",
"versionType": "git"
},
{
"lessThan": "8af39ec5cf2be522c8eb43a3d8005ed59e4daaee",
"status": "affected",
"version": "27105db6c63a571b91d01e749d026105a1e63bcf",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/drm/spsc_queue.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.16"
},
{
"lessThan": "4.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.296",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.240",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.146",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.296",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.240",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.189",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.146",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.99",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.39",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.7",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "4.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/sched: Increment job count before swapping tail spsc queue\n\nA small race exists between spsc_queue_push and the run-job worker, in\nwhich spsc_queue_push may return not-first while the run-job worker has\nalready idled due to the job count being zero. If this race occurs, job\nscheduling stops, leading to hangs while waiting on the job\u2019s DMA\nfences.\n\nSeal this race by incrementing the job count before appending to the\nSPSC queue.\n\nThis race was observed on a drm-tip 6.16-rc1 build with the Xe driver in\nan SVM test case."
}
],
"providerMetadata": {
"dateUpdated": "2025-08-16T10:55:02.173Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/549a9c78c3ea6807d0dc4162a4f5ba59f217d5a0"
},
{
"url": "https://git.kernel.org/stable/c/e62f51d0ec8a9baf324caf9a564f8e318d36a551"
},
{
"url": "https://git.kernel.org/stable/c/ef841f8e4e1ff67817ca899bedc5ebb00847c0a7"
},
{
"url": "https://git.kernel.org/stable/c/f9a4f28a4fc4ee453a92a9abbe36e26224d17749"
},
{
"url": "https://git.kernel.org/stable/c/c64f5310530baf75328292f9b9f3f2961d185183"
},
{
"url": "https://git.kernel.org/stable/c/e2d6547dc8b9b332f9bc00875197287a6a4db65a"
},
{
"url": "https://git.kernel.org/stable/c/ef58a95457466849fa7b31fd3953801a5af0f58b"
},
{
"url": "https://git.kernel.org/stable/c/8af39ec5cf2be522c8eb43a3d8005ed59e4daaee"
}
],
"title": "drm/sched: Increment job count before swapping tail spsc queue",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38515",
"datePublished": "2025-08-16T10:55:02.173Z",
"dateReserved": "2025-04-16T04:51:24.023Z",
"dateUpdated": "2025-11-03T17:39:20.099Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38541 (GCVE-0-2025-38541)
Vulnerability from cvelistv5 – Published: 2025-08-16 11:22 – Updated: 2025-08-16 11:22
Title
wifi: mt76: mt7925: Fix null-ptr-deref in mt7925_thermal_init()
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: mt76: mt7925: Fix null-ptr-deref in mt7925_thermal_init()
devm_kasprintf() returns NULL on error. Currently, mt7925_thermal_init()
does not check for this case, which results in a NULL pointer
dereference.
Add NULL check after devm_kasprintf() to prevent this issue.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 396e41a74a88654f23e36c46d2995752c91654a5 , < 1bbdf4213711bb6dc365e7628430a63dd3280794 (git) |
| Linux | Linux | Affected: 396e41a74a88654f23e36c46d2995752c91654a5 , < 2e99e9b34ece0b6d3e82cb757e9f60fa414da999 (git) |
| Linux | Linux | Affected: 396e41a74a88654f23e36c46d2995752c91654a5 , < 03ee8f73801a8f46d83dfc2bf73fb9ffa5a21602 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/mediatek/mt76/mt7925/init.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1bbdf4213711bb6dc365e7628430a63dd3280794",
"status": "affected",
"version": "396e41a74a88654f23e36c46d2995752c91654a5",
"versionType": "git"
},
{
"lessThan": "2e99e9b34ece0b6d3e82cb757e9f60fa414da999",
"status": "affected",
"version": "396e41a74a88654f23e36c46d2995752c91654a5",
"versionType": "git"
},
{
"lessThan": "03ee8f73801a8f46d83dfc2bf73fb9ffa5a21602",
"status": "affected",
"version": "396e41a74a88654f23e36c46d2995752c91654a5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/mediatek/mt76/mt7925/init.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.9"
},
{
"lessThan": "6.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.39",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.7",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "6.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7925: Fix null-ptr-deref in mt7925_thermal_init()\n\ndevm_kasprintf() returns NULL on error. Currently, mt7925_thermal_init()\ndoes not check for this case, which results in a NULL pointer\ndereference.\n\nAdd NULL check after devm_kasprintf() to prevent this issue."
}
],
"providerMetadata": {
"dateUpdated": "2025-08-16T11:22:15.776Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1bbdf4213711bb6dc365e7628430a63dd3280794"
},
{
"url": "https://git.kernel.org/stable/c/2e99e9b34ece0b6d3e82cb757e9f60fa414da999"
},
{
"url": "https://git.kernel.org/stable/c/03ee8f73801a8f46d83dfc2bf73fb9ffa5a21602"
}
],
"title": "wifi: mt76: mt7925: Fix null-ptr-deref in mt7925_thermal_init()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38541",
"datePublished": "2025-08-16T11:22:15.776Z",
"dateReserved": "2025-04-16T04:51:24.024Z",
"dateUpdated": "2025-08-16T11:22:15.776Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53344 (GCVE-0-2023-53344)
Vulnerability from cvelistv5 – Published: 2025-09-17 14:56 – Updated: 2026-01-14 18:43
Title
can: bcm: bcm_tx_setup(): fix KMSAN uninit-value in vfs_write
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: bcm: bcm_tx_setup(): fix KMSAN uninit-value in vfs_write
Syzkaller reported the following issue:
=====================================================
BUG: KMSAN: uninit-value in aio_rw_done fs/aio.c:1520 [inline]
BUG: KMSAN: uninit-value in aio_write+0x899/0x950 fs/aio.c:1600
aio_rw_done fs/aio.c:1520 [inline]
aio_write+0x899/0x950 fs/aio.c:1600
io_submit_one+0x1d1c/0x3bf0 fs/aio.c:2019
__do_sys_io_submit fs/aio.c:2078 [inline]
__se_sys_io_submit+0x293/0x770 fs/aio.c:2048
__x64_sys_io_submit+0x92/0xd0 fs/aio.c:2048
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Uninit was created at:
slab_post_alloc_hook mm/slab.h:766 [inline]
slab_alloc_node mm/slub.c:3452 [inline]
__kmem_cache_alloc_node+0x71f/0xce0 mm/slub.c:3491
__do_kmalloc_node mm/slab_common.c:967 [inline]
__kmalloc+0x11d/0x3b0 mm/slab_common.c:981
kmalloc_array include/linux/slab.h:636 [inline]
bcm_tx_setup+0x80e/0x29d0 net/can/bcm.c:930
bcm_sendmsg+0x3a2/0xce0 net/can/bcm.c:1351
sock_sendmsg_nosec net/socket.c:714 [inline]
sock_sendmsg net/socket.c:734 [inline]
sock_write_iter+0x495/0x5e0 net/socket.c:1108
call_write_iter include/linux/fs.h:2189 [inline]
aio_write+0x63a/0x950 fs/aio.c:1600
io_submit_one+0x1d1c/0x3bf0 fs/aio.c:2019
__do_sys_io_submit fs/aio.c:2078 [inline]
__se_sys_io_submit+0x293/0x770 fs/aio.c:2048
__x64_sys_io_submit+0x92/0xd0 fs/aio.c:2048
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
CPU: 1 PID: 5034 Comm: syz-executor350 Not tainted 6.2.0-rc6-syzkaller-80422-geda666ff2276 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023
=====================================================
We can follow the call chain and find that the 'bcm_tx_setup' function
calls 'memcpy_from_msg' to copy some content to the newly allocated
frame of 'op->frames'. After that, the 'len' field of the copied structure
is compared with some constant value (64 or 8). However, if
'memcpy_from_msg' returns an error, we will compare some uninitialized
memory. This triggers the 'uninit-value' issue.
This patch adds handling of possible 'memcpy_from_msg' errors to
avoid the uninit-value issue.
Tested via syzkaller
Severity
5.5 (Medium)
CWE
- CWE-908 - Use of Uninitialized Resource
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 6f3b911d5f29b98752e5da86a295210c0c4f4e14 , < 3fa0f1e0e31b1b73cdf59d4c36c7242e6ef821be (git) |
| Linux | Linux | Affected: 6f3b911d5f29b98752e5da86a295210c0c4f4e14 , < 618b15d09fed6126356101543451d49860db4388 (git) |
| Linux | Linux | Affected: 6f3b911d5f29b98752e5da86a295210c0c4f4e14 , < 78bc7f0ab99458221224d3ab97199c0f8e6861f1 (git) |
| Linux | Linux | Affected: 6f3b911d5f29b98752e5da86a295210c0c4f4e14 , < ab2a55907823f0bca56b6d03ea05e4071ba8535f (git) |
| Linux | Linux | Affected: 6f3b911d5f29b98752e5da86a295210c0c4f4e14 , < bf70e0eab64c625da84d9fdf4e84466b79418920 (git) |
| Linux | Linux | Affected: 6f3b911d5f29b98752e5da86a295210c0c4f4e14 , < c11dbc7705b3739974ac31a13f4ab81e61a5fb07 (git) |
| Linux | Linux | Affected: 6f3b911d5f29b98752e5da86a295210c0c4f4e14 , < 2e6ad51c709fa794e0ce26003c9c9cd944e3383a (git) |
| Linux | Linux | Affected: 6f3b911d5f29b98752e5da86a295210c0c4f4e14 , < 2b4c99f7d9a57ecd644eda9b1fb0a1072414959f (git) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-53344",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T18:39:34.603082Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-908",
"description": "CWE-908 Use of Uninitialized Resource",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T18:43:02.515Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/can/bcm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3fa0f1e0e31b1b73cdf59d4c36c7242e6ef821be",
"status": "affected",
"version": "6f3b911d5f29b98752e5da86a295210c0c4f4e14",
"versionType": "git"
},
{
"lessThan": "618b15d09fed6126356101543451d49860db4388",
"status": "affected",
"version": "6f3b911d5f29b98752e5da86a295210c0c4f4e14",
"versionType": "git"
},
{
"lessThan": "78bc7f0ab99458221224d3ab97199c0f8e6861f1",
"status": "affected",
"version": "6f3b911d5f29b98752e5da86a295210c0c4f4e14",
"versionType": "git"
},
{
"lessThan": "ab2a55907823f0bca56b6d03ea05e4071ba8535f",
"status": "affected",
"version": "6f3b911d5f29b98752e5da86a295210c0c4f4e14",
"versionType": "git"
},
{
"lessThan": "bf70e0eab64c625da84d9fdf4e84466b79418920",
"status": "affected",
"version": "6f3b911d5f29b98752e5da86a295210c0c4f4e14",
"versionType": "git"
},
{
"lessThan": "c11dbc7705b3739974ac31a13f4ab81e61a5fb07",
"status": "affected",
"version": "6f3b911d5f29b98752e5da86a295210c0c4f4e14",
"versionType": "git"
},
{
"lessThan": "2e6ad51c709fa794e0ce26003c9c9cd944e3383a",
"status": "affected",
"version": "6f3b911d5f29b98752e5da86a295210c0c4f4e14",
"versionType": "git"
},
{
"lessThan": "2b4c99f7d9a57ecd644eda9b1fb0a1072414959f",
"status": "affected",
"version": "6f3b911d5f29b98752e5da86a295210c0c4f4e14",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/can/bcm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.312",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.280",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.240",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.177",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.106",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.312",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.280",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.240",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.177",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.106",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.23",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.10",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: bcm: bcm_tx_setup(): fix KMSAN uninit-value in vfs_write\n\nSyzkaller reported the following issue:\n\n=====================================================\nBUG: KMSAN: uninit-value in aio_rw_done fs/aio.c:1520 [inline]\nBUG: KMSAN: uninit-value in aio_write+0x899/0x950 fs/aio.c:1600\n aio_rw_done fs/aio.c:1520 [inline]\n aio_write+0x899/0x950 fs/aio.c:1600\n io_submit_one+0x1d1c/0x3bf0 fs/aio.c:2019\n __do_sys_io_submit fs/aio.c:2078 [inline]\n __se_sys_io_submit+0x293/0x770 fs/aio.c:2048\n __x64_sys_io_submit+0x92/0xd0 fs/aio.c:2048\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nUninit was created at:\n slab_post_alloc_hook mm/slab.h:766 [inline]\n slab_alloc_node mm/slub.c:3452 [inline]\n __kmem_cache_alloc_node+0x71f/0xce0 mm/slub.c:3491\n __do_kmalloc_node mm/slab_common.c:967 [inline]\n __kmalloc+0x11d/0x3b0 mm/slab_common.c:981\n kmalloc_array include/linux/slab.h:636 [inline]\n bcm_tx_setup+0x80e/0x29d0 net/can/bcm.c:930\n bcm_sendmsg+0x3a2/0xce0 net/can/bcm.c:1351\n sock_sendmsg_nosec net/socket.c:714 [inline]\n sock_sendmsg net/socket.c:734 [inline]\n sock_write_iter+0x495/0x5e0 net/socket.c:1108\n call_write_iter include/linux/fs.h:2189 [inline]\n aio_write+0x63a/0x950 fs/aio.c:1600\n io_submit_one+0x1d1c/0x3bf0 fs/aio.c:2019\n __do_sys_io_submit fs/aio.c:2078 [inline]\n __se_sys_io_submit+0x293/0x770 fs/aio.c:2048\n __x64_sys_io_submit+0x92/0xd0 fs/aio.c:2048\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nCPU: 1 PID: 5034 Comm: syz-executor350 Not tainted 6.2.0-rc6-syzkaller-80422-geda666ff2276 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023\n=====================================================\n\nWe can follow the 
call chain and find that \u0027bcm_tx_setup\u0027 function\ncalls \u0027memcpy_from_msg\u0027 to copy some content to the newly allocated\nframe of \u0027op-\u003eframes\u0027. After that the \u0027len\u0027 field of copied structure\nbeing compared with some constant value (64 or 8). However, if\n\u0027memcpy_from_msg\u0027 returns an error, we will compare some uninitialized\nmemory. This triggers \u0027uninit-value\u0027 issue.\n\nThis patch will add \u0027memcpy_from_msg\u0027 possible errors processing to\navoid uninit-value issue.\n\nTested via syzkaller"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T14:56:37.024Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3fa0f1e0e31b1b73cdf59d4c36c7242e6ef821be"
},
{
"url": "https://git.kernel.org/stable/c/618b15d09fed6126356101543451d49860db4388"
},
{
"url": "https://git.kernel.org/stable/c/78bc7f0ab99458221224d3ab97199c0f8e6861f1"
},
{
"url": "https://git.kernel.org/stable/c/ab2a55907823f0bca56b6d03ea05e4071ba8535f"
},
{
"url": "https://git.kernel.org/stable/c/bf70e0eab64c625da84d9fdf4e84466b79418920"
},
{
"url": "https://git.kernel.org/stable/c/c11dbc7705b3739974ac31a13f4ab81e61a5fb07"
},
{
"url": "https://git.kernel.org/stable/c/2e6ad51c709fa794e0ce26003c9c9cd944e3383a"
},
{
"url": "https://git.kernel.org/stable/c/2b4c99f7d9a57ecd644eda9b1fb0a1072414959f"
}
],
"title": "can: bcm: bcm_tx_setup(): fix KMSAN uninit-value in vfs_write",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53344",
"datePublished": "2025-09-17T14:56:37.024Z",
"dateReserved": "2025-09-16T16:08:59.566Z",
"dateUpdated": "2026-01-14T18:43:02.515Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38694 (GCVE-0-2025-38694)
Vulnerability from cvelistv5 – Published: 2025-09-04 15:32 – Updated: 2026-01-02 15:31
Title
media: dvb-frontends: dib7090p: fix null-ptr-deref in dib7090p_rw_on_apb()
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: dvb-frontends: dib7090p: fix null-ptr-deref in dib7090p_rw_on_apb()
In dib7090p_rw_on_apb, msg is controlled by user. When msg[0].buf is null and
msg[0].len is zero, former checks on msg[0].buf would be passed. If accessing
msg[0].buf[2] without sanity check, null pointer deref would happen. We add
check on msg[0].len to prevent crash. Similar issue occurs when access
msg[1].buf[0] and msg[1].buf[1].
Similar commit: commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()")
Severity
No CVSS data available.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:41:20.959Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/dvb-frontends/dib7000p.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bc07cae4f36bb18d5b6a9ed835c1278ca44ec82e",
"status": "affected",
"version": "713d54a8bd812229410a1902cd9b332a2a27af9f",
"versionType": "git"
},
{
"lessThan": "ce8b7c711b9c4f040b5419729d0972db8e374324",
"status": "affected",
"version": "713d54a8bd812229410a1902cd9b332a2a27af9f",
"versionType": "git"
},
{
"lessThan": "529fd5593b721e6f4370c591f5086649ed149ff6",
"status": "affected",
"version": "713d54a8bd812229410a1902cd9b332a2a27af9f",
"versionType": "git"
},
{
"lessThan": "c33280d6bd668dbdc5a5f07887cc63a52ab4789c",
"status": "affected",
"version": "713d54a8bd812229410a1902cd9b332a2a27af9f",
"versionType": "git"
},
{
"lessThan": "09906650484a09b3a4d4b3d3065395856810becd",
"status": "affected",
"version": "713d54a8bd812229410a1902cd9b332a2a27af9f",
"versionType": "git"
},
{
"lessThan": "0bb32863426afe0badac25c28d59021f211d0f48",
"status": "affected",
"version": "713d54a8bd812229410a1902cd9b332a2a27af9f",
"versionType": "git"
},
{
"lessThan": "a0f744d6cdde81d7382e183f77a4080a39b206cd",
"status": "affected",
"version": "713d54a8bd812229410a1902cd9b332a2a27af9f",
"versionType": "git"
},
{
"lessThan": "19eb5d8e6aa1169d368a4d69aae5572950deb89d",
"status": "affected",
"version": "713d54a8bd812229410a1902cd9b332a2a27af9f",
"versionType": "git"
},
{
"lessThan": "ce5cac69b2edac3e3246fee03e8f4c2a1075238b",
"status": "affected",
"version": "713d54a8bd812229410a1902cd9b332a2a27af9f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/dvb-frontends/dib7000p.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.39"
},
{
"lessThan": "2.6.39",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.43",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.11",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.2",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "2.6.39",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: dvb-frontends: dib7090p: fix null-ptr-deref in dib7090p_rw_on_apb()\n\nIn dib7090p_rw_on_apb, msg is controlled by user. When msg[0].buf is null and\nmsg[0].len is zero, former checks on msg[0].buf would be passed. If accessing\nmsg[0].buf[2] without sanity check, null pointer deref would happen. We add\ncheck on msg[0].len to prevent crash. Similar issue occurs when access\nmsg[1].buf[0] and msg[1].buf[1].\n\nSimilar commit: commit 0ed554fd769a (\"media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()\")"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:31:07.727Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bc07cae4f36bb18d5b6a9ed835c1278ca44ec82e"
},
{
"url": "https://git.kernel.org/stable/c/ce8b7c711b9c4f040b5419729d0972db8e374324"
},
{
"url": "https://git.kernel.org/stable/c/529fd5593b721e6f4370c591f5086649ed149ff6"
},
{
"url": "https://git.kernel.org/stable/c/c33280d6bd668dbdc5a5f07887cc63a52ab4789c"
},
{
"url": "https://git.kernel.org/stable/c/09906650484a09b3a4d4b3d3065395856810becd"
},
{
"url": "https://git.kernel.org/stable/c/0bb32863426afe0badac25c28d59021f211d0f48"
},
{
"url": "https://git.kernel.org/stable/c/a0f744d6cdde81d7382e183f77a4080a39b206cd"
},
{
"url": "https://git.kernel.org/stable/c/19eb5d8e6aa1169d368a4d69aae5572950deb89d"
},
{
"url": "https://git.kernel.org/stable/c/ce5cac69b2edac3e3246fee03e8f4c2a1075238b"
}
],
"title": "media: dvb-frontends: dib7090p: fix null-ptr-deref in dib7090p_rw_on_apb()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38694",
"datePublished": "2025-09-04T15:32:47.449Z",
"dateReserved": "2025-04-16T04:51:24.032Z",
"dateUpdated": "2026-01-02T15:31:07.727Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53280 (GCVE-0-2023-53280)
Vulnerability from cvelistv5 – Published: 2025-09-16 08:11 – Updated: 2026-01-14 18:12
Title
scsi: qla2xxx: Remove unused nvme_ls_waitq wait queue
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: qla2xxx: Remove unused nvme_ls_waitq wait queue
System crash when qla2x00_start_sp(sp) returns error code EGAIN and wake_up
gets called for uninitialized wait queue sp->nvme_ls_waitq.
qla2xxx [0000:37:00.1]-2121:5: Returning existing qpair of ffff8ae2c0513400 for idx=0
qla2xxx [0000:37:00.1]-700e:5: qla2x00_start_sp failed = 11
BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
PGD 0 P4D 0
Oops: 0000 [#1] SMP NOPTI
Hardware name: HPE ProLiant DL360 Gen10/ProLiant DL360 Gen10, BIOS U32 09/03/2021
Workqueue: nvme-wq nvme_fc_connect_ctrl_work [nvme_fc]
RIP: 0010:__wake_up_common+0x4c/0x190
RSP: 0018:ffff95f3e0cb7cd0 EFLAGS: 00010086
RAX: 0000000000000000 RBX: ffff8b08d3b26328 RCX: 0000000000000000
RDX: 0000000000000001 RSI: 0000000000000003 RDI: ffff8b08d3b26320
RBP: 0000000000000001 R08: 0000000000000000 R09: ffffffffffffffe8
R10: 0000000000000000 R11: ffff95f3e0cb7a60 R12: ffff95f3e0cb7d20
R13: 0000000000000003 R14: 0000000000000000 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff8b2fdf6c0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 0000002f1e410002 CR4: 00000000007706e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
__wake_up_common_lock+0x7c/0xc0
qla_nvme_ls_req+0x355/0x4c0 [qla2xxx]
? __nvme_fc_send_ls_req+0x260/0x380 [nvme_fc]
? nvme_fc_send_ls_req.constprop.42+0x1a/0x45 [nvme_fc]
? nvme_fc_connect_ctrl_work.cold.63+0x1e3/0xa7d [nvme_fc]
Remove unused nvme_ls_waitq wait queue. nvme_ls_waitq logic was removed
previously in the commits tagged Fixed: below.
Severity
5.5 (Medium)
CWE
- CWE-476 - NULL Pointer Dereference
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-53280",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T18:08:14.786043Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T18:12:54.688Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qla2xxx/qla_def.h",
"drivers/scsi/qla2xxx/qla_nvme.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b7084ebf4f54d46fed5153112d685f4137334175",
"status": "affected",
"version": "5621b0dd74532c09965264c14958de3f85b498a6",
"versionType": "git"
},
{
"lessThan": "0b1ce92fabdb7d02ddf8641230a06e2752ae5baa",
"status": "affected",
"version": "5621b0dd74532c09965264c14958de3f85b498a6",
"versionType": "git"
},
{
"lessThan": "522ee1b3030f3b6b5fd59489d12b4ca767c9e5da",
"status": "affected",
"version": "5621b0dd74532c09965264c14958de3f85b498a6",
"versionType": "git"
},
{
"lessThan": "f459d586fdf12c53116c9fddf43065165fdd5969",
"status": "affected",
"version": "5621b0dd74532c09965264c14958de3f85b498a6",
"versionType": "git"
},
{
"lessThan": "92529387a0066754fd9cda080fb3298b8cca750c",
"status": "affected",
"version": "5621b0dd74532c09965264c14958de3f85b498a6",
"versionType": "git"
},
{
"lessThan": "20fce500b232b970e40312a9c97e7f3b6d7a709c",
"status": "affected",
"version": "5621b0dd74532c09965264c14958de3f85b498a6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qla2xxx/qla_def.h",
"drivers/scsi/qla2xxx/qla_nvme.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.14"
},
{
"lessThan": "4.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.40",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.5",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "4.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Remove unused nvme_ls_waitq wait queue\n\nSystem crash when qla2x00_start_sp(sp) returns error code EGAIN and wake_up\ngets called for uninitialized wait queue sp-\u003envme_ls_waitq.\n\n qla2xxx [0000:37:00.1]-2121:5: Returning existing qpair of ffff8ae2c0513400 for idx=0\n qla2xxx [0000:37:00.1]-700e:5: qla2x00_start_sp failed = 11\n BUG: unable to handle kernel NULL pointer dereference at 0000000000000000\n PGD 0 P4D 0\n Oops: 0000 [#1] SMP NOPTI\n Hardware name: HPE ProLiant DL360 Gen10/ProLiant DL360 Gen10, BIOS U32 09/03/2021\n Workqueue: nvme-wq nvme_fc_connect_ctrl_work [nvme_fc]\n RIP: 0010:__wake_up_common+0x4c/0x190\n RSP: 0018:ffff95f3e0cb7cd0 EFLAGS: 00010086\n RAX: 0000000000000000 RBX: ffff8b08d3b26328 RCX: 0000000000000000\n RDX: 0000000000000001 RSI: 0000000000000003 RDI: ffff8b08d3b26320\n RBP: 0000000000000001 R08: 0000000000000000 R09: ffffffffffffffe8\n R10: 0000000000000000 R11: ffff95f3e0cb7a60 R12: ffff95f3e0cb7d20\n R13: 0000000000000003 R14: 0000000000000000 R15: 0000000000000000\n FS: 0000000000000000(0000) GS:ffff8b2fdf6c0000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000000 CR3: 0000002f1e410002 CR4: 00000000007706e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n PKRU: 55555554\n Call Trace:\n __wake_up_common_lock+0x7c/0xc0\n qla_nvme_ls_req+0x355/0x4c0 [qla2xxx]\n ? __nvme_fc_send_ls_req+0x260/0x380 [nvme_fc]\n ? nvme_fc_send_ls_req.constprop.42+0x1a/0x45 [nvme_fc]\n ? nvme_fc_connect_ctrl_work.cold.63+0x1e3/0xa7d [nvme_fc]\n\nRemove unused nvme_ls_waitq wait queue. nvme_ls_waitq logic was removed\npreviously in the commits tagged Fixed: below."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T08:11:14.533Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b7084ebf4f54d46fed5153112d685f4137334175"
},
{
"url": "https://git.kernel.org/stable/c/0b1ce92fabdb7d02ddf8641230a06e2752ae5baa"
},
{
"url": "https://git.kernel.org/stable/c/522ee1b3030f3b6b5fd59489d12b4ca767c9e5da"
},
{
"url": "https://git.kernel.org/stable/c/f459d586fdf12c53116c9fddf43065165fdd5969"
},
{
"url": "https://git.kernel.org/stable/c/92529387a0066754fd9cda080fb3298b8cca750c"
},
{
"url": "https://git.kernel.org/stable/c/20fce500b232b970e40312a9c97e7f3b6d7a709c"
}
],
"title": "scsi: qla2xxx: Remove unused nvme_ls_waitq wait queue",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53280",
"datePublished": "2025-09-16T08:11:14.533Z",
"dateReserved": "2025-09-16T08:09:37.991Z",
"dateUpdated": "2026-01-14T18:12:54.688Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39850 (GCVE-0-2025-39850)
Vulnerability from cvelistv5 – Published: 2025-09-19 15:26 – Updated: 2026-01-14 19:23
Title
vxlan: Fix NPD in {arp,neigh}_reduce() when using nexthop objects
Summary
In the Linux kernel, the following vulnerability has been resolved:
vxlan: Fix NPD in {arp,neigh}_reduce() when using nexthop objects
When the "proxy" option is enabled on a VXLAN device, the device will
suppress ARP requests and IPv6 Neighbor Solicitation messages if it is
able to reply on behalf of the remote host. That is, if a matching and
valid neighbor entry is configured on the VXLAN device whose MAC address
is not behind the "any" remote (0.0.0.0 / ::).
The code currently assumes that the FDB entry for the neighbor's MAC
address points to a valid remote destination, but this is incorrect if
the entry is associated with an FDB nexthop group. This can result in a
NPD [1][3] which can be reproduced using [2][4].
Fix by checking that the remote destination exists before dereferencing
it.
[1]
BUG: kernel NULL pointer dereference, address: 0000000000000000
[...]
CPU: 4 UID: 0 PID: 365 Comm: arping Not tainted 6.17.0-rc2-virtme-g2a89cb21162c #2 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc41 04/01/2014
RIP: 0010:vxlan_xmit+0xb58/0x15f0
[...]
Call Trace:
<TASK>
dev_hard_start_xmit+0x5d/0x1c0
__dev_queue_xmit+0x246/0xfd0
packet_sendmsg+0x113a/0x1850
__sock_sendmsg+0x38/0x70
__sys_sendto+0x126/0x180
__x64_sys_sendto+0x24/0x30
do_syscall_64+0xa4/0x260
entry_SYSCALL_64_after_hwframe+0x4b/0x53
[2]
#!/bin/bash
ip address add 192.0.2.1/32 dev lo
ip nexthop add id 1 via 192.0.2.2 fdb
ip nexthop add id 10 group 1 fdb
ip link add name vx0 up type vxlan id 10010 local 192.0.2.1 dstport 4789 proxy
ip neigh add 192.0.2.3 lladdr 00:11:22:33:44:55 nud perm dev vx0
bridge fdb add 00:11:22:33:44:55 dev vx0 self static nhid 10
arping -b -c 1 -s 192.0.2.1 -I vx0 192.0.2.3
[3]
BUG: kernel NULL pointer dereference, address: 0000000000000000
[...]
CPU: 13 UID: 0 PID: 372 Comm: ndisc6 Not tainted 6.17.0-rc2-virtmne-g6ee90cb26014 #3 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1v996), BIOS 1.17.0-4.fc41 04/01/2x014
RIP: 0010:vxlan_xmit+0x803/0x1600
[...]
Call Trace:
<TASK>
dev_hard_start_xmit+0x5d/0x1c0
__dev_queue_xmit+0x246/0xfd0
ip6_finish_output2+0x210/0x6c0
ip6_finish_output+0x1af/0x2b0
ip6_mr_output+0x92/0x3e0
ip6_send_skb+0x30/0x90
rawv6_sendmsg+0xe6e/0x12e0
__sock_sendmsg+0x38/0x70
__sys_sendto+0x126/0x180
__x64_sys_sendto+0x24/0x30
do_syscall_64+0xa4/0x260
entry_SYSCALL_64_after_hwframe+0x4b/0x53
RIP: 0033:0x7f383422ec77
[4]
#!/bin/bash
ip address add 2001:db8:1::1/128 dev lo
ip nexthop add id 1 via 2001:db8:1::1 fdb
ip nexthop add id 10 group 1 fdb
ip link add name vx0 up type vxlan id 10010 local 2001:db8:1::1 dstport 4789 proxy
ip neigh add 2001:db8:1::3 lladdr 00:11:22:33:44:55 nud perm dev vx0
bridge fdb add 00:11:22:33:44:55 dev vx0 self static nhid 10
ndisc6 -r 1 -s 2001:db8:1::1 -w 1 2001:db8:1::3 vx0
Severity
5.5 (Medium)
CWE
- CWE-476 - NULL Pointer Dereference
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-39850",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T19:20:51.126279Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T19:23:12.307Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/vxlan/vxlan_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e211e3f4199ac829bd493632efcd131d337cba9d",
"status": "affected",
"version": "1274e1cc42264d4e629841e4f182795cb0becfd2",
"versionType": "git"
},
{
"lessThan": "8cfa0f076842f9b3b4eb52ae0e41d16e25cbf8fa",
"status": "affected",
"version": "1274e1cc42264d4e629841e4f182795cb0becfd2",
"versionType": "git"
},
{
"lessThan": "1f5d2fd1ca04a23c18b1bde9a43ce2fa2ffa1bce",
"status": "affected",
"version": "1274e1cc42264d4e629841e4f182795cb0becfd2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/vxlan/vxlan_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvxlan: Fix NPD in {arp,neigh}_reduce() when using nexthop objects\n\nWhen the \"proxy\" option is enabled on a VXLAN device, the device will\nsuppress ARP requests and IPv6 Neighbor Solicitation messages if it is\nable to reply on behalf of the remote host. That is, if a matching and\nvalid neighbor entry is configured on the VXLAN device whose MAC address\nis not behind the \"any\" remote (0.0.0.0 / ::).\n\nThe code currently assumes that the FDB entry for the neighbor\u0027s MAC\naddress points to a valid remote destination, but this is incorrect if\nthe entry is associated with an FDB nexthop group. This can result in a\nNPD [1][3] which can be reproduced using [2][4].\n\nFix by checking that the remote destination exists before dereferencing\nit.\n\n[1]\nBUG: kernel NULL pointer dereference, address: 0000000000000000\n[...]\nCPU: 4 UID: 0 PID: 365 Comm: arping Not tainted 6.17.0-rc2-virtme-g2a89cb21162c #2 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc41 04/01/2014\nRIP: 0010:vxlan_xmit+0xb58/0x15f0\n[...]\nCall Trace:\n \u003cTASK\u003e\n dev_hard_start_xmit+0x5d/0x1c0\n __dev_queue_xmit+0x246/0xfd0\n packet_sendmsg+0x113a/0x1850\n __sock_sendmsg+0x38/0x70\n __sys_sendto+0x126/0x180\n __x64_sys_sendto+0x24/0x30\n do_syscall_64+0xa4/0x260\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\n[2]\n #!/bin/bash\n\n ip address add 192.0.2.1/32 dev lo\n\n ip nexthop add id 1 via 192.0.2.2 fdb\n ip nexthop add id 10 group 1 fdb\n\n ip link add name vx0 up type vxlan id 10010 local 192.0.2.1 dstport 4789 proxy\n\n ip neigh add 192.0.2.3 lladdr 00:11:22:33:44:55 nud perm dev vx0\n\n bridge fdb add 00:11:22:33:44:55 dev vx0 self static nhid 10\n\n arping -b -c 1 -s 192.0.2.1 -I vx0 192.0.2.3\n\n[3]\nBUG: kernel NULL pointer dereference, address: 0000000000000000\n[...]\nCPU: 13 UID: 0 PID: 372 Comm: ndisc6 Not tainted 6.17.0-rc2-virtmne-g6ee90cb26014 #3 
PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1v996), BIOS 1.17.0-4.fc41 04/01/2x014\nRIP: 0010:vxlan_xmit+0x803/0x1600\n[...]\nCall Trace:\n \u003cTASK\u003e\n dev_hard_start_xmit+0x5d/0x1c0\n __dev_queue_xmit+0x246/0xfd0\n ip6_finish_output2+0x210/0x6c0\n ip6_finish_output+0x1af/0x2b0\n ip6_mr_output+0x92/0x3e0\n ip6_send_skb+0x30/0x90\n rawv6_sendmsg+0xe6e/0x12e0\n __sock_sendmsg+0x38/0x70\n __sys_sendto+0x126/0x180\n __x64_sys_sendto+0x24/0x30\n do_syscall_64+0xa4/0x260\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\nRIP: 0033:0x7f383422ec77\n\n[4]\n #!/bin/bash\n\n ip address add 2001:db8:1::1/128 dev lo\n\n ip nexthop add id 1 via 2001:db8:1::1 fdb\n ip nexthop add id 10 group 1 fdb\n\n ip link add name vx0 up type vxlan id 10010 local 2001:db8:1::1 dstport 4789 proxy\n\n ip neigh add 2001:db8:1::3 lladdr 00:11:22:33:44:55 nud perm dev vx0\n\n bridge fdb add 00:11:22:33:44:55 dev vx0 self static nhid 10\n\n ndisc6 -r 1 -s 2001:db8:1::1 -w 1 2001:db8:1::3 vx0"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:01:01.501Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e211e3f4199ac829bd493632efcd131d337cba9d"
},
{
"url": "https://git.kernel.org/stable/c/8cfa0f076842f9b3b4eb52ae0e41d16e25cbf8fa"
},
{
"url": "https://git.kernel.org/stable/c/1f5d2fd1ca04a23c18b1bde9a43ce2fa2ffa1bce"
}
],
"title": "vxlan: Fix NPD in {arp,neigh}_reduce() when using nexthop objects",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39850",
"datePublished": "2025-09-19T15:26:22.803Z",
"dateReserved": "2025-04-16T07:20:57.142Z",
"dateUpdated": "2026-01-14T19:23:12.307Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50304 (GCVE-0-2022-50304)
Vulnerability from cvelistv5 – Published: 2025-09-15 14:45 – Updated: 2025-09-15 14:45
Title
mtd: core: fix possible resource leak in init_mtd()
Summary
In the Linux kernel, the following vulnerability has been resolved:
mtd: core: fix possible resource leak in init_mtd()
I got the error report while inject fault in init_mtd():
sysfs: cannot create duplicate filename '/devices/virtual/bdi/mtd-0'
Call Trace:
<TASK>
dump_stack_lvl+0x67/0x83
sysfs_warn_dup+0x60/0x70
sysfs_create_dir_ns+0x109/0x120
kobject_add_internal+0xce/0x2f0
kobject_add+0x98/0x110
device_add+0x179/0xc00
device_create_groups_vargs+0xf4/0x100
device_create+0x7b/0xb0
bdi_register_va.part.13+0x58/0x2d0
bdi_register+0x9b/0xb0
init_mtd+0x62/0x171 [mtd]
do_one_initcall+0x6c/0x3c0
do_init_module+0x58/0x222
load_module+0x268e/0x27d0
__do_sys_finit_module+0xd5/0x140
do_syscall_64+0x37/0x90
entry_SYSCALL_64_after_hwframe+0x63/0xcd
</TASK>
kobject_add_internal failed for mtd-0 with -EEXIST, don't try to register
things with the same name in the same directory.
Error registering mtd class or bdi: -17
If init_mtdchar() fails in init_mtd(), mtd_bdi will not be unregistered,
as a result, we can't load the mtd module again, to fix this by calling
bdi_unregister(mtd_bdi) after out_procfs label.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 445caaa20c4d6da74f426464f90513b81157ad77 , < 78816504100cbd8e6836df9f58cc4fbb8b262f1c (git) |
| Linux | Linux | Affected: 445caaa20c4d6da74f426464f90513b81157ad77 , < 26c304a3f136009c5a2a04e2bf3ac6aa25aabcb4 (git) |
| Linux | Linux | Affected: 445caaa20c4d6da74f426464f90513b81157ad77 , < 1aadf01e5076b9ab6bf294b9622335c651314895 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/mtd/mtdcore.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "78816504100cbd8e6836df9f58cc4fbb8b262f1c",
"status": "affected",
"version": "445caaa20c4d6da74f426464f90513b81157ad77",
"versionType": "git"
},
{
"lessThan": "26c304a3f136009c5a2a04e2bf3ac6aa25aabcb4",
"status": "affected",
"version": "445caaa20c4d6da74f426464f90513b81157ad77",
"versionType": "git"
},
{
"lessThan": "1aadf01e5076b9ab6bf294b9622335c651314895",
"status": "affected",
"version": "445caaa20c4d6da74f426464f90513b81157ad77",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/mtd/mtdcore.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.10"
},
{
"lessThan": "4.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "4.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: core: fix possible resource leak in init_mtd()\n\nI got the error report while inject fault in init_mtd():\n\nsysfs: cannot create duplicate filename \u0027/devices/virtual/bdi/mtd-0\u0027\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x67/0x83\n sysfs_warn_dup+0x60/0x70\n sysfs_create_dir_ns+0x109/0x120\n kobject_add_internal+0xce/0x2f0\n kobject_add+0x98/0x110\n device_add+0x179/0xc00\n device_create_groups_vargs+0xf4/0x100\n device_create+0x7b/0xb0\n bdi_register_va.part.13+0x58/0x2d0\n bdi_register+0x9b/0xb0\n init_mtd+0x62/0x171 [mtd]\n do_one_initcall+0x6c/0x3c0\n do_init_module+0x58/0x222\n load_module+0x268e/0x27d0\n __do_sys_finit_module+0xd5/0x140\n do_syscall_64+0x37/0x90\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n \u003c/TASK\u003e\nkobject_add_internal failed for mtd-0 with -EEXIST, don\u0027t try to register\n\tthings with the same name in the same directory.\nError registering mtd class or bdi: -17\n\nIf init_mtdchar() fails in init_mtd(), mtd_bdi will not be unregistered,\nas a result, we can\u0027t load the mtd module again, to fix this by calling\nbdi_unregister(mtd_bdi) after out_procfs label."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T14:45:59.614Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/78816504100cbd8e6836df9f58cc4fbb8b262f1c"
},
{
"url": "https://git.kernel.org/stable/c/26c304a3f136009c5a2a04e2bf3ac6aa25aabcb4"
},
{
"url": "https://git.kernel.org/stable/c/1aadf01e5076b9ab6bf294b9622335c651314895"
}
],
"title": "mtd: core: fix possible resource leak in init_mtd()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50304",
"datePublished": "2025-09-15T14:45:59.614Z",
"dateReserved": "2025-09-15T14:18:36.812Z",
"dateUpdated": "2025-09-15T14:45:59.614Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38456 (GCVE-0-2025-38456)
Vulnerability from cvelistv5 – Published: 2025-07-25 15:27 – Updated: 2025-11-03 17:38
Title
ipmi:msghandler: Fix potential memory corruption in ipmi_create_user()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipmi:msghandler: Fix potential memory corruption in ipmi_create_user()
The "intf" list iterator is an invalid pointer if the correct
"intf->intf_num" is not found. Calling atomic_dec(&intf->nr_users) on
an invalid pointer will lead to memory corruption.
We don't really need to call atomic_dec() if we haven't called
atomic_add_return() so update the if (intf->in_shutdown) path as well.
Severity ?
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 8e76741c3d8b20dfa2d6c30fa10ff927cfd93d82 , < cbc1670297f675854e982d23c8583900ff0cc67a (git) |
| Linux | Linux | Affected: 8e76741c3d8b20dfa2d6c30fa10ff927cfd93d82 , < e2d5c005dfc96fe857676d1d8ac46b29275cb89b (git) |
| Linux | Linux | Affected: 8e76741c3d8b20dfa2d6c30fa10ff927cfd93d82 , < 9e0d33e75c1604c3fad5586ad4dfa3b2695a3950 (git) |
| Linux | Linux | Affected: 8e76741c3d8b20dfa2d6c30fa10ff927cfd93d82 , < 7c1a6ddb99858e7d68961f74ae27caeeeca67b6a (git) |
| Linux | Linux | Affected: 8e76741c3d8b20dfa2d6c30fa10ff927cfd93d82 , < fa332f5dc6fc662ad7d3200048772c96b861cf6b (git) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:38:12.328Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/char/ipmi/ipmi_msghandler.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cbc1670297f675854e982d23c8583900ff0cc67a",
"status": "affected",
"version": "8e76741c3d8b20dfa2d6c30fa10ff927cfd93d82",
"versionType": "git"
},
{
"lessThan": "e2d5c005dfc96fe857676d1d8ac46b29275cb89b",
"status": "affected",
"version": "8e76741c3d8b20dfa2d6c30fa10ff927cfd93d82",
"versionType": "git"
},
{
"lessThan": "9e0d33e75c1604c3fad5586ad4dfa3b2695a3950",
"status": "affected",
"version": "8e76741c3d8b20dfa2d6c30fa10ff927cfd93d82",
"versionType": "git"
},
{
"lessThan": "7c1a6ddb99858e7d68961f74ae27caeeeca67b6a",
"status": "affected",
"version": "8e76741c3d8b20dfa2d6c30fa10ff927cfd93d82",
"versionType": "git"
},
{
"lessThan": "fa332f5dc6fc662ad7d3200048772c96b861cf6b",
"status": "affected",
"version": "8e76741c3d8b20dfa2d6c30fa10ff927cfd93d82",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/char/ipmi/ipmi_msghandler.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.146",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.146",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.99",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.39",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.7",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipmi:msghandler: Fix potential memory corruption in ipmi_create_user()\n\nThe \"intf\" list iterator is an invalid pointer if the correct\n\"intf-\u003eintf_num\" is not found. Calling atomic_dec(\u0026intf-\u003enr_users) on\nand invalid pointer will lead to memory corruption.\n\nWe don\u0027t really need to call atomic_dec() if we haven\u0027t called\natomic_add_return() so update the if (intf-\u003ein_shutdown) path as well."
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T04:22:49.939Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cbc1670297f675854e982d23c8583900ff0cc67a"
},
{
"url": "https://git.kernel.org/stable/c/e2d5c005dfc96fe857676d1d8ac46b29275cb89b"
},
{
"url": "https://git.kernel.org/stable/c/9e0d33e75c1604c3fad5586ad4dfa3b2695a3950"
},
{
"url": "https://git.kernel.org/stable/c/7c1a6ddb99858e7d68961f74ae27caeeeca67b6a"
},
{
"url": "https://git.kernel.org/stable/c/fa332f5dc6fc662ad7d3200048772c96b861cf6b"
}
],
"title": "ipmi:msghandler: Fix potential memory corruption in ipmi_create_user()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38456",
"datePublished": "2025-07-25T15:27:35.559Z",
"dateReserved": "2025-04-16T04:51:24.019Z",
"dateUpdated": "2025-11-03T17:38:12.328Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39742 (GCVE-0-2025-39742)
Vulnerability from cvelistv5 – Published: 2025-09-11 16:52 – Updated: 2026-01-02 15:31
Title
RDMA: hfi1: fix possible divide-by-zero in find_hw_thread_mask()
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA: hfi1: fix possible divide-by-zero in find_hw_thread_mask()
The function divides the number of online CPUs by num_core_siblings, and
later checks the divider for zero. This implies a possibility to get
a divide-by-zero runtime error. Fix it by moving the check prior to
division. This also helps to save one indentation level.
Severity ?
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: b094a36f90975373c3a241839869217a65f17d81 , < 9bba1a9994c523b44db64f63b564b4719ea2b7ef (git) |
| Linux | Linux | Affected: b094a36f90975373c3a241839869217a65f17d81 , < 1a7cf828ed861de5be1aff99e10f114b363c19d3 (git) |
| Linux | Linux | Affected: b094a36f90975373c3a241839869217a65f17d81 , < 9d3211cb61a0773a2440d0a0698c1e6e7429f907 (git) |
| Linux | Linux | Affected: b094a36f90975373c3a241839869217a65f17d81 , < 4b4317b0d758ff92ba96f4e448a8992a6fe607bf (git) |
| Linux | Linux | Affected: b094a36f90975373c3a241839869217a65f17d81 , < 89fdac333a17ed990b41565630ef4791782e02f5 (git) |
| Linux | Linux | Affected: b094a36f90975373c3a241839869217a65f17d81 , < 9b05e91afe948ed819bf87d7ba0fccf451ed79a6 (git) |
| Linux | Linux | Affected: b094a36f90975373c3a241839869217a65f17d81 , < 31d0599a23efdbfe579bfbd1eb8f8c942f13744d (git) |
| Linux | Linux | Affected: b094a36f90975373c3a241839869217a65f17d81 , < ac53f377393cc85156afdc90b636e84e544a6f96 (git) |
| Linux | Linux | Affected: b094a36f90975373c3a241839869217a65f17d81 , < 59f7d2138591ef8f0e4e4ab5f1ab674e8181ad3a (git) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:42:57.252Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/hfi1/affinity.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9bba1a9994c523b44db64f63b564b4719ea2b7ef",
"status": "affected",
"version": "b094a36f90975373c3a241839869217a65f17d81",
"versionType": "git"
},
{
"lessThan": "1a7cf828ed861de5be1aff99e10f114b363c19d3",
"status": "affected",
"version": "b094a36f90975373c3a241839869217a65f17d81",
"versionType": "git"
},
{
"lessThan": "9d3211cb61a0773a2440d0a0698c1e6e7429f907",
"status": "affected",
"version": "b094a36f90975373c3a241839869217a65f17d81",
"versionType": "git"
},
{
"lessThan": "4b4317b0d758ff92ba96f4e448a8992a6fe607bf",
"status": "affected",
"version": "b094a36f90975373c3a241839869217a65f17d81",
"versionType": "git"
},
{
"lessThan": "89fdac333a17ed990b41565630ef4791782e02f5",
"status": "affected",
"version": "b094a36f90975373c3a241839869217a65f17d81",
"versionType": "git"
},
{
"lessThan": "9b05e91afe948ed819bf87d7ba0fccf451ed79a6",
"status": "affected",
"version": "b094a36f90975373c3a241839869217a65f17d81",
"versionType": "git"
},
{
"lessThan": "31d0599a23efdbfe579bfbd1eb8f8c942f13744d",
"status": "affected",
"version": "b094a36f90975373c3a241839869217a65f17d81",
"versionType": "git"
},
{
"lessThan": "ac53f377393cc85156afdc90b636e84e544a6f96",
"status": "affected",
"version": "b094a36f90975373c3a241839869217a65f17d81",
"versionType": "git"
},
{
"lessThan": "59f7d2138591ef8f0e4e4ab5f1ab674e8181ad3a",
"status": "affected",
"version": "b094a36f90975373c3a241839869217a65f17d81",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/hfi1/affinity.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.43",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.11",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.2",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA: hfi1: fix possible divide-by-zero in find_hw_thread_mask()\n\nThe function divides number of online CPUs by num_core_siblings, and\nlater checks the divider by zero. This implies a possibility to get\nand divide-by-zero runtime error. Fix it by moving the check prior to\ndivision. This also helps to save one indentation level."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:31:53.787Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9bba1a9994c523b44db64f63b564b4719ea2b7ef"
},
{
"url": "https://git.kernel.org/stable/c/1a7cf828ed861de5be1aff99e10f114b363c19d3"
},
{
"url": "https://git.kernel.org/stable/c/9d3211cb61a0773a2440d0a0698c1e6e7429f907"
},
{
"url": "https://git.kernel.org/stable/c/4b4317b0d758ff92ba96f4e448a8992a6fe607bf"
},
{
"url": "https://git.kernel.org/stable/c/89fdac333a17ed990b41565630ef4791782e02f5"
},
{
"url": "https://git.kernel.org/stable/c/9b05e91afe948ed819bf87d7ba0fccf451ed79a6"
},
{
"url": "https://git.kernel.org/stable/c/31d0599a23efdbfe579bfbd1eb8f8c942f13744d"
},
{
"url": "https://git.kernel.org/stable/c/ac53f377393cc85156afdc90b636e84e544a6f96"
},
{
"url": "https://git.kernel.org/stable/c/59f7d2138591ef8f0e4e4ab5f1ab674e8181ad3a"
}
],
"title": "RDMA: hfi1: fix possible divide-by-zero in find_hw_thread_mask()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39742",
"datePublished": "2025-09-11T16:52:16.339Z",
"dateReserved": "2025-04-16T07:20:57.120Z",
"dateUpdated": "2026-01-02T15:31:53.787Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50285 (GCVE-0-2022-50285)
Vulnerability from cvelistv5 – Published: 2025-09-15 14:21 – Updated: 2025-09-15 14:21
Title
mm,hugetlb: take hugetlb_lock before decrementing h->resv_huge_pages
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm,hugetlb: take hugetlb_lock before decrementing h->resv_huge_pages
The h->*_huge_pages counters are protected by the hugetlb_lock, but
alloc_huge_page has a corner case where it can decrement the counter
outside of the lock.
This could lead to a corrupted value of h->resv_huge_pages, which we have
observed on our systems.
Take the hugetlb_lock before decrementing h->resv_huge_pages to avoid a
potential race.
Severity ?
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: a88c769548047b21f76fd71e04b6a3300ff17160 , < 3e50a07b6a5fcd39df1534d3fdaca4292a65efe6 (git) |
| Linux | Linux | Affected: a88c769548047b21f76fd71e04b6a3300ff17160 , < 629c986e19fe9481227c7cdfd9a105bbc104d245 (git) |
| Linux | Linux | Affected: a88c769548047b21f76fd71e04b6a3300ff17160 , < 2b35432d324898ec41beb27031d2a1a864a4d40e (git) |
| Linux | Linux | Affected: a88c769548047b21f76fd71e04b6a3300ff17160 , < 11993652d0b49e27272db0a37aa828d8a3a4b92b (git) |
| Linux | Linux | Affected: a88c769548047b21f76fd71e04b6a3300ff17160 , < 568e3812b1778b4c0c229649b59977d88f400ece (git) |
| Linux | Linux | Affected: a88c769548047b21f76fd71e04b6a3300ff17160 , < 112a005d1ded04a4b41b6d01833cc0bda90625cc (git) |
| Linux | Linux | Affected: a88c769548047b21f76fd71e04b6a3300ff17160 , < c828fab903725279aa9dc6ae3d44bb7e4778f92c (git) |
| Linux | Linux | Affected: a88c769548047b21f76fd71e04b6a3300ff17160 , < 12df140f0bdfae5dcfc81800970dd7f6f632e00c (git) |
| Linux | Linux | Affected: 3f5fae4d1a3189d95b02b4b45e1218df147122bc (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/hugetlb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3e50a07b6a5fcd39df1534d3fdaca4292a65efe6",
"status": "affected",
"version": "a88c769548047b21f76fd71e04b6a3300ff17160",
"versionType": "git"
},
{
"lessThan": "629c986e19fe9481227c7cdfd9a105bbc104d245",
"status": "affected",
"version": "a88c769548047b21f76fd71e04b6a3300ff17160",
"versionType": "git"
},
{
"lessThan": "2b35432d324898ec41beb27031d2a1a864a4d40e",
"status": "affected",
"version": "a88c769548047b21f76fd71e04b6a3300ff17160",
"versionType": "git"
},
{
"lessThan": "11993652d0b49e27272db0a37aa828d8a3a4b92b",
"status": "affected",
"version": "a88c769548047b21f76fd71e04b6a3300ff17160",
"versionType": "git"
},
{
"lessThan": "568e3812b1778b4c0c229649b59977d88f400ece",
"status": "affected",
"version": "a88c769548047b21f76fd71e04b6a3300ff17160",
"versionType": "git"
},
{
"lessThan": "112a005d1ded04a4b41b6d01833cc0bda90625cc",
"status": "affected",
"version": "a88c769548047b21f76fd71e04b6a3300ff17160",
"versionType": "git"
},
{
"lessThan": "c828fab903725279aa9dc6ae3d44bb7e4778f92c",
"status": "affected",
"version": "a88c769548047b21f76fd71e04b6a3300ff17160",
"versionType": "git"
},
{
"lessThan": "12df140f0bdfae5dcfc81800970dd7f6f632e00c",
"status": "affected",
"version": "a88c769548047b21f76fd71e04b6a3300ff17160",
"versionType": "git"
},
{
"status": "affected",
"version": "3f5fae4d1a3189d95b02b4b45e1218df147122bc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/hugetlb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.4"
},
{
"lessThan": "4.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.332",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.298",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.264",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.223",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.153",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.76",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.332",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.298",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.264",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.223",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.153",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.76",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.6",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.3.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm,hugetlb: take hugetlb_lock before decrementing h-\u003eresv_huge_pages\n\nThe h-\u003e*_huge_pages counters are protected by the hugetlb_lock, but\nalloc_huge_page has a corner case where it can decrement the counter\noutside of the lock.\n\nThis could lead to a corrupted value of h-\u003eresv_huge_pages, which we have\nobserved on our systems.\n\nTake the hugetlb_lock before decrementing h-\u003eresv_huge_pages to avoid a\npotential race."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T14:21:21.504Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3e50a07b6a5fcd39df1534d3fdaca4292a65efe6"
},
{
"url": "https://git.kernel.org/stable/c/629c986e19fe9481227c7cdfd9a105bbc104d245"
},
{
"url": "https://git.kernel.org/stable/c/2b35432d324898ec41beb27031d2a1a864a4d40e"
},
{
"url": "https://git.kernel.org/stable/c/11993652d0b49e27272db0a37aa828d8a3a4b92b"
},
{
"url": "https://git.kernel.org/stable/c/568e3812b1778b4c0c229649b59977d88f400ece"
},
{
"url": "https://git.kernel.org/stable/c/112a005d1ded04a4b41b6d01833cc0bda90625cc"
},
{
"url": "https://git.kernel.org/stable/c/c828fab903725279aa9dc6ae3d44bb7e4778f92c"
},
{
"url": "https://git.kernel.org/stable/c/12df140f0bdfae5dcfc81800970dd7f6f632e00c"
}
],
"title": "mm,hugetlb: take hugetlb_lock before decrementing h-\u003eresv_huge_pages",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50285",
"datePublished": "2025-09-15T14:21:21.504Z",
"dateReserved": "2025-09-15T13:58:00.977Z",
"dateUpdated": "2025-09-15T14:21:21.504Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38632 (GCVE-0-2025-38632)
Vulnerability from cvelistv5 – Published: 2025-08-22 16:00 – Updated: 2025-09-29 05:55
Title
pinmux: fix race causing mux_owner NULL with active mux_usecount
Summary
In the Linux kernel, the following vulnerability has been resolved:
pinmux: fix race causing mux_owner NULL with active mux_usecount
commit 5a3e85c3c397 ("pinmux: Use sequential access to access
desc->pinmux data") tried to address the issue when two clients of the
same gpio call pinctrl_select_state() for the same functionality, which was
resulting in a NULL pointer issue while accessing desc->mux_owner.
However, the issue was not completely fixed due to the way it was handled
and it can still result in the same NULL pointer.
The issue occurs due to the following interleaving:
```
  cpu0 (process A)                   cpu1 (process B)

  pin_request() {                    pin_free() {

                                       mutex_lock()
                                       desc->mux_usecount--; //becomes 0
                                       ..
                                       mutex_unlock()

    mutex_lock(desc->mux)
    desc->mux_usecount++; // becomes 1
    desc->mux_owner = owner;
    mutex_unlock(desc->mux)

                                       mutex_lock(desc->mux)
                                       desc->mux_owner = NULL;
                                       mutex_unlock(desc->mux)
```
This sequence leads to a state where the pin appears to be in use
(`mux_usecount == 1`) but has no owner (`mux_owner == NULL`), which can
cause NULL pointer on next pin_request on the same pin.
Ensure that updates to mux_usecount and mux_owner are performed
atomically under the same lock. Only clear mux_owner when mux_usecount
reaches zero and no new owner has been assigned.
Severity ?
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 2da32aed4a97ca1d70fb8b77926f72f30ce5fb4b , < 9b2a3e7189028aa7c4d53a84364f2ea9fb209787 (git) |
| Linux | Linux | Affected: c11e2ec9a780f54982a187ee10ffd1b810715c85 , < 9ea3f6b9a67be3476e331ce51cac316c2614a564 (git) |
| Linux | Linux | Affected: 5a3e85c3c397c781393ea5fb2f45b1f60f8a4e6e , < b7bd6e3971eb7f0e34d2fdce1b18b08094e0c804 (git) |
| Linux | Linux | Affected: 5a3e85c3c397c781393ea5fb2f45b1f60f8a4e6e , < 22b585cbd67d14df3b91529d1b990661c300faa9 (git) |
| Linux | Linux | Affected: 5a3e85c3c397c781393ea5fb2f45b1f60f8a4e6e , < 0b075c011032f88d1cfde3b45d6dcf08b44140eb (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/pinctrl/pinmux.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9b2a3e7189028aa7c4d53a84364f2ea9fb209787",
"status": "affected",
"version": "2da32aed4a97ca1d70fb8b77926f72f30ce5fb4b",
"versionType": "git"
},
{
"lessThan": "9ea3f6b9a67be3476e331ce51cac316c2614a564",
"status": "affected",
"version": "c11e2ec9a780f54982a187ee10ffd1b810715c85",
"versionType": "git"
},
{
"lessThan": "b7bd6e3971eb7f0e34d2fdce1b18b08094e0c804",
"status": "affected",
"version": "5a3e85c3c397c781393ea5fb2f45b1f60f8a4e6e",
"versionType": "git"
},
{
"lessThan": "22b585cbd67d14df3b91529d1b990661c300faa9",
"status": "affected",
"version": "5a3e85c3c397c781393ea5fb2f45b1f60f8a4e6e",
"versionType": "git"
},
{
"lessThan": "0b075c011032f88d1cfde3b45d6dcf08b44140eb",
"status": "affected",
"version": "5a3e85c3c397c781393ea5fb2f45b1f60f8a4e6e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/pinctrl/pinmux.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.13"
},
{
"lessThan": "6.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.102",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.102",
"versionStartIncluding": "6.6.66",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.42",
"versionStartIncluding": "6.12.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.10",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npinmux: fix race causing mux_owner NULL with active mux_usecount\n\ncommit 5a3e85c3c397 (\"pinmux: Use sequential access to access\ndesc-\u003epinmux data\") tried to address the issue when two client of the\nsame gpio calls pinctrl_select_state() for the same functionality, was\nresulting in NULL pointer issue while accessing desc-\u003emux_owner.\nHowever, issue was not completely fixed due to the way it was handled\nand it can still result in the same NULL pointer.\n\nThe issue occurs due to the following interleaving:\n\n cpu0 (process A) cpu1 (process B)\n\n pin_request() { pin_free() {\n\n mutex_lock()\n desc-\u003emux_usecount--; //becomes 0\n ..\n mutex_unlock()\n\n mutex_lock(desc-\u003emux)\n desc-\u003emux_usecount++; // becomes 1\n desc-\u003emux_owner = owner;\n mutex_unlock(desc-\u003emux)\n\n mutex_lock(desc-\u003emux)\n desc-\u003emux_owner = NULL;\n mutex_unlock(desc-\u003emux)\n\nThis sequence leads to a state where the pin appears to be in use\n(`mux_usecount == 1`) but has no owner (`mux_owner == NULL`), which can\ncause NULL pointer on next pin_request on the same pin.\n\nEnsure that updates to mux_usecount and mux_owner are performed\natomically under the same lock. Only clear mux_owner when mux_usecount\nreaches zero and no new owner has been assigned."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:55:10.837Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9b2a3e7189028aa7c4d53a84364f2ea9fb209787"
},
{
"url": "https://git.kernel.org/stable/c/9ea3f6b9a67be3476e331ce51cac316c2614a564"
},
{
"url": "https://git.kernel.org/stable/c/b7bd6e3971eb7f0e34d2fdce1b18b08094e0c804"
},
{
"url": "https://git.kernel.org/stable/c/22b585cbd67d14df3b91529d1b990661c300faa9"
},
{
"url": "https://git.kernel.org/stable/c/0b075c011032f88d1cfde3b45d6dcf08b44140eb"
}
],
"title": "pinmux: fix race causing mux_owner NULL with active mux_usecount",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38632",
"datePublished": "2025-08-22T16:00:40.423Z",
"dateReserved": "2025-04-16T04:51:24.029Z",
"dateUpdated": "2025-09-29T05:55:10.837Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53178 (GCVE-0-2023-53178)
Vulnerability from cvelistv5 – Published: 2025-09-15 14:04 – Updated: 2025-09-16 08:02
Title
mm: fix zswap writeback race condition
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm: fix zswap writeback race condition
The zswap writeback mechanism can cause a race condition resulting in
memory corruption, where a swapped out page gets swapped in with data that
was written to a different page.
The race unfolds like this:
1. a page with data A and swap offset X is stored in zswap
2. page A is removed off the LRU by zpool driver for writeback in
zswap-shrink work, data for A is mapped by zpool driver
3. user space program faults and invalidates page entry A, offset X is
considered free
4. kswapd stores page B at offset X in zswap (zswap could also be
full, if so, page B would then be IOed to X, then skip step 5.)
5. entry A is replaced by B in tree->rbroot, this doesn't affect the
local reference held by zswap-shrink work
6. zswap-shrink work writes back A at X, and frees zswap entry A
7. swapin of slot X brings A in memory instead of B
The fix:
Once the swap page cache has been allocated (case ZSWAP_SWAPCACHE_NEW),
zswap-shrink work just checks that the local zswap_entry reference is
still the same as the one in the tree. If it's not the same it means that
it's either been invalidated or replaced, in both cases the writeback is
aborted because the local entry contains stale data.
Reproducer:
I originally found this by running `stress` overnight to validate my work
on the zswap writeback mechanism, it manifested after hours on my test
machine. The key to make it happen is having zswap writebacks, so
whatever setup pumps /sys/kernel/debug/zswap/written_back_pages should do
the trick.
In order to reproduce this faster on a vm, I set up a system with ~100M of
available memory and a 500M swap file, then running `stress --vm 1
--vm-bytes 300000000 --vm-stride 4000` makes it happen in a matter of tens
of minutes. One can speed things up even more by swinging
/sys/module/zswap/parameters/max_pool_percent up and down between, say, 20
and 1; this makes it reproduce in tens of seconds. It's crucial to set
`--vm-stride` to something other than 4096 otherwise `stress` won't
realize that memory has been corrupted because all pages would have the
same data.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 2b2811178e85553405b86e3fe78357b9b95889ce, < 2cab13f500a6333bd2b853783ac76be9e4956f8a (git) |
| Linux | Linux | Affected: 2b2811178e85553405b86e3fe78357b9b95889ce, < ba700ea13bf0105a4773c654f7d3bef8adb64ab2 (git) |
| Linux | Linux | Affected: 2b2811178e85553405b86e3fe78357b9b95889ce, < 04fc7816089c5a32c29a04ec94b998e219dfb946 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/zswap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2cab13f500a6333bd2b853783ac76be9e4956f8a",
"status": "affected",
"version": "2b2811178e85553405b86e3fe78357b9b95889ce",
"versionType": "git"
},
{
"lessThan": "ba700ea13bf0105a4773c654f7d3bef8adb64ab2",
"status": "affected",
"version": "2b2811178e85553405b86e3fe78357b9b95889ce",
"versionType": "git"
},
{
"lessThan": "04fc7816089c5a32c29a04ec94b998e219dfb946",
"status": "affected",
"version": "2b2811178e85553405b86e3fe78357b9b95889ce",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/zswap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.11"
},
{
"lessThan": "3.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.30",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.4",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "3.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: fix zswap writeback race condition\n\nThe zswap writeback mechanism can cause a race condition resulting in\nmemory corruption, where a swapped out page gets swapped in with data that\nwas written to a different page.\n\nThe race unfolds like this:\n1. a page with data A and swap offset X is stored in zswap\n2. page A is removed off the LRU by zpool driver for writeback in\n zswap-shrink work, data for A is mapped by zpool driver\n3. user space program faults and invalidates page entry A, offset X is\n considered free\n4. kswapd stores page B at offset X in zswap (zswap could also be\n full, if so, page B would then be IOed to X, then skip step 5.)\n5. entry A is replaced by B in tree-\u003erbroot, this doesn\u0027t affect the\n local reference held by zswap-shrink work\n6. zswap-shrink work writes back A at X, and frees zswap entry A\n7. swapin of slot X brings A in memory instead of B\n\nThe fix:\nOnce the swap page cache has been allocated (case ZSWAP_SWAPCACHE_NEW),\nzswap-shrink work just checks that the local zswap_entry reference is\nstill the same as the one in the tree. If it\u0027s not the same it means that\nit\u0027s either been invalidated or replaced, in both cases the writeback is\naborted because the local entry contains stale data.\n\nReproducer:\nI originally found this by running `stress` overnight to validate my work\non the zswap writeback mechanism, it manifested after hours on my test\nmachine. The key to make it happen is having zswap writebacks, so\nwhatever setup pumps /sys/kernel/debug/zswap/written_back_pages should do\nthe trick.\n\nIn order to reproduce this faster on a vm, I setup a system with ~100M of\navailable memory and a 500M swap file, then running `stress --vm 1\n--vm-bytes 300000000 --vm-stride 4000` makes it happen in matter of tens\nof minutes. 
One can speed things up even more by swinging\n/sys/module/zswap/parameters/max_pool_percent up and down between, say, 20\nand 1; this makes it reproduce in tens of seconds. It\u0027s crucial to set\n`--vm-stride` to something other than 4096 otherwise `stress` won\u0027t\nrealize that memory has been corrupted because all pages would have the\nsame data."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T08:02:20.669Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2cab13f500a6333bd2b853783ac76be9e4956f8a"
},
{
"url": "https://git.kernel.org/stable/c/ba700ea13bf0105a4773c654f7d3bef8adb64ab2"
},
{
"url": "https://git.kernel.org/stable/c/04fc7816089c5a32c29a04ec94b998e219dfb946"
}
],
"title": "mm: fix zswap writeback race condition",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53178",
"datePublished": "2025-09-15T14:04:23.768Z",
"dateReserved": "2025-09-15T13:59:19.065Z",
"dateUpdated": "2025-09-16T08:02:20.669Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50358 (GCVE-0-2022-50358)
Vulnerability from cvelistv5 – Published: 2025-09-17 14:56 – Updated: 2026-01-14 18:33
Title
brcmfmac: return error when getting invalid max_flowrings from dongle
Summary
In the Linux kernel, the following vulnerability has been resolved:
brcmfmac: return error when getting invalid max_flowrings from dongle
When the firmware hits a trap at initialization, the host will read an abnormal
max_flowrings number from the dongle, and it will cause a kernel panic when
doing iowrite to initialize the dongle ring.
To detect this error at an early stage, we directly return an error when getting
an invalid max_flowrings (>256).
Severity
4.2 (Medium)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 9e37f045d5e7f33450515f237c2f6f6bfee137dd, < 3cc9299036bdb647408e11e41de3eb1ff6d428cd (git) |
| Linux | Linux | Affected: 9e37f045d5e7f33450515f237c2f6f6bfee137dd, < 2e8bb402b060a6c22160de3d72cee057698177c8 (git) |
| Linux | Linux | Affected: 9e37f045d5e7f33450515f237c2f6f6bfee137dd, < 10c4b63d09a5b0ebf1b61af1dae7f25555cf58b6 (git) |
| Linux | Linux | Affected: 9e37f045d5e7f33450515f237c2f6f6bfee137dd, < 87f126b25fa8562196f0f4c0aa46a446026199bf (git) |
| Linux | Linux | Affected: 9e37f045d5e7f33450515f237c2f6f6bfee137dd, < 200347eb3b2608cc8b54c13dd1d5e03809ba2eb2 (git) |
| Linux | Linux | Affected: 9e37f045d5e7f33450515f237c2f6f6bfee137dd, < 2aca4f3734bd717e04943ddf340d49ab62299a00 (git) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "PHYSICAL",
"availabilityImpact": "HIGH",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-50358",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T18:32:40.491291Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T18:33:01.929Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3cc9299036bdb647408e11e41de3eb1ff6d428cd",
"status": "affected",
"version": "9e37f045d5e7f33450515f237c2f6f6bfee137dd",
"versionType": "git"
},
{
"lessThan": "2e8bb402b060a6c22160de3d72cee057698177c8",
"status": "affected",
"version": "9e37f045d5e7f33450515f237c2f6f6bfee137dd",
"versionType": "git"
},
{
"lessThan": "10c4b63d09a5b0ebf1b61af1dae7f25555cf58b6",
"status": "affected",
"version": "9e37f045d5e7f33450515f237c2f6f6bfee137dd",
"versionType": "git"
},
{
"lessThan": "87f126b25fa8562196f0f4c0aa46a446026199bf",
"status": "affected",
"version": "9e37f045d5e7f33450515f237c2f6f6bfee137dd",
"versionType": "git"
},
{
"lessThan": "200347eb3b2608cc8b54c13dd1d5e03809ba2eb2",
"status": "affected",
"version": "9e37f045d5e7f33450515f237c2f6f6bfee137dd",
"versionType": "git"
},
{
"lessThan": "2aca4f3734bd717e04943ddf340d49ab62299a00",
"status": "affected",
"version": "9e37f045d5e7f33450515f237c2f6f6bfee137dd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.17"
},
{
"lessThan": "3.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "3.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbrcmfmac: return error when getting invalid max_flowrings from dongle\n\nWhen firmware hit trap at initialization, host will read abnormal\nmax_flowrings number from dongle, and it will cause kernel panic when\ndoing iowrite to initialize dongle ring.\nTo detect this error at early stage, we directly return error when getting\ninvalid max_flowrings(\u003e256)."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-23T13:29:02.746Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3cc9299036bdb647408e11e41de3eb1ff6d428cd"
},
{
"url": "https://git.kernel.org/stable/c/2e8bb402b060a6c22160de3d72cee057698177c8"
},
{
"url": "https://git.kernel.org/stable/c/10c4b63d09a5b0ebf1b61af1dae7f25555cf58b6"
},
{
"url": "https://git.kernel.org/stable/c/87f126b25fa8562196f0f4c0aa46a446026199bf"
},
{
"url": "https://git.kernel.org/stable/c/200347eb3b2608cc8b54c13dd1d5e03809ba2eb2"
},
{
"url": "https://git.kernel.org/stable/c/2aca4f3734bd717e04943ddf340d49ab62299a00"
}
],
"title": "brcmfmac: return error when getting invalid max_flowrings from dongle",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50358",
"datePublished": "2025-09-17T14:56:10.688Z",
"dateReserved": "2025-09-17T14:53:06.994Z",
"dateUpdated": "2026-01-14T18:33:01.929Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50396 (GCVE-0-2022-50396)
Vulnerability from cvelistv5 – Published: 2025-09-18 13:33 – Updated: 2026-01-14 18:53
Title
net: sched: fix memory leak in tcindex_set_parms
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: sched: fix memory leak in tcindex_set_parms
Syzkaller reports a memory leak as follows:
====================================
BUG: memory leak
unreferenced object 0xffff88810c287f00 (size 256):
comm "syz-executor105", pid 3600, jiffies 4294943292 (age 12.990s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<ffffffff814cf9f0>] kmalloc_trace+0x20/0x90 mm/slab_common.c:1046
[<ffffffff839c9e07>] kmalloc include/linux/slab.h:576 [inline]
[<ffffffff839c9e07>] kmalloc_array include/linux/slab.h:627 [inline]
[<ffffffff839c9e07>] kcalloc include/linux/slab.h:659 [inline]
[<ffffffff839c9e07>] tcf_exts_init include/net/pkt_cls.h:250 [inline]
[<ffffffff839c9e07>] tcindex_set_parms+0xa7/0xbe0 net/sched/cls_tcindex.c:342
[<ffffffff839caa1f>] tcindex_change+0xdf/0x120 net/sched/cls_tcindex.c:553
[<ffffffff8394db62>] tc_new_tfilter+0x4f2/0x1100 net/sched/cls_api.c:2147
[<ffffffff8389e91c>] rtnetlink_rcv_msg+0x4dc/0x5d0 net/core/rtnetlink.c:6082
[<ffffffff839eba67>] netlink_rcv_skb+0x87/0x1d0 net/netlink/af_netlink.c:2540
[<ffffffff839eab87>] netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
[<ffffffff839eab87>] netlink_unicast+0x397/0x4c0 net/netlink/af_netlink.c:1345
[<ffffffff839eb046>] netlink_sendmsg+0x396/0x710 net/netlink/af_netlink.c:1921
[<ffffffff8383e796>] sock_sendmsg_nosec net/socket.c:714 [inline]
[<ffffffff8383e796>] sock_sendmsg+0x56/0x80 net/socket.c:734
[<ffffffff8383eb08>] ____sys_sendmsg+0x178/0x410 net/socket.c:2482
[<ffffffff83843678>] ___sys_sendmsg+0xa8/0x110 net/socket.c:2536
[<ffffffff838439c5>] __sys_sendmmsg+0x105/0x330 net/socket.c:2622
[<ffffffff83843c14>] __do_sys_sendmmsg net/socket.c:2651 [inline]
[<ffffffff83843c14>] __se_sys_sendmmsg net/socket.c:2648 [inline]
[<ffffffff83843c14>] __x64_sys_sendmmsg+0x24/0x30 net/socket.c:2648
[<ffffffff84605fd5>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
[<ffffffff84605fd5>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
[<ffffffff84800087>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
====================================
Kernel uses tcindex_change() to change an existing
filter's properties.
Yet the problem is that, during the process of changing,
if `old_r` is retrieved from `p->perfect`, then
kernel uses tcindex_alloc_perfect_hash() to newly
allocate filter results, uses tcindex_filter_result_init()
to clear the old filter result, without destroying
its tcf_exts structure, which triggers the above memory leak.
To be more specific, there are only two sources for the `old_r`,
according to the tcindex_lookup(). `old_r` is retrieved from
`p->perfect`, or `old_r` is retrieved from `p->h`.
* If `old_r` is retrieved from `p->perfect`, kernel uses
tcindex_alloc_perfect_hash() to newly allocate the
filter results. Then `r` is assigned with `cp->perfect + handle`,
which is newly allocated. So condition `old_r && old_r != r` is
true in this situation, and kernel uses tcindex_filter_result_init()
to clear the old filter result, without destroying
its tcf_exts structure
* If `old_r` is retrieved from `p->h`, then `p->perfect` is NULL
according to the tcindex_lookup(). Considering that `cp->h`
is directly copied from `p->h` and `p->perfect` is NULL,
`r` is assigned with `tcindex_lookup(cp, handle)`, whose value
should be the same as `old_r`, so condition `old_r && old_r != r`
is false in this situation, kernel ignores using
tcindex_filter_result_init() to clear the old filter result.
So only when `old_r` is retrieved from `p->perfect` does kernel use
tcindex_filter_result_init() to clear the old filter result, which
triggers the above memory leak.
Considering that there already exists a tc_filter_wq workqueue
to destroy the old tcindex_d
---truncated---
Severity
5.5 (Medium)
CWE
- CWE-401 - Missing Release of Memory after Effective Lifetime
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: b9a24bb76bf611a5268ceffe04219e6ad264559b, < 53af9c793f644d5841d84d8e0ad83bd7ab47f3e0 (git) |
| Linux | Linux | Affected: b9a24bb76bf611a5268ceffe04219e6ad264559b, < 01d0d2b8b4e3cf2110baba9371c0c3d04ad5c77b (git) |
| Linux | Linux | Affected: b9a24bb76bf611a5268ceffe04219e6ad264559b, < 55ac68b53f1cea1926ee2313afc5d66b91daad71 (git) |
| Linux | Linux | Affected: b9a24bb76bf611a5268ceffe04219e6ad264559b, < 7a6fb69bbcb21e9ce13bdf18c008c268874f0480 (git) |
| Linux | Linux | Affected: b9a24bb76bf611a5268ceffe04219e6ad264559b, < b314f6c3512108d7a656c5caf07c82d1bbbdc0f1 (git) |
| Linux | Linux | Affected: b9a24bb76bf611a5268ceffe04219e6ad264559b, < 18c3fa7a7fdbb4d21dafc8a7710ae2c1680930f6 (git) |
| Linux | Linux | Affected: b9a24bb76bf611a5268ceffe04219e6ad264559b, < 6c55953e232ea668731091d111066521f3b7719b (git) |
| Linux | Linux | Affected: b9a24bb76bf611a5268ceffe04219e6ad264559b, < 7c183dc0af472dec33d2c0786a5e356baa8cad19 (git) |
| Linux | Linux | Affected: b9a24bb76bf611a5268ceffe04219e6ad264559b, < c4de6057e7c6654983acb63d939d26ac0d7bbf39 (git) |
| Linux | Linux | Affected: b9a24bb76bf611a5268ceffe04219e6ad264559b, < facc4405e8b7407e03216207b1d1d640127de0c8 (git) |
| Linux | Linux | Affected: b9a24bb76bf611a5268ceffe04219e6ad264559b, < 3abebc503a5148072052c229c6b04b329a420ecd (git) |
| Linux | Linux | Affected: b9a24bb76bf611a5268ceffe04219e6ad264559b, < 399ab7fe0fa0d846881685fd4e57e9a8ef7559f7 (git) |
| Linux | Linux | Affected: b9a24bb76bf611a5268ceffe04219e6ad264559b, < 372ae77cf11d11fb118cbe2d37def9dd5f826abd (git) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-50396",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T18:51:54.692006Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T18:53:06.184Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/cls_tcindex.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "53af9c793f644d5841d84d8e0ad83bd7ab47f3e0",
"status": "affected",
"version": "b9a24bb76bf611a5268ceffe04219e6ad264559b",
"versionType": "git"
},
{
"lessThan": "01d0d2b8b4e3cf2110baba9371c0c3d04ad5c77b",
"status": "affected",
"version": "b9a24bb76bf611a5268ceffe04219e6ad264559b",
"versionType": "git"
},
{
"lessThan": "55ac68b53f1cea1926ee2313afc5d66b91daad71",
"status": "affected",
"version": "b9a24bb76bf611a5268ceffe04219e6ad264559b",
"versionType": "git"
},
{
"lessThan": "7a6fb69bbcb21e9ce13bdf18c008c268874f0480",
"status": "affected",
"version": "b9a24bb76bf611a5268ceffe04219e6ad264559b",
"versionType": "git"
},
{
"lessThan": "b314f6c3512108d7a656c5caf07c82d1bbbdc0f1",
"status": "affected",
"version": "b9a24bb76bf611a5268ceffe04219e6ad264559b",
"versionType": "git"
},
{
"lessThan": "18c3fa7a7fdbb4d21dafc8a7710ae2c1680930f6",
"status": "affected",
"version": "b9a24bb76bf611a5268ceffe04219e6ad264559b",
"versionType": "git"
},
{
"lessThan": "6c55953e232ea668731091d111066521f3b7719b",
"status": "affected",
"version": "b9a24bb76bf611a5268ceffe04219e6ad264559b",
"versionType": "git"
},
{
"lessThan": "7c183dc0af472dec33d2c0786a5e356baa8cad19",
"status": "affected",
"version": "b9a24bb76bf611a5268ceffe04219e6ad264559b",
"versionType": "git"
},
{
"lessThan": "c4de6057e7c6654983acb63d939d26ac0d7bbf39",
"status": "affected",
"version": "b9a24bb76bf611a5268ceffe04219e6ad264559b",
"versionType": "git"
},
{
"lessThan": "facc4405e8b7407e03216207b1d1d640127de0c8",
"status": "affected",
"version": "b9a24bb76bf611a5268ceffe04219e6ad264559b",
"versionType": "git"
},
{
"lessThan": "3abebc503a5148072052c229c6b04b329a420ecd",
"status": "affected",
"version": "b9a24bb76bf611a5268ceffe04219e6ad264559b",
"versionType": "git"
},
{
"lessThan": "399ab7fe0fa0d846881685fd4e57e9a8ef7559f7",
"status": "affected",
"version": "b9a24bb76bf611a5268ceffe04219e6ad264559b",
"versionType": "git"
},
{
"lessThan": "372ae77cf11d11fb118cbe2d37def9dd5f826abd",
"status": "affected",
"version": "b9a24bb76bf611a5268ceffe04219e6ad264559b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/cls_tcindex.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.9"
},
{
"lessThan": "4.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.308",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.100",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.308",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.276",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.235",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.87",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.100",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.19",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.5",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.18",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.5",
"versionStartIncluding": "4.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sched: fix memory leak in tcindex_set_parms\n\nSyzkaller reports a memory leak as follows:\n====================================\nBUG: memory leak\nunreferenced object 0xffff88810c287f00 (size 256):\n comm \"syz-executor105\", pid 3600, jiffies 4294943292 (age 12.990s)\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace:\n [\u003cffffffff814cf9f0\u003e] kmalloc_trace+0x20/0x90 mm/slab_common.c:1046\n [\u003cffffffff839c9e07\u003e] kmalloc include/linux/slab.h:576 [inline]\n [\u003cffffffff839c9e07\u003e] kmalloc_array include/linux/slab.h:627 [inline]\n [\u003cffffffff839c9e07\u003e] kcalloc include/linux/slab.h:659 [inline]\n [\u003cffffffff839c9e07\u003e] tcf_exts_init include/net/pkt_cls.h:250 [inline]\n [\u003cffffffff839c9e07\u003e] tcindex_set_parms+0xa7/0xbe0 net/sched/cls_tcindex.c:342\n [\u003cffffffff839caa1f\u003e] tcindex_change+0xdf/0x120 net/sched/cls_tcindex.c:553\n [\u003cffffffff8394db62\u003e] tc_new_tfilter+0x4f2/0x1100 net/sched/cls_api.c:2147\n [\u003cffffffff8389e91c\u003e] rtnetlink_rcv_msg+0x4dc/0x5d0 net/core/rtnetlink.c:6082\n [\u003cffffffff839eba67\u003e] netlink_rcv_skb+0x87/0x1d0 net/netlink/af_netlink.c:2540\n [\u003cffffffff839eab87\u003e] netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]\n [\u003cffffffff839eab87\u003e] netlink_unicast+0x397/0x4c0 net/netlink/af_netlink.c:1345\n [\u003cffffffff839eb046\u003e] netlink_sendmsg+0x396/0x710 net/netlink/af_netlink.c:1921\n [\u003cffffffff8383e796\u003e] sock_sendmsg_nosec net/socket.c:714 [inline]\n [\u003cffffffff8383e796\u003e] sock_sendmsg+0x56/0x80 net/socket.c:734\n [\u003cffffffff8383eb08\u003e] ____sys_sendmsg+0x178/0x410 net/socket.c:2482\n [\u003cffffffff83843678\u003e] ___sys_sendmsg+0xa8/0x110 net/socket.c:2536\n [\u003cffffffff838439c5\u003e] 
__sys_sendmmsg+0x105/0x330 net/socket.c:2622\n [\u003cffffffff83843c14\u003e] __do_sys_sendmmsg net/socket.c:2651 [inline]\n [\u003cffffffff83843c14\u003e] __se_sys_sendmmsg net/socket.c:2648 [inline]\n [\u003cffffffff83843c14\u003e] __x64_sys_sendmmsg+0x24/0x30 net/socket.c:2648\n [\u003cffffffff84605fd5\u003e] do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n [\u003cffffffff84605fd5\u003e] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n [\u003cffffffff84800087\u003e] entry_SYSCALL_64_after_hwframe+0x63/0xcd\n====================================\n\nKernel uses tcindex_change() to change an existing\nfilter properties.\n\nYet the problem is that, during the process of changing,\nif `old_r` is retrieved from `p-\u003eperfect`, then\nkernel uses tcindex_alloc_perfect_hash() to newly\nallocate filter results, uses tcindex_filter_result_init()\nto clear the old filter result, without destroying\nits tcf_exts structure, which triggers the above memory leak.\n\nTo be more specific, there are only two source for the `old_r`,\naccording to the tcindex_lookup(). `old_r` is retrieved from\n`p-\u003eperfect`, or `old_r` is retrieved from `p-\u003eh`.\n\n * If `old_r` is retrieved from `p-\u003eperfect`, kernel uses\ntcindex_alloc_perfect_hash() to newly allocate the\nfilter results. Then `r` is assigned with `cp-\u003eperfect + handle`,\nwhich is newly allocated. So condition `old_r \u0026\u0026 old_r != r` is\ntrue in this situation, and kernel uses tcindex_filter_result_init()\nto clear the old filter result, without destroying\nits tcf_exts structure\n\n * If `old_r` is retrieved from `p-\u003eh`, then `p-\u003eperfect` is NULL\naccording to the tcindex_lookup(). 
Considering that `cp-\u003eh`\nis directly copied from `p-\u003eh` and `p-\u003eperfect` is NULL,\n`r` is assigned with `tcindex_lookup(cp, handle)`, whose value\nshould be the same as `old_r`, so condition `old_r \u0026\u0026 old_r != r`\nis false in this situation, kernel ignores using\ntcindex_filter_result_init() to clear the old filter result.\n\nSo only when `old_r` is retrieved from `p-\u003eperfect` does kernel use\ntcindex_filter_result_init() to clear the old filter result, which\ntriggers the above memory leak.\n\nConsidering that there already exists a tc_filter_wq workqueue\nto destroy the old tcindex_d\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T11:20:30.719Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/53af9c793f644d5841d84d8e0ad83bd7ab47f3e0"
},
{
"url": "https://git.kernel.org/stable/c/01d0d2b8b4e3cf2110baba9371c0c3d04ad5c77b"
},
{
"url": "https://git.kernel.org/stable/c/55ac68b53f1cea1926ee2313afc5d66b91daad71"
},
{
"url": "https://git.kernel.org/stable/c/7a6fb69bbcb21e9ce13bdf18c008c268874f0480"
},
{
"url": "https://git.kernel.org/stable/c/b314f6c3512108d7a656c5caf07c82d1bbbdc0f1"
},
{
"url": "https://git.kernel.org/stable/c/18c3fa7a7fdbb4d21dafc8a7710ae2c1680930f6"
},
{
"url": "https://git.kernel.org/stable/c/6c55953e232ea668731091d111066521f3b7719b"
},
{
"url": "https://git.kernel.org/stable/c/7c183dc0af472dec33d2c0786a5e356baa8cad19"
},
{
"url": "https://git.kernel.org/stable/c/c4de6057e7c6654983acb63d939d26ac0d7bbf39"
},
{
"url": "https://git.kernel.org/stable/c/facc4405e8b7407e03216207b1d1d640127de0c8"
},
{
"url": "https://git.kernel.org/stable/c/3abebc503a5148072052c229c6b04b329a420ecd"
},
{
"url": "https://git.kernel.org/stable/c/399ab7fe0fa0d846881685fd4e57e9a8ef7559f7"
},
{
"url": "https://git.kernel.org/stable/c/372ae77cf11d11fb118cbe2d37def9dd5f826abd"
}
],
"title": "net: sched: fix memory leak in tcindex_set_parms",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50396",
"datePublished": "2025-09-18T13:33:14.450Z",
"dateReserved": "2025-09-17T14:53:06.998Z",
"dateUpdated": "2026-01-14T18:53:06.184Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-26661 (GCVE-0-2024-26661)
Vulnerability from cvelistv5 – Published: 2024-04-02 06:22 – Updated: 2025-05-04 08:53
Title
drm/amd/display: Add NULL test for 'timing generator' in 'dcn21_set_pipe()'
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Add NULL test for 'timing generator' in 'dcn21_set_pipe()'
In "u32 otg_inst = pipe_ctx->stream_res.tg->inst;"
pipe_ctx->stream_res.tg could be NULL, it is relying on the caller to
ensure the tg is not NULL.
Severity
5.5 (Medium)
CWE
- CWE-476 - NULL Pointer Dereference
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 474ac4a875ca6fea3fc5183d3ad22ef7523dca53 , < 3f3c237a706580326d3b7a1b97697e5031ca4667 (git) |
| Linux | Linux | Affected: 474ac4a875ca6fea3fc5183d3ad22ef7523dca53 , < 39f24c08363af1cd945abad84e3c87fd3e3c845a (git) |
| Linux | Linux | Affected: 474ac4a875ca6fea3fc5183d3ad22ef7523dca53 , < 66951d98d9bf45ba25acf37fe0747253fafdf298 (git) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-26661",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-02T17:47:14.668657Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-07T19:20:51.968Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:14:12.654Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/3f3c237a706580326d3b7a1b97697e5031ca4667"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/39f24c08363af1cd945abad84e3c87fd3e3c845a"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/66951d98d9bf45ba25acf37fe0747253fafdf298"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/dc/hwss/dcn21/dcn21_hwseq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3f3c237a706580326d3b7a1b97697e5031ca4667",
"status": "affected",
"version": "474ac4a875ca6fea3fc5183d3ad22ef7523dca53",
"versionType": "git"
},
{
"lessThan": "39f24c08363af1cd945abad84e3c87fd3e3c845a",
"status": "affected",
"version": "474ac4a875ca6fea3fc5183d3ad22ef7523dca53",
"versionType": "git"
},
{
"lessThan": "66951d98d9bf45ba25acf37fe0747253fafdf298",
"status": "affected",
"version": "474ac4a875ca6fea3fc5183d3ad22ef7523dca53",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/dc/hwss/dcn21/dcn21_hwseq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.7.*",
"status": "unaffected",
"version": "6.7.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.8",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.17",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7.5",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8",
"versionStartIncluding": "5.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add NULL test for \u0027timing generator\u0027 in \u0027dcn21_set_pipe()\u0027\n\nIn \"u32 otg_inst = pipe_ctx-\u003estream_res.tg-\u003einst;\"\npipe_ctx-\u003estream_res.tg could be NULL, it is relying on the caller to\nensure the tg is not NULL."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:53:21.527Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3f3c237a706580326d3b7a1b97697e5031ca4667"
},
{
"url": "https://git.kernel.org/stable/c/39f24c08363af1cd945abad84e3c87fd3e3c845a"
},
{
"url": "https://git.kernel.org/stable/c/66951d98d9bf45ba25acf37fe0747253fafdf298"
}
],
"title": "drm/amd/display: Add NULL test for \u0027timing generator\u0027 in \u0027dcn21_set_pipe()\u0027",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-26661",
"datePublished": "2024-04-02T06:22:10.989Z",
"dateReserved": "2024-02-19T14:20:24.148Z",
"dateUpdated": "2025-05-04T08:53:21.527Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38535 (GCVE-0-2025-38535)
Vulnerability from cvelistv5 – Published: 2025-08-16 11:12 – Updated: 2025-11-03 17:39
Title
phy: tegra: xusb: Fix unbalanced regulator disable in UTMI PHY mode
Summary
In the Linux kernel, the following vulnerability has been resolved:
phy: tegra: xusb: Fix unbalanced regulator disable in UTMI PHY mode
When transitioning from USB_ROLE_DEVICE to USB_ROLE_NONE, the code
assumed that the regulator should be disabled. However, if the regulator
is marked as always-on, regulator_is_enabled() continues to return true,
leading to an incorrect attempt to disable a regulator which is not
enabled.
This can result in warnings such as:
[ 250.155624] WARNING: CPU: 1 PID: 7326 at drivers/regulator/core.c:3004
_regulator_disable+0xe4/0x1a0
[ 250.155652] unbalanced disables for VIN_SYS_5V0
To fix this, we move the regulator control logic into
tegra186_xusb_padctl_id_override() function since it's directly related
to the ID override state. The regulator is now only disabled when the role
transitions from USB_ROLE_HOST to USB_ROLE_NONE, by checking the VBUS_ID
register. This ensures that regulator enable/disable operations are
properly balanced and only occur when actually transitioning to/from host
mode.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 49d46e3c7e597e8b00c6fc16e6fd7a92044f4371 , < ceb645ac6ce052609ee5c8f819a80e8881789b04 (git) |
| Linux | Linux | Affected: 49d46e3c7e597e8b00c6fc16e6fd7a92044f4371 , < cdcb0ffd6448f6be898956913a42bd08e59fb2ae (git) |
| Linux | Linux | Affected: 49d46e3c7e597e8b00c6fc16e6fd7a92044f4371 , < 1bb85b5c2bd43b687c3d54eb6328917f90dd38fc (git) |
| Linux | Linux | Affected: 49d46e3c7e597e8b00c6fc16e6fd7a92044f4371 , < 5367cdeb75cb6c687ca468450bceb2602ab239d8 (git) |
| Linux | Linux | Affected: 49d46e3c7e597e8b00c6fc16e6fd7a92044f4371 , < ec7f98ff05f0649af0adeb4808c7ba23d6111ef9 (git) |
| Linux | Linux | Affected: 49d46e3c7e597e8b00c6fc16e6fd7a92044f4371 , < eaa420339658615d26c1cc95cd6cf720b9aebfca (git) |
| Linux | Linux | Affected: 49d46e3c7e597e8b00c6fc16e6fd7a92044f4371 , < cefc1caee9dd06c69e2d807edc5949b329f52b22 (git) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:39:30.613Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/phy/tegra/xusb-tegra186.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ceb645ac6ce052609ee5c8f819a80e8881789b04",
"status": "affected",
"version": "49d46e3c7e597e8b00c6fc16e6fd7a92044f4371",
"versionType": "git"
},
{
"lessThan": "cdcb0ffd6448f6be898956913a42bd08e59fb2ae",
"status": "affected",
"version": "49d46e3c7e597e8b00c6fc16e6fd7a92044f4371",
"versionType": "git"
},
{
"lessThan": "1bb85b5c2bd43b687c3d54eb6328917f90dd38fc",
"status": "affected",
"version": "49d46e3c7e597e8b00c6fc16e6fd7a92044f4371",
"versionType": "git"
},
{
"lessThan": "5367cdeb75cb6c687ca468450bceb2602ab239d8",
"status": "affected",
"version": "49d46e3c7e597e8b00c6fc16e6fd7a92044f4371",
"versionType": "git"
},
{
"lessThan": "ec7f98ff05f0649af0adeb4808c7ba23d6111ef9",
"status": "affected",
"version": "49d46e3c7e597e8b00c6fc16e6fd7a92044f4371",
"versionType": "git"
},
{
"lessThan": "eaa420339658615d26c1cc95cd6cf720b9aebfca",
"status": "affected",
"version": "49d46e3c7e597e8b00c6fc16e6fd7a92044f4371",
"versionType": "git"
},
{
"lessThan": "cefc1caee9dd06c69e2d807edc5949b329f52b22",
"status": "affected",
"version": "49d46e3c7e597e8b00c6fc16e6fd7a92044f4371",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/phy/tegra/xusb-tegra186.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.147",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.100",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.147",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.100",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.40",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.8",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nphy: tegra: xusb: Fix unbalanced regulator disable in UTMI PHY mode\n\nWhen transitioning from USB_ROLE_DEVICE to USB_ROLE_NONE, the code\nassumed that the regulator should be disabled. However, if the regulator\nis marked as always-on, regulator_is_enabled() continues to return true,\nleading to an incorrect attempt to disable a regulator which is not\nenabled.\n\nThis can result in warnings such as:\n\n[ 250.155624] WARNING: CPU: 1 PID: 7326 at drivers/regulator/core.c:3004\n_regulator_disable+0xe4/0x1a0\n[ 250.155652] unbalanced disables for VIN_SYS_5V0\n\nTo fix this, we move the regulator control logic into\ntegra186_xusb_padctl_id_override() function since it\u0027s directly related\nto the ID override state. The regulator is now only disabled when the role\ntransitions from USB_ROLE_HOST to USB_ROLE_NONE, by checking the VBUS_ID\nregister. This ensures that regulator enable/disable operations are\nproperly balanced and only occur when actually transitioning to/from host\nmode."
}
],
"providerMetadata": {
"dateUpdated": "2025-08-28T14:43:38.656Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ceb645ac6ce052609ee5c8f819a80e8881789b04"
},
{
"url": "https://git.kernel.org/stable/c/cdcb0ffd6448f6be898956913a42bd08e59fb2ae"
},
{
"url": "https://git.kernel.org/stable/c/1bb85b5c2bd43b687c3d54eb6328917f90dd38fc"
},
{
"url": "https://git.kernel.org/stable/c/5367cdeb75cb6c687ca468450bceb2602ab239d8"
},
{
"url": "https://git.kernel.org/stable/c/ec7f98ff05f0649af0adeb4808c7ba23d6111ef9"
},
{
"url": "https://git.kernel.org/stable/c/eaa420339658615d26c1cc95cd6cf720b9aebfca"
},
{
"url": "https://git.kernel.org/stable/c/cefc1caee9dd06c69e2d807edc5949b329f52b22"
}
],
"title": "phy: tegra: xusb: Fix unbalanced regulator disable in UTMI PHY mode",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38535",
"datePublished": "2025-08-16T11:12:27.873Z",
"dateReserved": "2025-04-16T04:51:24.024Z",
"dateUpdated": "2025-11-03T17:39:30.613Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53414 (GCVE-0-2023-53414)
Vulnerability from cvelistv5 – Published: 2025-09-18 13:58 – Updated: 2026-01-14 19:13
Title
scsi: snic: Fix memory leak with using debugfs_lookup()
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: snic: Fix memory leak with using debugfs_lookup()
When calling debugfs_lookup() the result must have dput() called on it,
otherwise the memory will leak over time. To make things simpler, just
call debugfs_lookup_and_remove() instead which handles all of the logic at
once.
Severity
5.5 (Medium)
CWE
- CWE-401 - Missing Release of Memory after Effective Lifetime
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 1be4ec2456a7d110092ad8cc918eef75b878ec4e , < 5a46d8bdaf03e8a4bb83f0c363326d9aa66cc122 (git) |
| Linux | Linux | Affected: 1be4ec2456a7d110092ad8cc918eef75b878ec4e , < 3dec769caf337c55814fbf79ec8c91a3cce23bf3 (git) |
| Linux | Linux | Affected: 1be4ec2456a7d110092ad8cc918eef75b878ec4e , < 995424f59ab52fb432b26ccb3abced63745ea041 (git) |
| Linux | Linux | Affected: 1be4ec2456a7d110092ad8cc918eef75b878ec4e , < ad0e4e2fab928477f74d742e6e77d79245d3d3e7 (git) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-53414",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T19:05:13.591278Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T19:13:06.954Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/snic/snic_debugfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5a46d8bdaf03e8a4bb83f0c363326d9aa66cc122",
"status": "affected",
"version": "1be4ec2456a7d110092ad8cc918eef75b878ec4e",
"versionType": "git"
},
{
"lessThan": "3dec769caf337c55814fbf79ec8c91a3cce23bf3",
"status": "affected",
"version": "1be4ec2456a7d110092ad8cc918eef75b878ec4e",
"versionType": "git"
},
{
"lessThan": "995424f59ab52fb432b26ccb3abced63745ea041",
"status": "affected",
"version": "1be4ec2456a7d110092ad8cc918eef75b878ec4e",
"versionType": "git"
},
{
"lessThan": "ad0e4e2fab928477f74d742e6e77d79245d3d3e7",
"status": "affected",
"version": "1be4ec2456a7d110092ad8cc918eef75b878ec4e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/snic/snic_debugfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: snic: Fix memory leak with using debugfs_lookup()\n\nWhen calling debugfs_lookup() the result must have dput() called on it,\notherwise the memory will leak over time. To make things simpler, just\ncall debugfs_lookup_and_remove() instead which handles all of the logic at\nonce."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:20:02.492Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5a46d8bdaf03e8a4bb83f0c363326d9aa66cc122"
},
{
"url": "https://git.kernel.org/stable/c/3dec769caf337c55814fbf79ec8c91a3cce23bf3"
},
{
"url": "https://git.kernel.org/stable/c/995424f59ab52fb432b26ccb3abced63745ea041"
},
{
"url": "https://git.kernel.org/stable/c/ad0e4e2fab928477f74d742e6e77d79245d3d3e7"
}
],
"title": "scsi: snic: Fix memory leak with using debugfs_lookup()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53414",
"datePublished": "2025-09-18T13:58:51.063Z",
"dateReserved": "2025-09-17T14:54:09.740Z",
"dateUpdated": "2026-01-14T19:13:06.954Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39860 (GCVE-0-2025-39860)
Vulnerability from cvelistv5 – Published: 2025-09-19 15:26 – Updated: 2025-11-03 17:44
Title
Bluetooth: Fix use-after-free in l2cap_sock_cleanup_listen()
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: Fix use-after-free in l2cap_sock_cleanup_listen()
syzbot reported the splat below without a repro.
In the splat, a single thread calling bt_accept_dequeue() freed sk
and touched it after that.
The root cause would be the racy l2cap_sock_cleanup_listen() call
added by the cited commit.
bt_accept_dequeue() is called under lock_sock() except for
l2cap_sock_release().
Two threads could see the same socket during the list iteration
in bt_accept_dequeue():
  CPU1                        CPU2 (close())
  ----                        ----
  sock_hold(sk)               sock_hold(sk);
  lock_sock(sk)   <-- block close()
  sock_put(sk)
  bt_accept_unlink(sk)
    sock_put(sk)  <-- refcnt by bt_accept_enqueue()
  release_sock(sk)
                              lock_sock(sk)
                              sock_put(sk)
                              bt_accept_unlink(sk)
                                sock_put(sk)        <-- last refcnt
                              bt_accept_unlink(sk)  <-- UAF
Depending on the timing, the other thread could show up in the
"Freed by task" part.
Let's call l2cap_sock_cleanup_listen() under lock_sock() in
l2cap_sock_release().
[0]:
BUG: KASAN: slab-use-after-free in debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline]
BUG: KASAN: slab-use-after-free in do_raw_spin_lock+0x26f/0x2b0 kernel/locking/spinlock_debug.c:115
Read of size 4 at addr ffff88803b7eb1c4 by task syz.5.3276/16995
CPU: 3 UID: 0 PID: 16995 Comm: syz.5.3276 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xcd/0x630 mm/kasan/report.c:482
kasan_report+0xe0/0x110 mm/kasan/report.c:595
debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline]
do_raw_spin_lock+0x26f/0x2b0 kernel/locking/spinlock_debug.c:115
spin_lock_bh include/linux/spinlock.h:356 [inline]
release_sock+0x21/0x220 net/core/sock.c:3746
bt_accept_dequeue+0x505/0x600 net/bluetooth/af_bluetooth.c:312
l2cap_sock_cleanup_listen+0x5c/0x2a0 net/bluetooth/l2cap_sock.c:1451
l2cap_sock_release+0x5c/0x210 net/bluetooth/l2cap_sock.c:1425
__sock_release+0xb3/0x270 net/socket.c:649
sock_close+0x1c/0x30 net/socket.c:1439
__fput+0x3ff/0xb70 fs/file_table.c:468
task_work_run+0x14d/0x240 kernel/task_work.c:227
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
exit_to_user_mode_loop+0xeb/0x110 kernel/entry/common.c:43
exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
do_syscall_64+0x3f6/0x4c0 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f2accf8ebe9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffdb6cb1378 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
RAX: 0000000000000000 RBX: 00000000000426fb RCX: 00007f2accf8ebe9
RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
RBP: 00007f2acd1b7da0 R08: 0000000000000001 R09: 00000012b6cb166f
R10: 0000001b30e20000 R11: 0000000000000246 R12: 00007f2acd1b609c
R13: 00007f2acd1b6090 R14: ffffffffffffffff R15: 00007ffdb6cb1490
</TASK>
Allocated by task 5326:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:388 [inline]
__kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:405
kasan_kmalloc include/linux/kasan.h:260 [inline]
__do_kmalloc_node mm/slub.c:4365 [inline]
__kmalloc_nopro
---truncated---
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: a2da00d1ea1abfb04f846638e210b5b5166e3c9c , < 964cbb198f9c46c2b2358cd1faffc04c1e8248cf (git) |
| Linux | Linux | Affected: 06f87c96216bc5cd1094c23492274f77f1d5dd3b , < 83e1d9892ef51785cf0760b7681436760dda435a (git) |
| Linux | Linux | Affected: fbe5a2fed8156cc19eb3b956602b0a1dd46a302d , < 47f6090bcf75c369695d21c3f179db8a56bbbd49 (git) |
| Linux | Linux | Affected: 29fac18499332211b2615ade356e2bd8b3269f98 , < 2ca99fc3512a8074de20ee52a87b492dfcc41a4d (git) |
| Linux | Linux | Affected: 1728137b33c00d5a2b5110ed7aafb42e7c32e4a1 , < 6077d16b5c0f65d571eee709de2f0541fb5ef0ca (git) |
| Linux | Linux | Affected: 1728137b33c00d5a2b5110ed7aafb42e7c32e4a1 , < 306b0991413b482dbf5585b423022123bb505966 (git) |
| Linux | Linux | Affected: 1728137b33c00d5a2b5110ed7aafb42e7c32e4a1 , < 3dff390f55ccd9ce12e91233849769b5312180c2 (git) |
| Linux | Linux | Affected: 1728137b33c00d5a2b5110ed7aafb42e7c32e4a1 , < 862c628108562d8c7a516a900034823b381d3cba (git) |
| Linux | Linux | Affected: 51822644a047eac2310fab0799b64e3430b5a111 (git) |
| Linux | Linux | Affected: 82cdb2ccbe43337798393369f0ceb98699fe6037 (git) |
| Linux | Linux | Affected: 10426afe65c8bf7b24dd0c7be4dcc65f86fc99f9 (git) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:44:12.606Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/l2cap_sock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "964cbb198f9c46c2b2358cd1faffc04c1e8248cf",
"status": "affected",
"version": "a2da00d1ea1abfb04f846638e210b5b5166e3c9c",
"versionType": "git"
},
{
"lessThan": "83e1d9892ef51785cf0760b7681436760dda435a",
"status": "affected",
"version": "06f87c96216bc5cd1094c23492274f77f1d5dd3b",
"versionType": "git"
},
{
"lessThan": "47f6090bcf75c369695d21c3f179db8a56bbbd49",
"status": "affected",
"version": "fbe5a2fed8156cc19eb3b956602b0a1dd46a302d",
"versionType": "git"
},
{
"lessThan": "2ca99fc3512a8074de20ee52a87b492dfcc41a4d",
"status": "affected",
"version": "29fac18499332211b2615ade356e2bd8b3269f98",
"versionType": "git"
},
{
"lessThan": "6077d16b5c0f65d571eee709de2f0541fb5ef0ca",
"status": "affected",
"version": "1728137b33c00d5a2b5110ed7aafb42e7c32e4a1",
"versionType": "git"
},
{
"lessThan": "306b0991413b482dbf5585b423022123bb505966",
"status": "affected",
"version": "1728137b33c00d5a2b5110ed7aafb42e7c32e4a1",
"versionType": "git"
},
{
"lessThan": "3dff390f55ccd9ce12e91233849769b5312180c2",
"status": "affected",
"version": "1728137b33c00d5a2b5110ed7aafb42e7c32e4a1",
"versionType": "git"
},
{
"lessThan": "862c628108562d8c7a516a900034823b381d3cba",
"status": "affected",
"version": "1728137b33c00d5a2b5110ed7aafb42e7c32e4a1",
"versionType": "git"
},
{
"status": "affected",
"version": "51822644a047eac2310fab0799b64e3430b5a111",
"versionType": "git"
},
{
"status": "affected",
"version": "82cdb2ccbe43337798393369f0ceb98699fe6037",
"versionType": "git"
},
{
"status": "affected",
"version": "10426afe65c8bf7b24dd0c7be4dcc65f86fc99f9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/l2cap_sock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.5"
},
{
"lessThan": "6.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.299",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.243",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.192",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.151",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.105",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.299",
"versionStartIncluding": "5.4.253",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.243",
"versionStartIncluding": "5.10.190",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.192",
"versionStartIncluding": "5.15.126",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.151",
"versionStartIncluding": "6.1.45",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.105",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.322",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.291",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.4.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Fix use-after-free in l2cap_sock_cleanup_listen()\n\nsyzbot reported the splat below without a repro.\n\nIn the splat, a single thread calling bt_accept_dequeue() freed sk\nand touched it after that.\n\nThe root cause would be the racy l2cap_sock_cleanup_listen() call\nadded by the cited commit.\n\nbt_accept_dequeue() is called under lock_sock() except for\nl2cap_sock_release().\n\nTwo threads could see the same socket during the list iteration\nin bt_accept_dequeue():\n\n CPU1 CPU2 (close())\n ---- ----\n sock_hold(sk) sock_hold(sk);\n lock_sock(sk) \u003c-- block close()\n sock_put(sk)\n bt_accept_unlink(sk)\n sock_put(sk) \u003c-- refcnt by bt_accept_enqueue()\n release_sock(sk)\n lock_sock(sk)\n sock_put(sk)\n bt_accept_unlink(sk)\n sock_put(sk) \u003c-- last refcnt\n bt_accept_unlink(sk) \u003c-- UAF\n\nDepending on the timing, the other thread could show up in the\n\"Freed by task\" part.\n\nLet\u0027s call l2cap_sock_cleanup_listen() under lock_sock() in\nl2cap_sock_release().\n\n[0]:\nBUG: KASAN: slab-use-after-free in debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline]\nBUG: KASAN: slab-use-after-free in do_raw_spin_lock+0x26f/0x2b0 kernel/locking/spinlock_debug.c:115\nRead of size 4 at addr ffff88803b7eb1c4 by task syz.5.3276/16995\nCPU: 3 UID: 0 PID: 16995 Comm: syz.5.3276 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xcd/0x630 mm/kasan/report.c:482\n kasan_report+0xe0/0x110 mm/kasan/report.c:595\n debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline]\n do_raw_spin_lock+0x26f/0x2b0 kernel/locking/spinlock_debug.c:115\n spin_lock_bh 
include/linux/spinlock.h:356 [inline]\n release_sock+0x21/0x220 net/core/sock.c:3746\n bt_accept_dequeue+0x505/0x600 net/bluetooth/af_bluetooth.c:312\n l2cap_sock_cleanup_listen+0x5c/0x2a0 net/bluetooth/l2cap_sock.c:1451\n l2cap_sock_release+0x5c/0x210 net/bluetooth/l2cap_sock.c:1425\n __sock_release+0xb3/0x270 net/socket.c:649\n sock_close+0x1c/0x30 net/socket.c:1439\n __fput+0x3ff/0xb70 fs/file_table.c:468\n task_work_run+0x14d/0x240 kernel/task_work.c:227\n resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]\n exit_to_user_mode_loop+0xeb/0x110 kernel/entry/common.c:43\n exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]\n syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]\n syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]\n do_syscall_64+0x3f6/0x4c0 arch/x86/entry/syscall_64.c:100\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f2accf8ebe9\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffdb6cb1378 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4\nRAX: 0000000000000000 RBX: 00000000000426fb RCX: 00007f2accf8ebe9\nRDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003\nRBP: 00007f2acd1b7da0 R08: 0000000000000001 R09: 00000012b6cb166f\nR10: 0000001b30e20000 R11: 0000000000000246 R12: 00007f2acd1b609c\nR13: 00007f2acd1b6090 R14: ffffffffffffffff R15: 00007ffdb6cb1490\n \u003c/TASK\u003e\n\nAllocated by task 5326:\n kasan_save_stack+0x33/0x60 mm/kasan/common.c:47\n kasan_save_track+0x14/0x30 mm/kasan/common.c:68\n poison_kmalloc_redzone mm/kasan/common.c:388 [inline]\n __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:405\n kasan_kmalloc include/linux/kasan.h:260 [inline]\n __do_kmalloc_node mm/slub.c:4365 [inline]\n __kmalloc_nopro\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:01:14.857Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/964cbb198f9c46c2b2358cd1faffc04c1e8248cf"
},
{
"url": "https://git.kernel.org/stable/c/83e1d9892ef51785cf0760b7681436760dda435a"
},
{
"url": "https://git.kernel.org/stable/c/47f6090bcf75c369695d21c3f179db8a56bbbd49"
},
{
"url": "https://git.kernel.org/stable/c/2ca99fc3512a8074de20ee52a87b492dfcc41a4d"
},
{
"url": "https://git.kernel.org/stable/c/6077d16b5c0f65d571eee709de2f0541fb5ef0ca"
},
{
"url": "https://git.kernel.org/stable/c/306b0991413b482dbf5585b423022123bb505966"
},
{
"url": "https://git.kernel.org/stable/c/3dff390f55ccd9ce12e91233849769b5312180c2"
},
{
"url": "https://git.kernel.org/stable/c/862c628108562d8c7a516a900034823b381d3cba"
}
],
"title": "Bluetooth: Fix use-after-free in l2cap_sock_cleanup_listen()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39860",
"datePublished": "2025-09-19T15:26:30.767Z",
"dateReserved": "2025-04-16T07:20:57.143Z",
"dateUpdated": "2025-11-03T17:44:12.606Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39761 (GCVE-0-2025-39761)
Vulnerability from cvelistv5 – Published: 2025-09-11 16:52 – Updated: 2025-09-29 05:58
Title
wifi: ath12k: Decrement TID on RX peer frag setup error handling
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath12k: Decrement TID on RX peer frag setup error handling
Currently, TID is not decremented before peer cleanup, during error
handling path of ath12k_dp_rx_peer_frag_setup(). This could lead to
out-of-bounds access in peer->rx_tid[].
Hence, add a decrement operation for TID, before peer cleanup to
ensure proper cleanup and prevent out-of-bounds access issues when
the RX peer frag setup fails.
Found during code review. Compile tested only.
Severity ?
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: d889913205cf7ebda905b1e62c5867ed4e39f6c2 , < eb1e1526b82b8cf31f1ef9ca86a2647fb6cd89c6 (git) |
| Linux | Linux | Affected: d889913205cf7ebda905b1e62c5867ed4e39f6c2 , < 7c3e99fd4a66a5ac9c7dd32db07359666efe0002 (git) |
| Linux | Linux | Affected: d889913205cf7ebda905b1e62c5867ed4e39f6c2 , < a3b73c72c42348bf1555fd2b00f32f941324b242 (git) |
| Linux | Linux | Affected: d889913205cf7ebda905b1e62c5867ed4e39f6c2 , < 9530d666f4376c294cdf4348c29fe3542fec980a (git) |
| Linux | Linux | Affected: d889913205cf7ebda905b1e62c5867ed4e39f6c2 , < 7c0884fcd2ddde0544d2e77f297ae461e1f53f58 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath12k/dp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "eb1e1526b82b8cf31f1ef9ca86a2647fb6cd89c6",
"status": "affected",
"version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
"versionType": "git"
},
{
"lessThan": "7c3e99fd4a66a5ac9c7dd32db07359666efe0002",
"status": "affected",
"version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
"versionType": "git"
},
{
"lessThan": "a3b73c72c42348bf1555fd2b00f32f941324b242",
"status": "affected",
"version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
"versionType": "git"
},
{
"lessThan": "9530d666f4376c294cdf4348c29fe3542fec980a",
"status": "affected",
"version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
"versionType": "git"
},
{
"lessThan": "7c0884fcd2ddde0544d2e77f297ae461e1f53f58",
"status": "affected",
"version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath12k/dp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.43",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.11",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.2",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: Decrement TID on RX peer frag setup error handling\n\nCurrently, TID is not decremented before peer cleanup, during error\nhandling path of ath12k_dp_rx_peer_frag_setup(). This could lead to\nout-of-bounds access in peer-\u003erx_tid[].\n\nHence, add a decrement operation for TID, before peer cleanup to\nensures proper cleanup and prevents out-of-bounds access issues when\nthe RX peer frag setup fails.\n\nFound during code review. Compile tested only."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:58:52.710Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/eb1e1526b82b8cf31f1ef9ca86a2647fb6cd89c6"
},
{
"url": "https://git.kernel.org/stable/c/7c3e99fd4a66a5ac9c7dd32db07359666efe0002"
},
{
"url": "https://git.kernel.org/stable/c/a3b73c72c42348bf1555fd2b00f32f941324b242"
},
{
"url": "https://git.kernel.org/stable/c/9530d666f4376c294cdf4348c29fe3542fec980a"
},
{
"url": "https://git.kernel.org/stable/c/7c0884fcd2ddde0544d2e77f297ae461e1f53f58"
}
],
"title": "wifi: ath12k: Decrement TID on RX peer frag setup error handling",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39761",
"datePublished": "2025-09-11T16:52:29.788Z",
"dateReserved": "2025-04-16T07:20:57.126Z",
"dateUpdated": "2025-09-29T05:58:52.710Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50349 (GCVE-0-2022-50349)
Vulnerability from cvelistv5 – Published: 2025-09-16 16:11 – Updated: 2026-01-14 18:22
Title
misc: tifm: fix possible memory leak in tifm_7xx1_switch_media()
Summary
In the Linux kernel, the following vulnerability has been resolved:
misc: tifm: fix possible memory leak in tifm_7xx1_switch_media()
If device_register() returns error in tifm_7xx1_switch_media(),
name of kobject which is allocated in dev_set_name() called in device_add()
is leaked.
Never directly free @dev after calling device_register(), even
if it returned an error! Always use put_device() to give up the
reference initialized.
Severity ?
5.5 (Medium)
CWE
- CWE-401 - Missing Release of Memory after Effective Lifetime
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 2428a8fe2261e901e058d9ea8b6ed7e1b4268b79 , < 2bbb222a54ff501f77ce593d21b76b79c905045e (git) |
| Linux | Linux | Affected: 2428a8fe2261e901e058d9ea8b6ed7e1b4268b79 , < d861b7d41b17942b337d4b87a70de7cd1dc44d4e (git) |
| Linux | Linux | Affected: 2428a8fe2261e901e058d9ea8b6ed7e1b4268b79 , < 1695b1adcc3a7d985cd22fa3b55761edf3fab50d (git) |
| Linux | Linux | Affected: 2428a8fe2261e901e058d9ea8b6ed7e1b4268b79 , < ee2715faf7e7153f5142ed09aacfa89a64d45dcb (git) |
| Linux | Linux | Affected: 2428a8fe2261e901e058d9ea8b6ed7e1b4268b79 , < 57c857353d5020bdec8284d9c0fee447484fe5e0 (git) |
| Linux | Linux | Affected: 2428a8fe2261e901e058d9ea8b6ed7e1b4268b79 , < 848c45964ded537107e010aaf353aa30a0855387 (git) |
| Linux | Linux | Affected: 2428a8fe2261e901e058d9ea8b6ed7e1b4268b79 , < 35abbc8406cc39e72d3ce85f6e869555afe50d54 (git) |
| Linux | Linux | Affected: 2428a8fe2261e901e058d9ea8b6ed7e1b4268b79 , < ef843ee20576039126d34d6eb5f45d14c3e6ce18 (git) |
| Linux | Linux | Affected: 2428a8fe2261e901e058d9ea8b6ed7e1b4268b79 , < fd2c930cf6a5b9176382c15f9acb1996e76e25ad (git) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-50349",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T18:21:43.723712Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T18:22:58.755Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/misc/tifm_7xx1.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2bbb222a54ff501f77ce593d21b76b79c905045e",
"status": "affected",
"version": "2428a8fe2261e901e058d9ea8b6ed7e1b4268b79",
"versionType": "git"
},
{
"lessThan": "d861b7d41b17942b337d4b87a70de7cd1dc44d4e",
"status": "affected",
"version": "2428a8fe2261e901e058d9ea8b6ed7e1b4268b79",
"versionType": "git"
},
{
"lessThan": "1695b1adcc3a7d985cd22fa3b55761edf3fab50d",
"status": "affected",
"version": "2428a8fe2261e901e058d9ea8b6ed7e1b4268b79",
"versionType": "git"
},
{
"lessThan": "ee2715faf7e7153f5142ed09aacfa89a64d45dcb",
"status": "affected",
"version": "2428a8fe2261e901e058d9ea8b6ed7e1b4268b79",
"versionType": "git"
},
{
"lessThan": "57c857353d5020bdec8284d9c0fee447484fe5e0",
"status": "affected",
"version": "2428a8fe2261e901e058d9ea8b6ed7e1b4268b79",
"versionType": "git"
},
{
"lessThan": "848c45964ded537107e010aaf353aa30a0855387",
"status": "affected",
"version": "2428a8fe2261e901e058d9ea8b6ed7e1b4268b79",
"versionType": "git"
},
{
"lessThan": "35abbc8406cc39e72d3ce85f6e869555afe50d54",
"status": "affected",
"version": "2428a8fe2261e901e058d9ea8b6ed7e1b4268b79",
"versionType": "git"
},
{
"lessThan": "ef843ee20576039126d34d6eb5f45d14c3e6ce18",
"status": "affected",
"version": "2428a8fe2261e901e058d9ea8b6ed7e1b4268b79",
"versionType": "git"
},
{
"lessThan": "fd2c930cf6a5b9176382c15f9acb1996e76e25ad",
"status": "affected",
"version": "2428a8fe2261e901e058d9ea8b6ed7e1b4268b79",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/misc/tifm_7xx1.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.22"
},
{
"lessThan": "2.6.22",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "2.6.22",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: tifm: fix possible memory leak in tifm_7xx1_switch_media()\n\nIf device_register() returns error in tifm_7xx1_switch_media(),\nname of kobject which is allocated in dev_set_name() called in device_add()\nis leaked.\n\nNever directly free @dev after calling device_register(), even\nif it returned an error! Always use put_device() to give up the\nreference initialized."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T16:11:41.340Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2bbb222a54ff501f77ce593d21b76b79c905045e"
},
{
"url": "https://git.kernel.org/stable/c/d861b7d41b17942b337d4b87a70de7cd1dc44d4e"
},
{
"url": "https://git.kernel.org/stable/c/1695b1adcc3a7d985cd22fa3b55761edf3fab50d"
},
{
"url": "https://git.kernel.org/stable/c/ee2715faf7e7153f5142ed09aacfa89a64d45dcb"
},
{
"url": "https://git.kernel.org/stable/c/57c857353d5020bdec8284d9c0fee447484fe5e0"
},
{
"url": "https://git.kernel.org/stable/c/848c45964ded537107e010aaf353aa30a0855387"
},
{
"url": "https://git.kernel.org/stable/c/35abbc8406cc39e72d3ce85f6e869555afe50d54"
},
{
"url": "https://git.kernel.org/stable/c/ef843ee20576039126d34d6eb5f45d14c3e6ce18"
},
{
"url": "https://git.kernel.org/stable/c/fd2c930cf6a5b9176382c15f9acb1996e76e25ad"
}
],
"title": "misc: tifm: fix possible memory leak in tifm_7xx1_switch_media()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50349",
"datePublished": "2025-09-16T16:11:41.340Z",
"dateReserved": "2025-09-16T16:03:27.882Z",
"dateUpdated": "2026-01-14T18:22:58.755Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38623 (GCVE-0-2025-38623)
Vulnerability from cvelistv5 – Published: 2025-08-22 16:00 – Updated: 2026-01-02 15:30
Title
PCI: pnv_php: Fix surprise plug detection and recovery
Summary
In the Linux kernel, the following vulnerability has been resolved:
PCI: pnv_php: Fix surprise plug detection and recovery
The existing PowerNV hotplug code did not handle surprise plug events
correctly, leading to a complete failure of the hotplug system after device
removal and a required reboot to detect new devices.
This comes down to two issues:
1) When a device is surprise removed, often the bridge upstream
port will cause a PE freeze on the PHB. If this freeze is not
cleared, the MSI interrupts from the bridge hotplug notification
logic will not be received by the kernel, stalling all plug events
on all slots associated with the PE.
2) When a device is removed from a slot, regardless of surprise or
programmatic removal, the associated PHB/PE is left frozen.
If this freeze is not cleared via a fundamental reset, skiboot
is unable to clear the freeze and cannot retrain / rescan the
slot. This also requires a reboot to clear the freeze and redetect
the device in the slot.
Issue the appropriate unfreeze and rescan commands on hotplug events,
and don't oops on hotplug if pci_bus_to_OF_node() returns NULL.
[bhelgaas: tidy comments]
Severity ?
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 360aebd85a4c946764f6301d68de2a817fad5159 , < 6e7b5f922901585b8f11e0d6cda12bda5c59fc8a (git) |
| Linux | Linux | Affected: 360aebd85a4c946764f6301d68de2a817fad5159 , < 2ec8ec57bb8ebde3e2a015eff80e5d66e6634fe3 (git) |
| Linux | Linux | Affected: 360aebd85a4c946764f6301d68de2a817fad5159 , < 473999ba937eac9776be791deed7c84a21d7880b (git) |
| Linux | Linux | Affected: 360aebd85a4c946764f6301d68de2a817fad5159 , < 6e7b24c71e530a6c1d656e73d8a30ee081656844 (git) |
| Linux | Linux | Affected: 360aebd85a4c946764f6301d68de2a817fad5159 , < 48c6935a34981bb56f35be0774ec1f30c6e386f8 (git) |
| Linux | Linux | Affected: 360aebd85a4c946764f6301d68de2a817fad5159 , < 1d2f63680c5719a5da92639e981c6c9a87fcee08 (git) |
| Linux | Linux | Affected: 360aebd85a4c946764f6301d68de2a817fad5159 , < 78d20b8c13075eae3d884c21db7a09a6bbdda5b2 (git) |
| Linux | Linux | Affected: 360aebd85a4c946764f6301d68de2a817fad5159 , < a2a2a6fc2469524caa713036297c542746d148dc (git) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:40:33.389Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/powerpc/kernel/pci-hotplug.c",
"drivers/pci/hotplug/pnv_php.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6e7b5f922901585b8f11e0d6cda12bda5c59fc8a",
"status": "affected",
"version": "360aebd85a4c946764f6301d68de2a817fad5159",
"versionType": "git"
},
{
"lessThan": "2ec8ec57bb8ebde3e2a015eff80e5d66e6634fe3",
"status": "affected",
"version": "360aebd85a4c946764f6301d68de2a817fad5159",
"versionType": "git"
},
{
"lessThan": "473999ba937eac9776be791deed7c84a21d7880b",
"status": "affected",
"version": "360aebd85a4c946764f6301d68de2a817fad5159",
"versionType": "git"
},
{
"lessThan": "6e7b24c71e530a6c1d656e73d8a30ee081656844",
"status": "affected",
"version": "360aebd85a4c946764f6301d68de2a817fad5159",
"versionType": "git"
},
{
"lessThan": "48c6935a34981bb56f35be0774ec1f30c6e386f8",
"status": "affected",
"version": "360aebd85a4c946764f6301d68de2a817fad5159",
"versionType": "git"
},
{
"lessThan": "1d2f63680c5719a5da92639e981c6c9a87fcee08",
"status": "affected",
"version": "360aebd85a4c946764f6301d68de2a817fad5159",
"versionType": "git"
},
{
"lessThan": "78d20b8c13075eae3d884c21db7a09a6bbdda5b2",
"status": "affected",
"version": "360aebd85a4c946764f6301d68de2a817fad5159",
"versionType": "git"
},
{
"lessThan": "a2a2a6fc2469524caa713036297c542746d148dc",
"status": "affected",
"version": "360aebd85a4c946764f6301d68de2a817fad5159",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/powerpc/kernel/pci-hotplug.c",
"drivers/pci/hotplug/pnv_php.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.9"
},
{
"lessThan": "4.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.148",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.102",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.148",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.102",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.42",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.10",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: pnv_php: Fix surprise plug detection and recovery\n\nThe existing PowerNV hotplug code did not handle surprise plug events\ncorrectly, leading to a complete failure of the hotplug system after device\nremoval and a required reboot to detect new devices.\n\nThis comes down to two issues:\n\n 1) When a device is surprise removed, often the bridge upstream\n port will cause a PE freeze on the PHB. If this freeze is not\n cleared, the MSI interrupts from the bridge hotplug notification\n logic will not be received by the kernel, stalling all plug events\n on all slots associated with the PE.\n\n 2) When a device is removed from a slot, regardless of surprise or\n programmatic removal, the associated PHB/PE ls left frozen.\n If this freeze is not cleared via a fundamental reset, skiboot\n is unable to clear the freeze and cannot retrain / rescan the\n slot. This also requires a reboot to clear the freeze and redetect\n the device in the slot.\n\nIssue the appropriate unfreeze and rescan commands on hotplug events,\nand don\u0027t oops on hotplug if pci_bus_to_OF_node() returns NULL.\n\n[bhelgaas: tidy comments]"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:30:59.100Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6e7b5f922901585b8f11e0d6cda12bda5c59fc8a"
},
{
"url": "https://git.kernel.org/stable/c/2ec8ec57bb8ebde3e2a015eff80e5d66e6634fe3"
},
{
"url": "https://git.kernel.org/stable/c/473999ba937eac9776be791deed7c84a21d7880b"
},
{
"url": "https://git.kernel.org/stable/c/6e7b24c71e530a6c1d656e73d8a30ee081656844"
},
{
"url": "https://git.kernel.org/stable/c/48c6935a34981bb56f35be0774ec1f30c6e386f8"
},
{
"url": "https://git.kernel.org/stable/c/1d2f63680c5719a5da92639e981c6c9a87fcee08"
},
{
"url": "https://git.kernel.org/stable/c/78d20b8c13075eae3d884c21db7a09a6bbdda5b2"
},
{
"url": "https://git.kernel.org/stable/c/a2a2a6fc2469524caa713036297c542746d148dc"
}
],
"title": "PCI: pnv_php: Fix surprise plug detection and recovery",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38623",
"datePublished": "2025-08-22T16:00:32.046Z",
"dateReserved": "2025-04-16T04:51:24.029Z",
"dateUpdated": "2026-01-02T15:30:59.100Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38595 (GCVE-0-2025-38595)
Vulnerability from cvelistv5 – Published: 2025-08-19 17:03 – Updated: 2025-09-29 05:54
Title
xen: fix UAF in dmabuf_exp_from_pages()
Summary
In the Linux kernel, the following vulnerability has been resolved:

xen: fix UAF in dmabuf_exp_from_pages()

[dma_buf_fd() fixes; no preferences regarding the tree it goes through -
up to xen folks]

As soon as we'd inserted a file reference into descriptor table, another
thread could close it. That's fine for the case when all we are doing is
returning that descriptor to userland (it's a race, but it's a userland
race and there's nothing the kernel can do about it). However, if we
follow fd_install() with any kind of access to objects that would be
destroyed on close (be it the struct file itself or anything destroyed
by its ->release()), we have a UAF.

dma_buf_fd() is a combination of reserving a descriptor and fd_install().
gntdev dmabuf_exp_from_pages() calls it and then proceeds to access the
objects destroyed on close - starting with gntdev_dmabuf itself.

Fix that by reserving the descriptor before anything else and doing
fd_install() only when everything has been set up.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: a240d6e42e28c34fdc34b3a98ca838a31c939901, < e5907885260401bba300d4d18d79875c05b82651 (git) |
| Linux | Linux | Affected: a240d6e42e28c34fdc34b3a98ca838a31c939901, < 3edfd2353f301bfffd5ee41066e37320a59ccc2d (git) |
| Linux | Linux | Affected: a240d6e42e28c34fdc34b3a98ca838a31c939901, < d59d49af4aeed9a81e673e37c26c6a3bacf1a181 (git) |
| Linux | Linux | Affected: a240d6e42e28c34fdc34b3a98ca838a31c939901, < 532c8b51b3a8676cbf533a291f8156774f30ea87 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/xen/gntdev-dmabuf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e5907885260401bba300d4d18d79875c05b82651",
"status": "affected",
"version": "a240d6e42e28c34fdc34b3a98ca838a31c939901",
"versionType": "git"
},
{
"lessThan": "3edfd2353f301bfffd5ee41066e37320a59ccc2d",
"status": "affected",
"version": "a240d6e42e28c34fdc34b3a98ca838a31c939901",
"versionType": "git"
},
{
"lessThan": "d59d49af4aeed9a81e673e37c26c6a3bacf1a181",
"status": "affected",
"version": "a240d6e42e28c34fdc34b3a98ca838a31c939901",
"versionType": "git"
},
{
"lessThan": "532c8b51b3a8676cbf533a291f8156774f30ea87",
"status": "affected",
"version": "a240d6e42e28c34fdc34b3a98ca838a31c939901",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/xen/gntdev-dmabuf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.19"
},
{
"lessThan": "4.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.42",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.10",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxen: fix UAF in dmabuf_exp_from_pages()\n\n[dma_buf_fd() fixes; no preferences regarding the tree it goes through -\nup to xen folks]\n\nAs soon as we\u0027d inserted a file reference into descriptor table, another\nthread could close it. That\u0027s fine for the case when all we are doing is\nreturning that descriptor to userland (it\u0027s a race, but it\u0027s a userland\nrace and there\u0027s nothing the kernel can do about it). However, if we\nfollow fd_install() with any kind of access to objects that would be\ndestroyed on close (be it the struct file itself or anything destroyed\nby its -\u003erelease()), we have a UAF.\n\ndma_buf_fd() is a combination of reserving a descriptor and fd_install().\ngntdev dmabuf_exp_from_pages() calls it and then proceeds to access the\nobjects destroyed on close - starting with gntdev_dmabuf itself.\n\nFix that by doing reserving descriptor before anything else and do\nfd_install() only when everything had been set up."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:54:28.767Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e5907885260401bba300d4d18d79875c05b82651"
},
{
"url": "https://git.kernel.org/stable/c/3edfd2353f301bfffd5ee41066e37320a59ccc2d"
},
{
"url": "https://git.kernel.org/stable/c/d59d49af4aeed9a81e673e37c26c6a3bacf1a181"
},
{
"url": "https://git.kernel.org/stable/c/532c8b51b3a8676cbf533a291f8156774f30ea87"
}
],
"title": "xen: fix UAF in dmabuf_exp_from_pages()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38595",
"datePublished": "2025-08-19T17:03:25.527Z",
"dateReserved": "2025-04-16T04:51:24.028Z",
"dateUpdated": "2025-09-29T05:54:28.767Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38006 (GCVE-0-2025-38006)
Vulnerability from cvelistv5 – Published: 2025-06-18 09:28 – Updated: 2025-06-18 09:28
Title
net: mctp: Don't access ifa_index when missing
Summary
In the Linux kernel, the following vulnerability has been resolved:

net: mctp: Don't access ifa_index when missing

In mctp_dump_addrinfo, ifa_index can be used to filter interfaces, but
only when the struct ifaddrmsg is provided. Otherwise it will be
comparing to uninitialised memory - reproducible in the syzkaller case from
dhcpd, or busybox "ip addr show".

The kernel MCTP implementation has always filtered by ifa_index, so
existing userspace programs expecting to dump MCTP addresses must
already be passing a valid ifa_index value (either 0 or a real index).

BUG: KMSAN: uninit-value in mctp_dump_addrinfo+0x208/0xac0 net/mctp/device.c:128
 mctp_dump_addrinfo+0x208/0xac0 net/mctp/device.c:128
 rtnl_dump_all+0x3ec/0x5b0 net/core/rtnetlink.c:4380
 rtnl_dumpit+0xd5/0x2f0 net/core/rtnetlink.c:6824
 netlink_dump+0x97b/0x1690 net/netlink/af_netlink.c:2309
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 583be982d93479ea3d85091b0fd0b01201ede87d, < acab78ae12c7fefb4f3bfe22e00770a5faa42724 (git) |
| Linux | Linux | Affected: 583be982d93479ea3d85091b0fd0b01201ede87d, < d4d1561d17eb72908e4489c0900d96e0484fac20 (git) |
| Linux | Linux | Affected: 583be982d93479ea3d85091b0fd0b01201ede87d, < 24fa213dffa470166ec014f979f36c6ff44afb45 (git) |
| Linux | Linux | Affected: 583be982d93479ea3d85091b0fd0b01201ede87d, < f11cf946c0a92c560a890d68e4775723353599e1 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mctp/device.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "acab78ae12c7fefb4f3bfe22e00770a5faa42724",
"status": "affected",
"version": "583be982d93479ea3d85091b0fd0b01201ede87d",
"versionType": "git"
},
{
"lessThan": "d4d1561d17eb72908e4489c0900d96e0484fac20",
"status": "affected",
"version": "583be982d93479ea3d85091b0fd0b01201ede87d",
"versionType": "git"
},
{
"lessThan": "24fa213dffa470166ec014f979f36c6ff44afb45",
"status": "affected",
"version": "583be982d93479ea3d85091b0fd0b01201ede87d",
"versionType": "git"
},
{
"lessThan": "f11cf946c0a92c560a890d68e4775723353599e1",
"status": "affected",
"version": "583be982d93479ea3d85091b0fd0b01201ede87d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/mctp/device.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.92",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.92",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.30",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.8",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mctp: Don\u0027t access ifa_index when missing\n\nIn mctp_dump_addrinfo, ifa_index can be used to filter interfaces, but\nonly when the struct ifaddrmsg is provided. Otherwise it will be\ncomparing to uninitialised memory - reproducible in the syzkaller case from\ndhcpd, or busybox \"ip addr show\".\n\nThe kernel MCTP implementation has always filtered by ifa_index, so\nexisting userspace programs expecting to dump MCTP addresses must\nalready be passing a valid ifa_index value (either 0 or a real index).\n\nBUG: KMSAN: uninit-value in mctp_dump_addrinfo+0x208/0xac0 net/mctp/device.c:128\n mctp_dump_addrinfo+0x208/0xac0 net/mctp/device.c:128\n rtnl_dump_all+0x3ec/0x5b0 net/core/rtnetlink.c:4380\n rtnl_dumpit+0xd5/0x2f0 net/core/rtnetlink.c:6824\n netlink_dump+0x97b/0x1690 net/netlink/af_netlink.c:2309"
}
],
"providerMetadata": {
"dateUpdated": "2025-06-18T09:28:17.773Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/acab78ae12c7fefb4f3bfe22e00770a5faa42724"
},
{
"url": "https://git.kernel.org/stable/c/d4d1561d17eb72908e4489c0900d96e0484fac20"
},
{
"url": "https://git.kernel.org/stable/c/24fa213dffa470166ec014f979f36c6ff44afb45"
},
{
"url": "https://git.kernel.org/stable/c/f11cf946c0a92c560a890d68e4775723353599e1"
}
],
"title": "net: mctp: Don\u0027t access ifa_index when missing",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38006",
"datePublished": "2025-06-18T09:28:17.773Z",
"dateReserved": "2025-04-16T04:51:23.977Z",
"dateUpdated": "2025-06-18T09:28:17.773Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50370 (GCVE-0-2022-50370)
Vulnerability from cvelistv5 – Published: 2025-09-17 14:56 – Updated: 2026-01-14 18:42
Title
i2c: designware: Fix handling of real but unexpected device interrupts
Summary
In the Linux kernel, the following vulnerability has been resolved:

i2c: designware: Fix handling of real but unexpected device interrupts

Commit c7b79a752871 ("mfd: intel-lpss: Add Intel Alder Lake PCH-S PCI
IDs") caused a regression on certain Gigabyte motherboards for Intel
Alder Lake-S where system crashes to NULL pointer dereference in
i2c_dw_xfer_msg() when system resumes from S3 sleep state ("deep").

I was able to debug the issue on Gigabyte Z690 AORUS ELITE and made
following notes:

- Issue happens when resuming from S3 but not when resuming from "s2idle"
- PCI device 00:15.0 == i2c_designware.0 is already in D0 state when system enters into pci_pm_resume_noirq() while all other i2c_designware PCI devices are in D3. Devices were runtime suspended and in D3 prior entering into suspend
- Interrupt comes after pci_pm_resume_noirq() when device interrupts are re-enabled
- According to register dump the interrupt really comes from the i2c_designware.0. Controller is enabled, I2C target address register points to a one detectable I2C device address 0x60 and the DW_IC_RAW_INTR_STAT register START_DET, STOP_DET, ACTIVITY and TX_EMPTY bits are set indicating completed I2C transaction.

My guess is that the firmware uses this controller to communicate with
an on-board I2C device during resume but does not disable the controller
before giving control to an operating system.

I was told the UEFI update fixes this but nevertheless it revealed the
driver is not ready to handle TX_EMPTY (or RX_FULL) interrupt when device
is supposed to be idle and state variables are not set (especially the
dev->msgs pointer which may point to NULL or stale old data).

Introduce a new software status flag STATUS_ACTIVE indicating when the
controller is active in driver point of view. Now treat all interrupts
that occur when it is not set as unexpected and mask all interrupts from
the controller.
Severity
5.5 (Medium)
CWE
- CWE-476 - NULL Pointer Dereference
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: c7b79a75287141cef5bbaeaf1c942269c08cd52e, < 7fa5304c4b5b425d4a0b3acf10139a7f6108a85f (git) |
| Linux | Linux | Affected: c7b79a75287141cef5bbaeaf1c942269c08cd52e, < a206f7fbe9589c60fafad12884628c909ecb042f (git) |
| Linux | Linux | Affected: c7b79a75287141cef5bbaeaf1c942269c08cd52e, < aa59ac81e859006d3a1df035a19b3f2089110f93 (git) |
| Linux | Linux | Affected: c7b79a75287141cef5bbaeaf1c942269c08cd52e, < 301c8f5c32c8fb79c67539bc23972dc3ef48024c (git) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-50370",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T18:35:58.991393Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T18:42:59.823Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/i2c/busses/i2c-designware-core.h",
"drivers/i2c/busses/i2c-designware-master.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7fa5304c4b5b425d4a0b3acf10139a7f6108a85f",
"status": "affected",
"version": "c7b79a75287141cef5bbaeaf1c942269c08cd52e",
"versionType": "git"
},
{
"lessThan": "a206f7fbe9589c60fafad12884628c909ecb042f",
"status": "affected",
"version": "c7b79a75287141cef5bbaeaf1c942269c08cd52e",
"versionType": "git"
},
{
"lessThan": "aa59ac81e859006d3a1df035a19b3f2089110f93",
"status": "affected",
"version": "c7b79a75287141cef5bbaeaf1c942269c08cd52e",
"versionType": "git"
},
{
"lessThan": "301c8f5c32c8fb79c67539bc23972dc3ef48024c",
"status": "affected",
"version": "c7b79a75287141cef5bbaeaf1c942269c08cd52e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/i2c/busses/i2c-designware-core.h",
"drivers/i2c/busses/i2c-designware-master.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: designware: Fix handling of real but unexpected device interrupts\n\nCommit c7b79a752871 (\"mfd: intel-lpss: Add Intel Alder Lake PCH-S PCI\nIDs\") caused a regression on certain Gigabyte motherboards for Intel\nAlder Lake-S where system crashes to NULL pointer dereference in\ni2c_dw_xfer_msg() when system resumes from S3 sleep state (\"deep\").\n\nI was able to debug the issue on Gigabyte Z690 AORUS ELITE and made\nfollowing notes:\n\n- Issue happens when resuming from S3 but not when resuming from\n \"s2idle\"\n- PCI device 00:15.0 == i2c_designware.0 is already in D0 state when\n system enters into pci_pm_resume_noirq() while all other i2c_designware\n PCI devices are in D3. Devices were runtime suspended and in D3 prior\n entering into suspend\n- Interrupt comes after pci_pm_resume_noirq() when device interrupts are\n re-enabled\n- According to register dump the interrupt really comes from the\n i2c_designware.0. Controller is enabled, I2C target address register\n points to a one detectable I2C device address 0x60 and the\n DW_IC_RAW_INTR_STAT register START_DET, STOP_DET, ACTIVITY and\n TX_EMPTY bits are set indicating completed I2C transaction.\n\nMy guess is that the firmware uses this controller to communicate with\nan on-board I2C device during resume but does not disable the controller\nbefore giving control to an operating system.\n\nI was told the UEFI update fixes this but never the less it revealed the\ndriver is not ready to handle TX_EMPTY (or RX_FULL) interrupt when device\nis supposed to be idle and state variables are not set (especially the\ndev-\u003emsgs pointer which may point to NULL or stale old data).\n\nIntroduce a new software status flag STATUS_ACTIVE indicating when the\ncontroller is active in driver point of view. Now treat all interrupts\nthat occur when is not set as unexpected and mask all interrupts from\nthe controller."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T14:56:26.015Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7fa5304c4b5b425d4a0b3acf10139a7f6108a85f"
},
{
"url": "https://git.kernel.org/stable/c/a206f7fbe9589c60fafad12884628c909ecb042f"
},
{
"url": "https://git.kernel.org/stable/c/aa59ac81e859006d3a1df035a19b3f2089110f93"
},
{
"url": "https://git.kernel.org/stable/c/301c8f5c32c8fb79c67539bc23972dc3ef48024c"
}
],
"title": "i2c: designware: Fix handling of real but unexpected device interrupts",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50370",
"datePublished": "2025-09-17T14:56:26.015Z",
"dateReserved": "2025-09-17T14:53:06.995Z",
"dateUpdated": "2026-01-14T18:42:59.823Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38075 (GCVE-0-2025-38075)
Vulnerability from cvelistv5 – Published: 2025-06-18 09:33 – Updated: 2025-11-03 17:33
Title
scsi: target: iscsi: Fix timeout on deleted connection
Summary
In the Linux kernel, the following vulnerability has been resolved:

scsi: target: iscsi: Fix timeout on deleted connection

NOPIN response timer may expire on a deleted connection and crash with
such logs:

Did not receive response to NOPIN on CID: 0, failing connection for I_T Nexus (null),i,0x00023d000125,iqn.2017-01.com.iscsi.target,t,0x3d

BUG: Kernel NULL pointer dereference on read at 0x00000000
NIP strlcpy+0x8/0xb0
LR iscsit_fill_cxn_timeout_err_stats+0x5c/0xc0 [iscsi_target_mod]
Call Trace:
 iscsit_handle_nopin_response_timeout+0xfc/0x120 [iscsi_target_mod]
 call_timer_fn+0x58/0x1f0
 run_timer_softirq+0x740/0x860
 __do_softirq+0x16c/0x420
 irq_exit+0x188/0x1c0
 timer_interrupt+0x184/0x410

That is because nopin response timer may be re-started on nopin timer
expiration.

Stop nopin timer before stopping the nopin response timer to be sure
that no one of them will be re-started.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: e48354ce078c079996f89d715dfa44814b4eba01, < 571ce6b6f5cbaf7d24af03cad592fc0e2a54de35 (git) |
| Linux | Linux | Affected: e48354ce078c079996f89d715dfa44814b4eba01, < 2c5081439c7ab8da08427befe427f0d732ebc9f9 (git) |
| Linux | Linux | Affected: e48354ce078c079996f89d715dfa44814b4eba01, < 019ca2804f3fb49a7f8e56ea6aeaa1ff32724c27 (git) |
| Linux | Linux | Affected: e48354ce078c079996f89d715dfa44814b4eba01, < 6815846e0c3a62116a7da9740e3a7c10edc5c7e9 (git) |
| Linux | Linux | Affected: e48354ce078c079996f89d715dfa44814b4eba01, < fe8421e853ef289e1324fcda004751c89dd9c18a (git) |
| Linux | Linux | Affected: e48354ce078c079996f89d715dfa44814b4eba01, < 87389bff743c55b6b85282de91109391f43e0814 (git) |
| Linux | Linux | Affected: e48354ce078c079996f89d715dfa44814b4eba01, < 3e6429e3707943078240a2c0c0b3ee99ea9b0d9c (git) |
| Linux | Linux | Affected: e48354ce078c079996f89d715dfa44814b4eba01, < 7f533cc5ee4c4436cee51dc58e81dfd9c3384418 (git) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:33:44.033Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/target/iscsi/iscsi_target.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "571ce6b6f5cbaf7d24af03cad592fc0e2a54de35",
"status": "affected",
"version": "e48354ce078c079996f89d715dfa44814b4eba01",
"versionType": "git"
},
{
"lessThan": "2c5081439c7ab8da08427befe427f0d732ebc9f9",
"status": "affected",
"version": "e48354ce078c079996f89d715dfa44814b4eba01",
"versionType": "git"
},
{
"lessThan": "019ca2804f3fb49a7f8e56ea6aeaa1ff32724c27",
"status": "affected",
"version": "e48354ce078c079996f89d715dfa44814b4eba01",
"versionType": "git"
},
{
"lessThan": "6815846e0c3a62116a7da9740e3a7c10edc5c7e9",
"status": "affected",
"version": "e48354ce078c079996f89d715dfa44814b4eba01",
"versionType": "git"
},
{
"lessThan": "fe8421e853ef289e1324fcda004751c89dd9c18a",
"status": "affected",
"version": "e48354ce078c079996f89d715dfa44814b4eba01",
"versionType": "git"
},
{
"lessThan": "87389bff743c55b6b85282de91109391f43e0814",
"status": "affected",
"version": "e48354ce078c079996f89d715dfa44814b4eba01",
"versionType": "git"
},
{
"lessThan": "3e6429e3707943078240a2c0c0b3ee99ea9b0d9c",
"status": "affected",
"version": "e48354ce078c079996f89d715dfa44814b4eba01",
"versionType": "git"
},
{
"lessThan": "7f533cc5ee4c4436cee51dc58e81dfd9c3384418",
"status": "affected",
"version": "e48354ce078c079996f89d715dfa44814b4eba01",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/target/iscsi/iscsi_target.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.1"
},
{
"lessThan": "3.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.294",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.238",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.185",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.141",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.31",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.294",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.238",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.185",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.141",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.93",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.31",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.9",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "3.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: iscsi: Fix timeout on deleted connection\n\nNOPIN response timer may expire on a deleted connection and crash with\nsuch logs:\n\nDid not receive response to NOPIN on CID: 0, failing connection for I_T Nexus (null),i,0x00023d000125,iqn.2017-01.com.iscsi.target,t,0x3d\n\nBUG: Kernel NULL pointer dereference on read at 0x00000000\nNIP strlcpy+0x8/0xb0\nLR iscsit_fill_cxn_timeout_err_stats+0x5c/0xc0 [iscsi_target_mod]\nCall Trace:\n iscsit_handle_nopin_response_timeout+0xfc/0x120 [iscsi_target_mod]\n call_timer_fn+0x58/0x1f0\n run_timer_softirq+0x740/0x860\n __do_softirq+0x16c/0x420\n irq_exit+0x188/0x1c0\n timer_interrupt+0x184/0x410\n\nThat is because nopin response timer may be re-started on nopin timer\nexpiration.\n\nStop nopin timer before stopping the nopin response timer to be sure\nthat no one of them will be re-started."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-03T12:59:35.232Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/571ce6b6f5cbaf7d24af03cad592fc0e2a54de35"
},
{
"url": "https://git.kernel.org/stable/c/2c5081439c7ab8da08427befe427f0d732ebc9f9"
},
{
"url": "https://git.kernel.org/stable/c/019ca2804f3fb49a7f8e56ea6aeaa1ff32724c27"
},
{
"url": "https://git.kernel.org/stable/c/6815846e0c3a62116a7da9740e3a7c10edc5c7e9"
},
{
"url": "https://git.kernel.org/stable/c/fe8421e853ef289e1324fcda004751c89dd9c18a"
},
{
"url": "https://git.kernel.org/stable/c/87389bff743c55b6b85282de91109391f43e0814"
},
{
"url": "https://git.kernel.org/stable/c/3e6429e3707943078240a2c0c0b3ee99ea9b0d9c"
},
{
"url": "https://git.kernel.org/stable/c/7f533cc5ee4c4436cee51dc58e81dfd9c3384418"
}
],
"title": "scsi: target: iscsi: Fix timeout on deleted connection",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38075",
"datePublished": "2025-06-18T09:33:50.646Z",
"dateReserved": "2025-04-16T04:51:23.980Z",
"dateUpdated": "2025-11-03T17:33:44.033Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39746 (GCVE-0-2025-39746)
Vulnerability from cvelistv5 – Published: 2025-09-11 16:52 – Updated: 2025-09-29 05:58
Title
wifi: ath10k: shutdown driver when hardware is unreliable
Summary
In the Linux kernel, the following vulnerability has been resolved:

wifi: ath10k: shutdown driver when hardware is unreliable

In rare cases, ath10k may lose connection with the PCIe bus due to
some unknown reasons, which could further lead to system crashes during
resuming due to watchdog timeout:

ath10k_pci 0000:01:00.0: wmi command 20486 timeout, restarting hardware
ath10k_pci 0000:01:00.0: already restarting
ath10k_pci 0000:01:00.0: failed to stop WMI vdev 0: -11
ath10k_pci 0000:01:00.0: failed to stop vdev 0: -11
ieee80211 phy0: PM: **** DPM device timeout ****
Call Trace:
panic+0x125/0x315
dpm_watchdog_set+0x54/0x54
dpm_watchdog_handler+0x57/0x57
call_timer_fn+0x31/0x13c

At this point, all WMI commands will timeout and attempt to restart
device. So set a threshold for consecutive restart failures. If the
threshold is exceeded, consider the hardware is unreliable and all
ath10k operations should be skipped to avoid system crash.

fail_cont_count and pending_recovery are atomic variables, and
do not involve complex conditional logic. Therefore, even if recovery
check and reconfig complete are executed concurrently, the recovery
mechanism will not be broken.

Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00288-QCARMSWPZ-1
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 5e3dd157d7e70f0e3cea3f2573ed69fb156a19d5 , < 201c9b4485edc618863a60f97a2d88bddd139467 (git) |
| Linux | Linux | Affected: 5e3dd157d7e70f0e3cea3f2573ed69fb156a19d5 , < e36991bddf8be63e79659f654cdb1722db4e8132 (git) |
| Linux | Linux | Affected: 5e3dd157d7e70f0e3cea3f2573ed69fb156a19d5 , < 84ca5632b8d05d1c2e25604d1d63434b2fb61c85 (git) |
| Linux | Linux | Affected: 5e3dd157d7e70f0e3cea3f2573ed69fb156a19d5 , < c256a94d1b1b15109740306f7f2a7c2173e12072 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath10k/core.c",
"drivers/net/wireless/ath/ath10k/core.h",
"drivers/net/wireless/ath/ath10k/mac.c",
"drivers/net/wireless/ath/ath10k/wmi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "201c9b4485edc618863a60f97a2d88bddd139467",
"status": "affected",
"version": "5e3dd157d7e70f0e3cea3f2573ed69fb156a19d5",
"versionType": "git"
},
{
"lessThan": "e36991bddf8be63e79659f654cdb1722db4e8132",
"status": "affected",
"version": "5e3dd157d7e70f0e3cea3f2573ed69fb156a19d5",
"versionType": "git"
},
{
"lessThan": "84ca5632b8d05d1c2e25604d1d63434b2fb61c85",
"status": "affected",
"version": "5e3dd157d7e70f0e3cea3f2573ed69fb156a19d5",
"versionType": "git"
},
{
"lessThan": "c256a94d1b1b15109740306f7f2a7c2173e12072",
"status": "affected",
"version": "5e3dd157d7e70f0e3cea3f2573ed69fb156a19d5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath10k/core.c",
"drivers/net/wireless/ath/ath10k/core.h",
"drivers/net/wireless/ath/ath10k/mac.c",
"drivers/net/wireless/ath/ath10k/wmi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.11"
},
{
"lessThan": "3.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.43",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.11",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.2",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "3.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath10k: shutdown driver when hardware is unreliable\n\nIn rare cases, ath10k may lose connection with the PCIe bus due to\nsome unknown reasons, which could further lead to system crashes during\nresuming due to watchdog timeout:\n\nath10k_pci 0000:01:00.0: wmi command 20486 timeout, restarting hardware\nath10k_pci 0000:01:00.0: already restarting\nath10k_pci 0000:01:00.0: failed to stop WMI vdev 0: -11\nath10k_pci 0000:01:00.0: failed to stop vdev 0: -11\nieee80211 phy0: PM: **** DPM device timeout ****\nCall Trace:\n panic+0x125/0x315\n dpm_watchdog_set+0x54/0x54\n dpm_watchdog_handler+0x57/0x57\n call_timer_fn+0x31/0x13c\n\nAt this point, all WMI commands will timeout and attempt to restart\ndevice. So set a threshold for consecutive restart failures. If the\nthreshold is exceeded, consider the hardware is unreliable and all\nath10k operations should be skipped to avoid system crash.\n\nfail_cont_count and pending_recovery are atomic variables, and\ndo not involve complex conditional logic. Therefore, even if recovery\ncheck and reconfig complete are executed concurrently, the recovery\nmechanism will not be broken.\n\nTested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00288-QCARMSWPZ-1"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:58:34.660Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/201c9b4485edc618863a60f97a2d88bddd139467"
},
{
"url": "https://git.kernel.org/stable/c/e36991bddf8be63e79659f654cdb1722db4e8132"
},
{
"url": "https://git.kernel.org/stable/c/84ca5632b8d05d1c2e25604d1d63434b2fb61c85"
},
{
"url": "https://git.kernel.org/stable/c/c256a94d1b1b15109740306f7f2a7c2173e12072"
}
],
"title": "wifi: ath10k: shutdown driver when hardware is unreliable",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39746",
"datePublished": "2025-09-11T16:52:19.112Z",
"dateReserved": "2025-04-16T07:20:57.121Z",
"dateUpdated": "2025-09-29T05:58:34.660Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-22022 (GCVE-0-2025-22022)
Vulnerability from cvelistv5 – Published: 2025-04-16 10:23 – Updated: 2026-01-19 12:17
Title
usb: xhci: Apply the link chain quirk on NEC isoc endpoints
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: xhci: Apply the link chain quirk on NEC isoc endpoints
Two clearly different specimens of NEC uPD720200 (one with start/stop
bug, one without) were seen to cause IOMMU faults after some Missed
Service Errors. Faulting address is immediately after a transfer ring
segment and patched dynamic debug messages revealed that the MSE was
received when waiting for a TD near the end of that segment:
[ 1.041954] xhci_hcd: Miss service interval error for slot 1 ep 2 expected TD DMA ffa08fe0
[ 1.042120] xhci_hcd: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x0005 address=0xffa09000 flags=0x0000]
[ 1.042146] xhci_hcd: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x0005 address=0xffa09040 flags=0x0000]
It gets even funnier if the next page is a ring segment accessible to
the HC. Below, it reports MSE in segment at ff1e8000, plows through a
zero-filled page at ff1e9000 and starts reporting events for TRBs in
page at ff1ea000 every microframe, instead of jumping to seg ff1e6000.
[ 7.041671] xhci_hcd: Miss service interval error for slot 1 ep 2 expected TD DMA ff1e8fe0
[ 7.041999] xhci_hcd: Miss service interval error for slot 1 ep 2 expected TD DMA ff1e8fe0
[ 7.042011] xhci_hcd: WARN: buffer overrun event for slot 1 ep 2 on endpoint
[ 7.042028] xhci_hcd: All TDs skipped for slot 1 ep 2. Clear skip flag.
[ 7.042134] xhci_hcd: WARN: buffer overrun event for slot 1 ep 2 on endpoint
[ 7.042138] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 31
[ 7.042144] xhci_hcd: Looking for event-dma 00000000ff1ea040 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820
[ 7.042259] xhci_hcd: WARN: buffer overrun event for slot 1 ep 2 on endpoint
[ 7.042262] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 31
[ 7.042266] xhci_hcd: Looking for event-dma 00000000ff1ea050 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820
At some point completion events change from Isoch Buffer Overrun to
Short Packet and the HC finally finds cycle bit mismatch in ff1ec000.
[ 7.098130] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 13
[ 7.098132] xhci_hcd: Looking for event-dma 00000000ff1ecc50 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820
[ 7.098254] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 13
[ 7.098256] xhci_hcd: Looking for event-dma 00000000ff1ecc60 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820
[ 7.098379] xhci_hcd: Overrun event on slot 1 ep 2
It's possible that data from the isochronous device were written to
random buffers of pending TDs on other endpoints (either IN or OUT),
other devices or even other HCs in the same IOMMU domain.
Lastly, an error from a different USB device on another HC. Was it
caused by the above? I don't know, but it may have been. The disk
was working without any other issues and generated PCIe traffic to
starve the NEC of upstream BW and trigger those MSEs. The two HCs
shared one x1 slot by means of a commercial "PCIe splitter" board.
[ 7.162604] usb 10-2: reset SuperSpeed USB device number 3 using xhci_hcd
[ 7.178990] sd 9:0:0:0: [sdb] tag#0 UNKNOWN(0x2003) Result: hostbyte=0x07 driverbyte=DRIVER_OK cmd_age=0s
[ 7.179001] sd 9:0:0:0: [sdb] tag#0 CDB: opcode=0x28 28 00 04 02 ae 00 00 02 00 00
[ 7.179004] I/O error, dev sdb, sector 67284480 op 0x0:(READ) flags 0x80700 phys_seg 5 prio class 0
Fortunately, it appears that this ridiculous bug is avoided by setting
the chain bit of Link TRBs on isochronous rings. Other ancient HCs are
known which also expect the bit to be set and they ignore Link TRBs if
it's not. Reportedly, 0.95 spec guaranteed that the bit is set.
The bandwidth-starved NEC HC running a 32KB/uframe UVC endpoint reports
tens of MSEs per second and runs into the bug within seconds. Chaining
Link TRBs allows the same workload to run for many minutes, many times.
No ne
---truncated---
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 7e393a834b41001174a8fb3ae3bc23a749467760 , < abf2df229b6a9172cc1827749c1a446d28e00a2e (git) |
| Linux | Linux | Affected: 7e393a834b41001174a8fb3ae3bc23a749467760 , < 8b586de6f03c850ff48d42e539b4708d1f3f8f1a (git) |
| Linux | Linux | Affected: 7e393a834b41001174a8fb3ae3bc23a749467760 , < 1143f790a6316201dc8f067eba4c94ea97ecb6ca (git) |
| Linux | Linux | Affected: 7e393a834b41001174a8fb3ae3bc23a749467760 , < dbf427663ce272070d3004b5fca63a4a537d781c (git) |
| Linux | Linux | Affected: 7e393a834b41001174a8fb3ae3bc23a749467760 , < a4931d9fb99eb5462f3eaa231999d279c40afb21 (git) |
| Linux | Linux | Affected: 7e393a834b41001174a8fb3ae3bc23a749467760 , < 43a18225150ce874d23b37761c302a5dffee1595 (git) |
| Linux | Linux | Affected: 7e393a834b41001174a8fb3ae3bc23a749467760 , < 061a1683bae6ef56ab8fa392725ba7495515cd1d (git) |
| Linux | Linux | Affected: 7e393a834b41001174a8fb3ae3bc23a749467760 , < bb0ba4cb1065e87f9cc75db1fa454e56d0894d01 (git) |
| Linux | Linux | Affected: 5c7a6982e976b381595c9d4ee8e8c94564a40aec (git) |
| Linux | Linux | Affected: f12ea4a8ca7009fa2d54794c3fcb8e638453bcff (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/host/xhci.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "abf2df229b6a9172cc1827749c1a446d28e00a2e",
"status": "affected",
"version": "7e393a834b41001174a8fb3ae3bc23a749467760",
"versionType": "git"
},
{
"lessThan": "8b586de6f03c850ff48d42e539b4708d1f3f8f1a",
"status": "affected",
"version": "7e393a834b41001174a8fb3ae3bc23a749467760",
"versionType": "git"
},
{
"lessThan": "1143f790a6316201dc8f067eba4c94ea97ecb6ca",
"status": "affected",
"version": "7e393a834b41001174a8fb3ae3bc23a749467760",
"versionType": "git"
},
{
"lessThan": "dbf427663ce272070d3004b5fca63a4a537d781c",
"status": "affected",
"version": "7e393a834b41001174a8fb3ae3bc23a749467760",
"versionType": "git"
},
{
"lessThan": "a4931d9fb99eb5462f3eaa231999d279c40afb21",
"status": "affected",
"version": "7e393a834b41001174a8fb3ae3bc23a749467760",
"versionType": "git"
},
{
"lessThan": "43a18225150ce874d23b37761c302a5dffee1595",
"status": "affected",
"version": "7e393a834b41001174a8fb3ae3bc23a749467760",
"versionType": "git"
},
{
"lessThan": "061a1683bae6ef56ab8fa392725ba7495515cd1d",
"status": "affected",
"version": "7e393a834b41001174a8fb3ae3bc23a749467760",
"versionType": "git"
},
{
"lessThan": "bb0ba4cb1065e87f9cc75db1fa454e56d0894d01",
"status": "affected",
"version": "7e393a834b41001174a8fb3ae3bc23a749467760",
"versionType": "git"
},
{
"status": "affected",
"version": "5c7a6982e976b381595c9d4ee8e8c94564a40aec",
"versionType": "git"
},
{
"status": "affected",
"version": "f12ea4a8ca7009fa2d54794c3fcb8e638453bcff",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/host/xhci.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.2"
},
{
"lessThan": "3.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.22",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.10",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.1",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.0.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.1.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: xhci: Apply the link chain quirk on NEC isoc endpoints\n\nTwo clearly different specimens of NEC uPD720200 (one with start/stop\nbug, one without) were seen to cause IOMMU faults after some Missed\nService Errors. Faulting address is immediately after a transfer ring\nsegment and patched dynamic debug messages revealed that the MSE was\nreceived when waiting for a TD near the end of that segment:\n\n[ 1.041954] xhci_hcd: Miss service interval error for slot 1 ep 2 expected TD DMA ffa08fe0\n[ 1.042120] xhci_hcd: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x0005 address=0xffa09000 flags=0x0000]\n[ 1.042146] xhci_hcd: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x0005 address=0xffa09040 flags=0x0000]\n\nIt gets even funnier if the next page is a ring segment accessible to\nthe HC. Below, it reports MSE in segment at ff1e8000, plows through a\nzero-filled page at ff1e9000 and starts reporting events for TRBs in\npage at ff1ea000 every microframe, instead of jumping to seg ff1e6000.\n\n[ 7.041671] xhci_hcd: Miss service interval error for slot 1 ep 2 expected TD DMA ff1e8fe0\n[ 7.041999] xhci_hcd: Miss service interval error for slot 1 ep 2 expected TD DMA ff1e8fe0\n[ 7.042011] xhci_hcd: WARN: buffer overrun event for slot 1 ep 2 on endpoint\n[ 7.042028] xhci_hcd: All TDs skipped for slot 1 ep 2. 
Clear skip flag.\n[ 7.042134] xhci_hcd: WARN: buffer overrun event for slot 1 ep 2 on endpoint\n[ 7.042138] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 31\n[ 7.042144] xhci_hcd: Looking for event-dma 00000000ff1ea040 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820\n[ 7.042259] xhci_hcd: WARN: buffer overrun event for slot 1 ep 2 on endpoint\n[ 7.042262] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 31\n[ 7.042266] xhci_hcd: Looking for event-dma 00000000ff1ea050 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820\n\nAt some point completion events change from Isoch Buffer Overrun to\nShort Packet and the HC finally finds cycle bit mismatch in ff1ec000.\n\n[ 7.098130] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 13\n[ 7.098132] xhci_hcd: Looking for event-dma 00000000ff1ecc50 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820\n[ 7.098254] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 13\n[ 7.098256] xhci_hcd: Looking for event-dma 00000000ff1ecc60 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820\n[ 7.098379] xhci_hcd: Overrun event on slot 1 ep 2\n\nIt\u0027s possible that data from the isochronous device were written to\nrandom buffers of pending TDs on other endpoints (either IN or OUT),\nother devices or even other HCs in the same IOMMU domain.\n\nLastly, an error from a different USB device on another HC. Was it\ncaused by the above? I don\u0027t know, but it may have been. The disk\nwas working without any other issues and generated PCIe traffic to\nstarve the NEC of upstream BW and trigger those MSEs. 
The two HCs\nshared one x1 slot by means of a commercial \"PCIe splitter\" board.\n\n[ 7.162604] usb 10-2: reset SuperSpeed USB device number 3 using xhci_hcd\n[ 7.178990] sd 9:0:0:0: [sdb] tag#0 UNKNOWN(0x2003) Result: hostbyte=0x07 driverbyte=DRIVER_OK cmd_age=0s\n[ 7.179001] sd 9:0:0:0: [sdb] tag#0 CDB: opcode=0x28 28 00 04 02 ae 00 00 02 00 00\n[ 7.179004] I/O error, dev sdb, sector 67284480 op 0x0:(READ) flags 0x80700 phys_seg 5 prio class 0\n\nFortunately, it appears that this ridiculous bug is avoided by setting\nthe chain bit of Link TRBs on isochronous rings. Other ancient HCs are\nknown which also expect the bit to be set and they ignore Link TRBs if\nit\u0027s not. Reportedly, 0.95 spec guaranteed that the bit is set.\n\nThe bandwidth-starved NEC HC running a 32KB/uframe UVC endpoint reports\ntens of MSEs per second and runs into the bug within seconds. Chaining\nLink TRBs allows the same workload to run for many minutes, many times.\n\nNo ne\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:17:53.138Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/abf2df229b6a9172cc1827749c1a446d28e00a2e"
},
{
"url": "https://git.kernel.org/stable/c/8b586de6f03c850ff48d42e539b4708d1f3f8f1a"
},
{
"url": "https://git.kernel.org/stable/c/1143f790a6316201dc8f067eba4c94ea97ecb6ca"
},
{
"url": "https://git.kernel.org/stable/c/dbf427663ce272070d3004b5fca63a4a537d781c"
},
{
"url": "https://git.kernel.org/stable/c/a4931d9fb99eb5462f3eaa231999d279c40afb21"
},
{
"url": "https://git.kernel.org/stable/c/43a18225150ce874d23b37761c302a5dffee1595"
},
{
"url": "https://git.kernel.org/stable/c/061a1683bae6ef56ab8fa392725ba7495515cd1d"
},
{
"url": "https://git.kernel.org/stable/c/bb0ba4cb1065e87f9cc75db1fa454e56d0894d01"
}
],
"title": "usb: xhci: Apply the link chain quirk on NEC isoc endpoints",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-22022",
"datePublished": "2025-04-16T10:23:27.423Z",
"dateReserved": "2024-12-29T08:45:45.807Z",
"dateUpdated": "2026-01-19T12:17:53.138Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38566 (GCVE-0-2025-38566)
Vulnerability from cvelistv5 – Published: 2025-08-19 17:02 – Updated: 2025-09-29 05:53
Title
sunrpc: fix handling of server side tls alerts
Summary
In the Linux kernel, the following vulnerability has been resolved:
sunrpc: fix handling of server side tls alerts
Scott Mayhew discovered a security exploit in NFS over TLS in
tls_alert_recv() due to its assumption it can read data from
the msg iterator's kvec.
kTLS implementation splits TLS non-data record payload between
the control message buffer (which includes the type such as TLS
alert or TLS cipher change) and the rest of the payload (say TLS
alert's level/description) which goes into the msg payload buffer.
This patch proposes to rework how control messages are set up and
used by sock_recvmsg().
If no control message structure is set up, kTLS layer will read and
process TLS data record types. As soon as it encounters a TLS control
message, it would return an error. At that point, NFS can set up a
kvec backed msg buffer and read in the control message such as a
TLS alert. Msg iterator can advance the kvec pointer as a part of
the copy process thus we need to revert the iterator before calling
into the tls_alert_recv.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 5e052dda121e2870dd87181783da4a95d7d2927b , < b1df394621710b312f0393e3f240fdac0764f968 (git) |
| Linux | Linux | Affected: 5e052dda121e2870dd87181783da4a95d7d2927b , < 25bb3647d30a20486b5fe7cff2b0e503c16c9692 (git) |
| Linux | Linux | Affected: 5e052dda121e2870dd87181783da4a95d7d2927b , < 3b549da875414989f480b66835d514be80a0bd9c (git) |
| Linux | Linux | Affected: 5e052dda121e2870dd87181783da4a95d7d2927b , < 6b33c31cc788073bfbed9297e1f4486ed73d87da (git) |
| Linux | Linux | Affected: 5e052dda121e2870dd87181783da4a95d7d2927b , < bee47cb026e762841f3faece47b51f985e215edb (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sunrpc/svcsock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b1df394621710b312f0393e3f240fdac0764f968",
"status": "affected",
"version": "5e052dda121e2870dd87181783da4a95d7d2927b",
"versionType": "git"
},
{
"lessThan": "25bb3647d30a20486b5fe7cff2b0e503c16c9692",
"status": "affected",
"version": "5e052dda121e2870dd87181783da4a95d7d2927b",
"versionType": "git"
},
{
"lessThan": "3b549da875414989f480b66835d514be80a0bd9c",
"status": "affected",
"version": "5e052dda121e2870dd87181783da4a95d7d2927b",
"versionType": "git"
},
{
"lessThan": "6b33c31cc788073bfbed9297e1f4486ed73d87da",
"status": "affected",
"version": "5e052dda121e2870dd87181783da4a95d7d2927b",
"versionType": "git"
},
{
"lessThan": "bee47cb026e762841f3faece47b51f985e215edb",
"status": "affected",
"version": "5e052dda121e2870dd87181783da4a95d7d2927b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sunrpc/svcsock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.102",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.102",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.42",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.10",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsunrpc: fix handling of server side tls alerts\n\nScott Mayhew discovered a security exploit in NFS over TLS in\ntls_alert_recv() due to its assumption it can read data from\nthe msg iterator\u0027s kvec..\n\nkTLS implementation splits TLS non-data record payload between\nthe control message buffer (which includes the type such as TLS\naler or TLS cipher change) and the rest of the payload (say TLS\nalert\u0027s level/description) which goes into the msg payload buffer.\n\nThis patch proposes to rework how control messages are setup and\nused by sock_recvmsg().\n\nIf no control message structure is setup, kTLS layer will read and\nprocess TLS data record types. As soon as it encounters a TLS control\nmessage, it would return an error. At that point, NFS can setup a\nkvec backed msg buffer and read in the control message such as a\nTLS alert. Msg iterator can advance the kvec pointer as a part of\nthe copy process thus we need to revert the iterator before calling\ninto the tls_alert_recv."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:53:54.931Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b1df394621710b312f0393e3f240fdac0764f968"
},
{
"url": "https://git.kernel.org/stable/c/25bb3647d30a20486b5fe7cff2b0e503c16c9692"
},
{
"url": "https://git.kernel.org/stable/c/3b549da875414989f480b66835d514be80a0bd9c"
},
{
"url": "https://git.kernel.org/stable/c/6b33c31cc788073bfbed9297e1f4486ed73d87da"
},
{
"url": "https://git.kernel.org/stable/c/bee47cb026e762841f3faece47b51f985e215edb"
}
],
"title": "sunrpc: fix handling of server side tls alerts",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38566",
"datePublished": "2025-08-19T17:02:42.506Z",
"dateReserved": "2025-04-16T04:51:24.025Z",
"dateUpdated": "2025-09-29T05:53:54.931Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53463 (GCVE-0-2023-53463)
Vulnerability from cvelistv5 – Published: 2025-10-01 11:42 – Updated: 2025-10-01 11:42
Title
ibmvnic: Do not reset dql stats on NON_FATAL err
Summary
In the Linux kernel, the following vulnerability has been resolved:
ibmvnic: Do not reset dql stats on NON_FATAL err
All ibmvnic resets make a call to netdev_tx_reset_queue() when
re-opening the device. netdev_tx_reset_queue() resets the num_queued
and num_completed byte counters. These stats are used in Byte Queue
Limit (BQL) algorithms. The difference between these two stats tracks
the number of bytes currently sitting on the physical NIC. ibmvnic
increases the number of queued bytes through calls to
netdev_tx_sent_queue() in the driver's xmit function. When VIOS reports
that it is done transmitting bytes, the ibmvnic device increases the
number of completed bytes through calls to netdev_tx_completed_queue().
It is important to note that the driver batches its transmit calls and
num_queued is increased every time that an skb is added to the next
batch, not necessarily when the batch is sent to VIOS for transmission.
Unlike other reset types, a NON FATAL reset will not flush the sub crq
tx buffers. Therefore, it is possible for the batched skb array to be
partially full. So if there is a call to netdev_tx_reset_queue() when
re-opening the device, the value of num_queued (0) would not account
for the skbs that are currently batched. Eventually, when the batch
is sent to VIOS, the call to netdev_tx_completed_queue() would increase
num_completed to a value greater than the num_queued. This causes a
BUG_ON crash:
ibmvnic 30000002: Firmware reports error, cause: adapter problem.
Starting recovery...
ibmvnic 30000002: tx error 600
ibmvnic 30000002: tx error 600
ibmvnic 30000002: tx error 600
ibmvnic 30000002: tx error 600
------------[ cut here ]------------
kernel BUG at lib/dynamic_queue_limits.c:27!
Oops: Exception in kernel mode, sig: 5
[....]
NIP dql_completed+0x28/0x1c0
LR ibmvnic_complete_tx.isra.0+0x23c/0x420 [ibmvnic]
Call Trace:
ibmvnic_complete_tx.isra.0+0x3f8/0x420 [ibmvnic] (unreliable)
ibmvnic_interrupt_tx+0x40/0x70 [ibmvnic]
__handle_irq_event_percpu+0x98/0x270
---[ end trace ]---
Therefore, do not reset the dql stats when performing a NON_FATAL reset.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 0d973388185d49add56b81ca82fa5e4348019df8 , < b8aedf29db1280c83191fc9579ae605791faf97f (git) |
| Linux | Linux | Affected: 0d973388185d49add56b81ca82fa5e4348019df8 , < f67ef8f9f6776e2b2073cad7c5cf29de850f83d7 (git) |
| Linux | Linux | Affected: 0d973388185d49add56b81ca82fa5e4348019df8 , < 91a0632e73070928aafeb36b3cc676843c716931 (git) |
| Linux | Linux | Affected: 0d973388185d49add56b81ca82fa5e4348019df8 , < 48538ccb825b05544ec308a509e2cc9c013402db (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/ibm/ibmvnic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b8aedf29db1280c83191fc9579ae605791faf97f",
"status": "affected",
"version": "0d973388185d49add56b81ca82fa5e4348019df8",
"versionType": "git"
},
{
"lessThan": "f67ef8f9f6776e2b2073cad7c5cf29de850f83d7",
"status": "affected",
"version": "0d973388185d49add56b81ca82fa5e4348019df8",
"versionType": "git"
},
{
"lessThan": "91a0632e73070928aafeb36b3cc676843c716931",
"status": "affected",
"version": "0d973388185d49add56b81ca82fa5e4348019df8",
"versionType": "git"
},
{
"lessThan": "48538ccb825b05544ec308a509e2cc9c013402db",
"status": "affected",
"version": "0d973388185d49add56b81ca82fa5e4348019df8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/ibm/ibmvnic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nibmvnic: Do not reset dql stats on NON_FATAL err\n\nAll ibmvnic resets, make a call to netdev_tx_reset_queue() when\nre-opening the device. netdev_tx_reset_queue() resets the num_queued\nand num_completed byte counters. These stats are used in Byte Queue\nLimit (BQL) algorithms. The difference between these two stats tracks\nthe number of bytes currently sitting on the physical NIC. ibmvnic\nincreases the number of queued bytes though calls to\nnetdev_tx_sent_queue() in the drivers xmit function. When, VIOS reports\nthat it is done transmitting bytes, the ibmvnic device increases the\nnumber of completed bytes through calls to netdev_tx_completed_queue().\nIt is important to note that the driver batches its transmit calls and\nnum_queued is increased every time that an skb is added to the next\nbatch, not necessarily when the batch is sent to VIOS for transmission.\n\nUnlike other reset types, a NON FATAL reset will not flush the sub crq\ntx buffers. Therefore, it is possible for the batched skb array to be\npartially full. So if there is call to netdev_tx_reset_queue() when\nre-opening the device, the value of num_queued (0) would not account\nfor the skb\u0027s that are currently batched. Eventually, when the batch\nis sent to VIOS, the call to netdev_tx_completed_queue() would increase\nnum_completed to a value greater than the num_queued. 
This causes a\nBUG_ON crash:\n\nibmvnic 30000002: Firmware reports error, cause: adapter problem.\nStarting recovery...\nibmvnic 30000002: tx error 600\nibmvnic 30000002: tx error 600\nibmvnic 30000002: tx error 600\nibmvnic 30000002: tx error 600\n------------[ cut here ]------------\nkernel BUG at lib/dynamic_queue_limits.c:27!\nOops: Exception in kernel mode, sig: 5\n[....]\nNIP dql_completed+0x28/0x1c0\nLR ibmvnic_complete_tx.isra.0+0x23c/0x420 [ibmvnic]\nCall Trace:\nibmvnic_complete_tx.isra.0+0x3f8/0x420 [ibmvnic] (unreliable)\nibmvnic_interrupt_tx+0x40/0x70 [ibmvnic]\n__handle_irq_event_percpu+0x98/0x270\n---[ end trace ]---\n\nTherefore, do not reset the dql stats when performing a NON_FATAL reset."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T11:42:34.308Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b8aedf29db1280c83191fc9579ae605791faf97f"
},
{
"url": "https://git.kernel.org/stable/c/f67ef8f9f6776e2b2073cad7c5cf29de850f83d7"
},
{
"url": "https://git.kernel.org/stable/c/91a0632e73070928aafeb36b3cc676843c716931"
},
{
"url": "https://git.kernel.org/stable/c/48538ccb825b05544ec308a509e2cc9c013402db"
}
],
"title": "ibmvnic: Do not reset dql stats on NON_FATAL err",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53463",
"datePublished": "2025-10-01T11:42:34.308Z",
"dateReserved": "2025-10-01T11:39:39.400Z",
"dateUpdated": "2025-10-01T11:42:34.308Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39772 (GCVE-0-2025-39772)
Vulnerability from cvelistv5 – Published: 2025-09-11 16:56 – Updated: 2025-11-03 17:43
Title
drm/hisilicon/hibmc: fix the hibmc loaded failed bug
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/hisilicon/hibmc: fix the hibmc loaded failed bug
When hibmc loaded failed, the driver use hibmc_unload to free the
resource, but the mutexes in mode.config are not init, which will
access an NULL pointer. Just change goto statement to return, because
hibnc_hw_init() doesn't need to free anything.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: b3df5e65cc03696b0624a877d03a3ddf3ef43f52 , < ddf1691f25345699296e642f0f59f2d464722fa3 (git) |
| Linux | Linux | Affected: b3df5e65cc03696b0624a877d03a3ddf3ef43f52 , < c950e1be3a24d021475b56efdb49daa7fbba63a9 (git) |
| Linux | Linux | Affected: b3df5e65cc03696b0624a877d03a3ddf3ef43f52 , < f93032e5d68f459601c701f6ab087b5feb3382e8 (git) |
| Linux | Linux | Affected: b3df5e65cc03696b0624a877d03a3ddf3ef43f52 , < a4f1b9c57092c48bdc7958abd23403ccaed437b2 (git) |
| Linux | Linux | Affected: b3df5e65cc03696b0624a877d03a3ddf3ef43f52 , < d3e774266c28aefab3e9db334fdf568f936cae04 (git) |
| Linux | Linux | Affected: b3df5e65cc03696b0624a877d03a3ddf3ef43f52 , < 93a08f856fcc5aaeeecad01f71bef3088588216a (git) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:43:13.756Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/hisilicon/hibmc/hibmc_drm_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ddf1691f25345699296e642f0f59f2d464722fa3",
"status": "affected",
"version": "b3df5e65cc03696b0624a877d03a3ddf3ef43f52",
"versionType": "git"
},
{
"lessThan": "c950e1be3a24d021475b56efdb49daa7fbba63a9",
"status": "affected",
"version": "b3df5e65cc03696b0624a877d03a3ddf3ef43f52",
"versionType": "git"
},
{
"lessThan": "f93032e5d68f459601c701f6ab087b5feb3382e8",
"status": "affected",
"version": "b3df5e65cc03696b0624a877d03a3ddf3ef43f52",
"versionType": "git"
},
{
"lessThan": "a4f1b9c57092c48bdc7958abd23403ccaed437b2",
"status": "affected",
"version": "b3df5e65cc03696b0624a877d03a3ddf3ef43f52",
"versionType": "git"
},
{
"lessThan": "d3e774266c28aefab3e9db334fdf568f936cae04",
"status": "affected",
"version": "b3df5e65cc03696b0624a877d03a3ddf3ef43f52",
"versionType": "git"
},
{
"lessThan": "93a08f856fcc5aaeeecad01f71bef3088588216a",
"status": "affected",
"version": "b3df5e65cc03696b0624a877d03a3ddf3ef43f52",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/hisilicon/hibmc/hibmc_drm_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.14"
},
{
"lessThan": "4.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.44",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.44",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.4",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/hisilicon/hibmc: fix the hibmc loaded failed bug\n\nWhen hibmc loaded failed, the driver use hibmc_unload to free the\nresource, but the mutexes in mode.config are not init, which will\naccess an NULL pointer. Just change goto statement to return, because\nhibnc_hw_init() doesn\u0027t need to free anything."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:59:06.904Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ddf1691f25345699296e642f0f59f2d464722fa3"
},
{
"url": "https://git.kernel.org/stable/c/c950e1be3a24d021475b56efdb49daa7fbba63a9"
},
{
"url": "https://git.kernel.org/stable/c/f93032e5d68f459601c701f6ab087b5feb3382e8"
},
{
"url": "https://git.kernel.org/stable/c/a4f1b9c57092c48bdc7958abd23403ccaed437b2"
},
{
"url": "https://git.kernel.org/stable/c/d3e774266c28aefab3e9db334fdf568f936cae04"
},
{
"url": "https://git.kernel.org/stable/c/93a08f856fcc5aaeeecad01f71bef3088588216a"
}
],
"title": "drm/hisilicon/hibmc: fix the hibmc loaded failed bug",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39772",
"datePublished": "2025-09-11T16:56:26.130Z",
"dateReserved": "2025-04-16T07:20:57.128Z",
"dateUpdated": "2025-11-03T17:43:13.756Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50321 (GCVE-0-2022-50321)
Vulnerability from cvelistv5 – Published: 2025-09-15 14:48 – Updated: 2025-09-15 14:48
Title
wifi: brcmfmac: fix potential memory leak in brcmf_netdev_start_xmit()
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: brcmfmac: fix potential memory leak in brcmf_netdev_start_xmit()
The brcmf_netdev_start_xmit() returns NETDEV_TX_OK without freeing skb
in case of pskb_expand_head() fails, add dev_kfree_skb() to fix it.
Compile tested only.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 270a6c1f65fe68a28a5d39cd405592c550b496c7 , < 4c55fdebc1c358de96bfab52ed309d58a3ba66ef (git) |
| Linux | Linux | Affected: 270a6c1f65fe68a28a5d39cd405592c550b496c7 , < e5d01e85cf46628647cd696cb72ba4659b18967f (git) |
| Linux | Linux | Affected: 270a6c1f65fe68a28a5d39cd405592c550b496c7 , < d869a189505224601e310c7769cb90b0e2f60b31 (git) |
| Linux | Linux | Affected: 270a6c1f65fe68a28a5d39cd405592c550b496c7 , < e08e6812efb6a8c676e733de0518594d1517e0d9 (git) |
| Linux | Linux | Affected: 270a6c1f65fe68a28a5d39cd405592c550b496c7 , < e8ef89e5b89ee041a94eecfb6c31fcc237f9168c (git) |
| Linux | Linux | Affected: 270a6c1f65fe68a28a5d39cd405592c550b496c7 , < 7f159116d620615779adbf88a5d94713702216d8 (git) |
| Linux | Linux | Affected: 270a6c1f65fe68a28a5d39cd405592c550b496c7 , < 3a4d18318f473e97d628f410215b3fac32d07aed (git) |
| Linux | Linux | Affected: 270a6c1f65fe68a28a5d39cd405592c550b496c7 , < 212fde3fe76e962598ce1d47b97cc78afdfc71b3 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4c55fdebc1c358de96bfab52ed309d58a3ba66ef",
"status": "affected",
"version": "270a6c1f65fe68a28a5d39cd405592c550b496c7",
"versionType": "git"
},
{
"lessThan": "e5d01e85cf46628647cd696cb72ba4659b18967f",
"status": "affected",
"version": "270a6c1f65fe68a28a5d39cd405592c550b496c7",
"versionType": "git"
},
{
"lessThan": "d869a189505224601e310c7769cb90b0e2f60b31",
"status": "affected",
"version": "270a6c1f65fe68a28a5d39cd405592c550b496c7",
"versionType": "git"
},
{
"lessThan": "e08e6812efb6a8c676e733de0518594d1517e0d9",
"status": "affected",
"version": "270a6c1f65fe68a28a5d39cd405592c550b496c7",
"versionType": "git"
},
{
"lessThan": "e8ef89e5b89ee041a94eecfb6c31fcc237f9168c",
"status": "affected",
"version": "270a6c1f65fe68a28a5d39cd405592c550b496c7",
"versionType": "git"
},
{
"lessThan": "7f159116d620615779adbf88a5d94713702216d8",
"status": "affected",
"version": "270a6c1f65fe68a28a5d39cd405592c550b496c7",
"versionType": "git"
},
{
"lessThan": "3a4d18318f473e97d628f410215b3fac32d07aed",
"status": "affected",
"version": "270a6c1f65fe68a28a5d39cd405592c550b496c7",
"versionType": "git"
},
{
"lessThan": "212fde3fe76e962598ce1d47b97cc78afdfc71b3",
"status": "affected",
"version": "270a6c1f65fe68a28a5d39cd405592c550b496c7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.13"
},
{
"lessThan": "4.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.308",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.308",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.276",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.235",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "4.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: fix potential memory leak in brcmf_netdev_start_xmit()\n\nThe brcmf_netdev_start_xmit() returns NETDEV_TX_OK without freeing skb\nin case of pskb_expand_head() fails, add dev_kfree_skb() to fix it.\nCompile tested only."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T14:48:54.808Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4c55fdebc1c358de96bfab52ed309d58a3ba66ef"
},
{
"url": "https://git.kernel.org/stable/c/e5d01e85cf46628647cd696cb72ba4659b18967f"
},
{
"url": "https://git.kernel.org/stable/c/d869a189505224601e310c7769cb90b0e2f60b31"
},
{
"url": "https://git.kernel.org/stable/c/e08e6812efb6a8c676e733de0518594d1517e0d9"
},
{
"url": "https://git.kernel.org/stable/c/e8ef89e5b89ee041a94eecfb6c31fcc237f9168c"
},
{
"url": "https://git.kernel.org/stable/c/7f159116d620615779adbf88a5d94713702216d8"
},
{
"url": "https://git.kernel.org/stable/c/3a4d18318f473e97d628f410215b3fac32d07aed"
},
{
"url": "https://git.kernel.org/stable/c/212fde3fe76e962598ce1d47b97cc78afdfc71b3"
}
],
"title": "wifi: brcmfmac: fix potential memory leak in brcmf_netdev_start_xmit()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50321",
"datePublished": "2025-09-15T14:48:54.808Z",
"dateReserved": "2025-09-15T14:18:36.814Z",
"dateUpdated": "2025-09-15T14:48:54.808Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53343 (GCVE-0-2023-53343)
Vulnerability from cvelistv5 – Published: 2025-09-17 14:56 – Updated: 2026-01-14 18:43
Title
icmp6: Fix null-ptr-deref of ip6_null_entry->rt6i_idev in icmp6_dev().
Summary
In the Linux kernel, the following vulnerability has been resolved:
icmp6: Fix null-ptr-deref of ip6_null_entry->rt6i_idev in icmp6_dev().
With some IPv6 Ext Hdr (RPL, SRv6, etc.), we can send a packet that
has the link-local address as src and dst IP and will be forwarded to
an external IP in the IPv6 Ext Hdr.
For example, the script below generates a packet whose src IP is the
link-local address and dst is updated to 11::.
# for f in $(find /proc/sys/net/ -name *seg6_enabled*); do echo 1 > $f; done
# python3
>>> from socket import *
>>> from scapy.all import *
>>>
>>> SRC_ADDR = DST_ADDR = "fe80::5054:ff:fe12:3456"
>>>
>>> pkt = IPv6(src=SRC_ADDR, dst=DST_ADDR)
>>> pkt /= IPv6ExtHdrSegmentRouting(type=4, addresses=["11::", "22::"], segleft=1)
>>>
>>> sk = socket(AF_INET6, SOCK_RAW, IPPROTO_RAW)
>>> sk.sendto(bytes(pkt), (DST_ADDR, 0))
For such a packet, we call ip6_route_input() to look up a route for the
next destination in these three functions depending on the header type.
* ipv6_rthdr_rcv()
* ipv6_rpl_srh_rcv()
* ipv6_srh_rcv()
If no route is found, ip6_null_entry is set to skb, and the following
dst_input(skb) calls ip6_pkt_drop().
Finally, in icmp6_dev(), we dereference skb_rt6_info(skb)->rt6i_idev->dev
as the input device is the loopback interface. Then, we have to check if
skb_rt6_info(skb)->rt6i_idev is NULL or not to avoid NULL pointer deref
for ip6_null_entry.
BUG: kernel NULL pointer dereference, address: 0000000000000000
PF: supervisor read access in kernel mode
PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 0 PID: 157 Comm: python3 Not tainted 6.4.0-11996-gb121d614371c #35
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
RIP: 0010:icmp6_send (net/ipv6/icmp.c:436 net/ipv6/icmp.c:503)
Code: fe ff ff 48 c7 40 30 c0 86 5d 83 e8 c6 44 1c 00 e9 c8 fc ff ff 49 8b 46 58 48 83 e0 fe 0f 84 4a fb ff ff 48 8b 80 d0 00 00 00 <48> 8b 00 44 8b 88 e0 00 00 00 e9 34 fb ff ff 4d 85 ed 0f 85 69 01
RSP: 0018:ffffc90000003c70 EFLAGS: 00000286
RAX: 0000000000000000 RBX: 0000000000000001 RCX: 00000000000000e0
RDX: 0000000000000021 RSI: 0000000000000000 RDI: ffff888006d72a18
RBP: ffffc90000003d80 R08: 0000000000000000 R09: 0000000000000001
R10: ffffc90000003d98 R11: 0000000000000040 R12: ffff888006d72a10
R13: 0000000000000000 R14: ffff8880057fb800 R15: ffffffff835d86c0
FS: 00007f9dc72ee740(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000000057b2000 CR4: 00000000007506f0
PKRU: 55555554
Call Trace:
<IRQ>
ip6_pkt_drop (net/ipv6/route.c:4513)
ipv6_rthdr_rcv (net/ipv6/exthdrs.c:640 net/ipv6/exthdrs.c:686)
ip6_protocol_deliver_rcu (net/ipv6/ip6_input.c:437 (discriminator 5))
ip6_input_finish (./include/linux/rcupdate.h:781 net/ipv6/ip6_input.c:483)
__netif_receive_skb_one_core (net/core/dev.c:5455)
process_backlog (./include/linux/rcupdate.h:781 net/core/dev.c:5895)
__napi_poll (net/core/dev.c:6460)
net_rx_action (net/core/dev.c:6529 net/core/dev.c:6660)
__do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:554)
do_softirq (kernel/softirq.c:454 kernel/softirq.c:441)
</IRQ>
<TASK>
__local_bh_enable_ip (kernel/softirq.c:381)
__dev_queue_xmit (net/core/dev.c:4231)
ip6_finish_output2 (./include/net/neighbour.h:544 net/ipv6/ip6_output.c:135)
rawv6_sendmsg (./include/net/dst.h:458 ./include/linux/netfilter.h:303 net/ipv6/raw.c:656 net/ipv6/raw.c:914)
sock_sendmsg (net/socket.c:725 net/socket.c:748)
__sys_sendto (net/socket.c:2134)
__x64_sys_sendto (net/socket.c:2146 net/socket.c:2142 net/socket.c:2142)
do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
RIP: 0033:0x7f9dc751baea
Code: d8 64 89 02 48 c7 c0 ff f
---truncated---
Severity
5.5 (Medium)
CWE
- CWE-476 - NULL Pointer Dereference
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 4832c30d5458387ff2533ff66fbde26ad8bb5a2d , < 8803c59fde4dd370a627dfbf7183682fa0cabf70 (git) |
| Linux | Linux | Affected: 4832c30d5458387ff2533ff66fbde26ad8bb5a2d , < 61b4c4659746959056450b92a5d7e6bc1243b31b (git) |
| Linux | Linux | Affected: 4832c30d5458387ff2533ff66fbde26ad8bb5a2d , < d30ddd7ff15df9d91a793ce3f06f0190ff7afacc (git) |
| Linux | Linux | Affected: 4832c30d5458387ff2533ff66fbde26ad8bb5a2d , < 3fabca5d9cae0140b6aad09a1c6b9aa57089fbb8 (git) |
| Linux | Linux | Affected: 4832c30d5458387ff2533ff66fbde26ad8bb5a2d , < 1462e9d9aa52d14665eaca6d89d22c4af44ede04 (git) |
| Linux | Linux | Affected: 4832c30d5458387ff2533ff66fbde26ad8bb5a2d , < aa657d319e6c7502a4eb85cc0ee80cc81b8e5724 (git) |
| Linux | Linux | Affected: 4832c30d5458387ff2533ff66fbde26ad8bb5a2d , < 2aaa8a15de73874847d62eb595c6683bface80fd (git) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-53343",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T18:39:18.646220Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T18:43:02.344Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/icmp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8803c59fde4dd370a627dfbf7183682fa0cabf70",
"status": "affected",
"version": "4832c30d5458387ff2533ff66fbde26ad8bb5a2d",
"versionType": "git"
},
{
"lessThan": "61b4c4659746959056450b92a5d7e6bc1243b31b",
"status": "affected",
"version": "4832c30d5458387ff2533ff66fbde26ad8bb5a2d",
"versionType": "git"
},
{
"lessThan": "d30ddd7ff15df9d91a793ce3f06f0190ff7afacc",
"status": "affected",
"version": "4832c30d5458387ff2533ff66fbde26ad8bb5a2d",
"versionType": "git"
},
{
"lessThan": "3fabca5d9cae0140b6aad09a1c6b9aa57089fbb8",
"status": "affected",
"version": "4832c30d5458387ff2533ff66fbde26ad8bb5a2d",
"versionType": "git"
},
{
"lessThan": "1462e9d9aa52d14665eaca6d89d22c4af44ede04",
"status": "affected",
"version": "4832c30d5458387ff2533ff66fbde26ad8bb5a2d",
"versionType": "git"
},
{
"lessThan": "aa657d319e6c7502a4eb85cc0ee80cc81b8e5724",
"status": "affected",
"version": "4832c30d5458387ff2533ff66fbde26ad8bb5a2d",
"versionType": "git"
},
{
"lessThan": "2aaa8a15de73874847d62eb595c6683bface80fd",
"status": "affected",
"version": "4832c30d5458387ff2533ff66fbde26ad8bb5a2d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/icmp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.14"
},
{
"lessThan": "4.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.291",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.40",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.5",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "4.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nicmp6: Fix null-ptr-deref of ip6_null_entry-\u003ert6i_idev in icmp6_dev().\n\nWith some IPv6 Ext Hdr (RPL, SRv6, etc.), we can send a packet that\nhas the link-local address as src and dst IP and will be forwarded to\nan external IP in the IPv6 Ext Hdr.\n\nFor example, the script below generates a packet whose src IP is the\nlink-local address and dst is updated to 11::.\n\n # for f in $(find /proc/sys/net/ -name *seg6_enabled*); do echo 1 \u003e $f; done\n # python3\n \u003e\u003e\u003e from socket import *\n \u003e\u003e\u003e from scapy.all import *\n \u003e\u003e\u003e\n \u003e\u003e\u003e SRC_ADDR = DST_ADDR = \"fe80::5054:ff:fe12:3456\"\n \u003e\u003e\u003e\n \u003e\u003e\u003e pkt = IPv6(src=SRC_ADDR, dst=DST_ADDR)\n \u003e\u003e\u003e pkt /= IPv6ExtHdrSegmentRouting(type=4, addresses=[\"11::\", \"22::\"], segleft=1)\n \u003e\u003e\u003e\n \u003e\u003e\u003e sk = socket(AF_INET6, SOCK_RAW, IPPROTO_RAW)\n \u003e\u003e\u003e sk.sendto(bytes(pkt), (DST_ADDR, 0))\n\nFor such a packet, we call ip6_route_input() to look up a route for the\nnext destination in these three functions depending on the header type.\n\n * ipv6_rthdr_rcv()\n * ipv6_rpl_srh_rcv()\n * ipv6_srh_rcv()\n\nIf no route is found, ip6_null_entry is set to skb, and the following\ndst_input(skb) calls ip6_pkt_drop().\n\nFinally, in icmp6_dev(), we dereference skb_rt6_info(skb)-\u003ert6i_idev-\u003edev\nas the input device is the loopback interface. 
Then, we have to check if\nskb_rt6_info(skb)-\u003ert6i_idev is NULL or not to avoid NULL pointer deref\nfor ip6_null_entry.\n\nBUG: kernel NULL pointer dereference, address: 0000000000000000\n PF: supervisor read access in kernel mode\n PF: error_code(0x0000) - not-present page\nPGD 0 P4D 0\nOops: 0000 [#1] PREEMPT SMP PTI\nCPU: 0 PID: 157 Comm: python3 Not tainted 6.4.0-11996-gb121d614371c #35\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nRIP: 0010:icmp6_send (net/ipv6/icmp.c:436 net/ipv6/icmp.c:503)\nCode: fe ff ff 48 c7 40 30 c0 86 5d 83 e8 c6 44 1c 00 e9 c8 fc ff ff 49 8b 46 58 48 83 e0 fe 0f 84 4a fb ff ff 48 8b 80 d0 00 00 00 \u003c48\u003e 8b 00 44 8b 88 e0 00 00 00 e9 34 fb ff ff 4d 85 ed 0f 85 69 01\nRSP: 0018:ffffc90000003c70 EFLAGS: 00000286\nRAX: 0000000000000000 RBX: 0000000000000001 RCX: 00000000000000e0\nRDX: 0000000000000021 RSI: 0000000000000000 RDI: ffff888006d72a18\nRBP: ffffc90000003d80 R08: 0000000000000000 R09: 0000000000000001\nR10: ffffc90000003d98 R11: 0000000000000040 R12: ffff888006d72a10\nR13: 0000000000000000 R14: ffff8880057fb800 R15: ffffffff835d86c0\nFS: 00007f9dc72ee740(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000000 CR3: 00000000057b2000 CR4: 00000000007506f0\nPKRU: 55555554\nCall Trace:\n \u003cIRQ\u003e\n ip6_pkt_drop (net/ipv6/route.c:4513)\n ipv6_rthdr_rcv (net/ipv6/exthdrs.c:640 net/ipv6/exthdrs.c:686)\n ip6_protocol_deliver_rcu (net/ipv6/ip6_input.c:437 (discriminator 5))\n ip6_input_finish (./include/linux/rcupdate.h:781 net/ipv6/ip6_input.c:483)\n __netif_receive_skb_one_core (net/core/dev.c:5455)\n process_backlog (./include/linux/rcupdate.h:781 net/core/dev.c:5895)\n __napi_poll (net/core/dev.c:6460)\n net_rx_action (net/core/dev.c:6529 net/core/dev.c:6660)\n __do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 
./include/trace/events/irq.h:142 kernel/softirq.c:554)\n do_softirq (kernel/softirq.c:454 kernel/softirq.c:441)\n \u003c/IRQ\u003e\n \u003cTASK\u003e\n __local_bh_enable_ip (kernel/softirq.c:381)\n __dev_queue_xmit (net/core/dev.c:4231)\n ip6_finish_output2 (./include/net/neighbour.h:544 net/ipv6/ip6_output.c:135)\n rawv6_sendmsg (./include/net/dst.h:458 ./include/linux/netfilter.h:303 net/ipv6/raw.c:656 net/ipv6/raw.c:914)\n sock_sendmsg (net/socket.c:725 net/socket.c:748)\n __sys_sendto (net/socket.c:2134)\n __x64_sys_sendto (net/socket.c:2146 net/socket.c:2142 net/socket.c:2142)\n do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)\nRIP: 0033:0x7f9dc751baea\nCode: d8 64 89 02 48 c7 c0 ff f\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T14:56:36.285Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8803c59fde4dd370a627dfbf7183682fa0cabf70"
},
{
"url": "https://git.kernel.org/stable/c/61b4c4659746959056450b92a5d7e6bc1243b31b"
},
{
"url": "https://git.kernel.org/stable/c/d30ddd7ff15df9d91a793ce3f06f0190ff7afacc"
},
{
"url": "https://git.kernel.org/stable/c/3fabca5d9cae0140b6aad09a1c6b9aa57089fbb8"
},
{
"url": "https://git.kernel.org/stable/c/1462e9d9aa52d14665eaca6d89d22c4af44ede04"
},
{
"url": "https://git.kernel.org/stable/c/aa657d319e6c7502a4eb85cc0ee80cc81b8e5724"
},
{
"url": "https://git.kernel.org/stable/c/2aaa8a15de73874847d62eb595c6683bface80fd"
}
],
"title": "icmp6: Fix null-ptr-deref of ip6_null_entry-\u003ert6i_idev in icmp6_dev().",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53343",
"datePublished": "2025-09-17T14:56:36.285Z",
"dateReserved": "2025-09-16T16:08:59.566Z",
"dateUpdated": "2026-01-14T18:43:02.344Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39842 (GCVE-0-2025-39842)
Vulnerability from cvelistv5 – Published: 2025-09-19 15:26 – Updated: 2025-11-03 17:43
Title
ocfs2: prevent release journal inode after journal shutdown
Summary
In the Linux kernel, the following vulnerability has been resolved:
ocfs2: prevent release journal inode after journal shutdown
Before calling ocfs2_delete_osb(), ocfs2_journal_shutdown() has already
been executed in ocfs2_dismount_volume(), so osb->journal must be NULL.
Therefore, the following calltrace will inevitably fail when it reaches
jbd2_journal_release_jbd_inode().
ocfs2_dismount_volume()->
ocfs2_delete_osb()->
ocfs2_free_slot_info()->
__ocfs2_free_slot_info()->
evict()->
ocfs2_evict_inode()->
ocfs2_clear_inode()->
jbd2_journal_release_jbd_inode(osb->journal->j_journal,
Adding osb->journal checks will prevent null-ptr-deref during the above
execution path.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: da5e7c87827e8caa6a1eeec6d95dcf74ab592a01 , < 42c415c53ad2065088cc411d08925effa5b3d255 (git) |
| Linux | Linux | Affected: da5e7c87827e8caa6a1eeec6d95dcf74ab592a01 , < e9188f66e94955431ddbe2cd1cdf8ff2bb486abf (git) |
| Linux | Linux | Affected: da5e7c87827e8caa6a1eeec6d95dcf74ab592a01 , < f4a917e6cd6c798f7adf39907f117fc754db1283 (git) |
| Linux | Linux | Affected: da5e7c87827e8caa6a1eeec6d95dcf74ab592a01 , < 85e66331b60601d903cceaf8c10a234db863cd78 (git) |
| Linux | Linux | Affected: da5e7c87827e8caa6a1eeec6d95dcf74ab592a01 , < f46e8ef8bb7b452584f2e75337b619ac51a7cadf (git) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:43:57.858Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ocfs2/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "42c415c53ad2065088cc411d08925effa5b3d255",
"status": "affected",
"version": "da5e7c87827e8caa6a1eeec6d95dcf74ab592a01",
"versionType": "git"
},
{
"lessThan": "e9188f66e94955431ddbe2cd1cdf8ff2bb486abf",
"status": "affected",
"version": "da5e7c87827e8caa6a1eeec6d95dcf74ab592a01",
"versionType": "git"
},
{
"lessThan": "f4a917e6cd6c798f7adf39907f117fc754db1283",
"status": "affected",
"version": "da5e7c87827e8caa6a1eeec6d95dcf74ab592a01",
"versionType": "git"
},
{
"lessThan": "85e66331b60601d903cceaf8c10a234db863cd78",
"status": "affected",
"version": "da5e7c87827e8caa6a1eeec6d95dcf74ab592a01",
"versionType": "git"
},
{
"lessThan": "f46e8ef8bb7b452584f2e75337b619ac51a7cadf",
"status": "affected",
"version": "da5e7c87827e8caa6a1eeec6d95dcf74ab592a01",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ocfs2/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.151",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.105",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.151",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.105",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: prevent release journal inode after journal shutdown\n\nBefore calling ocfs2_delete_osb(), ocfs2_journal_shutdown() has already\nbeen executed in ocfs2_dismount_volume(), so osb-\u003ejournal must be NULL. \nTherefore, the following calltrace will inevitably fail when it reaches\njbd2_journal_release_jbd_inode().\n\nocfs2_dismount_volume()-\u003e\n ocfs2_delete_osb()-\u003e\n ocfs2_free_slot_info()-\u003e\n __ocfs2_free_slot_info()-\u003e\n evict()-\u003e\n ocfs2_evict_inode()-\u003e\n ocfs2_clear_inode()-\u003e\n\t jbd2_journal_release_jbd_inode(osb-\u003ejournal-\u003ej_journal,\n\nAdding osb-\u003ejournal checks will prevent null-ptr-deref during the above\nexecution path."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:00:50.370Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/42c415c53ad2065088cc411d08925effa5b3d255"
},
{
"url": "https://git.kernel.org/stable/c/e9188f66e94955431ddbe2cd1cdf8ff2bb486abf"
},
{
"url": "https://git.kernel.org/stable/c/f4a917e6cd6c798f7adf39907f117fc754db1283"
},
{
"url": "https://git.kernel.org/stable/c/85e66331b60601d903cceaf8c10a234db863cd78"
},
{
"url": "https://git.kernel.org/stable/c/f46e8ef8bb7b452584f2e75337b619ac51a7cadf"
}
],
"title": "ocfs2: prevent release journal inode after journal shutdown",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39842",
"datePublished": "2025-09-19T15:26:17.075Z",
"dateReserved": "2025-04-16T07:20:57.141Z",
"dateUpdated": "2025-11-03T17:43:57.858Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39684 (GCVE-0-2025-39684)
Vulnerability from cvelistv5 – Published: 2025-09-05 17:20 – Updated: 2025-11-03 17:42
Title
comedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl()
Summary
In the Linux kernel, the following vulnerability has been resolved:
comedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl()
syzbot reports a KMSAN kernel-infoleak in `do_insn_ioctl()`. A kernel
buffer is allocated to hold `insn->n` samples (each of which is an
`unsigned int`). For some instruction types, `insn->n` samples are
copied back to user-space, unless an error code is being returned. The
problem is that not all the instruction handlers that need to return
data to userspace fill in the whole `insn->n` samples, so that there is
an information leak. There is a similar syzbot report for
`do_insnlist_ioctl()`, although it does not have a reproducer for it at
the time of writing.
One culprit is `insn_rw_emulate_bits()` which is used as the handler for
`INSN_READ` or `INSN_WRITE` instructions for subdevices that do not have
a specific handler for that instruction, but do have an `INSN_BITS`
handler. For `INSN_READ` it only fills in at most 1 sample, so if
`insn->n` is greater than 1, the remaining `insn->n - 1` samples copied
to userspace will be uninitialized kernel data.
Another culprit is `vm80xx_ai_insn_read()` in the "vm80xx" driver. It
never returns an error, even if it fails to fill the buffer.
Fix it in `do_insn_ioctl()` and `do_insnlist_ioctl()` by making sure
that uninitialized parts of the allocated buffer are zeroed before
handling each instruction.
Thanks to Arnaud Lecomte for their fix to `do_insn_ioctl()`. That fix
replaced the call to `kmalloc_array()` with `kcalloc()`, but it is not
always necessary to clear the whole buffer.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: ed9eccbe8970f6eedc1b978c157caf1251a896d4 , < 868a1b68dcd9f2805bb86aa64862402f785d8c4a (git) |
| Linux | Linux | Affected: ed9eccbe8970f6eedc1b978c157caf1251a896d4 , < ff4a7c18799c7fe999fa56c5cf276e13866b8c1a (git) |
| Linux | Linux | Affected: ed9eccbe8970f6eedc1b978c157caf1251a896d4 , < d84f6e77ebe3359394df32ecd97e0d76a25283dc (git) |
| Linux | Linux | Affected: ed9eccbe8970f6eedc1b978c157caf1251a896d4 , < f3b0c9ec54736f3b8118f93a473d22e11ee65743 (git) |
| Linux | Linux | Affected: ed9eccbe8970f6eedc1b978c157caf1251a896d4 , < aecf0d557ddd95ce68193a5ee1dc4c87415ff08a (git) |
| Linux | Linux | Affected: ed9eccbe8970f6eedc1b978c157caf1251a896d4 , < 3cd212e895ca2d58963fdc6422502b10dd3966bb (git) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:42:16.502Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/comedi/comedi_fops.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "868a1b68dcd9f2805bb86aa64862402f785d8c4a",
"status": "affected",
"version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
"versionType": "git"
},
{
"lessThan": "ff4a7c18799c7fe999fa56c5cf276e13866b8c1a",
"status": "affected",
"version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
"versionType": "git"
},
{
"lessThan": "d84f6e77ebe3359394df32ecd97e0d76a25283dc",
"status": "affected",
"version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
"versionType": "git"
},
{
"lessThan": "f3b0c9ec54736f3b8118f93a473d22e11ee65743",
"status": "affected",
"version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
"versionType": "git"
},
{
"lessThan": "aecf0d557ddd95ce68193a5ee1dc4c87415ff08a",
"status": "affected",
"version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
"versionType": "git"
},
{
"lessThan": "3cd212e895ca2d58963fdc6422502b10dd3966bb",
"status": "affected",
"version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/comedi/comedi_fops.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.29"
},
{
"lessThan": "2.6.29",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.44",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.44",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.4",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "2.6.29",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl()\n\nsyzbot reports a KMSAN kernel-infoleak in `do_insn_ioctl()`. A kernel\nbuffer is allocated to hold `insn-\u003en` samples (each of which is an\n`unsigned int`). For some instruction types, `insn-\u003en` samples are\ncopied back to user-space, unless an error code is being returned. The\nproblem is that not all the instruction handlers that need to return\ndata to userspace fill in the whole `insn-\u003en` samples, so that there is\nan information leak. There is a similar syzbot report for\n`do_insnlist_ioctl()`, although it does not have a reproducer for it at\nthe time of writing.\n\nOne culprit is `insn_rw_emulate_bits()` which is used as the handler for\n`INSN_READ` or `INSN_WRITE` instructions for subdevices that do not have\na specific handler for that instruction, but do have an `INSN_BITS`\nhandler. For `INSN_READ` it only fills in at most 1 sample, so if\n`insn-\u003en` is greater than 1, the remaining `insn-\u003en - 1` samples copied\nto userspace will be uninitialized kernel data.\n\nAnother culprit is `vm80xx_ai_insn_read()` in the \"vm80xx\" driver. It\nnever returns an error, even if it fails to fill the buffer.\n\nFix it in `do_insn_ioctl()` and `do_insnlist_ioctl()` by making sure\nthat uninitialized parts of the allocated buffer are zeroed before\nhandling each instruction.\n\nThanks to Arnaud Lecomte for their fix to `do_insn_ioctl()`. That fix\nreplaced the call to `kmalloc_array()` with `kcalloc()`, but it is not\nalways necessary to clear the whole buffer."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:57:21.980Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/868a1b68dcd9f2805bb86aa64862402f785d8c4a"
},
{
"url": "https://git.kernel.org/stable/c/ff4a7c18799c7fe999fa56c5cf276e13866b8c1a"
},
{
"url": "https://git.kernel.org/stable/c/d84f6e77ebe3359394df32ecd97e0d76a25283dc"
},
{
"url": "https://git.kernel.org/stable/c/f3b0c9ec54736f3b8118f93a473d22e11ee65743"
},
{
"url": "https://git.kernel.org/stable/c/aecf0d557ddd95ce68193a5ee1dc4c87415ff08a"
},
{
"url": "https://git.kernel.org/stable/c/3cd212e895ca2d58963fdc6422502b10dd3966bb"
}
],
"title": "comedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39684",
"datePublished": "2025-09-05T17:20:50.827Z",
"dateReserved": "2025-04-16T07:20:57.113Z",
"dateUpdated": "2025-11-03T17:42:16.502Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50344 (GCVE-0-2022-50344)
Vulnerability from cvelistv5 – Published: 2025-09-16 16:11 – Updated: 2026-01-14 18:22
Title
ext4: fix null-ptr-deref in ext4_write_info
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix null-ptr-deref in ext4_write_info
I caught a null-ptr-deref bug as follows:
==================================================================
KASAN: null-ptr-deref in range [0x0000000000000068-0x000000000000006f]
CPU: 1 PID: 1589 Comm: umount Not tainted 5.10.0-02219-dirty #339
RIP: 0010:ext4_write_info+0x53/0x1b0
[...]
Call Trace:
dquot_writeback_dquots+0x341/0x9a0
ext4_sync_fs+0x19e/0x800
__sync_filesystem+0x83/0x100
sync_filesystem+0x89/0xf0
generic_shutdown_super+0x79/0x3e0
kill_block_super+0xa1/0x110
deactivate_locked_super+0xac/0x130
deactivate_super+0xb6/0xd0
cleanup_mnt+0x289/0x400
__cleanup_mnt+0x16/0x20
task_work_run+0x11c/0x1c0
exit_to_user_mode_prepare+0x203/0x210
syscall_exit_to_user_mode+0x5b/0x3a0
do_syscall_64+0x59/0x70
entry_SYSCALL_64_after_hwframe+0x44/0xa9
==================================================================
Above issue may happen as follows:
-------------------------------------
exit_to_user_mode_prepare
task_work_run
__cleanup_mnt
cleanup_mnt
deactivate_super
deactivate_locked_super
kill_block_super
generic_shutdown_super
shrink_dcache_for_umount
dentry = sb->s_root
sb->s_root = NULL <--- Here set NULL
sync_filesystem
__sync_filesystem
sb->s_op->sync_fs > ext4_sync_fs
dquot_writeback_dquots
sb->dq_op->write_info > ext4_write_info
ext4_journal_start(d_inode(sb->s_root), EXT4_HT_QUOTA, 2)
d_inode(sb->s_root)
s_root->d_inode <--- Null pointer dereference
To solve this problem, we use ext4_journal_start_sb directly
to avoid s_root being used.
Severity
5.5 (Medium)
CWE
- CWE-476 - NULL Pointer Dereference
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: a1177825719ccef3f76ef39bbfd5ebb6087d53c7 , < dc451578446afd03c0c21913993c08898a691435 (git) |
| Linux | Linux | Affected: a1177825719ccef3f76ef39bbfd5ebb6087d53c7 , < f4b5ff0b794aa94afac7269c494550ca2f66511b (git) |
| Linux | Linux | Affected: a1177825719ccef3f76ef39bbfd5ebb6087d53c7 , < 947264e00c46de19a016fd81218118c708fed2f3 (git) |
| Linux | Linux | Affected: a1177825719ccef3f76ef39bbfd5ebb6087d53c7 , < 3638aa1c7d87c0ca0aef23cf58cae2c48e7daca4 (git) |
| Linux | Linux | Affected: a1177825719ccef3f76ef39bbfd5ebb6087d53c7 , < f34ab95162763cd7352f46df169296eec28b688d (git) |
| Linux | Linux | Affected: a1177825719ccef3f76ef39bbfd5ebb6087d53c7 , < 533c60a0b97cee5daab376933f486207e6680fb7 (git) |
| Linux | Linux | Affected: a1177825719ccef3f76ef39bbfd5ebb6087d53c7 , < 4a657319cfabd6199fd0b7b65bbebf6ded7a11c1 (git) |
| Linux | Linux | Affected: a1177825719ccef3f76ef39bbfd5ebb6087d53c7 , < bb420e8afc854d2a1caaa23a0c129839acfb7888 (git) |
| Linux | Linux | Affected: a1177825719ccef3f76ef39bbfd5ebb6087d53c7 , < f9c1f248607d5546075d3f731e7607d5571f2b60 (git) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-50344",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T18:20:39.263791Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T18:22:58.181Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "dc451578446afd03c0c21913993c08898a691435",
"status": "affected",
"version": "a1177825719ccef3f76ef39bbfd5ebb6087d53c7",
"versionType": "git"
},
{
"lessThan": "f4b5ff0b794aa94afac7269c494550ca2f66511b",
"status": "affected",
"version": "a1177825719ccef3f76ef39bbfd5ebb6087d53c7",
"versionType": "git"
},
{
"lessThan": "947264e00c46de19a016fd81218118c708fed2f3",
"status": "affected",
"version": "a1177825719ccef3f76ef39bbfd5ebb6087d53c7",
"versionType": "git"
},
{
"lessThan": "3638aa1c7d87c0ca0aef23cf58cae2c48e7daca4",
"status": "affected",
"version": "a1177825719ccef3f76ef39bbfd5ebb6087d53c7",
"versionType": "git"
},
{
"lessThan": "f34ab95162763cd7352f46df169296eec28b688d",
"status": "affected",
"version": "a1177825719ccef3f76ef39bbfd5ebb6087d53c7",
"versionType": "git"
},
{
"lessThan": "533c60a0b97cee5daab376933f486207e6680fb7",
"status": "affected",
"version": "a1177825719ccef3f76ef39bbfd5ebb6087d53c7",
"versionType": "git"
},
{
"lessThan": "4a657319cfabd6199fd0b7b65bbebf6ded7a11c1",
"status": "affected",
"version": "a1177825719ccef3f76ef39bbfd5ebb6087d53c7",
"versionType": "git"
},
{
"lessThan": "bb420e8afc854d2a1caaa23a0c129839acfb7888",
"status": "affected",
"version": "a1177825719ccef3f76ef39bbfd5ebb6087d53c7",
"versionType": "git"
},
{
"lessThan": "f9c1f248607d5546075d3f731e7607d5571f2b60",
"status": "affected",
"version": "a1177825719ccef3f76ef39bbfd5ebb6087d53c7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.6"
},
{
"lessThan": "3.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.331",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.296",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.262",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.220",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.331",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.296",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.262",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.220",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.150",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "3.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix null-ptr-deref in ext4_write_info\n\nI caught a null-ptr-deref bug as follows:\n==================================================================\nKASAN: null-ptr-deref in range [0x0000000000000068-0x000000000000006f]\nCPU: 1 PID: 1589 Comm: umount Not tainted 5.10.0-02219-dirty #339\nRIP: 0010:ext4_write_info+0x53/0x1b0\n[...]\nCall Trace:\n dquot_writeback_dquots+0x341/0x9a0\n ext4_sync_fs+0x19e/0x800\n __sync_filesystem+0x83/0x100\n sync_filesystem+0x89/0xf0\n generic_shutdown_super+0x79/0x3e0\n kill_block_super+0xa1/0x110\n deactivate_locked_super+0xac/0x130\n deactivate_super+0xb6/0xd0\n cleanup_mnt+0x289/0x400\n __cleanup_mnt+0x16/0x20\n task_work_run+0x11c/0x1c0\n exit_to_user_mode_prepare+0x203/0x210\n syscall_exit_to_user_mode+0x5b/0x3a0\n do_syscall_64+0x59/0x70\n entry_SYSCALL_64_after_hwframe+0x44/0xa9\n ==================================================================\n\nAbove issue may happen as follows:\n-------------------------------------\nexit_to_user_mode_prepare\n task_work_run\n __cleanup_mnt\n cleanup_mnt\n deactivate_super\n deactivate_locked_super\n kill_block_super\n generic_shutdown_super\n shrink_dcache_for_umount\n dentry = sb-\u003es_root\n sb-\u003es_root = NULL \u003c--- Here set NULL\n sync_filesystem\n __sync_filesystem\n sb-\u003es_op-\u003esync_fs \u003e ext4_sync_fs\n dquot_writeback_dquots\n sb-\u003edq_op-\u003ewrite_info \u003e ext4_write_info\n ext4_journal_start(d_inode(sb-\u003es_root), EXT4_HT_QUOTA, 2)\n d_inode(sb-\u003es_root)\n s_root-\u003ed_inode \u003c--- Null pointer dereference\n\nTo solve this problem, we use ext4_journal_start_sb directly\nto avoid s_root being used."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-23T13:28:53.932Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/dc451578446afd03c0c21913993c08898a691435"
},
{
"url": "https://git.kernel.org/stable/c/f4b5ff0b794aa94afac7269c494550ca2f66511b"
},
{
"url": "https://git.kernel.org/stable/c/947264e00c46de19a016fd81218118c708fed2f3"
},
{
"url": "https://git.kernel.org/stable/c/3638aa1c7d87c0ca0aef23cf58cae2c48e7daca4"
},
{
"url": "https://git.kernel.org/stable/c/f34ab95162763cd7352f46df169296eec28b688d"
},
{
"url": "https://git.kernel.org/stable/c/533c60a0b97cee5daab376933f486207e6680fb7"
},
{
"url": "https://git.kernel.org/stable/c/4a657319cfabd6199fd0b7b65bbebf6ded7a11c1"
},
{
"url": "https://git.kernel.org/stable/c/bb420e8afc854d2a1caaa23a0c129839acfb7888"
},
{
"url": "https://git.kernel.org/stable/c/f9c1f248607d5546075d3f731e7607d5571f2b60"
}
],
"title": "ext4: fix null-ptr-deref in ext4_write_info",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50344",
"datePublished": "2025-09-16T16:11:23.345Z",
"dateReserved": "2025-09-16T16:03:27.881Z",
"dateUpdated": "2026-01-14T18:22:58.181Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50411 (GCVE-0-2022-50411)
Vulnerability from cvelistv5 – Published: 2025-09-18 16:03 – Updated: 2026-01-14 19:13
Title
ACPICA: Fix error code path in acpi_ds_call_control_method()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ACPICA: Fix error code path in acpi_ds_call_control_method()
A use-after-free in acpi_ps_parse_aml() after a failing invocation of
acpi_ds_call_control_method() is reported by KASAN [1] and code
inspection reveals that next_walk_state pushed to the thread by
acpi_ds_create_walk_state() is freed on errors, but it is not popped
from the thread beforehand. Thus acpi_ds_get_current_walk_state()
called by acpi_ps_parse_aml() subsequently returns it as the new
walk state which is incorrect.
To address this, make acpi_ds_call_control_method() call
acpi_ds_pop_walk_state() to pop next_walk_state from the thread before
returning an error.
Severity
7.8 (High)
CWE
- CWE-416 - Use After Free
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 38e251d356a01b61a86cb35213cafd7e8fe7090c (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f520d181477ec29a496c0b3bbfbdb7e2606c2713 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 2deb42c4f9776e59bee247c14af9c5e8c05ca9a6 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 9ef353c92f9d04c88de3af1a46859c1fb76db0f8 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < b0b83d3f3ffa96e8395c56b83d6197e184902a34 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 5777432ebaaf797e24f059979b42df3139967163 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 0462fec709d51762ba486245bc344f44cc6cfa97 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 799881db3e03b5e98fe6a900d9d7de8c7d61e7ee (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 404ec60438add1afadaffaed34bb5fe4ddcadd40 (git) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-50411",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T19:08:58.766332Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T19:13:09.051Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/acpi/acpica/dsmethod.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "38e251d356a01b61a86cb35213cafd7e8fe7090c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f520d181477ec29a496c0b3bbfbdb7e2606c2713",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2deb42c4f9776e59bee247c14af9c5e8c05ca9a6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9ef353c92f9d04c88de3af1a46859c1fb76db0f8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b0b83d3f3ffa96e8395c56b83d6197e184902a34",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5777432ebaaf797e24f059979b42df3139967163",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0462fec709d51762ba486245bc344f44cc6cfa97",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "799881db3e03b5e98fe6a900d9d7de8c7d61e7ee",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "404ec60438add1afadaffaed34bb5fe4ddcadd40",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/acpi/acpica/dsmethod.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPICA: Fix error code path in acpi_ds_call_control_method()\n\nA use-after-free in acpi_ps_parse_aml() after a failing invocaion of\nacpi_ds_call_control_method() is reported by KASAN [1] and code\ninspection reveals that next_walk_state pushed to the thread by\nacpi_ds_create_walk_state() is freed on errors, but it is not popped\nfrom the thread beforehand. Thus acpi_ds_get_current_walk_state()\ncalled by acpi_ps_parse_aml() subsequently returns it as the new\nwalk state which is incorrect.\n\nTo address this, make acpi_ds_call_control_method() call\nacpi_ds_pop_walk_state() to pop next_walk_state from the thread before\nreturning an error."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-23T13:29:24.195Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/38e251d356a01b61a86cb35213cafd7e8fe7090c"
},
{
"url": "https://git.kernel.org/stable/c/f520d181477ec29a496c0b3bbfbdb7e2606c2713"
},
{
"url": "https://git.kernel.org/stable/c/2deb42c4f9776e59bee247c14af9c5e8c05ca9a6"
},
{
"url": "https://git.kernel.org/stable/c/9ef353c92f9d04c88de3af1a46859c1fb76db0f8"
},
{
"url": "https://git.kernel.org/stable/c/b0b83d3f3ffa96e8395c56b83d6197e184902a34"
},
{
"url": "https://git.kernel.org/stable/c/5777432ebaaf797e24f059979b42df3139967163"
},
{
"url": "https://git.kernel.org/stable/c/0462fec709d51762ba486245bc344f44cc6cfa97"
},
{
"url": "https://git.kernel.org/stable/c/799881db3e03b5e98fe6a900d9d7de8c7d61e7ee"
},
{
"url": "https://git.kernel.org/stable/c/404ec60438add1afadaffaed34bb5fe4ddcadd40"
}
],
"title": "ACPICA: Fix error code path in acpi_ds_call_control_method()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50411",
"datePublished": "2025-09-18T16:03:55.437Z",
"dateReserved": "2025-09-17T14:53:07.002Z",
"dateUpdated": "2026-01-14T19:13:09.051Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53196 (GCVE-0-2023-53196)
Vulnerability from cvelistv5 – Published: 2025-09-15 14:06 – Updated: 2025-09-15 14:06
Title
usb: dwc3: qcom: Fix potential memory leak
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: dwc3: qcom: Fix potential memory leak
Function dwc3_qcom_probe() allocates memory for resource structure
which is pointed by parent_res pointer. This memory is not
freed. This leads to memory leak. Use stack memory to prevent
memory leak.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux |
Affected:
2bc02355f8ba2c1f108ec8b16a673b467a17228c , < 648a163cff21ea355c8765e882ba8bf66a870a3e
(git)
Affected: 2bc02355f8ba2c1f108ec8b16a673b467a17228c , < 74f8606ddfa450d2255b4e61472a7632def1e8c4 (git) Affected: 2bc02355f8ba2c1f108ec8b16a673b467a17228c , < b626cd5e4a87a281629e0c2b07519990077c0fbe (git) Affected: 2bc02355f8ba2c1f108ec8b16a673b467a17228c , < c3b322b84ab5dda7eaca9ded763628b7467734f4 (git) Affected: 2bc02355f8ba2c1f108ec8b16a673b467a17228c , < 134a7d4642f11daed6bbc378f930a54dd0322291 (git) Affected: 2bc02355f8ba2c1f108ec8b16a673b467a17228c , < 097fb3ee710d4de83b8d4f5589e8ee13e0f0541e (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/dwc3/dwc3-qcom.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "648a163cff21ea355c8765e882ba8bf66a870a3e",
"status": "affected",
"version": "2bc02355f8ba2c1f108ec8b16a673b467a17228c",
"versionType": "git"
},
{
"lessThan": "74f8606ddfa450d2255b4e61472a7632def1e8c4",
"status": "affected",
"version": "2bc02355f8ba2c1f108ec8b16a673b467a17228c",
"versionType": "git"
},
{
"lessThan": "b626cd5e4a87a281629e0c2b07519990077c0fbe",
"status": "affected",
"version": "2bc02355f8ba2c1f108ec8b16a673b467a17228c",
"versionType": "git"
},
{
"lessThan": "c3b322b84ab5dda7eaca9ded763628b7467734f4",
"status": "affected",
"version": "2bc02355f8ba2c1f108ec8b16a673b467a17228c",
"versionType": "git"
},
{
"lessThan": "134a7d4642f11daed6bbc378f930a54dd0322291",
"status": "affected",
"version": "2bc02355f8ba2c1f108ec8b16a673b467a17228c",
"versionType": "git"
},
{
"lessThan": "097fb3ee710d4de83b8d4f5589e8ee13e0f0541e",
"status": "affected",
"version": "2bc02355f8ba2c1f108ec8b16a673b467a17228c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/dwc3/dwc3-qcom.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.3"
},
{
"lessThan": "5.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc3: qcom: Fix potential memory leak\n\nFunction dwc3_qcom_probe() allocates memory for resource structure\nwhich is pointed by parent_res pointer. This memory is not\nfreed. This leads to memory leak. Use stack memory to prevent\nmemory leak.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T14:06:43.535Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/648a163cff21ea355c8765e882ba8bf66a870a3e"
},
{
"url": "https://git.kernel.org/stable/c/74f8606ddfa450d2255b4e61472a7632def1e8c4"
},
{
"url": "https://git.kernel.org/stable/c/b626cd5e4a87a281629e0c2b07519990077c0fbe"
},
{
"url": "https://git.kernel.org/stable/c/c3b322b84ab5dda7eaca9ded763628b7467734f4"
},
{
"url": "https://git.kernel.org/stable/c/134a7d4642f11daed6bbc378f930a54dd0322291"
},
{
"url": "https://git.kernel.org/stable/c/097fb3ee710d4de83b8d4f5589e8ee13e0f0541e"
}
],
"title": "usb: dwc3: qcom: Fix potential memory leak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53196",
"datePublished": "2025-09-15T14:06:43.535Z",
"dateReserved": "2025-09-15T13:59:19.067Z",
"dateUpdated": "2025-09-15T14:06:43.535Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53311 (GCVE-0-2023-53311)
Vulnerability from cvelistv5 – Published: 2025-09-16 16:11 – Updated: 2026-01-14 18:32
Title
nilfs2: fix use-after-free of nilfs_root in dirtying inodes via iput
Summary
In the Linux kernel, the following vulnerability has been resolved:
nilfs2: fix use-after-free of nilfs_root in dirtying inodes via iput
During unmount process of nilfs2, nothing holds nilfs_root structure after
nilfs2 detaches its writer in nilfs_detach_log_writer(). Previously,
nilfs_evict_inode() could cause use-after-free read for nilfs_root if
inodes are left in "garbage_list" and released by nilfs_dispose_list at
the end of nilfs_detach_log_writer(), and this bug was fixed by commit
9b5a04ac3ad9 ("nilfs2: fix use-after-free bug of nilfs_root in
nilfs_evict_inode()").
However, it turned out that there is another possibility of UAF in the
call path where mark_inode_dirty_sync() is called from iput():
  nilfs_detach_log_writer()
    nilfs_dispose_list()
      iput()
        mark_inode_dirty_sync()
          __mark_inode_dirty()
            nilfs_dirty_inode()
              __nilfs_mark_inode_dirty()
                nilfs_load_inode_block() --> causes UAF of nilfs_root struct
This can happen after commit 0ae45f63d4ef ("vfs: add support for a
lazytime mount option"), which changed iput() to call
mark_inode_dirty_sync() on its final reference if i_state has I_DIRTY_TIME
flag and i_nlink is non-zero.
This issue appears after commit 28a65b49eb53 ("nilfs2: do not write dirty
data after degenerating to read-only") when using the syzbot reproducer,
but the issue has potentially existed before.
Fix this issue by adding a "purging flag" to the nilfs structure, setting
that flag while disposing the "garbage_list" and checking it in
__nilfs_mark_inode_dirty().
Unlike commit 9b5a04ac3ad9 ("nilfs2: fix use-after-free bug of nilfs_root
in nilfs_evict_inode()"), this patch does not rely on ns_writer to
determine whether to skip operations, so as not to break recovery on
mount. The nilfs_salvage_orphan_logs routine dirties the buffer of
salvaged data before attaching the log writer, so changing
__nilfs_mark_inode_dirty() to skip the operation when ns_writer is NULL
will cause recovery write to fail. The purpose of using the cleanup-only
flag is to allow for narrowing of such conditions.
Severity
7.8 (High)
CWE
- CWE-416 - Use After Free
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux |
Affected:
0ae45f63d4ef8d8eeec49c7d8b44a1775fff13e8 , < 11afd67f1b3c28eb216e50a3ca8dbcb69bb71793
(git)
Affected: 0ae45f63d4ef8d8eeec49c7d8b44a1775fff13e8 , < a3c3b4cbf9b8554120fb230e6516e980c6277487 (git) Affected: 0ae45f63d4ef8d8eeec49c7d8b44a1775fff13e8 , < d2c539c216cce74837a9cf5804eb205939b82227 (git) Affected: 0ae45f63d4ef8d8eeec49c7d8b44a1775fff13e8 , < 37207240872456fbab44a110bde6640445233963 (git) Affected: 0ae45f63d4ef8d8eeec49c7d8b44a1775fff13e8 , < 3645510cf926e6af2f4d44899370d7e5331c93bd (git) Affected: 0ae45f63d4ef8d8eeec49c7d8b44a1775fff13e8 , < 7532ff6edbf5242376b24a95a2fefb59bb653e5a (git) Affected: 0ae45f63d4ef8d8eeec49c7d8b44a1775fff13e8 , < 5828d5f5dc877dcfdd7b23102e978e2ecfd86d82 (git) Affected: 0ae45f63d4ef8d8eeec49c7d8b44a1775fff13e8 , < f8654743a0e6909dc634cbfad6db6816f10f3399 (git) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-53311",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T18:24:44.425794Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T18:32:57.096Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nilfs2/inode.c",
"fs/nilfs2/segment.c",
"fs/nilfs2/the_nilfs.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "11afd67f1b3c28eb216e50a3ca8dbcb69bb71793",
"status": "affected",
"version": "0ae45f63d4ef8d8eeec49c7d8b44a1775fff13e8",
"versionType": "git"
},
{
"lessThan": "a3c3b4cbf9b8554120fb230e6516e980c6277487",
"status": "affected",
"version": "0ae45f63d4ef8d8eeec49c7d8b44a1775fff13e8",
"versionType": "git"
},
{
"lessThan": "d2c539c216cce74837a9cf5804eb205939b82227",
"status": "affected",
"version": "0ae45f63d4ef8d8eeec49c7d8b44a1775fff13e8",
"versionType": "git"
},
{
"lessThan": "37207240872456fbab44a110bde6640445233963",
"status": "affected",
"version": "0ae45f63d4ef8d8eeec49c7d8b44a1775fff13e8",
"versionType": "git"
},
{
"lessThan": "3645510cf926e6af2f4d44899370d7e5331c93bd",
"status": "affected",
"version": "0ae45f63d4ef8d8eeec49c7d8b44a1775fff13e8",
"versionType": "git"
},
{
"lessThan": "7532ff6edbf5242376b24a95a2fefb59bb653e5a",
"status": "affected",
"version": "0ae45f63d4ef8d8eeec49c7d8b44a1775fff13e8",
"versionType": "git"
},
{
"lessThan": "5828d5f5dc877dcfdd7b23102e978e2ecfd86d82",
"status": "affected",
"version": "0ae45f63d4ef8d8eeec49c7d8b44a1775fff13e8",
"versionType": "git"
},
{
"lessThan": "f8654743a0e6909dc634cbfad6db6816f10f3399",
"status": "affected",
"version": "0ae45f63d4ef8d8eeec49c7d8b44a1775fff13e8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nilfs2/inode.c",
"fs/nilfs2/segment.c",
"fs/nilfs2/the_nilfs.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.0"
},
{
"lessThan": "4.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.323",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.292",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.254",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.191",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.127",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.323",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.292",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.254",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.191",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.127",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.46",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.11",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix use-after-free of nilfs_root in dirtying inodes via iput\n\nDuring unmount process of nilfs2, nothing holds nilfs_root structure after\nnilfs2 detaches its writer in nilfs_detach_log_writer(). Previously,\nnilfs_evict_inode() could cause use-after-free read for nilfs_root if\ninodes are left in \"garbage_list\" and released by nilfs_dispose_list at\nthe end of nilfs_detach_log_writer(), and this bug was fixed by commit\n9b5a04ac3ad9 (\"nilfs2: fix use-after-free bug of nilfs_root in\nnilfs_evict_inode()\").\n\nHowever, it turned out that there is another possibility of UAF in the\ncall path where mark_inode_dirty_sync() is called from iput():\n\nnilfs_detach_log_writer()\n nilfs_dispose_list()\n iput()\n mark_inode_dirty_sync()\n __mark_inode_dirty()\n nilfs_dirty_inode()\n __nilfs_mark_inode_dirty()\n nilfs_load_inode_block() --\u003e causes UAF of nilfs_root struct\n\nThis can happen after commit 0ae45f63d4ef (\"vfs: add support for a\nlazytime mount option\"), which changed iput() to call\nmark_inode_dirty_sync() on its final reference if i_state has I_DIRTY_TIME\nflag and i_nlink is non-zero.\n\nThis issue appears after commit 28a65b49eb53 (\"nilfs2: do not write dirty\ndata after degenerating to read-only\") when using the syzbot reproducer,\nbut the issue has potentially existed before.\n\nFix this issue by adding a \"purging flag\" to the nilfs structure, setting\nthat flag while disposing the \"garbage_list\" and checking it in\n__nilfs_mark_inode_dirty().\n\nUnlike commit 9b5a04ac3ad9 (\"nilfs2: fix use-after-free bug of nilfs_root\nin nilfs_evict_inode()\"), this patch does not rely on ns_writer to\ndetermine whether to skip operations, so as not to break recovery on\nmount. 
The nilfs_salvage_orphan_logs routine dirties the buffer of\nsalvaged data before attaching the log writer, so changing\n__nilfs_mark_inode_dirty() to skip the operation when ns_writer is NULL\nwill cause recovery write to fail. The purpose of using the cleanup-only\nflag is to allow for narrowing of such conditions."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T16:11:49.099Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/11afd67f1b3c28eb216e50a3ca8dbcb69bb71793"
},
{
"url": "https://git.kernel.org/stable/c/a3c3b4cbf9b8554120fb230e6516e980c6277487"
},
{
"url": "https://git.kernel.org/stable/c/d2c539c216cce74837a9cf5804eb205939b82227"
},
{
"url": "https://git.kernel.org/stable/c/37207240872456fbab44a110bde6640445233963"
},
{
"url": "https://git.kernel.org/stable/c/3645510cf926e6af2f4d44899370d7e5331c93bd"
},
{
"url": "https://git.kernel.org/stable/c/7532ff6edbf5242376b24a95a2fefb59bb653e5a"
},
{
"url": "https://git.kernel.org/stable/c/5828d5f5dc877dcfdd7b23102e978e2ecfd86d82"
},
{
"url": "https://git.kernel.org/stable/c/f8654743a0e6909dc634cbfad6db6816f10f3399"
}
],
"title": "nilfs2: fix use-after-free of nilfs_root in dirtying inodes via iput",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53311",
"datePublished": "2025-09-16T16:11:49.099Z",
"dateReserved": "2025-09-16T16:08:59.562Z",
"dateUpdated": "2026-01-14T18:32:57.096Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53243 (GCVE-0-2023-53243)
Vulnerability from cvelistv5 – Published: 2025-09-15 14:46 – Updated: 2026-01-14 18:02
Title
btrfs: add handling for RAID1C23/DUP to btrfs_reduce_alloc_profile
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: add handling for RAID1C23/DUP to btrfs_reduce_alloc_profile
Callers of `btrfs_reduce_alloc_profile` expect it to return exactly
one allocation profile flag, and failing to do so may ultimately
result in a WARN_ON and remount-ro when allocating new blocks, like
the below transaction abort on 6.1.
`btrfs_reduce_alloc_profile` has two ways of determining the profile,
first it checks if a conversion balance is currently running and
uses the profile we're converting to. If no balance is currently
running, it returns the max-redundancy profile which at least one
block in the selected block group has.
This works by simply checking each known allocation profile bit in
redundancy order. However, `btrfs_reduce_alloc_profile` has not been
updated as new flags have been added - first with the `DUP` profile
and later with the RAID1C34 profiles.
Because of the way it checks, if we have blocks with different
profiles and at least one is known, that profile will be selected.
However, if none are known we may return a flag set with multiple
allocation profiles set.
This is currently only possible when a balance from one of the three
unhandled profiles to another of the unhandled profiles is canceled
after allocating at least one block using the new profile.
In that case, a transaction abort like the below will occur and the
filesystem will need to be mounted with -o skip_balance to get it
mounted rw again (but the balance cannot be resumed without a
similar abort).
[770.648] ------------[ cut here ]------------
[770.648] BTRFS: Transaction aborted (error -22)
[770.648] WARNING: CPU: 43 PID: 1159593 at fs/btrfs/extent-tree.c:4122 find_free_extent+0x1d94/0x1e00 [btrfs]
[770.648] CPU: 43 PID: 1159593 Comm: btrfs Tainted: G W 6.1.0-0.deb11.7-powerpc64le #1 Debian 6.1.20-2~bpo11+1a~test
[770.648] Hardware name: T2P9D01 REV 1.00 POWER9 0x4e1202 opal:skiboot-bc106a0 PowerNV
[770.648] NIP: c00800000f6784fc LR: c00800000f6784f8 CTR: c000000000d746c0
[770.648] REGS: c000200089afe9a0 TRAP: 0700 Tainted: G W (6.1.0-0.deb11.7-powerpc64le Debian 6.1.20-2~bpo11+1a~test)
[770.648] MSR: 9000000002029033 <SF,HV,VEC,EE,ME,IR,DR,RI,LE> CR: 28848282 XER: 20040000
[770.648] CFAR: c000000000135110 IRQMASK: 0
GPR00: c00800000f6784f8 c000200089afec40 c00800000f7ea800 0000000000000026
GPR04: 00000001004820c2 c000200089afea00 c000200089afe9f8 0000000000000027
GPR08: c000200ffbfe7f98 c000000002127f90 ffffffffffffffd8 0000000026d6a6e8
GPR12: 0000000028848282 c000200fff7f3800 5deadbeef0000122 c00000002269d000
GPR16: c0002008c7797c40 c000200089afef17 0000000000000000 0000000000000000
GPR20: 0000000000000000 0000000000000001 c000200008bc5a98 0000000000000001
GPR24: 0000000000000000 c0000003c73088d0 c000200089afef17 c000000016d3a800
GPR28: c0000003c7308800 c00000002269d000 ffffffffffffffea 0000000000000001
[770.648] NIP [c00800000f6784fc] find_free_extent+0x1d94/0x1e00 [btrfs]
[770.648] LR [c00800000f6784f8] find_free_extent+0x1d90/0x1e00 [btrfs]
[770.648] Call Trace:
[770.648] [c000200089afec40] [c00800000f6784f8] find_free_extent+0x1d90/0x1e00 [btrfs] (unreliable)
[770.648] [c000200089afed30] [c00800000f681398] btrfs_reserve_extent+0x1a0/0x2f0 [btrfs]
[770.648] [c000200089afeea0] [c00800000f681bf0] btrfs_alloc_tree_block+0x108/0x670 [btrfs]
[770.648] [c000200089afeff0] [c00800000f66bd68] __btrfs_cow_block+0x170/0x850 [btrfs]
[770.648] [c000200089aff100] [c00800000f66c58c] btrfs_cow_block+0x144/0x288 [btrfs]
[770.648] [c000200089aff1b0] [c00800000f67113c] btrfs_search_slot+0x6b4/0xcb0 [btrfs]
[770.648] [c000200089aff2a0] [c00800000f679f60] lookup_inline_extent_backref+0x128/0x7c0 [btrfs]
[770.648] [c000200089aff3b0] [c00800000f67b338] lookup_extent_backref+0x70/0x190 [btrfs]
[770.648] [c000200089aff470] [c00800000f67b54c] __btrfs_free_extent+0xf4/0x1490 [btrfs]
[770.648] [
---truncated---
Severity
5.5 (Medium)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux |
Affected:
47e6f7423b9196ad6832d26cae52b7015f81ee7f , < a3fbd156bd2cd16e3c64e250ebce33eb9f2ef612
(git)
Affected: 47e6f7423b9196ad6832d26cae52b7015f81ee7f , < 12b6d68498982a053a4a7e561a04387e57ca6f1a (git) Affected: 47e6f7423b9196ad6832d26cae52b7015f81ee7f , < 4fadf53fa95142f01f215012e97c384529759a72 (git) Affected: 47e6f7423b9196ad6832d26cae52b7015f81ee7f , < 1b532748ba00bd2a1d9b09e0d5e81280582c7770 (git) Affected: 47e6f7423b9196ad6832d26cae52b7015f81ee7f , < 160fe8f6fdb13da6111677be6263e5d65e875987 (git) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-53243",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T17:58:24.777557Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T18:02:50.985Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/block-group.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a3fbd156bd2cd16e3c64e250ebce33eb9f2ef612",
"status": "affected",
"version": "47e6f7423b9196ad6832d26cae52b7015f81ee7f",
"versionType": "git"
},
{
"lessThan": "12b6d68498982a053a4a7e561a04387e57ca6f1a",
"status": "affected",
"version": "47e6f7423b9196ad6832d26cae52b7015f81ee7f",
"versionType": "git"
},
{
"lessThan": "4fadf53fa95142f01f215012e97c384529759a72",
"status": "affected",
"version": "47e6f7423b9196ad6832d26cae52b7015f81ee7f",
"versionType": "git"
},
{
"lessThan": "1b532748ba00bd2a1d9b09e0d5e81280582c7770",
"status": "affected",
"version": "47e6f7423b9196ad6832d26cae52b7015f81ee7f",
"versionType": "git"
},
{
"lessThan": "160fe8f6fdb13da6111677be6263e5d65e875987",
"status": "affected",
"version": "47e6f7423b9196ad6832d26cae52b7015f81ee7f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/block-group.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: add handling for RAID1C23/DUP to btrfs_reduce_alloc_profile\n\nCallers of `btrfs_reduce_alloc_profile` expect it to return exactly\none allocation profile flag, and failing to do so may ultimately\nresult in a WARN_ON and remount-ro when allocating new blocks, like\nthe below transaction abort on 6.1.\n\n`btrfs_reduce_alloc_profile` has two ways of determining the profile,\nfirst it checks if a conversion balance is currently running and\nuses the profile we\u0027re converting to. If no balance is currently\nrunning, it returns the max-redundancy profile which at least one\nblock in the selected block group has.\n\nThis works by simply checking each known allocation profile bit in\nredundancy order. However, `btrfs_reduce_alloc_profile` has not been\nupdated as new flags have been added - first with the `DUP` profile\nand later with the RAID1C34 profiles.\n\nBecause of the way it checks, if we have blocks with different\nprofiles and at least one is known, that profile will be selected.\nHowever, if none are known we may return a flag set with multiple\nallocation profiles set.\n\nThis is currently only possible when a balance from one of the three\nunhandled profiles to another of the unhandled profiles is canceled\nafter allocating at least one block using the new profile.\n\nIn that case, a transaction abort like the below will occur and the\nfilesystem will need to be mounted with -o skip_balance to get it\nmounted rw again (but the balance cannot be resumed without a\nsimilar abort).\n\n [770.648] ------------[ cut here ]------------\n [770.648] BTRFS: Transaction aborted (error -22)\n [770.648] WARNING: CPU: 43 PID: 1159593 at fs/btrfs/extent-tree.c:4122 find_free_extent+0x1d94/0x1e00 [btrfs]\n [770.648] CPU: 43 PID: 1159593 Comm: btrfs Tainted: G W 6.1.0-0.deb11.7-powerpc64le #1 Debian 6.1.20-2~bpo11+1a~test\n [770.648] Hardware name: T2P9D01 REV 1.00 POWER9 0x4e1202 
opal:skiboot-bc106a0 PowerNV\n [770.648] NIP: c00800000f6784fc LR: c00800000f6784f8 CTR: c000000000d746c0\n [770.648] REGS: c000200089afe9a0 TRAP: 0700 Tainted: G W (6.1.0-0.deb11.7-powerpc64le Debian 6.1.20-2~bpo11+1a~test)\n [770.648] MSR: 9000000002029033 \u003cSF,HV,VEC,EE,ME,IR,DR,RI,LE\u003e CR: 28848282 XER: 20040000\n [770.648] CFAR: c000000000135110 IRQMASK: 0\n\t GPR00: c00800000f6784f8 c000200089afec40 c00800000f7ea800 0000000000000026\n\t GPR04: 00000001004820c2 c000200089afea00 c000200089afe9f8 0000000000000027\n\t GPR08: c000200ffbfe7f98 c000000002127f90 ffffffffffffffd8 0000000026d6a6e8\n\t GPR12: 0000000028848282 c000200fff7f3800 5deadbeef0000122 c00000002269d000\n\t GPR16: c0002008c7797c40 c000200089afef17 0000000000000000 0000000000000000\n\t GPR20: 0000000000000000 0000000000000001 c000200008bc5a98 0000000000000001\n\t GPR24: 0000000000000000 c0000003c73088d0 c000200089afef17 c000000016d3a800\n\t GPR28: c0000003c7308800 c00000002269d000 ffffffffffffffea 0000000000000001\n [770.648] NIP [c00800000f6784fc] find_free_extent+0x1d94/0x1e00 [btrfs]\n [770.648] LR [c00800000f6784f8] find_free_extent+0x1d90/0x1e00 [btrfs]\n [770.648] Call Trace:\n [770.648] [c000200089afec40] [c00800000f6784f8] find_free_extent+0x1d90/0x1e00 [btrfs] (unreliable)\n [770.648] [c000200089afed30] [c00800000f681398] btrfs_reserve_extent+0x1a0/0x2f0 [btrfs]\n [770.648] [c000200089afeea0] [c00800000f681bf0] btrfs_alloc_tree_block+0x108/0x670 [btrfs]\n [770.648] [c000200089afeff0] [c00800000f66bd68] __btrfs_cow_block+0x170/0x850 [btrfs]\n [770.648] [c000200089aff100] [c00800000f66c58c] btrfs_cow_block+0x144/0x288 [btrfs]\n [770.648] [c000200089aff1b0] [c00800000f67113c] btrfs_search_slot+0x6b4/0xcb0 [btrfs]\n [770.648] [c000200089aff2a0] [c00800000f679f60] lookup_inline_extent_backref+0x128/0x7c0 [btrfs]\n [770.648] [c000200089aff3b0] [c00800000f67b338] lookup_extent_backref+0x70/0x190 [btrfs]\n [770.648] [c000200089aff470] [c00800000f67b54c] __btrfs_free_extent+0xf4/0x1490 
[btrfs]\n [770.648] [\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T14:46:11.637Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a3fbd156bd2cd16e3c64e250ebce33eb9f2ef612"
},
{
"url": "https://git.kernel.org/stable/c/12b6d68498982a053a4a7e561a04387e57ca6f1a"
},
{
"url": "https://git.kernel.org/stable/c/4fadf53fa95142f01f215012e97c384529759a72"
},
{
"url": "https://git.kernel.org/stable/c/1b532748ba00bd2a1d9b09e0d5e81280582c7770"
},
{
"url": "https://git.kernel.org/stable/c/160fe8f6fdb13da6111677be6263e5d65e875987"
}
],
"title": "btrfs: add handling for RAID1C23/DUP to btrfs_reduce_alloc_profile",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53243",
"datePublished": "2025-09-15T14:46:11.637Z",
"dateReserved": "2025-09-15T14:19:21.848Z",
"dateUpdated": "2026-01-14T18:02:50.985Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49975 (GCVE-0-2022-49975)
Vulnerability from cvelistv5 – Published: 2025-06-18 11:00 – Updated: 2025-12-23 13:26
Title
bpf: Don't redirect packets with invalid pkt_len
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Don't redirect packets with invalid pkt_len
Syzbot found an issue [1]: fq_codel_drop() tries to drop a flow without any
skbs, that is, the flow->head is null.
The root cause, as the [2] says, is because that bpf_prog_test_run_skb()
run a bpf prog which redirects empty skbs.
So we should determine whether the length of the packet modified by bpf
prog or others like bpf_prog_test is valid before forwarding it directly.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 5293efe62df81908f2e90c9820c7edcc8e61f5e9 , < 8b68e53d56697a59b5c53893b53f508bbdf272a0 (git) |
| Linux | Linux | Affected: 5293efe62df81908f2e90c9820c7edcc8e61f5e9 , < 6204bf78b2a903b96ba43afff6abc0b04d6e0462 (git) |
| Linux | Linux | Affected: 5293efe62df81908f2e90c9820c7edcc8e61f5e9 , < a75987714bd2d8e59840667a28e15c1fa5c47554 (git) |
| Linux | Linux | Affected: 5293efe62df81908f2e90c9820c7edcc8e61f5e9 , < 72f2dc8993f10262092745a88cb2dd0fef094f23 (git) |
| Linux | Linux | Affected: 5293efe62df81908f2e90c9820c7edcc8e61f5e9 , < fd1894224407c484f652ad456e1ce423e89bb3eb (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/linux/skbuff.h",
"net/bpf/test_run.c",
"net/core/dev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8b68e53d56697a59b5c53893b53f508bbdf272a0",
"status": "affected",
"version": "5293efe62df81908f2e90c9820c7edcc8e61f5e9",
"versionType": "git"
},
{
"lessThan": "6204bf78b2a903b96ba43afff6abc0b04d6e0462",
"status": "affected",
"version": "5293efe62df81908f2e90c9820c7edcc8e61f5e9",
"versionType": "git"
},
{
"lessThan": "a75987714bd2d8e59840667a28e15c1fa5c47554",
"status": "affected",
"version": "5293efe62df81908f2e90c9820c7edcc8e61f5e9",
"versionType": "git"
},
{
"lessThan": "72f2dc8993f10262092745a88cb2dd0fef094f23",
"status": "affected",
"version": "5293efe62df81908f2e90c9820c7edcc8e61f5e9",
"versionType": "git"
},
{
"lessThan": "fd1894224407c484f652ad456e1ce423e89bb3eb",
"status": "affected",
"version": "5293efe62df81908f2e90c9820c7edcc8e61f5e9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/linux/skbuff.h",
"net/bpf/test_run.c",
"net/core/dev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.9"
},
{
"lessThan": "4.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.212",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.141",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.65",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.212",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.141",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.65",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.7",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0",
"versionStartIncluding": "4.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Don\u0027t redirect packets with invalid pkt_len\n\nSyzbot found an issue [1]: fq_codel_drop() try to drop a flow whitout any\nskbs, that is, the flow-\u003ehead is null.\nThe root cause, as the [2] says, is because that bpf_prog_test_run_skb()\nrun a bpf prog which redirects empty skbs.\nSo we should determine whether the length of the packet modified by bpf\nprog or others like bpf_prog_test is valid before forwarding it directly."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-23T13:26:14.542Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8b68e53d56697a59b5c53893b53f508bbdf272a0"
},
{
"url": "https://git.kernel.org/stable/c/6204bf78b2a903b96ba43afff6abc0b04d6e0462"
},
{
"url": "https://git.kernel.org/stable/c/a75987714bd2d8e59840667a28e15c1fa5c47554"
},
{
"url": "https://git.kernel.org/stable/c/72f2dc8993f10262092745a88cb2dd0fef094f23"
},
{
"url": "https://git.kernel.org/stable/c/fd1894224407c484f652ad456e1ce423e89bb3eb"
}
],
"title": "bpf: Don\u0027t redirect packets with invalid pkt_len",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49975",
"datePublished": "2025-06-18T11:00:38.157Z",
"dateReserved": "2025-06-18T10:57:27.385Z",
"dateUpdated": "2025-12-23T13:26:14.542Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38568 (GCVE-0-2025-38568)
Vulnerability from cvelistv5 – Published: 2025-08-19 17:02 – Updated: 2025-09-29 05:53
Title
net/sched: mqprio: fix stack out-of-bounds write in tc entry parsing
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: mqprio: fix stack out-of-bounds write in tc entry parsing
TCA_MQPRIO_TC_ENTRY_INDEX is validated using
NLA_POLICY_MAX(NLA_U32, TC_QOPT_MAX_QUEUE), which allows the value
TC_QOPT_MAX_QUEUE (16). This leads to a 4-byte out-of-bounds stack
write in the fp[] array, which only has room for 16 elements (0–15).
Fix this by changing the policy to allow only up to TC_QOPT_MAX_QUEUE - 1.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: f62af20bed2d9e824f51cfc97ff01bc261f40e58 , < 39491e859fd494d0b51adc5c7d54c8a7dcf1d198 (git) |
| Linux | Linux | Affected: f62af20bed2d9e824f51cfc97ff01bc261f40e58 , < d00e4125680f7074c4f42ce3c297336f23128e70 (git) |
| Linux | Linux | Affected: f62af20bed2d9e824f51cfc97ff01bc261f40e58 , < 66fc2ebdd9d5dd6e5a9c7edeace5a61a0ab2cd86 (git) |
| Linux | Linux | Affected: f62af20bed2d9e824f51cfc97ff01bc261f40e58 , < f1a9dbcb7d17bf0abb325cdc984957cfabc59693 (git) |
| Linux | Linux | Affected: f62af20bed2d9e824f51cfc97ff01bc261f40e58 , < ffd2dc4c6c49ff4f1e5d34e454a6a55608104c17 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/sch_mqprio.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "39491e859fd494d0b51adc5c7d54c8a7dcf1d198",
"status": "affected",
"version": "f62af20bed2d9e824f51cfc97ff01bc261f40e58",
"versionType": "git"
},
{
"lessThan": "d00e4125680f7074c4f42ce3c297336f23128e70",
"status": "affected",
"version": "f62af20bed2d9e824f51cfc97ff01bc261f40e58",
"versionType": "git"
},
{
"lessThan": "66fc2ebdd9d5dd6e5a9c7edeace5a61a0ab2cd86",
"status": "affected",
"version": "f62af20bed2d9e824f51cfc97ff01bc261f40e58",
"versionType": "git"
},
{
"lessThan": "f1a9dbcb7d17bf0abb325cdc984957cfabc59693",
"status": "affected",
"version": "f62af20bed2d9e824f51cfc97ff01bc261f40e58",
"versionType": "git"
},
{
"lessThan": "ffd2dc4c6c49ff4f1e5d34e454a6a55608104c17",
"status": "affected",
"version": "f62af20bed2d9e824f51cfc97ff01bc261f40e58",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/sch_mqprio.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.102",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.102",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.42",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.10",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: mqprio: fix stack out-of-bounds write in tc entry parsing\n\nTCA_MQPRIO_TC_ENTRY_INDEX is validated using\nNLA_POLICY_MAX(NLA_U32, TC_QOPT_MAX_QUEUE), which allows the value\nTC_QOPT_MAX_QUEUE (16). This leads to a 4-byte out-of-bounds stack\nwrite in the fp[] array, which only has room for 16 elements (0\u201315).\n\nFix this by changing the policy to allow only up to TC_QOPT_MAX_QUEUE - 1."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:53:57.182Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/39491e859fd494d0b51adc5c7d54c8a7dcf1d198"
},
{
"url": "https://git.kernel.org/stable/c/d00e4125680f7074c4f42ce3c297336f23128e70"
},
{
"url": "https://git.kernel.org/stable/c/66fc2ebdd9d5dd6e5a9c7edeace5a61a0ab2cd86"
},
{
"url": "https://git.kernel.org/stable/c/f1a9dbcb7d17bf0abb325cdc984957cfabc59693"
},
{
"url": "https://git.kernel.org/stable/c/ffd2dc4c6c49ff4f1e5d34e454a6a55608104c17"
}
],
"title": "net/sched: mqprio: fix stack out-of-bounds write in tc entry parsing",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38568",
"datePublished": "2025-08-19T17:02:49.278Z",
"dateReserved": "2025-04-16T04:51:24.025Z",
"dateUpdated": "2025-09-29T05:53:57.182Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-4460 (GCVE-0-2021-4460)
Vulnerability from cvelistv5 – Published: 2025-10-01 11:45 – Updated: 2026-01-14 17:42
Title
drm/amdkfd: Fix UBSAN shift-out-of-bounds warning
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdkfd: Fix UBSAN shift-out-of-bounds warning
If get_num_sdma_queues or get_num_xgmi_sdma_queues is 0, we end up
doing a shift operation where the number of bits shifted equals
number of bits in the operand. This behaviour is undefined.
Set num_sdma_queues or num_xgmi_sdma_queues to ULLONG_MAX, if the
count is >= number of bits in the operand.
Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/1472
Severity
7.1 (High)
CWE
- CWE-125 - Out-of-bounds Read
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 4a488a7ad71401169cecee75dc94bcce642e2c53 , < 0c0356ef2498c1a250fe3846f30293f828737309 (git) |
| Linux | Linux | Affected: 4a488a7ad71401169cecee75dc94bcce642e2c53 , < 1874b0ef1426b873de94c61861e38f29a8df714c (git) |
| Linux | Linux | Affected: 4a488a7ad71401169cecee75dc94bcce642e2c53 , < 3fdc5182700910a685d23df57d65166e8556a266 (git) |
| Linux | Linux | Affected: 4a488a7ad71401169cecee75dc94bcce642e2c53 , < 9069b1b542de8f3bbffef868aff41521b21485cf (git) |
| Linux | Linux | Affected: 4a488a7ad71401169cecee75dc94bcce642e2c53 , < 50e2fc36e72d4ad672032ebf646cecb48656efe0 (git) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2021-4460",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T17:39:30.831800Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T17:42:45.892Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0c0356ef2498c1a250fe3846f30293f828737309",
"status": "affected",
"version": "4a488a7ad71401169cecee75dc94bcce642e2c53",
"versionType": "git"
},
{
"lessThan": "1874b0ef1426b873de94c61861e38f29a8df714c",
"status": "affected",
"version": "4a488a7ad71401169cecee75dc94bcce642e2c53",
"versionType": "git"
},
{
"lessThan": "3fdc5182700910a685d23df57d65166e8556a266",
"status": "affected",
"version": "4a488a7ad71401169cecee75dc94bcce642e2c53",
"versionType": "git"
},
{
"lessThan": "9069b1b542de8f3bbffef868aff41521b21485cf",
"status": "affected",
"version": "4a488a7ad71401169cecee75dc94bcce642e2c53",
"versionType": "git"
},
{
"lessThan": "50e2fc36e72d4ad672032ebf646cecb48656efe0",
"status": "affected",
"version": "4a488a7ad71401169cecee75dc94bcce642e2c53",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.19"
},
{
"lessThan": "3.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.118",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.11.*",
"status": "unaffected",
"version": "5.11.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.12.*",
"status": "unaffected",
"version": "5.12.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.13",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.118",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.36",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.11.20",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.12.3",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.13",
"versionStartIncluding": "3.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Fix UBSAN shift-out-of-bounds warning\n\nIf get_num_sdma_queues or get_num_xgmi_sdma_queues is 0, we end up\ndoing a shift operation where the number of bits shifted equals\nnumber of bits in the operand. This behaviour is undefined.\n\nSet num_sdma_queues or num_xgmi_sdma_queues to ULLONG_MAX, if the\ncount is \u003e= number of bits in the operand.\n\nBug: https://gitlab.freedesktop.org/drm/amd/-/issues/1472"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-20T08:50:43.244Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0c0356ef2498c1a250fe3846f30293f828737309"
},
{
"url": "https://git.kernel.org/stable/c/1874b0ef1426b873de94c61861e38f29a8df714c"
},
{
"url": "https://git.kernel.org/stable/c/3fdc5182700910a685d23df57d65166e8556a266"
},
{
"url": "https://git.kernel.org/stable/c/9069b1b542de8f3bbffef868aff41521b21485cf"
},
{
"url": "https://git.kernel.org/stable/c/50e2fc36e72d4ad672032ebf646cecb48656efe0"
}
],
"title": "drm/amdkfd: Fix UBSAN shift-out-of-bounds warning",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2021-4460",
"datePublished": "2025-10-01T11:45:19.050Z",
"dateReserved": "2025-10-01T11:38:13.842Z",
"dateUpdated": "2026-01-14T17:42:45.892Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53226 (GCVE-0-2023-53226)
Vulnerability from cvelistv5 – Published: 2025-09-15 14:21 – Updated: 2026-01-14 17:52
Title
wifi: mwifiex: Fix OOB and integer underflow when rx packets
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: mwifiex: Fix OOB and integer underflow when rx packets
Make sure mwifiex_process_mgmt_packet,
mwifiex_process_sta_rx_packet and mwifiex_process_uap_rx_packet,
mwifiex_uap_queue_bridged_pkt and mwifiex_process_rx_packet
do not access the skb->data buffer out of bounds.
Severity
5.5 (Medium)
CWE
- CWE-191 - Integer Underflow (Wrap or Wraparound)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 2dbaf751b1dec3a603130a475f94cc4d3f404362 , < f517c97fc129995de77dd06aa5a74f909ebf568f (git) |
| Linux | Linux | Affected: 2dbaf751b1dec3a603130a475f94cc4d3f404362 , < 8824aa4ab62c800f75d96f48e1883a5f56ec5869 (git) |
| Linux | Linux | Affected: 2dbaf751b1dec3a603130a475f94cc4d3f404362 , < 29eca8b7863d1d7de6c5b746b374e3487d14f154 (git) |
| Linux | Linux | Affected: 2dbaf751b1dec3a603130a475f94cc4d3f404362 , < 3fe3923d092e22d87d1ed03e2729db444b8c1331 (git) |
| Linux | Linux | Affected: 2dbaf751b1dec3a603130a475f94cc4d3f404362 , < 7c54b6fc39eb1aac51cf2945f8a25e2a47fdca02 (git) |
| Linux | Linux | Affected: 2dbaf751b1dec3a603130a475f94cc4d3f404362 , < 3975e21d4d01efaf0296ded40d11c06589c49245 (git) |
| Linux | Linux | Affected: 2dbaf751b1dec3a603130a475f94cc4d3f404362 , < a7300e3800e9fd5405e88ce67709c1a97783b9c8 (git) |
| Linux | Linux | Affected: 2dbaf751b1dec3a603130a475f94cc4d3f404362 , < 650d1bc02fba7b42f476d8b6643324abac5921ed (git) |
| Linux | Linux | Affected: 2dbaf751b1dec3a603130a475f94cc4d3f404362 , < 11958528161731c58e105b501ed60b83a91ea941 (git) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-53226",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T17:51:16.557701Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-191",
"description": "CWE-191 Integer Underflow (Wrap or Wraparound)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T17:52:59.853Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/marvell/mwifiex/sta_rx.c",
"drivers/net/wireless/marvell/mwifiex/uap_txrx.c",
"drivers/net/wireless/marvell/mwifiex/util.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f517c97fc129995de77dd06aa5a74f909ebf568f",
"status": "affected",
"version": "2dbaf751b1dec3a603130a475f94cc4d3f404362",
"versionType": "git"
},
{
"lessThan": "8824aa4ab62c800f75d96f48e1883a5f56ec5869",
"status": "affected",
"version": "2dbaf751b1dec3a603130a475f94cc4d3f404362",
"versionType": "git"
},
{
"lessThan": "29eca8b7863d1d7de6c5b746b374e3487d14f154",
"status": "affected",
"version": "2dbaf751b1dec3a603130a475f94cc4d3f404362",
"versionType": "git"
},
{
"lessThan": "3fe3923d092e22d87d1ed03e2729db444b8c1331",
"status": "affected",
"version": "2dbaf751b1dec3a603130a475f94cc4d3f404362",
"versionType": "git"
},
{
"lessThan": "7c54b6fc39eb1aac51cf2945f8a25e2a47fdca02",
"status": "affected",
"version": "2dbaf751b1dec3a603130a475f94cc4d3f404362",
"versionType": "git"
},
{
"lessThan": "3975e21d4d01efaf0296ded40d11c06589c49245",
"status": "affected",
"version": "2dbaf751b1dec3a603130a475f94cc4d3f404362",
"versionType": "git"
},
{
"lessThan": "a7300e3800e9fd5405e88ce67709c1a97783b9c8",
"status": "affected",
"version": "2dbaf751b1dec3a603130a475f94cc4d3f404362",
"versionType": "git"
},
{
"lessThan": "650d1bc02fba7b42f476d8b6643324abac5921ed",
"status": "affected",
"version": "2dbaf751b1dec3a603130a475f94cc4d3f404362",
"versionType": "git"
},
{
"lessThan": "11958528161731c58e105b501ed60b83a91ea941",
"status": "affected",
"version": "2dbaf751b1dec3a603130a475f94cc4d3f404362",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/marvell/mwifiex/sta_rx.c",
"drivers/net/wireless/marvell/mwifiex/uap_txrx.c",
"drivers/net/wireless/marvell/mwifiex/util.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.7"
},
{
"lessThan": "3.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.326",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.257",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.326",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.295",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.257",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.195",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.132",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.53",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "3.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mwifiex: Fix OOB and integer underflow when rx packets\n\nMake sure mwifiex_process_mgmt_packet,\nmwifiex_process_sta_rx_packet and mwifiex_process_uap_rx_packet,\nmwifiex_uap_queue_bridged_pkt and mwifiex_process_rx_packet\nnot out-of-bounds access the skb-\u003edata buffer."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T14:21:55.884Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f517c97fc129995de77dd06aa5a74f909ebf568f"
},
{
"url": "https://git.kernel.org/stable/c/8824aa4ab62c800f75d96f48e1883a5f56ec5869"
},
{
"url": "https://git.kernel.org/stable/c/29eca8b7863d1d7de6c5b746b374e3487d14f154"
},
{
"url": "https://git.kernel.org/stable/c/3fe3923d092e22d87d1ed03e2729db444b8c1331"
},
{
"url": "https://git.kernel.org/stable/c/7c54b6fc39eb1aac51cf2945f8a25e2a47fdca02"
},
{
"url": "https://git.kernel.org/stable/c/3975e21d4d01efaf0296ded40d11c06589c49245"
},
{
"url": "https://git.kernel.org/stable/c/a7300e3800e9fd5405e88ce67709c1a97783b9c8"
},
{
"url": "https://git.kernel.org/stable/c/650d1bc02fba7b42f476d8b6643324abac5921ed"
},
{
"url": "https://git.kernel.org/stable/c/11958528161731c58e105b501ed60b83a91ea941"
}
],
"title": "wifi: mwifiex: Fix OOB and integer underflow when rx packets",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53226",
"datePublished": "2025-09-15T14:21:55.884Z",
"dateReserved": "2025-09-15T14:19:21.846Z",
"dateUpdated": "2026-01-14T17:52:59.853Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53331 (GCVE-0-2023-53331)
Vulnerability from cvelistv5 – Published: 2025-09-16 16:12 – Updated: 2026-01-14 18:32
Title
pstore/ram: Check start of empty przs during init
Summary
In the Linux kernel, the following vulnerability has been resolved:
pstore/ram: Check start of empty przs during init
After commit 30696378f68a ("pstore/ram: Do not treat empty buffers as
valid"), initialization would assume a prz was valid after seeing that
the buffer_size is zero (regardless of the buffer start position). This
unchecked start value means it could be outside the bounds of the buffer,
leading to future access panics when written to:
sysdump_panic_event+0x3b4/0x5b8
atomic_notifier_call_chain+0x54/0x90
panic+0x1c8/0x42c
die+0x29c/0x2a8
die_kernel_fault+0x68/0x78
__do_kernel_fault+0x1c4/0x1e0
do_bad_area+0x40/0x100
do_translation_fault+0x68/0x80
do_mem_abort+0x68/0xf8
el1_da+0x1c/0xc0
__raw_writeb+0x38/0x174
__memcpy_toio+0x40/0xac
persistent_ram_update+0x44/0x12c
persistent_ram_write+0x1a8/0x1b8
ramoops_pstore_write+0x198/0x1e8
pstore_console_write+0x94/0xe0
...
To avoid this, also check if the prz start is 0 during the initialization
phase. If not, the next prz sanity check case will discover it (start >
size) and zap the buffer back to a sane state.
[kees: update commit log with backtrace and clarifications]
Severity
7.8 (High)
CWE
- CWE-787 - Out-of-bounds Write
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: e1e3a46706bd4037e8b7407dc660ae6e05b8ac56 , < 89312657337e6e03ad6e9ea1a462bd9c158c85c8 (git) |
| Linux | Linux | Affected: 265242d82a3c6a8bd9120d06b4801f8d7ae9a346 , < c807ccdd812d18985860504b503899f3140a9549 (git) |
| Linux | Linux | Affected: 30696378f68a9e3dad6bfe55938b112e72af00c2 , < e972231db29b5d1dccc13bf9d5ba55b6979a69ed (git) |
| Linux | Linux | Affected: 30696378f68a9e3dad6bfe55938b112e72af00c2 , < dc2f60de9a7d3efd982440117dab5579898d808c (git) |
| Linux | Linux | Affected: 30696378f68a9e3dad6bfe55938b112e72af00c2 , < fedecaeef88899d940b69368c996e8b3b0b8650d (git) |
| Linux | Linux | Affected: 30696378f68a9e3dad6bfe55938b112e72af00c2 , < e95d7a8a6edd14f8fab44c777dd7281db91f6ae2 (git) |
| Linux | Linux | Affected: 30696378f68a9e3dad6bfe55938b112e72af00c2 , < f77990358628b01bdc03752126ff5f716ea37615 (git) |
| Linux | Linux | Affected: 30696378f68a9e3dad6bfe55938b112e72af00c2 , < 25fb4e3402d46f425ec135ef6f09792a4c1b3003 (git) |
| Linux | Linux | Affected: 30696378f68a9e3dad6bfe55938b112e72af00c2 , < fe8c3623ab06603eb760444a032d426542212021 (git) |
| Linux | Linux | Affected: ec7f99261da9a20d63cbd273511a11a2efe698f2 (git) |
| Linux | Linux | Affected: f250e4c562a3bd106575032666e9ef46f31231f8 (git) |
| Linux | Linux | Affected: fffdbf586866e9500b53c9d4b061d3983720375a (git) |
| Linux | Linux | Affected: 9e969ba431b46b1891c88cea36f722f3bfe8a180 (git) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-53331",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T18:30:13.040006Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787 Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T18:32:59.884Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/pstore/ram_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "89312657337e6e03ad6e9ea1a462bd9c158c85c8",
"status": "affected",
"version": "e1e3a46706bd4037e8b7407dc660ae6e05b8ac56",
"versionType": "git"
},
{
"lessThan": "c807ccdd812d18985860504b503899f3140a9549",
"status": "affected",
"version": "265242d82a3c6a8bd9120d06b4801f8d7ae9a346",
"versionType": "git"
},
{
"lessThan": "e972231db29b5d1dccc13bf9d5ba55b6979a69ed",
"status": "affected",
"version": "30696378f68a9e3dad6bfe55938b112e72af00c2",
"versionType": "git"
},
{
"lessThan": "dc2f60de9a7d3efd982440117dab5579898d808c",
"status": "affected",
"version": "30696378f68a9e3dad6bfe55938b112e72af00c2",
"versionType": "git"
},
{
"lessThan": "fedecaeef88899d940b69368c996e8b3b0b8650d",
"status": "affected",
"version": "30696378f68a9e3dad6bfe55938b112e72af00c2",
"versionType": "git"
},
{
"lessThan": "e95d7a8a6edd14f8fab44c777dd7281db91f6ae2",
"status": "affected",
"version": "30696378f68a9e3dad6bfe55938b112e72af00c2",
"versionType": "git"
},
{
"lessThan": "f77990358628b01bdc03752126ff5f716ea37615",
"status": "affected",
"version": "30696378f68a9e3dad6bfe55938b112e72af00c2",
"versionType": "git"
},
{
"lessThan": "25fb4e3402d46f425ec135ef6f09792a4c1b3003",
"status": "affected",
"version": "30696378f68a9e3dad6bfe55938b112e72af00c2",
"versionType": "git"
},
{
"lessThan": "fe8c3623ab06603eb760444a032d426542212021",
"status": "affected",
"version": "30696378f68a9e3dad6bfe55938b112e72af00c2",
"versionType": "git"
},
{
"status": "affected",
"version": "ec7f99261da9a20d63cbd273511a11a2efe698f2",
"versionType": "git"
},
{
"status": "affected",
"version": "f250e4c562a3bd106575032666e9ef46f31231f8",
"versionType": "git"
},
{
"status": "affected",
"version": "fffdbf586866e9500b53c9d4b061d3983720375a",
"versionType": "git"
},
{
"status": "affected",
"version": "9e969ba431b46b1891c88cea36f722f3bfe8a180",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/pstore/ram_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.0"
},
{
"lessThan": "5.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.326",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.257",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.326",
"versionStartIncluding": "4.14.96",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.295",
"versionStartIncluding": "4.19.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.257",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.195",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.132",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.53",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.18.133",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.172",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.153",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.20.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npstore/ram: Check start of empty przs during init\n\nAfter commit 30696378f68a (\"pstore/ram: Do not treat empty buffers as\nvalid\"), initialization would assume a prz was valid after seeing that\nthe buffer_size is zero (regardless of the buffer start position). This\nunchecked start value means it could be outside the bounds of the buffer,\nleading to future access panics when written to:\n\n sysdump_panic_event+0x3b4/0x5b8\n atomic_notifier_call_chain+0x54/0x90\n panic+0x1c8/0x42c\n die+0x29c/0x2a8\n die_kernel_fault+0x68/0x78\n __do_kernel_fault+0x1c4/0x1e0\n do_bad_area+0x40/0x100\n do_translation_fault+0x68/0x80\n do_mem_abort+0x68/0xf8\n el1_da+0x1c/0xc0\n __raw_writeb+0x38/0x174\n __memcpy_toio+0x40/0xac\n persistent_ram_update+0x44/0x12c\n persistent_ram_write+0x1a8/0x1b8\n ramoops_pstore_write+0x198/0x1e8\n pstore_console_write+0x94/0xe0\n ...\n\nTo avoid this, also check if the prz start is 0 during the initialization\nphase. If not, the next prz sanity check case will discover it (start \u003e\nsize) and zap the buffer back to a sane state.\n\n[kees: update commit log with backtrace and clarifications]"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T16:12:06.788Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/89312657337e6e03ad6e9ea1a462bd9c158c85c8"
},
{
"url": "https://git.kernel.org/stable/c/c807ccdd812d18985860504b503899f3140a9549"
},
{
"url": "https://git.kernel.org/stable/c/e972231db29b5d1dccc13bf9d5ba55b6979a69ed"
},
{
"url": "https://git.kernel.org/stable/c/dc2f60de9a7d3efd982440117dab5579898d808c"
},
{
"url": "https://git.kernel.org/stable/c/fedecaeef88899d940b69368c996e8b3b0b8650d"
},
{
"url": "https://git.kernel.org/stable/c/e95d7a8a6edd14f8fab44c777dd7281db91f6ae2"
},
{
"url": "https://git.kernel.org/stable/c/f77990358628b01bdc03752126ff5f716ea37615"
},
{
"url": "https://git.kernel.org/stable/c/25fb4e3402d46f425ec135ef6f09792a4c1b3003"
},
{
"url": "https://git.kernel.org/stable/c/fe8c3623ab06603eb760444a032d426542212021"
}
],
"title": "pstore/ram: Check start of empty przs during init",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53331",
"datePublished": "2025-09-16T16:12:06.788Z",
"dateReserved": "2025-09-16T16:08:59.564Z",
"dateUpdated": "2026-01-14T18:32:59.884Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38506 (GCVE-0-2025-38506)
Vulnerability from cvelistv5 – Published: 2025-08-16 10:54 – Updated: 2025-08-16 10:54
Title
KVM: Allow CPU to reschedule while setting per-page memory attributes
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: Allow CPU to reschedule while setting per-page memory attributes
When running an SEV-SNP guest with a sufficiently large amount of memory (1TB+),
the host can experience CPU soft lockups when running an operation in
kvm_vm_set_mem_attributes() to set memory attributes on the whole
range of guest memory.
watchdog: BUG: soft lockup - CPU#8 stuck for 26s! [qemu-kvm:6372]
CPU: 8 UID: 0 PID: 6372 Comm: qemu-kvm Kdump: loaded Not tainted 6.15.0-rc7.20250520.el9uek.rc1.x86_64 #1 PREEMPT(voluntary)
Hardware name: Oracle Corporation ORACLE SERVER E4-2c/Asm,MB Tray,2U,E4-2c, BIOS 78016600 11/13/2024
RIP: 0010:xas_create+0x78/0x1f0
Code: 00 00 00 41 80 fc 01 0f 84 82 00 00 00 ba 06 00 00 00 bd 06 00 00 00 49 8b 45 08 4d 8d 65 08 41 39 d6 73 20 83 ed 06 48 85 c0 <74> 67 48 89 c2 83 e2 03 48 83 fa 02 75 0c 48 3d 00 10 00 00 0f 87
RSP: 0018:ffffad890a34b940 EFLAGS: 00000286
RAX: ffff96f30b261daa RBX: ffffad890a34b9c8 RCX: 0000000000000000
RDX: 000000000000001e RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000018 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffffad890a356868
R13: ffffad890a356860 R14: 0000000000000000 R15: ffffad890a356868
FS: 00007f5578a2a400(0000) GS:ffff97ed317e1000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f015c70fb18 CR3: 00000001109fd006 CR4: 0000000000f70ef0
PKRU: 55555554
Call Trace:
<TASK>
xas_store+0x58/0x630
__xa_store+0xa5/0x130
xa_store+0x2c/0x50
kvm_vm_set_mem_attributes+0x343/0x710 [kvm]
kvm_vm_ioctl+0x796/0xab0 [kvm]
__x64_sys_ioctl+0xa3/0xd0
do_syscall_64+0x8c/0x7a0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7f5578d031bb
Code: ff ff ff 85 c0 79 9b 49 c7 c4 ff ff ff ff 5b 5d 4c 89 e0 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 2d 4c 0f 00 f7 d8 64 89 01 48
RSP: 002b:00007ffe0a742b88 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 000000004020aed2 RCX: 00007f5578d031bb
RDX: 00007ffe0a742c80 RSI: 000000004020aed2 RDI: 000000000000000b
RBP: 0000010000000000 R08: 0000010000000000 R09: 0000017680000000
R10: 0000000000000080 R11: 0000000000000246 R12: 00005575e5f95120
R13: 00007ffe0a742c80 R14: 0000000000000008 R15: 00005575e5f961e0
While looping through the range of memory setting the attributes,
call cond_resched() to give the scheduler a chance to run a higher
priority task on the runqueue if necessary and avoid staying in
kernel mode long enough to trigger the lockup.
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 5a475554db1e476a14216e742ea2bdb77362d5d5 , < d9bd1163c8d8f716f45e54d034ee28757cc85549 (git) |
| Linux | Linux | Affected: 5a475554db1e476a14216e742ea2bdb77362d5d5 , < 1ef45ae7a3938f0844032ba670b4f89180a5bffc (git) |
| Linux | Linux | Affected: 5a475554db1e476a14216e742ea2bdb77362d5d5 , < 47bb584237cc285e3a860b70c01f7bda9dcfb05b (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"virt/kvm/kvm_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d9bd1163c8d8f716f45e54d034ee28757cc85549",
"status": "affected",
"version": "5a475554db1e476a14216e742ea2bdb77362d5d5",
"versionType": "git"
},
{
"lessThan": "1ef45ae7a3938f0844032ba670b4f89180a5bffc",
"status": "affected",
"version": "5a475554db1e476a14216e742ea2bdb77362d5d5",
"versionType": "git"
},
{
"lessThan": "47bb584237cc285e3a860b70c01f7bda9dcfb05b",
"status": "affected",
"version": "5a475554db1e476a14216e742ea2bdb77362d5d5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"virt/kvm/kvm_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.39",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.7",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: Allow CPU to reschedule while setting per-page memory attributes\n\nWhen running an SEV-SNP guest with a sufficiently large amount of memory (1TB+),\nthe host can experience CPU soft lockups when running an operation in\nkvm_vm_set_mem_attributes() to set memory attributes on the whole\nrange of guest memory.\n\nwatchdog: BUG: soft lockup - CPU#8 stuck for 26s! [qemu-kvm:6372]\nCPU: 8 UID: 0 PID: 6372 Comm: qemu-kvm Kdump: loaded Not tainted 6.15.0-rc7.20250520.el9uek.rc1.x86_64 #1 PREEMPT(voluntary)\nHardware name: Oracle Corporation ORACLE SERVER E4-2c/Asm,MB Tray,2U,E4-2c, BIOS 78016600 11/13/2024\nRIP: 0010:xas_create+0x78/0x1f0\nCode: 00 00 00 41 80 fc 01 0f 84 82 00 00 00 ba 06 00 00 00 bd 06 00 00 00 49 8b 45 08 4d 8d 65 08 41 39 d6 73 20 83 ed 06 48 85 c0 \u003c74\u003e 67 48 89 c2 83 e2 03 48 83 fa 02 75 0c 48 3d 00 10 00 00 0f 87\nRSP: 0018:ffffad890a34b940 EFLAGS: 00000286\nRAX: ffff96f30b261daa RBX: ffffad890a34b9c8 RCX: 0000000000000000\nRDX: 000000000000001e RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000000000018 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: ffffad890a356868\nR13: ffffad890a356860 R14: 0000000000000000 R15: ffffad890a356868\nFS: 00007f5578a2a400(0000) GS:ffff97ed317e1000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f015c70fb18 CR3: 00000001109fd006 CR4: 0000000000f70ef0\nPKRU: 55555554\nCall Trace:\n \u003cTASK\u003e\n xas_store+0x58/0x630\n __xa_store+0xa5/0x130\n xa_store+0x2c/0x50\n kvm_vm_set_mem_attributes+0x343/0x710 [kvm]\n kvm_vm_ioctl+0x796/0xab0 [kvm]\n __x64_sys_ioctl+0xa3/0xd0\n do_syscall_64+0x8c/0x7a0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\nRIP: 0033:0x7f5578d031bb\nCode: ff ff ff 85 c0 79 9b 49 c7 c4 ff ff ff ff 5b 5d 4c 89 e0 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 8b 0d 2d 4c 0f 00 f7 d8 64 89 01 48\nRSP: 002b:00007ffe0a742b88 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 000000004020aed2 RCX: 00007f5578d031bb\nRDX: 00007ffe0a742c80 RSI: 000000004020aed2 RDI: 000000000000000b\nRBP: 0000010000000000 R08: 0000010000000000 R09: 0000017680000000\nR10: 0000000000000080 R11: 0000000000000246 R12: 00005575e5f95120\nR13: 00007ffe0a742c80 R14: 0000000000000008 R15: 00005575e5f961e0\n\nWhile looping through the range of memory setting the attributes,\ncall cond_resched() to give the scheduler a chance to run a higher\npriority task on the runqueue if necessary and avoid staying in\nkernel mode long enough to trigger the lockup."
}
],
"providerMetadata": {
"dateUpdated": "2025-08-16T10:54:43.826Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d9bd1163c8d8f716f45e54d034ee28757cc85549"
},
{
"url": "https://git.kernel.org/stable/c/1ef45ae7a3938f0844032ba670b4f89180a5bffc"
},
{
"url": "https://git.kernel.org/stable/c/47bb584237cc285e3a860b70c01f7bda9dcfb05b"
}
],
"title": "KVM: Allow CPU to reschedule while setting per-page memory attributes",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38506",
"datePublished": "2025-08-16T10:54:43.826Z",
"dateReserved": "2025-04-16T04:51:24.022Z",
"dateUpdated": "2025-08-16T10:54:43.826Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53165 (GCVE-0-2023-53165)
Vulnerability from cvelistv5 – Published: 2025-09-15 14:03 – Updated: 2025-10-29 10:50
Title
udf: Fix uninitialized array access for some pathnames
Summary
In the Linux kernel, the following vulnerability has been resolved:
udf: Fix uninitialized array access for some pathnames
For filenames that begin with . and are between 2 and 5 characters long,
UDF charset conversion code would read uninitialized memory in the
output buffer. The only practical impact is that the name may be prepended a
"unification hash" when it is not actually needed but still it is good
to fix this.
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 484a10f49387e4386bf2708532e75bf78ffea2cb , < 008ae78d1e12efa904dc819b1ec83e2bca6b2c56 (git) |
| Linux | Linux | Affected: 484a10f49387e4386bf2708532e75bf78ffea2cb , < b37f998d357102e8eb0f8eeb33f03fff22e49cbf (git) |
| Linux | Linux | Affected: 484a10f49387e4386bf2708532e75bf78ffea2cb , < 3f1368af47acf4d0b2a5fb0d2c0d6919d2234b6d (git) |
| Linux | Linux | Affected: 484a10f49387e4386bf2708532e75bf78ffea2cb , < 4503f6fc95d6dee85fb2c54785848799e192c51c (git) |
| Linux | Linux | Affected: 484a10f49387e4386bf2708532e75bf78ffea2cb , < 985f9666698960dfc87a106d6314203fa90fda75 (git) |
| Linux | Linux | Affected: 484a10f49387e4386bf2708532e75bf78ffea2cb , < a6824149809395dfbb5bc36bc7057cc3cb84e56d (git) |
| Linux | Linux | Affected: 484a10f49387e4386bf2708532e75bf78ffea2cb , < 4d50988da0db167aed6f38685145cb5cd526c4f8 (git) |
| Linux | Linux | Affected: 484a10f49387e4386bf2708532e75bf78ffea2cb , < 028f6055c912588e6f72722d89c30b401bbcf013 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/udf/unicode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "008ae78d1e12efa904dc819b1ec83e2bca6b2c56",
"status": "affected",
"version": "484a10f49387e4386bf2708532e75bf78ffea2cb",
"versionType": "git"
},
{
"lessThan": "b37f998d357102e8eb0f8eeb33f03fff22e49cbf",
"status": "affected",
"version": "484a10f49387e4386bf2708532e75bf78ffea2cb",
"versionType": "git"
},
{
"lessThan": "3f1368af47acf4d0b2a5fb0d2c0d6919d2234b6d",
"status": "affected",
"version": "484a10f49387e4386bf2708532e75bf78ffea2cb",
"versionType": "git"
},
{
"lessThan": "4503f6fc95d6dee85fb2c54785848799e192c51c",
"status": "affected",
"version": "484a10f49387e4386bf2708532e75bf78ffea2cb",
"versionType": "git"
},
{
"lessThan": "985f9666698960dfc87a106d6314203fa90fda75",
"status": "affected",
"version": "484a10f49387e4386bf2708532e75bf78ffea2cb",
"versionType": "git"
},
{
"lessThan": "a6824149809395dfbb5bc36bc7057cc3cb84e56d",
"status": "affected",
"version": "484a10f49387e4386bf2708532e75bf78ffea2cb",
"versionType": "git"
},
{
"lessThan": "4d50988da0db167aed6f38685145cb5cd526c4f8",
"status": "affected",
"version": "484a10f49387e4386bf2708532e75bf78ffea2cb",
"versionType": "git"
},
{
"lessThan": "028f6055c912588e6f72722d89c30b401bbcf013",
"status": "affected",
"version": "484a10f49387e4386bf2708532e75bf78ffea2cb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/udf/unicode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.6"
},
{
"lessThan": "4.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.324",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.293",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.255",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.192",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.123",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.324",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.293",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.255",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.192",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.123",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.42",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "4.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nudf: Fix uninitialized array access for some pathnames\n\nFor filenames that begin with . and are between 2 and 5 characters long,\nUDF charset conversion code would read uninitialized memory in the\noutput buffer. The only practical impact is that the name may be prepended a\n\"unification hash\" when it is not actually needed but still it is good\nto fix this."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-29T10:50:22.490Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/008ae78d1e12efa904dc819b1ec83e2bca6b2c56"
},
{
"url": "https://git.kernel.org/stable/c/b37f998d357102e8eb0f8eeb33f03fff22e49cbf"
},
{
"url": "https://git.kernel.org/stable/c/3f1368af47acf4d0b2a5fb0d2c0d6919d2234b6d"
},
{
"url": "https://git.kernel.org/stable/c/4503f6fc95d6dee85fb2c54785848799e192c51c"
},
{
"url": "https://git.kernel.org/stable/c/985f9666698960dfc87a106d6314203fa90fda75"
},
{
"url": "https://git.kernel.org/stable/c/a6824149809395dfbb5bc36bc7057cc3cb84e56d"
},
{
"url": "https://git.kernel.org/stable/c/4d50988da0db167aed6f38685145cb5cd526c4f8"
},
{
"url": "https://git.kernel.org/stable/c/028f6055c912588e6f72722d89c30b401bbcf013"
}
],
"title": "udf: Fix uninitialized array access for some pathnames",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53165",
"datePublished": "2025-09-15T14:03:53.987Z",
"dateReserved": "2025-09-15T13:59:19.063Z",
"dateUpdated": "2025-10-29T10:50:22.490Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38601 (GCVE-0-2025-38601)
Vulnerability from cvelistv5 – Published: 2025-08-19 17:03 – Updated: 2025-11-03 17:40
Title
wifi: ath11k: clear initialized flag for deinit-ed srng lists
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath11k: clear initialized flag for deinit-ed srng lists
In a number of cases we see kernel panics on resume due
to ath11k kernel page fault, which happens under the
following circumstances:
1) First ath11k_hal_dump_srng_stats() call
Last interrupt received for each group:
ath11k_pci 0000:01:00.0: group_id 0 22511ms before
ath11k_pci 0000:01:00.0: group_id 1 14440788ms before
[..]
ath11k_pci 0000:01:00.0: failed to receive control response completion, polling..
ath11k_pci 0000:01:00.0: Service connect timeout
ath11k_pci 0000:01:00.0: failed to connect to HTT: -110
ath11k_pci 0000:01:00.0: failed to start core: -110
ath11k_pci 0000:01:00.0: firmware crashed: MHI_CB_EE_RDDM
ath11k_pci 0000:01:00.0: already resetting count 2
ath11k_pci 0000:01:00.0: failed to wait wlan mode request (mode 4): -110
ath11k_pci 0000:01:00.0: qmi failed to send wlan mode off: -110
ath11k_pci 0000:01:00.0: failed to reconfigure driver on crash recovery
[..]
2) At this point reconfiguration fails (we have 2 resets) and
ath11k_core_reconfigure_on_crash() calls ath11k_hal_srng_deinit()
which destroys srng lists. However, it does not reset per-list
->initialized flag.
3) Second ath11k_hal_dump_srng_stats() call sees stale ->initialized
flag and attempts to dump srng stats:
Last interrupt received for each group:
ath11k_pci 0000:01:00.0: group_id 0 66785ms before
ath11k_pci 0000:01:00.0: group_id 1 14485062ms before
ath11k_pci 0000:01:00.0: group_id 2 14485062ms before
ath11k_pci 0000:01:00.0: group_id 3 14485062ms before
ath11k_pci 0000:01:00.0: group_id 4 14780845ms before
ath11k_pci 0000:01:00.0: group_id 5 14780845ms before
ath11k_pci 0000:01:00.0: group_id 6 14485062ms before
ath11k_pci 0000:01:00.0: group_id 7 66814ms before
ath11k_pci 0000:01:00.0: group_id 8 68997ms before
ath11k_pci 0000:01:00.0: group_id 9 67588ms before
ath11k_pci 0000:01:00.0: group_id 10 69511ms before
BUG: unable to handle page fault for address: ffffa007404eb010
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 100000067 P4D 100000067 PUD 10022d067 PMD 100b01067 PTE 0
Oops: 0000 [#1] PREEMPT SMP NOPTI
RIP: 0010:ath11k_hal_dump_srng_stats+0x2b4/0x3b0 [ath11k]
Call Trace:
<TASK>
? __die_body+0xae/0xb0
? page_fault_oops+0x381/0x3e0
? exc_page_fault+0x69/0xa0
? asm_exc_page_fault+0x22/0x30
? ath11k_hal_dump_srng_stats+0x2b4/0x3b0 [ath11k (HASH:6cea 4)]
ath11k_qmi_driver_event_work+0xbd/0x1050 [ath11k (HASH:6cea 4)]
worker_thread+0x389/0x930
kthread+0x149/0x170
Clear per-list ->initialized flag in ath11k_hal_srng_deinit().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 5118935b1bc28d0bce9427e584e11e905e68ee9a , < 3a6daae987a829534636fd85ed6f84d5f0ad7fa4 (git) Affected: 5118935b1bc28d0bce9427e584e11e905e68ee9a , < eff3bb53c18c0ed4ab6f43d412b3ed3aecad52d5 (git) Affected: 5118935b1bc28d0bce9427e584e11e905e68ee9a , < 916ac18d526a26f6072866b1a97622cf1351ef1c (git) Affected: 5118935b1bc28d0bce9427e584e11e905e68ee9a , < 5bf201c55fdf303e79005038648dfa1e8af48f54 (git) Affected: 5118935b1bc28d0bce9427e584e11e905e68ee9a , < 72a48be1f53942793f3bc68a37fad1f38b53b082 (git) Affected: 5118935b1bc28d0bce9427e584e11e905e68ee9a , < 0ebb5fe494501c19f31270008b26ab95201af6fd (git) Affected: 5118935b1bc28d0bce9427e584e11e905e68ee9a , < 16872194c80f2724472fc207991712895ac8a230 (git) Affected: 5118935b1bc28d0bce9427e584e11e905e68ee9a , < a5b46aa7cf5f05c213316a018e49a8e086efd98e (git) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:40:15.658Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath11k/hal.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3a6daae987a829534636fd85ed6f84d5f0ad7fa4",
"status": "affected",
"version": "5118935b1bc28d0bce9427e584e11e905e68ee9a",
"versionType": "git"
},
{
"lessThan": "eff3bb53c18c0ed4ab6f43d412b3ed3aecad52d5",
"status": "affected",
"version": "5118935b1bc28d0bce9427e584e11e905e68ee9a",
"versionType": "git"
},
{
"lessThan": "916ac18d526a26f6072866b1a97622cf1351ef1c",
"status": "affected",
"version": "5118935b1bc28d0bce9427e584e11e905e68ee9a",
"versionType": "git"
},
{
"lessThan": "5bf201c55fdf303e79005038648dfa1e8af48f54",
"status": "affected",
"version": "5118935b1bc28d0bce9427e584e11e905e68ee9a",
"versionType": "git"
},
{
"lessThan": "72a48be1f53942793f3bc68a37fad1f38b53b082",
"status": "affected",
"version": "5118935b1bc28d0bce9427e584e11e905e68ee9a",
"versionType": "git"
},
{
"lessThan": "0ebb5fe494501c19f31270008b26ab95201af6fd",
"status": "affected",
"version": "5118935b1bc28d0bce9427e584e11e905e68ee9a",
"versionType": "git"
},
{
"lessThan": "16872194c80f2724472fc207991712895ac8a230",
"status": "affected",
"version": "5118935b1bc28d0bce9427e584e11e905e68ee9a",
"versionType": "git"
},
{
"lessThan": "a5b46aa7cf5f05c213316a018e49a8e086efd98e",
"status": "affected",
"version": "5118935b1bc28d0bce9427e584e11e905e68ee9a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath11k/hal.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.148",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.102",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.148",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.102",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.42",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.10",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: clear initialized flag for deinit-ed srng lists\n\nIn a number of cases we see kernel panics on resume due\nto ath11k kernel page fault, which happens under the\nfollowing circumstances:\n\n1) First ath11k_hal_dump_srng_stats() call\n\n Last interrupt received for each group:\n ath11k_pci 0000:01:00.0: group_id 0 22511ms before\n ath11k_pci 0000:01:00.0: group_id 1 14440788ms before\n [..]\n ath11k_pci 0000:01:00.0: failed to receive control response completion, polling..\n ath11k_pci 0000:01:00.0: Service connect timeout\n ath11k_pci 0000:01:00.0: failed to connect to HTT: -110\n ath11k_pci 0000:01:00.0: failed to start core: -110\n ath11k_pci 0000:01:00.0: firmware crashed: MHI_CB_EE_RDDM\n ath11k_pci 0000:01:00.0: already resetting count 2\n ath11k_pci 0000:01:00.0: failed to wait wlan mode request (mode 4): -110\n ath11k_pci 0000:01:00.0: qmi failed to send wlan mode off: -110\n ath11k_pci 0000:01:00.0: failed to reconfigure driver on crash recovery\n [..]\n\n2) At this point reconfiguration fails (we have 2 resets) and\n ath11k_core_reconfigure_on_crash() calls ath11k_hal_srng_deinit()\n which destroys srng lists. However, it does not reset per-list\n -\u003einitialized flag.\n\n3) Second ath11k_hal_dump_srng_stats() call sees stale -\u003einitialized\n flag and attempts to dump srng stats:\n\n Last interrupt received for each group:\n ath11k_pci 0000:01:00.0: group_id 0 66785ms before\n ath11k_pci 0000:01:00.0: group_id 1 14485062ms before\n ath11k_pci 0000:01:00.0: group_id 2 14485062ms before\n ath11k_pci 0000:01:00.0: group_id 3 14485062ms before\n ath11k_pci 0000:01:00.0: group_id 4 14780845ms before\n ath11k_pci 0000:01:00.0: group_id 5 14780845ms before\n ath11k_pci 0000:01:00.0: group_id 6 14485062ms before\n ath11k_pci 0000:01:00.0: group_id 7 66814ms before\n ath11k_pci 0000:01:00.0: group_id 8 68997ms before\n ath11k_pci 0000:01:00.0: group_id 9 67588ms before\n ath11k_pci 0000:01:00.0: group_id 10 69511ms before\n BUG: unable to handle page fault for address: ffffa007404eb010\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 100000067 P4D 100000067 PUD 10022d067 PMD 100b01067 PTE 0\n Oops: 0000 [#1] PREEMPT SMP NOPTI\n RIP: 0010:ath11k_hal_dump_srng_stats+0x2b4/0x3b0 [ath11k]\n Call Trace:\n \u003cTASK\u003e\n ? __die_body+0xae/0xb0\n ? page_fault_oops+0x381/0x3e0\n ? exc_page_fault+0x69/0xa0\n ? asm_exc_page_fault+0x22/0x30\n ? ath11k_hal_dump_srng_stats+0x2b4/0x3b0 [ath11k (HASH:6cea 4)]\n ath11k_qmi_driver_event_work+0xbd/0x1050 [ath11k (HASH:6cea 4)]\n worker_thread+0x389/0x930\n kthread+0x149/0x170\n\nClear per-list -\u003einitialized flag in ath11k_hal_srng_deinit()."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:54:35.931Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3a6daae987a829534636fd85ed6f84d5f0ad7fa4"
},
{
"url": "https://git.kernel.org/stable/c/eff3bb53c18c0ed4ab6f43d412b3ed3aecad52d5"
},
{
"url": "https://git.kernel.org/stable/c/916ac18d526a26f6072866b1a97622cf1351ef1c"
},
{
"url": "https://git.kernel.org/stable/c/5bf201c55fdf303e79005038648dfa1e8af48f54"
},
{
"url": "https://git.kernel.org/stable/c/72a48be1f53942793f3bc68a37fad1f38b53b082"
},
{
"url": "https://git.kernel.org/stable/c/0ebb5fe494501c19f31270008b26ab95201af6fd"
},
{
"url": "https://git.kernel.org/stable/c/16872194c80f2724472fc207991712895ac8a230"
},
{
"url": "https://git.kernel.org/stable/c/a5b46aa7cf5f05c213316a018e49a8e086efd98e"
}
],
"title": "wifi: ath11k: clear initialized flag for deinit-ed srng lists",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38601",
"datePublished": "2025-08-19T17:03:35.798Z",
"dateReserved": "2025-04-16T04:51:24.028Z",
"dateUpdated": "2025-11-03T17:40:15.658Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53385 (GCVE-0-2023-53385)
Vulnerability from cvelistv5 – Published: 2025-09-18 13:33 – Updated: 2026-01-14 19:03
Title
media: mdp3: Fix resource leaks in of_find_device_by_node
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: mdp3: Fix resource leaks in of_find_device_by_node
Use put_device to release the object obtained through of_find_device_by_node,
avoiding resource leaks.
Severity ?
5.5 (Medium)
CWE
- CWE-401 - Missing Release of Memory after Effective Lifetime
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 61890ccaefaff89f5babd2c8412fd222c3f5fe38 , < 8ba9d91c8f21f070af2049f114c206a8f2d5c71e (git) Affected: 61890ccaefaff89f5babd2c8412fd222c3f5fe38 , < fa481125bc4ca8edc1a4c62fe53486ac9a817593 (git) Affected: 61890ccaefaff89f5babd2c8412fd222c3f5fe38 , < 35ca8ce495366909b4c2e701d1356570dd40c4e2 (git) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-53385",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T18:57:30.830156Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T19:03:04.810Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/platform/mediatek/mdp3/mtk-mdp3-comp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8ba9d91c8f21f070af2049f114c206a8f2d5c71e",
"status": "affected",
"version": "61890ccaefaff89f5babd2c8412fd222c3f5fe38",
"versionType": "git"
},
{
"lessThan": "fa481125bc4ca8edc1a4c62fe53486ac9a817593",
"status": "affected",
"version": "61890ccaefaff89f5babd2c8412fd222c3f5fe38",
"versionType": "git"
},
{
"lessThan": "35ca8ce495366909b4c2e701d1356570dd40c4e2",
"status": "affected",
"version": "61890ccaefaff89f5babd2c8412fd222c3f5fe38",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/platform/mediatek/mdp3/mtk-mdp3-comp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.55",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.5",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mdp3: Fix resource leaks in of_find_device_by_node\n\nUse put_device to release the object get through of_find_device_by_node,\navoiding resource leaks."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T10:47:37.027Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8ba9d91c8f21f070af2049f114c206a8f2d5c71e"
},
{
"url": "https://git.kernel.org/stable/c/fa481125bc4ca8edc1a4c62fe53486ac9a817593"
},
{
"url": "https://git.kernel.org/stable/c/35ca8ce495366909b4c2e701d1356570dd40c4e2"
}
],
"title": "media: mdp3: Fix resource leaks in of_find_device_by_node",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53385",
"datePublished": "2025-09-18T13:33:29.175Z",
"dateReserved": "2025-09-17T14:54:09.737Z",
"dateUpdated": "2026-01-14T19:03:04.810Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53204 (GCVE-0-2023-53204)
Vulnerability from cvelistv5 – Published: 2025-09-15 14:21 – Updated: 2025-09-15 14:21
Title
af_unix: Fix data-races around user->unix_inflight.
Summary
In the Linux kernel, the following vulnerability has been resolved:
af_unix: Fix data-races around user->unix_inflight.
user->unix_inflight is changed under spin_lock(unix_gc_lock),
but too_many_unix_fds() reads it locklessly.
Let's annotate the write/read accesses to user->unix_inflight.
BUG: KCSAN: data-race in unix_attach_fds / unix_inflight
write to 0xffffffff8546f2d0 of 8 bytes by task 44798 on cpu 1:
unix_inflight+0x157/0x180 net/unix/scm.c:66
unix_attach_fds+0x147/0x1e0 net/unix/scm.c:123
unix_scm_to_skb net/unix/af_unix.c:1827 [inline]
unix_dgram_sendmsg+0x46a/0x14f0 net/unix/af_unix.c:1950
unix_seqpacket_sendmsg net/unix/af_unix.c:2308 [inline]
unix_seqpacket_sendmsg+0xba/0x130 net/unix/af_unix.c:2292
sock_sendmsg_nosec net/socket.c:725 [inline]
sock_sendmsg+0x148/0x160 net/socket.c:748
____sys_sendmsg+0x4e4/0x610 net/socket.c:2494
___sys_sendmsg+0xc6/0x140 net/socket.c:2548
__sys_sendmsg+0x94/0x140 net/socket.c:2577
__do_sys_sendmsg net/socket.c:2586 [inline]
__se_sys_sendmsg net/socket.c:2584 [inline]
__x64_sys_sendmsg+0x45/0x50 net/socket.c:2584
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x6e/0xd8
read to 0xffffffff8546f2d0 of 8 bytes by task 44814 on cpu 0:
too_many_unix_fds net/unix/scm.c:101 [inline]
unix_attach_fds+0x54/0x1e0 net/unix/scm.c:110
unix_scm_to_skb net/unix/af_unix.c:1827 [inline]
unix_dgram_sendmsg+0x46a/0x14f0 net/unix/af_unix.c:1950
unix_seqpacket_sendmsg net/unix/af_unix.c:2308 [inline]
unix_seqpacket_sendmsg+0xba/0x130 net/unix/af_unix.c:2292
sock_sendmsg_nosec net/socket.c:725 [inline]
sock_sendmsg+0x148/0x160 net/socket.c:748
____sys_sendmsg+0x4e4/0x610 net/socket.c:2494
___sys_sendmsg+0xc6/0x140 net/socket.c:2548
__sys_sendmsg+0x94/0x140 net/socket.c:2577
__do_sys_sendmsg net/socket.c:2586 [inline]
__se_sys_sendmsg net/socket.c:2584 [inline]
__x64_sys_sendmsg+0x45/0x50 net/socket.c:2584
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x6e/0xd8
value changed: 0x000000000000000c -> 0x000000000000000d
Reported by Kernel Concurrency Sanitizer on:
CPU: 0 PID: 44814 Comm: systemd-coredum Not tainted 6.4.0-11989-g6843306689af #6
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 712f4aad406bb1ed67f3f98d04c044191f0ff593 , < df97b5ea9f3ac9308c3a633524dab382cd59d9e5 (git) Affected: 712f4aad406bb1ed67f3f98d04c044191f0ff593 , < 03d133dfbcec9d439729cc64706c7eb6d1663a24 (git) Affected: 712f4aad406bb1ed67f3f98d04c044191f0ff593 , < adcf4e069358cdee8593663650ea447215a1c49e (git) Affected: 712f4aad406bb1ed67f3f98d04c044191f0ff593 , < b401d7e485b0a234cf8fe9a6ae99dbcd20863138 (git) Affected: 712f4aad406bb1ed67f3f98d04c044191f0ff593 , < 9151ed4b006125cba7c06c79df504340ea4e9386 (git) Affected: 712f4aad406bb1ed67f3f98d04c044191f0ff593 , < b9cdbb38e030fc2fe97fe27b54cbb6b4fbff250f (git) Affected: 712f4aad406bb1ed67f3f98d04c044191f0ff593 , < ac92f239a079678a035c0faad9089354a874aede (git) Affected: 712f4aad406bb1ed67f3f98d04c044191f0ff593 , < 0bc36c0650b21df36fbec8136add83936eaf0607 (git) Affected: a5a6cf8c405e826ff7ed1308dde72560c0ed4854 (git) Affected: df87da0783c4492b944badfea9d5c3c56b834697 (git) Affected: 3d024dcef2548028e9f9b7876a544e6e0af00175 (git) Affected: aa51d1c24ec3b6605f7cc7ef500c96cd71d7ef90 (git) Affected: a5b9e44af8d3edaf49d14a91cc519a9fba439e67 (git) Affected: dc6b0ec667f67d4768e72c1b7f1bbc14ea52379c (git) Affected: 9b8b611fe0f86f07a4ff4a5f3bcb0ea7ceb7da3b (git) Affected: 5e226f9689d90ad8ab21b4a969ae3058777f0aff (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/unix/scm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "df97b5ea9f3ac9308c3a633524dab382cd59d9e5",
"status": "affected",
"version": "712f4aad406bb1ed67f3f98d04c044191f0ff593",
"versionType": "git"
},
{
"lessThan": "03d133dfbcec9d439729cc64706c7eb6d1663a24",
"status": "affected",
"version": "712f4aad406bb1ed67f3f98d04c044191f0ff593",
"versionType": "git"
},
{
"lessThan": "adcf4e069358cdee8593663650ea447215a1c49e",
"status": "affected",
"version": "712f4aad406bb1ed67f3f98d04c044191f0ff593",
"versionType": "git"
},
{
"lessThan": "b401d7e485b0a234cf8fe9a6ae99dbcd20863138",
"status": "affected",
"version": "712f4aad406bb1ed67f3f98d04c044191f0ff593",
"versionType": "git"
},
{
"lessThan": "9151ed4b006125cba7c06c79df504340ea4e9386",
"status": "affected",
"version": "712f4aad406bb1ed67f3f98d04c044191f0ff593",
"versionType": "git"
},
{
"lessThan": "b9cdbb38e030fc2fe97fe27b54cbb6b4fbff250f",
"status": "affected",
"version": "712f4aad406bb1ed67f3f98d04c044191f0ff593",
"versionType": "git"
},
{
"lessThan": "ac92f239a079678a035c0faad9089354a874aede",
"status": "affected",
"version": "712f4aad406bb1ed67f3f98d04c044191f0ff593",
"versionType": "git"
},
{
"lessThan": "0bc36c0650b21df36fbec8136add83936eaf0607",
"status": "affected",
"version": "712f4aad406bb1ed67f3f98d04c044191f0ff593",
"versionType": "git"
},
{
"status": "affected",
"version": "a5a6cf8c405e826ff7ed1308dde72560c0ed4854",
"versionType": "git"
},
{
"status": "affected",
"version": "df87da0783c4492b944badfea9d5c3c56b834697",
"versionType": "git"
},
{
"status": "affected",
"version": "3d024dcef2548028e9f9b7876a544e6e0af00175",
"versionType": "git"
},
{
"status": "affected",
"version": "aa51d1c24ec3b6605f7cc7ef500c96cd71d7ef90",
"versionType": "git"
},
{
"status": "affected",
"version": "a5b9e44af8d3edaf49d14a91cc519a9fba439e67",
"versionType": "git"
},
{
"status": "affected",
"version": "dc6b0ec667f67d4768e72c1b7f1bbc14ea52379c",
"versionType": "git"
},
{
"status": "affected",
"version": "9b8b611fe0f86f07a4ff4a5f3bcb0ea7ceb7da3b",
"versionType": "git"
},
{
"status": "affected",
"version": "5e226f9689d90ad8ab21b4a969ae3058777f0aff",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/unix/scm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.5"
},
{
"lessThan": "4.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.326",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.257",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.326",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.295",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.257",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.195",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.132",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.54",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.4",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.2.78",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.10.96",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.12.57",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.14.60",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.18.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.1.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Fix data-races around user-\u003eunix_inflight.\n\nuser-\u003eunix_inflight is changed under spin_lock(unix_gc_lock),\nbut too_many_unix_fds() reads it locklessly.\n\nLet\u0027s annotate the write/read accesses to user-\u003eunix_inflight.\n\nBUG: KCSAN: data-race in unix_attach_fds / unix_inflight\n\nwrite to 0xffffffff8546f2d0 of 8 bytes by task 44798 on cpu 1:\n unix_inflight+0x157/0x180 net/unix/scm.c:66\n unix_attach_fds+0x147/0x1e0 net/unix/scm.c:123\n unix_scm_to_skb net/unix/af_unix.c:1827 [inline]\n unix_dgram_sendmsg+0x46a/0x14f0 net/unix/af_unix.c:1950\n unix_seqpacket_sendmsg net/unix/af_unix.c:2308 [inline]\n unix_seqpacket_sendmsg+0xba/0x130 net/unix/af_unix.c:2292\n sock_sendmsg_nosec net/socket.c:725 [inline]\n sock_sendmsg+0x148/0x160 net/socket.c:748\n ____sys_sendmsg+0x4e4/0x610 net/socket.c:2494\n ___sys_sendmsg+0xc6/0x140 net/socket.c:2548\n __sys_sendmsg+0x94/0x140 net/socket.c:2577\n __do_sys_sendmsg net/socket.c:2586 [inline]\n __se_sys_sendmsg net/socket.c:2584 [inline]\n __x64_sys_sendmsg+0x45/0x50 net/socket.c:2584\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n\nread to 0xffffffff8546f2d0 of 8 bytes by task 44814 on cpu 0:\n too_many_unix_fds net/unix/scm.c:101 [inline]\n unix_attach_fds+0x54/0x1e0 net/unix/scm.c:110\n unix_scm_to_skb net/unix/af_unix.c:1827 [inline]\n unix_dgram_sendmsg+0x46a/0x14f0 net/unix/af_unix.c:1950\n unix_seqpacket_sendmsg net/unix/af_unix.c:2308 [inline]\n unix_seqpacket_sendmsg+0xba/0x130 net/unix/af_unix.c:2292\n sock_sendmsg_nosec net/socket.c:725 [inline]\n sock_sendmsg+0x148/0x160 net/socket.c:748\n ____sys_sendmsg+0x4e4/0x610 net/socket.c:2494\n ___sys_sendmsg+0xc6/0x140 net/socket.c:2548\n __sys_sendmsg+0x94/0x140 net/socket.c:2577\n __do_sys_sendmsg net/socket.c:2586 [inline]\n __se_sys_sendmsg net/socket.c:2584 [inline]\n __x64_sys_sendmsg+0x45/0x50 net/socket.c:2584\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n\nvalue changed: 0x000000000000000c -\u003e 0x000000000000000d\n\nReported by Kernel Concurrency Sanitizer on:\nCPU: 0 PID: 44814 Comm: systemd-coredum Not tainted 6.4.0-11989-g6843306689af #6\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T14:21:32.696Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/df97b5ea9f3ac9308c3a633524dab382cd59d9e5"
},
{
"url": "https://git.kernel.org/stable/c/03d133dfbcec9d439729cc64706c7eb6d1663a24"
},
{
"url": "https://git.kernel.org/stable/c/adcf4e069358cdee8593663650ea447215a1c49e"
},
{
"url": "https://git.kernel.org/stable/c/b401d7e485b0a234cf8fe9a6ae99dbcd20863138"
},
{
"url": "https://git.kernel.org/stable/c/9151ed4b006125cba7c06c79df504340ea4e9386"
},
{
"url": "https://git.kernel.org/stable/c/b9cdbb38e030fc2fe97fe27b54cbb6b4fbff250f"
},
{
"url": "https://git.kernel.org/stable/c/ac92f239a079678a035c0faad9089354a874aede"
},
{
"url": "https://git.kernel.org/stable/c/0bc36c0650b21df36fbec8136add83936eaf0607"
}
],
"title": "af_unix: Fix data-races around user-\u003eunix_inflight.",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53204",
"datePublished": "2025-09-15T14:21:32.696Z",
"dateReserved": "2025-09-15T13:59:19.068Z",
"dateUpdated": "2025-09-15T14:21:32.696Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-22023 (GCVE-0-2025-22023)
Vulnerability from cvelistv5 – Published: 2025-04-16 10:23 – Updated: 2025-05-26 05:16
Title
usb: xhci: Don't skip on Stopped - Length Invalid
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: xhci: Don't skip on Stopped - Length Invalid
Up until commit d56b0b2ab142 ("usb: xhci: ensure skipped isoc TDs are
returned when isoc ring is stopped") in v6.11, the driver didn't skip
missed isochronous TDs when handling Stopped and Stopped - Length
Invalid events. Instead, it erroneously cleared the skip flag, which
would cause the ring to get stuck, as future events won't match the
missed TD which is never removed from the queue until it's cancelled.
This buggy logic seems to have been in place substantially unchanged
since the 3.x series over 10 years ago, which probably speaks first
and foremost about relative rarity of this case in normal usage, but
by the spec I see no reason why it shouldn't be possible.
After d56b0b2ab142, TDs are immediately skipped when handling those
Stopped events. This poses a potential problem in case of Stopped -
Length Invalid, which occurs either on completed TDs (likely already
given back) or Link and No-Op TRBs. Such event won't be recognized
as matching any TD (unless it's the rare Link TRB inside a TD) and
will result in skipping all pending TDs, giving them back possibly
before they are done, risking isoc data loss and maybe UAF by HW.
As a compromise, don't skip and don't clear the skip flag on this
kind of event. Then the next event will skip missed TDs. A downside
of not handling Stopped - Length Invalid on a Link inside a TD is
that if the TD is cancelled, its actual length will not be updated
to account for TRBs (silently) completed before the TD was stopped.
I had no luck producing this sequence of completion events so there
is no compelling demonstration of any resulting disaster. It may be
a very rare, obscure condition. The sole motivation for this patch
is that if such unlikely event does occur, I'd rather risk reporting
a cancelled partially done isoc frame as empty than gamble with UAF.
This will be fixed more properly by looking at Stopped event's TRB
pointer when making skipping decisions, but such rework is unlikely
to be backported to v6.12, which will stay around for a few years.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: d56b0b2ab142940b06eac56dcb3ab1ab88df38a2 , < 6af20ac254cbd0e1178a3542767c9308e209eee5 (git) Affected: d56b0b2ab142940b06eac56dcb3ab1ab88df38a2 , < 49cf6f5293aeb706dd672608478336a003f37df6 (git) Affected: d56b0b2ab142940b06eac56dcb3ab1ab88df38a2 , < de9e78167f760a699806793d7c987239e4f6c8c3 (git) Affected: d56b0b2ab142940b06eac56dcb3ab1ab88df38a2 , < 58d0a3fab5f4fdc112c16a4c6d382f62097afd1c (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/host/xhci-ring.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6af20ac254cbd0e1178a3542767c9308e209eee5",
"status": "affected",
"version": "d56b0b2ab142940b06eac56dcb3ab1ab88df38a2",
"versionType": "git"
},
{
"lessThan": "49cf6f5293aeb706dd672608478336a003f37df6",
"status": "affected",
"version": "d56b0b2ab142940b06eac56dcb3ab1ab88df38a2",
"versionType": "git"
},
{
"lessThan": "de9e78167f760a699806793d7c987239e4f6c8c3",
"status": "affected",
"version": "d56b0b2ab142940b06eac56dcb3ab1ab88df38a2",
"versionType": "git"
},
{
"lessThan": "58d0a3fab5f4fdc112c16a4c6d382f62097afd1c",
"status": "affected",
"version": "d56b0b2ab142940b06eac56dcb3ab1ab88df38a2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/host/xhci-ring.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.11"
},
{
"lessThan": "6.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.22",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.10",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.1",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "6.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: xhci: Don\u0027t skip on Stopped - Length Invalid\n\nUp until commit d56b0b2ab142 (\"usb: xhci: ensure skipped isoc TDs are\nreturned when isoc ring is stopped\") in v6.11, the driver didn\u0027t skip\nmissed isochronous TDs when handling Stoppend and Stopped - Length\nInvalid events. Instead, it erroneously cleared the skip flag, which\nwould cause the ring to get stuck, as future events won\u0027t match the\nmissed TD which is never removed from the queue until it\u0027s cancelled.\n\nThis buggy logic seems to have been in place substantially unchanged\nsince the 3.x series over 10 years ago, which probably speaks first\nand foremost about relative rarity of this case in normal usage, but\nby the spec I see no reason why it shouldn\u0027t be possible.\n\nAfter d56b0b2ab142, TDs are immediately skipped when handling those\nStopped events. This poses a potential problem in case of Stopped -\nLength Invalid, which occurs either on completed TDs (likely already\ngiven back) or Link and No-Op TRBs. Such event won\u0027t be recognized\nas matching any TD (unless it\u0027s the rare Link TRB inside a TD) and\nwill result in skipping all pending TDs, giving them back possibly\nbefore they are done, risking isoc data loss and maybe UAF by HW.\n\nAs a compromise, don\u0027t skip and don\u0027t clear the skip flag on this\nkind of event. Then the next event will skip missed TDs. A downside\nof not handling Stopped - Length Invalid on a Link inside a TD is\nthat if the TD is cancelled, its actual length will not be updated\nto account for TRBs (silently) completed before the TD was stopped.\n\nI had no luck producing this sequence of completion events so there\nis no compelling demonstration of any resulting disaster. It may be\na very rare, obscure condition. 
The sole motivation for this patch\nis that if such unlikely event does occur, I\u0027d rather risk reporting\na cancelled partially done isoc frame as empty than gamble with UAF.\n\nThis will be fixed more properly by looking at Stopped event\u0027s TRB\npointer when making skipping decisions, but such rework is unlikely\nto be backported to v6.12, which will stay around for a few years."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-26T05:16:49.648Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6af20ac254cbd0e1178a3542767c9308e209eee5"
},
{
"url": "https://git.kernel.org/stable/c/49cf6f5293aeb706dd672608478336a003f37df6"
},
{
"url": "https://git.kernel.org/stable/c/de9e78167f760a699806793d7c987239e4f6c8c3"
},
{
"url": "https://git.kernel.org/stable/c/58d0a3fab5f4fdc112c16a4c6d382f62097afd1c"
}
],
"title": "usb: xhci: Don\u0027t skip on Stopped - Length Invalid",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-22023",
"datePublished": "2025-04-16T10:23:28.381Z",
"dateReserved": "2024-12-29T08:45:45.807Z",
"dateUpdated": "2025-05-26T05:16:49.648Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53216 (GCVE-0-2023-53216)
Vulnerability from cvelistv5 – Published: 2025-09-15 14:21 – Updated: 2026-01-14 17:52
Title
arm64: efi: Make efi_rt_lock a raw_spinlock
Summary
In the Linux kernel, the following vulnerability has been resolved:
arm64: efi: Make efi_rt_lock a raw_spinlock
Running a rt-kernel based on 6.2.0-rc3-rt1 on an Ampere Altra outputs
the following:
BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:46
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 9, name: kworker/u320:0
preempt_count: 2, expected: 0
RCU nest depth: 0, expected: 0
3 locks held by kworker/u320:0/9:
#0: ffff3fff8c27d128 ((wq_completion)efi_rts_wq){+.+.}-{0:0}, at: process_one_work (./include/linux/atomic/atomic-long.h:41)
#1: ffff80000861bdd0 ((work_completion)(&efi_rts_work.work)){+.+.}-{0:0}, at: process_one_work (./include/linux/atomic/atomic-long.h:41)
#2: ffffdf7e1ed3e460 (efi_rt_lock){+.+.}-{3:3}, at: efi_call_rts (drivers/firmware/efi/runtime-wrappers.c:101)
Preemption disabled at:
efi_virtmap_load (./arch/arm64/include/asm/mmu_context.h:248)
CPU: 0 PID: 9 Comm: kworker/u320:0 Tainted: G W 6.2.0-rc3-rt1
Hardware name: WIWYNN Mt.Jade Server System B81.03001.0005/Mt.Jade Motherboard, BIOS 1.08.20220218 (SCP: 1.08.20220218) 2022/02/18
Workqueue: efi_rts_wq efi_call_rts
Call trace:
dump_backtrace (arch/arm64/kernel/stacktrace.c:158)
show_stack (arch/arm64/kernel/stacktrace.c:165)
dump_stack_lvl (lib/dump_stack.c:107 (discriminator 4))
dump_stack (lib/dump_stack.c:114)
__might_resched (kernel/sched/core.c:10134)
rt_spin_lock (kernel/locking/rtmutex.c:1769 (discriminator 4))
efi_call_rts (drivers/firmware/efi/runtime-wrappers.c:101)
[...]
This seems to come from commit ff7a167961d1 ("arm64: efi: Execute
runtime services from a dedicated stack") which adds a spinlock. This
spinlock is taken through:
efi_call_rts()
\-efi_call_virt()
  \-efi_call_virt_pointer()
    \-arch_efi_call_virt_setup()
Make 'efi_rt_lock' a raw_spinlock to avoid being preempted.
[ardb: The EFI runtime services are called with a different set of
translation tables, and are permitted to use the SIMD registers.
The context switch code preserves/restores neither, and so EFI
calls must be made with preemption disabled, rather than only
disabling migration.]
Severity
7.8 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 4012603cbd469223f225637d265a233f034c567a, < 030b1c4217a4f504c7d0795a2bd86b7181e56f11 (git) |
| Linux | Linux | Affected: de2af657cab92afc13a4ccd8780370481ed0eb61, < 6a72729ed6accc86dad5522895e8fa2f96642a2c (git) |
| Linux | Linux | Affected: f75a91c82dc805af8f718ff106ec9c090234b37b, < 8b38969fa01662ec539a0d08a8ea5ec6f31fa4ed (git) |
| Linux | Linux | Affected: ff7a167961d1b97e0e205f245f806e564d3505e7, < 4e8f7d998b582a99aadedd07ae6086e99b89c97a (git) |
| Linux | Linux | Affected: ff7a167961d1b97e0e205f245f806e564d3505e7, < 0e68b5517d3767562889f1d83fdb828c26adb24f (git) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-53216",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T17:49:22.962667Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T17:52:57.797Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/arm64/include/asm/efi.h",
"arch/arm64/kernel/efi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "030b1c4217a4f504c7d0795a2bd86b7181e56f11",
"status": "affected",
"version": "4012603cbd469223f225637d265a233f034c567a",
"versionType": "git"
},
{
"lessThan": "6a72729ed6accc86dad5522895e8fa2f96642a2c",
"status": "affected",
"version": "de2af657cab92afc13a4ccd8780370481ed0eb61",
"versionType": "git"
},
{
"lessThan": "8b38969fa01662ec539a0d08a8ea5ec6f31fa4ed",
"status": "affected",
"version": "f75a91c82dc805af8f718ff106ec9c090234b37b",
"versionType": "git"
},
{
"lessThan": "4e8f7d998b582a99aadedd07ae6086e99b89c97a",
"status": "affected",
"version": "ff7a167961d1b97e0e205f245f806e564d3505e7",
"versionType": "git"
},
{
"lessThan": "0e68b5517d3767562889f1d83fdb828c26adb24f",
"status": "affected",
"version": "ff7a167961d1b97e0e205f245f806e564d3505e7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/arm64/include/asm/efi.h",
"arch/arm64/kernel/efi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.175",
"versionStartIncluding": "5.10.165",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.103",
"versionStartIncluding": "5.15.90",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.18",
"versionStartIncluding": "6.1.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.5",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: efi: Make efi_rt_lock a raw_spinlock\n\nRunning a rt-kernel base on 6.2.0-rc3-rt1 on an Ampere Altra outputs\nthe following:\n BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:46\n in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 9, name: kworker/u320:0\n preempt_count: 2, expected: 0\n RCU nest depth: 0, expected: 0\n 3 locks held by kworker/u320:0/9:\n #0: ffff3fff8c27d128 ((wq_completion)efi_rts_wq){+.+.}-{0:0}, at: process_one_work (./include/linux/atomic/atomic-long.h:41)\n #1: ffff80000861bdd0 ((work_completion)(\u0026efi_rts_work.work)){+.+.}-{0:0}, at: process_one_work (./include/linux/atomic/atomic-long.h:41)\n #2: ffffdf7e1ed3e460 (efi_rt_lock){+.+.}-{3:3}, at: efi_call_rts (drivers/firmware/efi/runtime-wrappers.c:101)\n Preemption disabled at:\n efi_virtmap_load (./arch/arm64/include/asm/mmu_context.h:248)\n CPU: 0 PID: 9 Comm: kworker/u320:0 Tainted: G W 6.2.0-rc3-rt1\n Hardware name: WIWYNN Mt.Jade Server System B81.03001.0005/Mt.Jade Motherboard, BIOS 1.08.20220218 (SCP: 1.08.20220218) 2022/02/18\n Workqueue: efi_rts_wq efi_call_rts\n Call trace:\n dump_backtrace (arch/arm64/kernel/stacktrace.c:158)\n show_stack (arch/arm64/kernel/stacktrace.c:165)\n dump_stack_lvl (lib/dump_stack.c:107 (discriminator 4))\n dump_stack (lib/dump_stack.c:114)\n __might_resched (kernel/sched/core.c:10134)\n rt_spin_lock (kernel/locking/rtmutex.c:1769 (discriminator 4))\n efi_call_rts (drivers/firmware/efi/runtime-wrappers.c:101)\n [...]\n\nThis seems to come from commit ff7a167961d1 (\"arm64: efi: Execute\nruntime services from a dedicated stack\") which adds a spinlock. 
This\nspinlock is taken through:\nefi_call_rts()\n\\-efi_call_virt()\n \\-efi_call_virt_pointer()\n \\-arch_efi_call_virt_setup()\n\nMake \u0027efi_rt_lock\u0027 a raw_spinlock to avoid being preempted.\n\n[ardb: The EFI runtime services are called with a different set of\n translation tables, and are permitted to use the SIMD registers.\n The context switch code preserves/restores neither, and so EFI\n calls must be made with preemption disabled, rather than only\n disabling migration.]"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T14:21:43.935Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/030b1c4217a4f504c7d0795a2bd86b7181e56f11"
},
{
"url": "https://git.kernel.org/stable/c/6a72729ed6accc86dad5522895e8fa2f96642a2c"
},
{
"url": "https://git.kernel.org/stable/c/8b38969fa01662ec539a0d08a8ea5ec6f31fa4ed"
},
{
"url": "https://git.kernel.org/stable/c/4e8f7d998b582a99aadedd07ae6086e99b89c97a"
},
{
"url": "https://git.kernel.org/stable/c/0e68b5517d3767562889f1d83fdb828c26adb24f"
}
],
"title": "arm64: efi: Make efi_rt_lock a raw_spinlock",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53216",
"datePublished": "2025-09-15T14:21:43.935Z",
"dateReserved": "2025-09-15T14:19:21.845Z",
"dateUpdated": "2026-01-14T17:52:57.797Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38721 (GCVE-0-2025-38721)
Vulnerability from cvelistv5 – Published: 2025-09-04 15:33 – Updated: 2025-11-03 17:41
Title
netfilter: ctnetlink: fix refcount leak on table dump
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: ctnetlink: fix refcount leak on table dump
There is a reference count leak in ctnetlink_dump_table():
    if (res < 0) {
            nf_conntrack_get(&ct->ct_general); // HERE
            cb->args[1] = (unsigned long)ct;
            ...
While it's very unlikely, it's possible that ct == last.
If this happens, then the refcount of ct was already incremented.
This 2nd increment is never undone.
This prevents the conntrack object from being released, which in turn
prevents cnet->count from dropping back to 0.
This will then block the netns dismantle (or conntrack rmmod) as
nf_conntrack_cleanup_net_list() will wait forever.
This can be reproduced by running conntrack_resize.sh selftest in a loop.
It takes ~20 minutes for me on a preemptible kernel on average before
I see a runaway kworker spinning in nf_conntrack_cleanup_net_list.
One fix would be to change this to:
    if (res < 0) {
            if (ct != last)
                    nf_conntrack_get(&ct->ct_general);
But this reference counting isn't needed in the first place.
We can just store a cookie value instead.
A followup patch will do the same for ctnetlink_exp_dump_table,
it looks to me as if this has the same problem and like
ctnetlink_dump_table, we only need a 'skip hint', not the actual
object so we can apply the same cookie strategy there as well.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: d205dc40798d97d63ad348bfaf7394f445d152d4, < 586892e341fbf698e7cbaca293e1353957db725a (git) |
| Linux | Linux | Affected: d205dc40798d97d63ad348bfaf7394f445d152d4, < 962518c6ca9f9a13df099cafa429f72f68ad61f0 (git) |
| Linux | Linux | Affected: d205dc40798d97d63ad348bfaf7394f445d152d4, < 19b909a4b1452fb97e477d2f08b97f8d04095619 (git) |
| Linux | Linux | Affected: d205dc40798d97d63ad348bfaf7394f445d152d4, < 41462f4cfc583513833f87f9ee55d12da651a7e3 (git) |
| Linux | Linux | Affected: d205dc40798d97d63ad348bfaf7394f445d152d4, < 30cf811058552b8cd0e98dff677ef3f89d6d34ce (git) |
| Linux | Linux | Affected: d205dc40798d97d63ad348bfaf7394f445d152d4, < a2cb4df7872de069f809de2f076ec8e54d649fe3 (git) |
| Linux | Linux | Affected: d205dc40798d97d63ad348bfaf7394f445d152d4, < e14f72aa66c029db106921d621edcedef68e065b (git) |
| Linux | Linux | Affected: d205dc40798d97d63ad348bfaf7394f445d152d4, < a62d6aa3f31f216b637a4c71b7a8bfc7c57f049b (git) |
| Linux | Linux | Affected: d205dc40798d97d63ad348bfaf7394f445d152d4, < de788b2e6227462b6dcd0e07474e72c089008f74 (git) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:41:50.589Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_conntrack_netlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "586892e341fbf698e7cbaca293e1353957db725a",
"status": "affected",
"version": "d205dc40798d97d63ad348bfaf7394f445d152d4",
"versionType": "git"
},
{
"lessThan": "962518c6ca9f9a13df099cafa429f72f68ad61f0",
"status": "affected",
"version": "d205dc40798d97d63ad348bfaf7394f445d152d4",
"versionType": "git"
},
{
"lessThan": "19b909a4b1452fb97e477d2f08b97f8d04095619",
"status": "affected",
"version": "d205dc40798d97d63ad348bfaf7394f445d152d4",
"versionType": "git"
},
{
"lessThan": "41462f4cfc583513833f87f9ee55d12da651a7e3",
"status": "affected",
"version": "d205dc40798d97d63ad348bfaf7394f445d152d4",
"versionType": "git"
},
{
"lessThan": "30cf811058552b8cd0e98dff677ef3f89d6d34ce",
"status": "affected",
"version": "d205dc40798d97d63ad348bfaf7394f445d152d4",
"versionType": "git"
},
{
"lessThan": "a2cb4df7872de069f809de2f076ec8e54d649fe3",
"status": "affected",
"version": "d205dc40798d97d63ad348bfaf7394f445d152d4",
"versionType": "git"
},
{
"lessThan": "e14f72aa66c029db106921d621edcedef68e065b",
"status": "affected",
"version": "d205dc40798d97d63ad348bfaf7394f445d152d4",
"versionType": "git"
},
{
"lessThan": "a62d6aa3f31f216b637a4c71b7a8bfc7c57f049b",
"status": "affected",
"version": "d205dc40798d97d63ad348bfaf7394f445d152d4",
"versionType": "git"
},
{
"lessThan": "de788b2e6227462b6dcd0e07474e72c089008f74",
"status": "affected",
"version": "d205dc40798d97d63ad348bfaf7394f445d152d4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_conntrack_netlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.18"
},
{
"lessThan": "2.6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.43",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.11",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.2",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "2.6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ctnetlink: fix refcount leak on table dump\n\nThere is a reference count leak in ctnetlink_dump_table():\n if (res \u003c 0) {\n nf_conntrack_get(\u0026ct-\u003ect_general); // HERE\n cb-\u003eargs[1] = (unsigned long)ct;\n ...\n\nWhile its very unlikely, its possible that ct == last.\nIf this happens, then the refcount of ct was already incremented.\nThis 2nd increment is never undone.\n\nThis prevents the conntrack object from being released, which in turn\nkeeps prevents cnet-\u003ecount from dropping back to 0.\n\nThis will then block the netns dismantle (or conntrack rmmod) as\nnf_conntrack_cleanup_net_list() will wait forever.\n\nThis can be reproduced by running conntrack_resize.sh selftest in a loop.\nIt takes ~20 minutes for me on a preemptible kernel on average before\nI see a runaway kworker spinning in nf_conntrack_cleanup_net_list.\n\nOne fix would to change this to:\n if (res \u003c 0) {\n\t\tif (ct != last)\n\t nf_conntrack_get(\u0026ct-\u003ect_general);\n\nBut this reference counting isn\u0027t needed in the first place.\nWe can just store a cookie value instead.\n\nA followup patch will do the same for ctnetlink_exp_dump_table,\nit looks to me as if this has the same problem and like\nctnetlink_dump_table, we only need a \u0027skip hint\u0027, not the actual\nobject so we can apply the same cookie strategy there as well."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:56:45.913Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/586892e341fbf698e7cbaca293e1353957db725a"
},
{
"url": "https://git.kernel.org/stable/c/962518c6ca9f9a13df099cafa429f72f68ad61f0"
},
{
"url": "https://git.kernel.org/stable/c/19b909a4b1452fb97e477d2f08b97f8d04095619"
},
{
"url": "https://git.kernel.org/stable/c/41462f4cfc583513833f87f9ee55d12da651a7e3"
},
{
"url": "https://git.kernel.org/stable/c/30cf811058552b8cd0e98dff677ef3f89d6d34ce"
},
{
"url": "https://git.kernel.org/stable/c/a2cb4df7872de069f809de2f076ec8e54d649fe3"
},
{
"url": "https://git.kernel.org/stable/c/e14f72aa66c029db106921d621edcedef68e065b"
},
{
"url": "https://git.kernel.org/stable/c/a62d6aa3f31f216b637a4c71b7a8bfc7c57f049b"
},
{
"url": "https://git.kernel.org/stable/c/de788b2e6227462b6dcd0e07474e72c089008f74"
}
],
"title": "netfilter: ctnetlink: fix refcount leak on table dump",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38721",
"datePublished": "2025-09-04T15:33:14.891Z",
"dateReserved": "2025-04-16T04:51:24.033Z",
"dateUpdated": "2025-11-03T17:41:50.589Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38612 (GCVE-0-2025-38612)
Vulnerability from cvelistv5 – Published: 2025-08-19 17:03 – Updated: 2025-11-03 17:40
Title
staging: fbtft: fix potential memory leak in fbtft_framebuffer_alloc()
Summary
In the Linux kernel, the following vulnerability has been resolved:
staging: fbtft: fix potential memory leak in fbtft_framebuffer_alloc()
In the error paths after fb_info structure is successfully allocated,
the memory allocated in fb_deferred_io_init() for info->pagerefs is not
freed. Fix that by adding the cleanup function on the error path.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: c296d5f9957c03994a699d6739c27d4581a9f6c7, < 83ea0c7b8d12c67f6c4703d6c458627a7fc45fc0 (git) |
| Linux | Linux | Affected: c296d5f9957c03994a699d6739c27d4581a9f6c7, < c3b1c45c48117ed4d8797ee89d1155f16b72d490 (git) |
| Linux | Linux | Affected: c296d5f9957c03994a699d6739c27d4581a9f6c7, < 3290f62f23fae05f2ec34085eb86dfb3648ef91f (git) |
| Linux | Linux | Affected: c296d5f9957c03994a699d6739c27d4581a9f6c7, < 6f9e2cf9e9c1a891a683329af35bb33ed9d38b5f (git) |
| Linux | Linux | Affected: c296d5f9957c03994a699d6739c27d4581a9f6c7, < b31cf6f7716a5d3e4461763f32d812acdaec6e74 (git) |
| Linux | Linux | Affected: c296d5f9957c03994a699d6739c27d4581a9f6c7, < a3177955f8da3c826a18b75e54881e2e9a9c96f1 (git) |
| Linux | Linux | Affected: c296d5f9957c03994a699d6739c27d4581a9f6c7, < 6771f121ae87490ddc19eabb7450383af9e01b6d (git) |
| Linux | Linux | Affected: c296d5f9957c03994a699d6739c27d4581a9f6c7, < 47b3d6e8921bbb7b65c2dab8eaa8864901848c1c (git) |
| Linux | Linux | Affected: c296d5f9957c03994a699d6739c27d4581a9f6c7, < eb2cb7dab60f9be0b435ac4a674255429a36d72c (git) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:40:25.546Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/staging/fbtft/fbtft-core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "83ea0c7b8d12c67f6c4703d6c458627a7fc45fc0",
"status": "affected",
"version": "c296d5f9957c03994a699d6739c27d4581a9f6c7",
"versionType": "git"
},
{
"lessThan": "c3b1c45c48117ed4d8797ee89d1155f16b72d490",
"status": "affected",
"version": "c296d5f9957c03994a699d6739c27d4581a9f6c7",
"versionType": "git"
},
{
"lessThan": "3290f62f23fae05f2ec34085eb86dfb3648ef91f",
"status": "affected",
"version": "c296d5f9957c03994a699d6739c27d4581a9f6c7",
"versionType": "git"
},
{
"lessThan": "6f9e2cf9e9c1a891a683329af35bb33ed9d38b5f",
"status": "affected",
"version": "c296d5f9957c03994a699d6739c27d4581a9f6c7",
"versionType": "git"
},
{
"lessThan": "b31cf6f7716a5d3e4461763f32d812acdaec6e74",
"status": "affected",
"version": "c296d5f9957c03994a699d6739c27d4581a9f6c7",
"versionType": "git"
},
{
"lessThan": "a3177955f8da3c826a18b75e54881e2e9a9c96f1",
"status": "affected",
"version": "c296d5f9957c03994a699d6739c27d4581a9f6c7",
"versionType": "git"
},
{
"lessThan": "6771f121ae87490ddc19eabb7450383af9e01b6d",
"status": "affected",
"version": "c296d5f9957c03994a699d6739c27d4581a9f6c7",
"versionType": "git"
},
{
"lessThan": "47b3d6e8921bbb7b65c2dab8eaa8864901848c1c",
"status": "affected",
"version": "c296d5f9957c03994a699d6739c27d4581a9f6c7",
"versionType": "git"
},
{
"lessThan": "eb2cb7dab60f9be0b435ac4a674255429a36d72c",
"status": "affected",
"version": "c296d5f9957c03994a699d6739c27d4581a9f6c7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/staging/fbtft/fbtft-core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.0"
},
{
"lessThan": "4.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.148",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.102",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.148",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.102",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.42",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.10",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: fbtft: fix potential memory leak in fbtft_framebuffer_alloc()\n\nIn the error paths after fb_info structure is successfully allocated,\nthe memory allocated in fb_deferred_io_init() for info-\u003epagerefs is not\nfreed. Fix that by adding the cleanup function on the error path."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:54:46.364Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/83ea0c7b8d12c67f6c4703d6c458627a7fc45fc0"
},
{
"url": "https://git.kernel.org/stable/c/c3b1c45c48117ed4d8797ee89d1155f16b72d490"
},
{
"url": "https://git.kernel.org/stable/c/3290f62f23fae05f2ec34085eb86dfb3648ef91f"
},
{
"url": "https://git.kernel.org/stable/c/6f9e2cf9e9c1a891a683329af35bb33ed9d38b5f"
},
{
"url": "https://git.kernel.org/stable/c/b31cf6f7716a5d3e4461763f32d812acdaec6e74"
},
{
"url": "https://git.kernel.org/stable/c/a3177955f8da3c826a18b75e54881e2e9a9c96f1"
},
{
"url": "https://git.kernel.org/stable/c/6771f121ae87490ddc19eabb7450383af9e01b6d"
},
{
"url": "https://git.kernel.org/stable/c/47b3d6e8921bbb7b65c2dab8eaa8864901848c1c"
},
{
"url": "https://git.kernel.org/stable/c/eb2cb7dab60f9be0b435ac4a674255429a36d72c"
}
],
"title": "staging: fbtft: fix potential memory leak in fbtft_framebuffer_alloc()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38612",
"datePublished": "2025-08-19T17:03:54.797Z",
"dateReserved": "2025-04-16T04:51:24.029Z",
"dateUpdated": "2025-11-03T17:40:25.546Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50401 (GCVE-0-2022-50401)
Vulnerability from cvelistv5 – Published: 2025-09-18 16:03 – Updated: 2026-01-14 19:13
Title
nfsd: under NFSv4.1, fix double svc_xprt_put on rpc_create failure
Summary
In the Linux kernel, the following vulnerability has been resolved:
nfsd: under NFSv4.1, fix double svc_xprt_put on rpc_create failure
On error situation `clp->cl_cb_conn.cb_xprt` should not be given
a reference to the xprt otherwise both client cleanup and the
error handling path of the caller call to put it. Better to
delay handing over the reference to a later branch.
[ 72.530665] refcount_t: underflow; use-after-free.
[ 72.531933] WARNING: CPU: 0 PID: 173 at lib/refcount.c:28 refcount_warn_saturate+0xcf/0x120
[ 72.533075] Modules linked in: nfsd(OE) nfsv4(OE) nfsv3(OE) nfs(OE) lockd(OE) compat_nfs_ssc(OE) nfs_acl(OE) rpcsec_gss_krb5(OE) auth_rpcgss(OE) rpcrdma(OE) dns_resolver fscache netfs grace rdma_cm iw_cm ib_cm sunrpc(OE) mlx5_ib mlx5_core mlxfw pci_hyperv_intf ib_uverbs ib_core xt_MASQUERADE nf_conntrack_netlink nft_counter xt_addrtype nft_compat br_netfilter bridge stp llc nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set overlay nf_tables nfnetlink crct10dif_pclmul crc32_pclmul ghash_clmulni_intel xfs serio_raw virtio_net virtio_blk net_failover failover fuse [last unloaded: sunrpc]
[ 72.540389] CPU: 0 PID: 173 Comm: kworker/u16:5 Tainted: G OE 5.15.82-dan #1
[ 72.541511] Hardware name: Red Hat KVM/RHEL-AV, BIOS 1.16.0-3.module+el8.7.0+1084+97b81f61 04/01/2014
[ 72.542717] Workqueue: nfsd4_callbacks nfsd4_run_cb_work [nfsd]
[ 72.543575] RIP: 0010:refcount_warn_saturate+0xcf/0x120
[ 72.544299] Code: 55 00 0f 0b 5d e9 01 50 98 00 80 3d 75 9e 39 08 00 0f 85 74 ff ff ff 48 c7 c7 e8 d1 60 8e c6 05 61 9e 39 08 01 e8 f6 51 55 00 <0f> 0b 5d e9 d9 4f 98 00 80 3d 4b 9e 39 08 00 0f 85 4c ff ff ff 48
[ 72.546666] RSP: 0018:ffffb3f841157cf0 EFLAGS: 00010286
[ 72.547393] RAX: 0000000000000026 RBX: ffff89ac6231d478 RCX: 0000000000000000
[ 72.548324] RDX: ffff89adb7c2c2c0 RSI: ffff89adb7c205c0 RDI: ffff89adb7c205c0
[ 72.549271] RBP: ffffb3f841157cf0 R08: 0000000000000000 R09: c0000000ffefffff
[ 72.550209] R10: 0000000000000001 R11: ffffb3f841157ad0 R12: ffff89ac6231d180
[ 72.551142] R13: ffff89ac6231d478 R14: ffff89ac40c06180 R15: ffff89ac6231d4b0
[ 72.552089] FS: 0000000000000000(0000) GS:ffff89adb7c00000(0000) knlGS:0000000000000000
[ 72.553175] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 72.553934] CR2: 0000563a310506a8 CR3: 0000000109a66000 CR4: 0000000000350ef0
[ 72.554874] Call Trace:
[ 72.555278] <TASK>
[ 72.555614] svc_xprt_put+0xaf/0xe0 [sunrpc]
[ 72.556276] nfsd4_process_cb_update.isra.11+0xb7/0x410 [nfsd]
[ 72.557087] ? update_load_avg+0x82/0x610
[ 72.557652] ? cpuacct_charge+0x60/0x70
[ 72.558212] ? dequeue_entity+0xdb/0x3e0
[ 72.558765] ? queued_spin_unlock+0x9/0x20
[ 72.559358] nfsd4_run_cb_work+0xfc/0x270 [nfsd]
[ 72.560031] process_one_work+0x1df/0x390
[ 72.560600] worker_thread+0x37/0x3b0
[ 72.561644] ? process_one_work+0x390/0x390
[ 72.562247] kthread+0x12f/0x150
[ 72.562710] ? set_kthread_struct+0x50/0x50
[ 72.563309] ret_from_fork+0x22/0x30
[ 72.563818] </TASK>
[ 72.564189] ---[ end trace 031117b1c72ec616 ]---
[ 72.566019] list_add corruption. next->prev should be prev (ffff89ac4977e538), but was ffff89ac4763e018. (next=ffff89ac4763e018).
[ 72.567647] ------------[ cut here ]------------
Severity
7.8 (High)
CWE
- CWE-415 - Double Free
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 69151594c72a1748cf93ae5b5fa68d5084253dce , < 707bcca9616002d204091ca7c4d1d91151104332 (git) |
| Linux | Linux | Affected: 0c4fb76c4e711d9e4e70ddc6732310a17076175d , < 15fc60aa5bdcf6d5f93000d3d00579fc67632ee0 (git) |
| Linux | Linux | Affected: 22c721560ef24003bcb9c3d9c358841dcfa4e212 , < 9b4ae8c42d2ff09ed7c5832ccce5684c55e5ed23 (git) |
| Linux | Linux | Affected: e8cac2e3067e8587f8271c2177cc5ca924a61b54 , < fddac3b4578d302ac9e51e7f03a9aae6254ae2a3 (git) |
| Linux | Linux | Affected: a4abc6b12eb1f7a533c2e7484cfa555454ff0977 , < c1207219a4bfa50121c9345d5d165470d0a82531 (git) |
| Linux | Linux | Affected: a4abc6b12eb1f7a533c2e7484cfa555454ff0977 , < a472f069ced8601979f53c13c0cf20236074ed46 (git) |
| Linux | Linux | Affected: a4abc6b12eb1f7a533c2e7484cfa555454ff0977 , < e2f9f03e4537f3fcc8fd2bdd3248530c3477a371 (git) |
| Linux | Linux | Affected: a4abc6b12eb1f7a533c2e7484cfa555454ff0977 , < d843ebd860c58a38e45527e8ec6516059f4c97f3 (git) |
| Linux | Linux | Affected: a4abc6b12eb1f7a533c2e7484cfa555454ff0977 , < 3bc8edc98bd43540dbe648e4ef91f443d6d20a24 (git) |
| Linux | Linux | Affected: f5a50e848e4509448b8b91536b5d421722bf154b (git) |
| Linux | Linux | Affected: c745f9ef3c8cbae70556131eaeaf0f64510243b7 (git) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-50401",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T19:06:37.052651Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-415",
"description": "CWE-415 Double Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T19:13:07.779Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfsd/nfs4callback.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "707bcca9616002d204091ca7c4d1d91151104332",
"status": "affected",
"version": "69151594c72a1748cf93ae5b5fa68d5084253dce",
"versionType": "git"
},
{
"lessThan": "15fc60aa5bdcf6d5f93000d3d00579fc67632ee0",
"status": "affected",
"version": "0c4fb76c4e711d9e4e70ddc6732310a17076175d",
"versionType": "git"
},
{
"lessThan": "9b4ae8c42d2ff09ed7c5832ccce5684c55e5ed23",
"status": "affected",
"version": "22c721560ef24003bcb9c3d9c358841dcfa4e212",
"versionType": "git"
},
{
"lessThan": "fddac3b4578d302ac9e51e7f03a9aae6254ae2a3",
"status": "affected",
"version": "e8cac2e3067e8587f8271c2177cc5ca924a61b54",
"versionType": "git"
},
{
"lessThan": "c1207219a4bfa50121c9345d5d165470d0a82531",
"status": "affected",
"version": "a4abc6b12eb1f7a533c2e7484cfa555454ff0977",
"versionType": "git"
},
{
"lessThan": "a472f069ced8601979f53c13c0cf20236074ed46",
"status": "affected",
"version": "a4abc6b12eb1f7a533c2e7484cfa555454ff0977",
"versionType": "git"
},
{
"lessThan": "e2f9f03e4537f3fcc8fd2bdd3248530c3477a371",
"status": "affected",
"version": "a4abc6b12eb1f7a533c2e7484cfa555454ff0977",
"versionType": "git"
},
{
"lessThan": "d843ebd860c58a38e45527e8ec6516059f4c97f3",
"status": "affected",
"version": "a4abc6b12eb1f7a533c2e7484cfa555454ff0977",
"versionType": "git"
},
{
"lessThan": "3bc8edc98bd43540dbe648e4ef91f443d6d20a24",
"status": "affected",
"version": "a4abc6b12eb1f7a533c2e7484cfa555454ff0977",
"versionType": "git"
},
{
"status": "affected",
"version": "f5a50e848e4509448b8b91536b5d421722bf154b",
"versionType": "git"
},
{
"status": "affected",
"version": "c745f9ef3c8cbae70556131eaeaf0f64510243b7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfsd/nfs4callback.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"versionStartIncluding": "4.9.229",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "4.14.186",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "4.19.130",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "5.4.49",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.229",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.7.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: under NFSv4.1, fix double svc_xprt_put on rpc_create failure\n\nOn error situation `clp-\u003ecl_cb_conn.cb_xprt` should not be given\na reference to the xprt otherwise both client cleanup and the\nerror handling path of the caller call to put it. Better to\ndelay handing over the reference to a later branch.\n\n[ 72.530665] refcount_t: underflow; use-after-free.\n[ 72.531933] WARNING: CPU: 0 PID: 173 at lib/refcount.c:28 refcount_warn_saturate+0xcf/0x120\n[ 72.533075] Modules linked in: nfsd(OE) nfsv4(OE) nfsv3(OE) nfs(OE) lockd(OE) compat_nfs_ssc(OE) nfs_acl(OE) rpcsec_gss_krb5(OE) auth_rpcgss(OE) rpcrdma(OE) dns_resolver fscache netfs grace rdma_cm iw_cm ib_cm sunrpc(OE) mlx5_ib mlx5_core mlxfw pci_hyperv_intf ib_uverbs ib_core xt_MASQUERADE nf_conntrack_netlink nft_counter xt_addrtype nft_compat br_netfilter bridge stp llc nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set overlay nf_tables nfnetlink crct10dif_pclmul crc32_pclmul ghash_clmulni_intel xfs serio_raw virtio_net virtio_blk net_failover failover fuse [last unloaded: sunrpc]\n[ 72.540389] CPU: 0 PID: 173 Comm: kworker/u16:5 Tainted: G OE 5.15.82-dan #1\n[ 72.541511] Hardware name: Red Hat KVM/RHEL-AV, BIOS 1.16.0-3.module+el8.7.0+1084+97b81f61 04/01/2014\n[ 72.542717] Workqueue: nfsd4_callbacks nfsd4_run_cb_work [nfsd]\n[ 72.543575] RIP: 0010:refcount_warn_saturate+0xcf/0x120\n[ 72.544299] Code: 55 00 0f 0b 5d e9 01 50 98 00 80 3d 75 9e 39 08 00 0f 85 74 ff ff ff 48 c7 c7 e8 d1 60 8e c6 05 61 9e 39 08 01 e8 f6 51 55 00 \u003c0f\u003e 0b 5d e9 d9 4f 98 00 80 3d 4b 9e 39 08 00 0f 85 4c ff ff ff 48\n[ 72.546666] RSP: 0018:ffffb3f841157cf0 EFLAGS: 00010286\n[ 72.547393] RAX: 0000000000000026 RBX: ffff89ac6231d478 RCX: 0000000000000000\n[ 72.548324] RDX: ffff89adb7c2c2c0 RSI: ffff89adb7c205c0 RDI: ffff89adb7c205c0\n[ 72.549271] RBP: 
ffffb3f841157cf0 R08: 0000000000000000 R09: c0000000ffefffff\n[ 72.550209] R10: 0000000000000001 R11: ffffb3f841157ad0 R12: ffff89ac6231d180\n[ 72.551142] R13: ffff89ac6231d478 R14: ffff89ac40c06180 R15: ffff89ac6231d4b0\n[ 72.552089] FS: 0000000000000000(0000) GS:ffff89adb7c00000(0000) knlGS:0000000000000000\n[ 72.553175] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 72.553934] CR2: 0000563a310506a8 CR3: 0000000109a66000 CR4: 0000000000350ef0\n[ 72.554874] Call Trace:\n[ 72.555278] \u003cTASK\u003e\n[ 72.555614] svc_xprt_put+0xaf/0xe0 [sunrpc]\n[ 72.556276] nfsd4_process_cb_update.isra.11+0xb7/0x410 [nfsd]\n[ 72.557087] ? update_load_avg+0x82/0x610\n[ 72.557652] ? cpuacct_charge+0x60/0x70\n[ 72.558212] ? dequeue_entity+0xdb/0x3e0\n[ 72.558765] ? queued_spin_unlock+0x9/0x20\n[ 72.559358] nfsd4_run_cb_work+0xfc/0x270 [nfsd]\n[ 72.560031] process_one_work+0x1df/0x390\n[ 72.560600] worker_thread+0x37/0x3b0\n[ 72.561644] ? process_one_work+0x390/0x390\n[ 72.562247] kthread+0x12f/0x150\n[ 72.562710] ? set_kthread_struct+0x50/0x50\n[ 72.563309] ret_from_fork+0x22/0x30\n[ 72.563818] \u003c/TASK\u003e\n[ 72.564189] ---[ end trace 031117b1c72ec616 ]---\n[ 72.566019] list_add corruption. next-\u003eprev should be prev (ffff89ac4977e538), but was ffff89ac4763e018. (next=ffff89ac4763e018).\n[ 72.567647] ------------[ cut here ]------------"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-18T16:03:47.283Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/707bcca9616002d204091ca7c4d1d91151104332"
},
{
"url": "https://git.kernel.org/stable/c/15fc60aa5bdcf6d5f93000d3d00579fc67632ee0"
},
{
"url": "https://git.kernel.org/stable/c/9b4ae8c42d2ff09ed7c5832ccce5684c55e5ed23"
},
{
"url": "https://git.kernel.org/stable/c/fddac3b4578d302ac9e51e7f03a9aae6254ae2a3"
},
{
"url": "https://git.kernel.org/stable/c/c1207219a4bfa50121c9345d5d165470d0a82531"
},
{
"url": "https://git.kernel.org/stable/c/a472f069ced8601979f53c13c0cf20236074ed46"
},
{
"url": "https://git.kernel.org/stable/c/e2f9f03e4537f3fcc8fd2bdd3248530c3477a371"
},
{
"url": "https://git.kernel.org/stable/c/d843ebd860c58a38e45527e8ec6516059f4c97f3"
},
{
"url": "https://git.kernel.org/stable/c/3bc8edc98bd43540dbe648e4ef91f443d6d20a24"
}
],
"title": "nfsd: under NFSv4.1, fix double svc_xprt_put on rpc_create failure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50401",
"datePublished": "2025-09-18T16:03:47.283Z",
"dateReserved": "2025-09-17T14:53:06.999Z",
"dateUpdated": "2026-01-14T19:13:07.779Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50465 (GCVE-0-2022-50465)
Vulnerability from cvelistv5 – Published: 2025-10-01 11:45 – Updated: 2025-10-01 11:45
Title
ext4: fix leaking uninitialized memory in fast-commit journal
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix leaking uninitialized memory in fast-commit journal
When space at the end of fast-commit journal blocks is unused, make sure
to zero it out so that uninitialized memory is not leaked to disk.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: aa75f4d3daaeb1389b9cce9d6b84401eaf228d4e , < b8b7922374b00a44137e5bcdd46ef86c8b065f27 (git) |
| Linux | Linux | Affected: aa75f4d3daaeb1389b9cce9d6b84401eaf228d4e , < 871800770d7f2f952c7249ad52485c3564dab44e (git) |
| Linux | Linux | Affected: aa75f4d3daaeb1389b9cce9d6b84401eaf228d4e , < d9ba03eb03dc2dccb5450de388ea46bdcaaf8348 (git) |
| Linux | Linux | Affected: aa75f4d3daaeb1389b9cce9d6b84401eaf228d4e , < 7c1fb65e8ce85c281d2cba9c236f9edbbc4eaca6 (git) |
| Linux | Linux | Affected: aa75f4d3daaeb1389b9cce9d6b84401eaf228d4e , < 594bc43b410316d70bb42aeff168837888d96810 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/fast_commit.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b8b7922374b00a44137e5bcdd46ef86c8b065f27",
"status": "affected",
"version": "aa75f4d3daaeb1389b9cce9d6b84401eaf228d4e",
"versionType": "git"
},
{
"lessThan": "871800770d7f2f952c7249ad52485c3564dab44e",
"status": "affected",
"version": "aa75f4d3daaeb1389b9cce9d6b84401eaf228d4e",
"versionType": "git"
},
{
"lessThan": "d9ba03eb03dc2dccb5450de388ea46bdcaaf8348",
"status": "affected",
"version": "aa75f4d3daaeb1389b9cce9d6b84401eaf228d4e",
"versionType": "git"
},
{
"lessThan": "7c1fb65e8ce85c281d2cba9c236f9edbbc4eaca6",
"status": "affected",
"version": "aa75f4d3daaeb1389b9cce9d6b84401eaf228d4e",
"versionType": "git"
},
{
"lessThan": "594bc43b410316d70bb42aeff168837888d96810",
"status": "affected",
"version": "aa75f4d3daaeb1389b9cce9d6b84401eaf228d4e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/fast_commit.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.87",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.18",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.4",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix leaking uninitialized memory in fast-commit journal\n\nWhen space at the end of fast-commit journal blocks is unused, make sure\nto zero it out so that uninitialized memory is not leaked to disk."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T11:45:36.647Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b8b7922374b00a44137e5bcdd46ef86c8b065f27"
},
{
"url": "https://git.kernel.org/stable/c/871800770d7f2f952c7249ad52485c3564dab44e"
},
{
"url": "https://git.kernel.org/stable/c/d9ba03eb03dc2dccb5450de388ea46bdcaaf8348"
},
{
"url": "https://git.kernel.org/stable/c/7c1fb65e8ce85c281d2cba9c236f9edbbc4eaca6"
},
{
"url": "https://git.kernel.org/stable/c/594bc43b410316d70bb42aeff168837888d96810"
}
],
"title": "ext4: fix leaking uninitialized memory in fast-commit journal",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50465",
"datePublished": "2025-10-01T11:45:36.647Z",
"dateReserved": "2025-10-01T11:38:45.641Z",
"dateUpdated": "2025-10-01T11:45:36.647Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38676 (GCVE-0-2025-38676)
Vulnerability from cvelistv5 – Published: 2025-08-26 13:07 – Updated: 2025-11-03 17:40
Title
iommu/amd: Avoid stack buffer overflow from kernel cmdline
Summary
In the Linux kernel, the following vulnerability has been resolved:
iommu/amd: Avoid stack buffer overflow from kernel cmdline
While the kernel command line is considered trusted in most environments,
avoid writing 1 byte past the end of "acpiid" if the "str" argument is
maximum length.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: f2a5ec7f7b28f9b9cd5fac232ff51019a7f7b9e9 , < a732502bf3bbe859613b6d7b2b0313b11f0474ac (git) |
| Linux | Linux | Affected: c513043e0afe6a8ba79d00af358655afabb576d2 , < 0ad8509b468fa1058f4f400a1829f29e4ccc4de8 (git) |
| Linux | Linux | Affected: 2ae19ac3ea82a5b87a81c10adbb497c9e58bdd60 , < 9ff52d3af0ef286535749e14e3fe9eceb39a8349 (git) |
| Linux | Linux | Affected: b6b26d86c61c441144c72f842f7469bb686e1211 , < 8f80c633cba144f721d38d9380f23d23ab7db10e (git) |
| Linux | Linux | Affected: b6b26d86c61c441144c72f842f7469bb686e1211 , < 4bdb0f78bddbfa77d3ab458a21dd9cec495d317a (git) |
| Linux | Linux | Affected: b6b26d86c61c441144c72f842f7469bb686e1211 , < 736db11c86f03e717fc4bf771d05efdf10d23acb (git) |
| Linux | Linux | Affected: b6b26d86c61c441144c72f842f7469bb686e1211 , < 8503d0fcb1086a7cfe26df67ca4bd9bd9e99bdec (git) |
| Linux | Linux | Affected: 5e97dc748d13fad582136ba0c8cec215c7aeeb17 (git) |
| Linux | Linux | Affected: 63cd11165e5e0ea2012254c764003eda1f9adb7d (git) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:40:59.770Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iommu/amd/init.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a732502bf3bbe859613b6d7b2b0313b11f0474ac",
"status": "affected",
"version": "f2a5ec7f7b28f9b9cd5fac232ff51019a7f7b9e9",
"versionType": "git"
},
{
"lessThan": "0ad8509b468fa1058f4f400a1829f29e4ccc4de8",
"status": "affected",
"version": "c513043e0afe6a8ba79d00af358655afabb576d2",
"versionType": "git"
},
{
"lessThan": "9ff52d3af0ef286535749e14e3fe9eceb39a8349",
"status": "affected",
"version": "2ae19ac3ea82a5b87a81c10adbb497c9e58bdd60",
"versionType": "git"
},
{
"lessThan": "8f80c633cba144f721d38d9380f23d23ab7db10e",
"status": "affected",
"version": "b6b26d86c61c441144c72f842f7469bb686e1211",
"versionType": "git"
},
{
"lessThan": "4bdb0f78bddbfa77d3ab458a21dd9cec495d317a",
"status": "affected",
"version": "b6b26d86c61c441144c72f842f7469bb686e1211",
"versionType": "git"
},
{
"lessThan": "736db11c86f03e717fc4bf771d05efdf10d23acb",
"status": "affected",
"version": "b6b26d86c61c441144c72f842f7469bb686e1211",
"versionType": "git"
},
{
"lessThan": "8503d0fcb1086a7cfe26df67ca4bd9bd9e99bdec",
"status": "affected",
"version": "b6b26d86c61c441144c72f842f7469bb686e1211",
"versionType": "git"
},
{
"status": "affected",
"version": "5e97dc748d13fad582136ba0c8cec215c7aeeb17",
"versionType": "git"
},
{
"status": "affected",
"version": "63cd11165e5e0ea2012254c764003eda1f9adb7d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iommu/amd/init.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.44",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "5.10.175",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "5.15.103",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"versionStartIncluding": "6.1.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.44",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.4",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.237",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.2.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/amd: Avoid stack buffer overflow from kernel cmdline\n\nWhile the kernel command line is considered trusted in most environments,\navoid writing 1 byte past the end of \"acpiid\" if the \"str\" argument is\nmaximum length."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:55:46.029Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a732502bf3bbe859613b6d7b2b0313b11f0474ac"
},
{
"url": "https://git.kernel.org/stable/c/0ad8509b468fa1058f4f400a1829f29e4ccc4de8"
},
{
"url": "https://git.kernel.org/stable/c/9ff52d3af0ef286535749e14e3fe9eceb39a8349"
},
{
"url": "https://git.kernel.org/stable/c/8f80c633cba144f721d38d9380f23d23ab7db10e"
},
{
"url": "https://git.kernel.org/stable/c/4bdb0f78bddbfa77d3ab458a21dd9cec495d317a"
},
{
"url": "https://git.kernel.org/stable/c/736db11c86f03e717fc4bf771d05efdf10d23acb"
},
{
"url": "https://git.kernel.org/stable/c/8503d0fcb1086a7cfe26df67ca4bd9bd9e99bdec"
}
],
"title": "iommu/amd: Avoid stack buffer overflow from kernel cmdline",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38676",
"datePublished": "2025-08-26T13:07:48.761Z",
"dateReserved": "2025-04-16T04:51:24.031Z",
"dateUpdated": "2025-11-03T17:40:59.770Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50271 (GCVE-0-2022-50271)
Vulnerability from cvelistv5 – Published: 2025-09-15 14:21 – Updated: 2025-09-15 14:21
Title
vhost/vsock: Use kvmalloc/kvfree for larger packets.
Summary
In the Linux kernel, the following vulnerability has been resolved:

vhost/vsock: Use kvmalloc/kvfree for larger packets.

When copying a large file over sftp over vsock, data size is usually 32kB,
and kmalloc seems to fail to try to allocate 32 32kB regions.

    vhost-5837: page allocation failure: order:4, mode:0x24040c0
    Call Trace:
    [<ffffffffb6a0df64>] dump_stack+0x97/0xdb
    [<ffffffffb68d6aed>] warn_alloc_failed+0x10f/0x138
    [<ffffffffb68d868a>] ? __alloc_pages_direct_compact+0x38/0xc8
    [<ffffffffb664619f>] __alloc_pages_nodemask+0x84c/0x90d
    [<ffffffffb6646e56>] alloc_kmem_pages+0x17/0x19
    [<ffffffffb6653a26>] kmalloc_order_trace+0x2b/0xdb
    [<ffffffffb66682f3>] __kmalloc+0x177/0x1f7
    [<ffffffffb66e0d94>] ? copy_from_iter+0x8d/0x31d
    [<ffffffffc0689ab7>] vhost_vsock_handle_tx_kick+0x1fa/0x301 [vhost_vsock]
    [<ffffffffc06828d9>] vhost_worker+0xf7/0x157 [vhost]
    [<ffffffffb683ddce>] kthread+0xfd/0x105
    [<ffffffffc06827e2>] ? vhost_dev_set_owner+0x22e/0x22e [vhost]
    [<ffffffffb683dcd1>] ? flush_kthread_worker+0xf3/0xf3
    [<ffffffffb6eb332e>] ret_from_fork+0x4e/0x80
    [<ffffffffb683dcd1>] ? flush_kthread_worker+0xf3/0xf3

Work around by doing kvmalloc instead.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 433fc58e6bf2c8bd97e57153ed28e64fd78207b8 , < 0d720c3f0a03e97867deab7e480ba3d3e19837ba (git) |
| Linux | Linux | Affected: 433fc58e6bf2c8bd97e57153ed28e64fd78207b8 , < 7aac8c63f604e6a6a46560c0f0188cd0332cf320 (git) |
| Linux | Linux | Affected: 433fc58e6bf2c8bd97e57153ed28e64fd78207b8 , < e6d0152c95108651f1880c1ddfab47cb9e3e62d0 (git) |
| Linux | Linux | Affected: 433fc58e6bf2c8bd97e57153ed28e64fd78207b8 , < b4a5905fd2ef841cd61e969ea692c213c2e5c1f7 (git) |
| Linux | Linux | Affected: 433fc58e6bf2c8bd97e57153ed28e64fd78207b8 , < e28a4e7f0296824c61a81e7fd54ab48bad3e75ad (git) |
| Linux | Linux | Affected: 433fc58e6bf2c8bd97e57153ed28e64fd78207b8 , < a99fc6d818161d6f1ff3307de8bf5237f6cc34d8 (git) |
| Linux | Linux | Affected: 433fc58e6bf2c8bd97e57153ed28e64fd78207b8 , < 36c9f340c60413e28f980c0224c4e9d35851526b (git) |
| Linux | Linux | Affected: 433fc58e6bf2c8bd97e57153ed28e64fd78207b8 , < 0e3f72931fc47bb81686020cc643cde5d9cd0bb8 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/vhost/vsock.c",
"net/vmw_vsock/virtio_transport_common.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0d720c3f0a03e97867deab7e480ba3d3e19837ba",
"status": "affected",
"version": "433fc58e6bf2c8bd97e57153ed28e64fd78207b8",
"versionType": "git"
},
{
"lessThan": "7aac8c63f604e6a6a46560c0f0188cd0332cf320",
"status": "affected",
"version": "433fc58e6bf2c8bd97e57153ed28e64fd78207b8",
"versionType": "git"
},
{
"lessThan": "e6d0152c95108651f1880c1ddfab47cb9e3e62d0",
"status": "affected",
"version": "433fc58e6bf2c8bd97e57153ed28e64fd78207b8",
"versionType": "git"
},
{
"lessThan": "b4a5905fd2ef841cd61e969ea692c213c2e5c1f7",
"status": "affected",
"version": "433fc58e6bf2c8bd97e57153ed28e64fd78207b8",
"versionType": "git"
},
{
"lessThan": "e28a4e7f0296824c61a81e7fd54ab48bad3e75ad",
"status": "affected",
"version": "433fc58e6bf2c8bd97e57153ed28e64fd78207b8",
"versionType": "git"
},
{
"lessThan": "a99fc6d818161d6f1ff3307de8bf5237f6cc34d8",
"status": "affected",
"version": "433fc58e6bf2c8bd97e57153ed28e64fd78207b8",
"versionType": "git"
},
{
"lessThan": "36c9f340c60413e28f980c0224c4e9d35851526b",
"status": "affected",
"version": "433fc58e6bf2c8bd97e57153ed28e64fd78207b8",
"versionType": "git"
},
{
"lessThan": "0e3f72931fc47bb81686020cc643cde5d9cd0bb8",
"status": "affected",
"version": "433fc58e6bf2c8bd97e57153ed28e64fd78207b8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/vhost/vsock.c",
"net/vmw_vsock/virtio_transport_common.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.296",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.262",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.220",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.296",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.262",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.220",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.150",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvhost/vsock: Use kvmalloc/kvfree for larger packets.\n\nWhen copying a large file over sftp over vsock, data size is usually 32kB,\nand kmalloc seems to fail to try to allocate 32 32kB regions.\n\n vhost-5837: page allocation failure: order:4, mode:0x24040c0\n Call Trace:\n [\u003cffffffffb6a0df64\u003e] dump_stack+0x97/0xdb\n [\u003cffffffffb68d6aed\u003e] warn_alloc_failed+0x10f/0x138\n [\u003cffffffffb68d868a\u003e] ? __alloc_pages_direct_compact+0x38/0xc8\n [\u003cffffffffb664619f\u003e] __alloc_pages_nodemask+0x84c/0x90d\n [\u003cffffffffb6646e56\u003e] alloc_kmem_pages+0x17/0x19\n [\u003cffffffffb6653a26\u003e] kmalloc_order_trace+0x2b/0xdb\n [\u003cffffffffb66682f3\u003e] __kmalloc+0x177/0x1f7\n [\u003cffffffffb66e0d94\u003e] ? copy_from_iter+0x8d/0x31d\n [\u003cffffffffc0689ab7\u003e] vhost_vsock_handle_tx_kick+0x1fa/0x301 [vhost_vsock]\n [\u003cffffffffc06828d9\u003e] vhost_worker+0xf7/0x157 [vhost]\n [\u003cffffffffb683ddce\u003e] kthread+0xfd/0x105\n [\u003cffffffffc06827e2\u003e] ? vhost_dev_set_owner+0x22e/0x22e [vhost]\n [\u003cffffffffb683dcd1\u003e] ? flush_kthread_worker+0xf3/0xf3\n [\u003cffffffffb6eb332e\u003e] ret_from_fork+0x4e/0x80\n [\u003cffffffffb683dcd1\u003e] ? flush_kthread_worker+0xf3/0xf3\n\nWork around by doing kvmalloc instead."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T14:21:07.563Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0d720c3f0a03e97867deab7e480ba3d3e19837ba"
},
{
"url": "https://git.kernel.org/stable/c/7aac8c63f604e6a6a46560c0f0188cd0332cf320"
},
{
"url": "https://git.kernel.org/stable/c/e6d0152c95108651f1880c1ddfab47cb9e3e62d0"
},
{
"url": "https://git.kernel.org/stable/c/b4a5905fd2ef841cd61e969ea692c213c2e5c1f7"
},
{
"url": "https://git.kernel.org/stable/c/e28a4e7f0296824c61a81e7fd54ab48bad3e75ad"
},
{
"url": "https://git.kernel.org/stable/c/a99fc6d818161d6f1ff3307de8bf5237f6cc34d8"
},
{
"url": "https://git.kernel.org/stable/c/36c9f340c60413e28f980c0224c4e9d35851526b"
},
{
"url": "https://git.kernel.org/stable/c/0e3f72931fc47bb81686020cc643cde5d9cd0bb8"
}
],
"title": "vhost/vsock: Use kvmalloc/kvfree for larger packets.",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50271",
"datePublished": "2025-09-15T14:21:07.563Z",
"dateReserved": "2025-09-15T13:58:00.975Z",
"dateUpdated": "2025-09-15T14:21:07.563Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53496 (GCVE-0-2023-53496)
Vulnerability from cvelistv5 – Published: 2025-10-01 11:45 – Updated: 2025-10-01 11:45
Title
x86/platform/uv: Use alternate source for socket to node data
Summary
In the Linux kernel, the following vulnerability has been resolved:

x86/platform/uv: Use alternate source for socket to node data

The UV code attempts to build a set of tables to allow it to do
bidirectional socket<=>node lookups.

But when nr_cpus is set to a smaller number than actually present, the
cpu_to_node() mapping information for unused CPUs is not available to
build_socket_tables(). This results in skipping some nodes or sockets
when creating the tables and leaving some -1's for later code to trip
over, causing oopses.

The problem is that the socket<=>node lookups are created by doing a
loop over all CPUs, then looking up the CPU's APICID and socket. But
if a CPU is not present, there is no way to start this lookup.

Instead of looping over all CPUs, take CPUs out of the equation
entirely. Loop over all APICIDs which are mapped to a valid NUMA node.
Then just extract the socket-id from the APICID.

This avoids tripping over disabled CPUs.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/kernel/apic/x2apic_uv_x.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0d01a0c3046d1545391ef7bb1f114743d00e3793",
"status": "affected",
"version": "8a50c58519271dd24ba760bb282875f6ad66ee71",
"versionType": "git"
},
{
"lessThan": "5290e88ba2c742ca77c5f5b690e5af549cfd8591",
"status": "affected",
"version": "8a50c58519271dd24ba760bb282875f6ad66ee71",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/kernel/apic/x2apic_uv_x.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.5"
},
{
"lessThan": "6.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.5",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/platform/uv: Use alternate source for socket to node data\n\nThe UV code attempts to build a set of tables to allow it to do\nbidirectional socket\u003c=\u003enode lookups.\n\nBut when nr_cpus is set to a smaller number than actually present, the\ncpu_to_node() mapping information for unused CPUs is not available to\nbuild_socket_tables(). This results in skipping some nodes or sockets\nwhen creating the tables and leaving some -1\u0027s for later code to trip.\nover, causing oopses.\n\nThe problem is that the socket\u003c=\u003enode lookups are created by doing a\nloop over all CPUs, then looking up the CPU\u0027s APICID and socket. But\nif a CPU is not present, there is no way to start this lookup.\n\nInstead of looping over all CPUs, take CPUs out of the equation\nentirely. Loop over all APICIDs which are mapped to a valid NUMA node.\nThen just extract the socket-id from the APICID.\n\nThis avoid tripping over disabled CPUs."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T11:45:47.807Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0d01a0c3046d1545391ef7bb1f114743d00e3793"
},
{
"url": "https://git.kernel.org/stable/c/5290e88ba2c742ca77c5f5b690e5af549cfd8591"
}
],
"title": "x86/platform/uv: Use alternate source for socket to node data",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53496",
"datePublished": "2025-10-01T11:45:47.807Z",
"dateReserved": "2025-10-01T11:39:39.403Z",
"dateUpdated": "2025-10-01T11:45:47.807Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50394 (GCVE-0-2022-50394)
Vulnerability from cvelistv5 – Published: 2025-09-18 13:33 – Updated: 2026-01-14 18:53
Title
i2c: ismt: Fix an out-of-bounds bug in ismt_access()
Summary
In the Linux kernel, the following vulnerability has been resolved:

i2c: ismt: Fix an out-of-bounds bug in ismt_access()

When the driver does not check the data from the user, the variable
'data->block[0]' may be very large to cause an out-of-bounds bug.

The following log can reveal it:

    [ 33.995542] i2c i2c-1: ioctl, cmd=0x720, arg=0x7ffcb3dc3a20
    [ 33.995978] ismt_smbus 0000:00:05.0: I2C_SMBUS_BLOCK_DATA: WRITE
    [ 33.996475] ==================================================================
    [ 33.996995] BUG: KASAN: out-of-bounds in ismt_access.cold+0x374/0x214b
    [ 33.997473] Read of size 18446744073709551615 at addr ffff88810efcfdb1 by task ismt_poc/485
    [ 33.999450] Call Trace:
    [ 34.001849] memcpy+0x20/0x60
    [ 34.002077] ismt_access.cold+0x374/0x214b
    [ 34.003382] __i2c_smbus_xfer+0x44f/0xfb0
    [ 34.004007] i2c_smbus_xfer+0x10a/0x390
    [ 34.004291] i2cdev_ioctl_smbus+0x2c8/0x710
    [ 34.005196] i2cdev_ioctl+0x5ec/0x74c

Fix this bug by checking the size of 'data->block[0]' first.
Severity ?
7.1 (High)
CWE
- CWE-125 - Out-of-bounds Read
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 13f35ac14cd0a9a1c4f0034c4c40d0ae98844ce9 , < 4a7bb1d93addb2f67e36fed00a53cb7f270d7b7a (git) |
| Linux | Linux | Affected: 13f35ac14cd0a9a1c4f0034c4c40d0ae98844ce9 , < 03b7ef7a6c5ca1ff553470166b4919db88b810f6 (git) |
| Linux | Linux | Affected: 13f35ac14cd0a9a1c4f0034c4c40d0ae98844ce9 , < bfe41d966c860a8ad4c735639d616da270c92735 (git) |
| Linux | Linux | Affected: 13f35ac14cd0a9a1c4f0034c4c40d0ae98844ce9 , < cdcbae2c5003747ddfd14e29db9c1d5d7e7c44dd (git) |
| Linux | Linux | Affected: 13f35ac14cd0a9a1c4f0034c4c40d0ae98844ce9 , < 9ac541a0898e8ec187a3fa7024b9701cffae6bf2 (git) |
| Linux | Linux | Affected: 13f35ac14cd0a9a1c4f0034c4c40d0ae98844ce9 , < 96c12fd0ec74641295e1c3c34dea3dce1b6c3422 (git) |
| Linux | Linux | Affected: 13f35ac14cd0a9a1c4f0034c4c40d0ae98844ce9 , < a642469d464b2780a25a49b51ae56623c65eac34 (git) |
| Linux | Linux | Affected: 13f35ac14cd0a9a1c4f0034c4c40d0ae98844ce9 , < 233348a04becf133283f0076e20b317302de21d9 (git) |
| Linux | Linux | Affected: 13f35ac14cd0a9a1c4f0034c4c40d0ae98844ce9 , < 39244cc754829bf707dccd12e2ce37510f5b1f8d (git) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-50394",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T18:51:21.854586Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T18:53:05.857Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/i2c/busses/i2c-ismt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4a7bb1d93addb2f67e36fed00a53cb7f270d7b7a",
"status": "affected",
"version": "13f35ac14cd0a9a1c4f0034c4c40d0ae98844ce9",
"versionType": "git"
},
{
"lessThan": "03b7ef7a6c5ca1ff553470166b4919db88b810f6",
"status": "affected",
"version": "13f35ac14cd0a9a1c4f0034c4c40d0ae98844ce9",
"versionType": "git"
},
{
"lessThan": "bfe41d966c860a8ad4c735639d616da270c92735",
"status": "affected",
"version": "13f35ac14cd0a9a1c4f0034c4c40d0ae98844ce9",
"versionType": "git"
},
{
"lessThan": "cdcbae2c5003747ddfd14e29db9c1d5d7e7c44dd",
"status": "affected",
"version": "13f35ac14cd0a9a1c4f0034c4c40d0ae98844ce9",
"versionType": "git"
},
{
"lessThan": "9ac541a0898e8ec187a3fa7024b9701cffae6bf2",
"status": "affected",
"version": "13f35ac14cd0a9a1c4f0034c4c40d0ae98844ce9",
"versionType": "git"
},
{
"lessThan": "96c12fd0ec74641295e1c3c34dea3dce1b6c3422",
"status": "affected",
"version": "13f35ac14cd0a9a1c4f0034c4c40d0ae98844ce9",
"versionType": "git"
},
{
"lessThan": "a642469d464b2780a25a49b51ae56623c65eac34",
"status": "affected",
"version": "13f35ac14cd0a9a1c4f0034c4c40d0ae98844ce9",
"versionType": "git"
},
{
"lessThan": "233348a04becf133283f0076e20b317302de21d9",
"status": "affected",
"version": "13f35ac14cd0a9a1c4f0034c4c40d0ae98844ce9",
"versionType": "git"
},
{
"lessThan": "39244cc754829bf707dccd12e2ce37510f5b1f8d",
"status": "affected",
"version": "13f35ac14cd0a9a1c4f0034c4c40d0ae98844ce9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/i2c/busses/i2c-ismt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.9"
},
{
"lessThan": "3.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "3.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: ismt: Fix an out-of-bounds bug in ismt_access()\n\nWhen the driver does not check the data from the user, the variable\n\u0027data-\u003eblock[0]\u0027 may be very large to cause an out-of-bounds bug.\n\nThe following log can reveal it:\n\n[ 33.995542] i2c i2c-1: ioctl, cmd=0x720, arg=0x7ffcb3dc3a20\n[ 33.995978] ismt_smbus 0000:00:05.0: I2C_SMBUS_BLOCK_DATA: WRITE\n[ 33.996475] ==================================================================\n[ 33.996995] BUG: KASAN: out-of-bounds in ismt_access.cold+0x374/0x214b\n[ 33.997473] Read of size 18446744073709551615 at addr ffff88810efcfdb1 by task ismt_poc/485\n[ 33.999450] Call Trace:\n[ 34.001849] memcpy+0x20/0x60\n[ 34.002077] ismt_access.cold+0x374/0x214b\n[ 34.003382] __i2c_smbus_xfer+0x44f/0xfb0\n[ 34.004007] i2c_smbus_xfer+0x10a/0x390\n[ 34.004291] i2cdev_ioctl_smbus+0x2c8/0x710\n[ 34.005196] i2cdev_ioctl+0x5ec/0x74c\n\nFix this bug by checking the size of \u0027data-\u003eblock[0]\u0027 first."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-18T13:33:12.992Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4a7bb1d93addb2f67e36fed00a53cb7f270d7b7a"
},
{
"url": "https://git.kernel.org/stable/c/03b7ef7a6c5ca1ff553470166b4919db88b810f6"
},
{
"url": "https://git.kernel.org/stable/c/bfe41d966c860a8ad4c735639d616da270c92735"
},
{
"url": "https://git.kernel.org/stable/c/cdcbae2c5003747ddfd14e29db9c1d5d7e7c44dd"
},
{
"url": "https://git.kernel.org/stable/c/9ac541a0898e8ec187a3fa7024b9701cffae6bf2"
},
{
"url": "https://git.kernel.org/stable/c/96c12fd0ec74641295e1c3c34dea3dce1b6c3422"
},
{
"url": "https://git.kernel.org/stable/c/a642469d464b2780a25a49b51ae56623c65eac34"
},
{
"url": "https://git.kernel.org/stable/c/233348a04becf133283f0076e20b317302de21d9"
},
{
"url": "https://git.kernel.org/stable/c/39244cc754829bf707dccd12e2ce37510f5b1f8d"
}
],
"title": "i2c: ismt: Fix an out-of-bounds bug in ismt_access()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50394",
"datePublished": "2025-09-18T13:33:12.992Z",
"dateReserved": "2025-09-17T14:53:06.998Z",
"dateUpdated": "2026-01-14T18:53:05.857Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53221 (GCVE-0-2023-53221)
Vulnerability from cvelistv5 – Published: 2025-09-15 14:21 – Updated: 2026-01-14 17:52
Title
bpf: Fix memleak due to fentry attach failure
Summary
In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix memleak due to fentry attach failure

If it fails to attach fentry, the allocated bpf trampoline image will be
left in the system. That can be verified by checking /proc/kallsyms.

This memleak can be verified by a simple bpf program as follows:

    SEC("fentry/trap_init")
    int fentry_run()
    {
        return 0;
    }

It will fail to attach trap_init because this function is freed after
kernel init, and then we can find the trampoline image is left in the
system by checking /proc/kallsyms.

    $ tail /proc/kallsyms
    ffffffffc0613000 t bpf_trampoline_6442453466_1 [bpf]
    ffffffffc06c3000 t bpf_trampoline_6442453466_1 [bpf]

    $ bpftool btf dump file /sys/kernel/btf/vmlinux | grep "FUNC 'trap_init'"
    [2522] FUNC 'trap_init' type_id=119 linkage=static

    $ echo $((6442453466 & 0x7fffffff))
    2522

Note that there are two left bpf trampoline images, that is because the
libbpf will fall back to raw tracepoint if -EINVAL is returned.
Severity ?
5.5 (Medium)
CWE
- CWE-401 - Missing Release of Memory after Effective Lifetime
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: e21aa341785c679dd409c8cb71f864c00fe6c463 , < 20109ddd5bea2c24d790debf5d02584ef24c3f5e (git) |
| Linux | Linux | Affected: e21aa341785c679dd409c8cb71f864c00fe6c463 , < f72c67d1a82dada7d6d504c806e111e913721a30 (git) |
| Linux | Linux | Affected: e21aa341785c679dd409c8cb71f864c00fe6c463 , < 6aa27775db63ba8c7c73891c7dfb71ddc230c48d (git) |
| Linux | Linux | Affected: e21aa341785c679dd409c8cb71f864c00fe6c463 , < 108598c39eefbedc9882273ac0df96127a629220 (git) |
| Linux | Linux | Affected: e21d2b92354b3cd25dd774ebb0f0e52ff04a7861 (git) |
| Linux | Linux | Affected: 85d177f56e5256e14b74a65940f981f6e3e8bb32 (git) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-53221",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T17:50:19.613865Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T17:52:59.043Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/bpf/trampoline.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "20109ddd5bea2c24d790debf5d02584ef24c3f5e",
"status": "affected",
"version": "e21aa341785c679dd409c8cb71f864c00fe6c463",
"versionType": "git"
},
{
"lessThan": "f72c67d1a82dada7d6d504c806e111e913721a30",
"status": "affected",
"version": "e21aa341785c679dd409c8cb71f864c00fe6c463",
"versionType": "git"
},
{
"lessThan": "6aa27775db63ba8c7c73891c7dfb71ddc230c48d",
"status": "affected",
"version": "e21aa341785c679dd409c8cb71f864c00fe6c463",
"versionType": "git"
},
{
"lessThan": "108598c39eefbedc9882273ac0df96127a629220",
"status": "affected",
"version": "e21aa341785c679dd409c8cb71f864c00fe6c463",
"versionType": "git"
},
{
"status": "affected",
"version": "e21d2b92354b3cd25dd774ebb0f0e52ff04a7861",
"versionType": "git"
},
{
"status": "affected",
"version": "85d177f56e5256e14b74a65940f981f6e3e8bb32",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/bpf/trampoline.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.10.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.11.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix memleak due to fentry attach failure\n\nIf it fails to attach fentry, the allocated bpf trampoline image will be\nleft in the system. That can be verified by checking /proc/kallsyms.\n\nThis meamleak can be verified by a simple bpf program as follows:\n\n SEC(\"fentry/trap_init\")\n int fentry_run()\n {\n return 0;\n }\n\nIt will fail to attach trap_init because this function is freed after\nkernel init, and then we can find the trampoline image is left in the\nsystem by checking /proc/kallsyms.\n\n $ tail /proc/kallsyms\n ffffffffc0613000 t bpf_trampoline_6442453466_1 [bpf]\n ffffffffc06c3000 t bpf_trampoline_6442453466_1 [bpf]\n\n $ bpftool btf dump file /sys/kernel/btf/vmlinux | grep \"FUNC \u0027trap_init\u0027\"\n [2522] FUNC \u0027trap_init\u0027 type_id=119 linkage=static\n\n $ echo $((6442453466 \u0026 0x7fffffff))\n 2522\n\nNote that there are two left bpf trampoline images, that is because the\nlibbpf will fallback to raw tracepoint if -EINVAL is returned."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T14:21:50.053Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/20109ddd5bea2c24d790debf5d02584ef24c3f5e"
},
{
"url": "https://git.kernel.org/stable/c/f72c67d1a82dada7d6d504c806e111e913721a30"
},
{
"url": "https://git.kernel.org/stable/c/6aa27775db63ba8c7c73891c7dfb71ddc230c48d"
},
{
"url": "https://git.kernel.org/stable/c/108598c39eefbedc9882273ac0df96127a629220"
}
],
"title": "bpf: Fix memleak due to fentry attach failure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53221",
"datePublished": "2025-09-15T14:21:50.053Z",
"dateReserved": "2025-09-15T14:19:21.845Z",
"dateUpdated": "2026-01-14T17:52:59.043Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53369 (GCVE-0-2023-53369)
Vulnerability from cvelistv5 – Published: 2025-09-18 13:33 – Updated: 2026-01-14 19:03
Title
net: dcb: choose correct policy to parse DCB_ATTR_BCN
Summary
In the Linux kernel, the following vulnerability has been resolved:

net: dcb: choose correct policy to parse DCB_ATTR_BCN

The dcbnl_bcn_setcfg uses erroneous policy to parse tb[DCB_ATTR_BCN],
which is introduced in commit 859ee3c43812 ("DCB: Add support for DCB
BCN"). Please see the comment in the code below:

    static int dcbnl_bcn_setcfg(...)
    {
        ...
        ret = nla_parse_nested_deprecated(..., dcbnl_pfc_up_nest, .. )
        // !!! dcbnl_pfc_up_nest for attributes
        // DCB_PFC_UP_ATTR_0 to DCB_PFC_UP_ATTR_ALL in enum dcbnl_pfc_up_attrs
        ...
        for (i = DCB_BCN_ATTR_RP_0; i <= DCB_BCN_ATTR_RP_7; i++) {
            // !!! DCB_BCN_ATTR_RP_0 to DCB_BCN_ATTR_RP_7 in enum dcbnl_bcn_attrs
            ...
            value_byte = nla_get_u8(data[i]);
            ...
        }
        ...
        for (i = DCB_BCN_ATTR_BCNA_0; i <= DCB_BCN_ATTR_RI; i++) {
            // !!! DCB_BCN_ATTR_BCNA_0 to DCB_BCN_ATTR_RI in enum dcbnl_bcn_attrs
            ...
            value_int = nla_get_u32(data[i]);
            ...
        }
        ...
    }

That is, the nla_parse_nested_deprecated uses dcbnl_pfc_up_nest
attributes to parse nlattr defined in dcbnl_pfc_up_attrs. But the
following access code fetches each nlattr as dcbnl_bcn_attrs attributes.
By looking up the associated nla_policy for dcbnl_bcn_attrs, we can find
the beginning part of these two policies are "same".

    static const struct nla_policy dcbnl_pfc_up_nest[...] = {
        [DCB_PFC_UP_ATTR_0] = {.type = NLA_U8},
        [DCB_PFC_UP_ATTR_1] = {.type = NLA_U8},
        [DCB_PFC_UP_ATTR_2] = {.type = NLA_U8},
        [DCB_PFC_UP_ATTR_3] = {.type = NLA_U8},
        [DCB_PFC_UP_ATTR_4] = {.type = NLA_U8},
        [DCB_PFC_UP_ATTR_5] = {.type = NLA_U8},
        [DCB_PFC_UP_ATTR_6] = {.type = NLA_U8},
        [DCB_PFC_UP_ATTR_7] = {.type = NLA_U8},
        [DCB_PFC_UP_ATTR_ALL] = {.type = NLA_FLAG},
    };

    static const struct nla_policy dcbnl_bcn_nest[...] = {
        [DCB_BCN_ATTR_RP_0] = {.type = NLA_U8},
        [DCB_BCN_ATTR_RP_1] = {.type = NLA_U8},
        [DCB_BCN_ATTR_RP_2] = {.type = NLA_U8},
        [DCB_BCN_ATTR_RP_3] = {.type = NLA_U8},
        [DCB_BCN_ATTR_RP_4] = {.type = NLA_U8},
        [DCB_BCN_ATTR_RP_5] = {.type = NLA_U8},
        [DCB_BCN_ATTR_RP_6] = {.type = NLA_U8},
        [DCB_BCN_ATTR_RP_7] = {.type = NLA_U8},
        [DCB_BCN_ATTR_RP_ALL] = {.type = NLA_FLAG},
        // from here is somewhat different
        [DCB_BCN_ATTR_BCNA_0] = {.type = NLA_U32},
        ...
        [DCB_BCN_ATTR_ALL] = {.type = NLA_FLAG},
    };

Therefore, the current code is buggy and this
nla_parse_nested_deprecated could overflow the dcbnl_pfc_up_nest and use
the adjacent nla_policy to parse attributes from DCB_BCN_ATTR_BCNA_0.

Hence use the correct policy dcbnl_bcn_nest to parse the nested
tb[DCB_ATTR_BCN] TLV.
Severity ?
5.5 (Medium)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 859ee3c43812051e21816c6d6d4cc04fb7ce9b2e, < 5b3dbedb8d4a0f9f7ce904d76b885438af2a21f9 (git) |
| Linux | Linux | Affected: 859ee3c43812051e21816c6d6d4cc04fb7ce9b2e, < 8e309f43d0ca4051d20736c06a6f84bbddd881da (git) |
| Linux | Linux | Affected: 859ee3c43812051e21816c6d6d4cc04fb7ce9b2e, < a0da2684db18dead3bcee12fb185e596e3d63c2b (git) |
| Linux | Linux | Affected: 859ee3c43812051e21816c6d6d4cc04fb7ce9b2e, < ecff20e193207b44fdbfe64d7de89890f0a7fe6c (git) |
| Linux | Linux | Affected: 859ee3c43812051e21816c6d6d4cc04fb7ce9b2e, < 199fde04bd875d28b3a5ca525eaaa004eec6e947 (git) |
| Linux | Linux | Affected: 859ee3c43812051e21816c6d6d4cc04fb7ce9b2e, < 31d49ba033095f6e8158c60f69714a500922e0c3 (git) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-53369",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T18:53:02.602085Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T19:03:02.451Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/dcb/dcbnl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5b3dbedb8d4a0f9f7ce904d76b885438af2a21f9",
"status": "affected",
"version": "859ee3c43812051e21816c6d6d4cc04fb7ce9b2e",
"versionType": "git"
},
{
"lessThan": "8e309f43d0ca4051d20736c06a6f84bbddd881da",
"status": "affected",
"version": "859ee3c43812051e21816c6d6d4cc04fb7ce9b2e",
"versionType": "git"
},
{
"lessThan": "a0da2684db18dead3bcee12fb185e596e3d63c2b",
"status": "affected",
"version": "859ee3c43812051e21816c6d6d4cc04fb7ce9b2e",
"versionType": "git"
},
{
"lessThan": "ecff20e193207b44fdbfe64d7de89890f0a7fe6c",
"status": "affected",
"version": "859ee3c43812051e21816c6d6d4cc04fb7ce9b2e",
"versionType": "git"
},
{
"lessThan": "199fde04bd875d28b3a5ca525eaaa004eec6e947",
"status": "affected",
"version": "859ee3c43812051e21816c6d6d4cc04fb7ce9b2e",
"versionType": "git"
},
{
"lessThan": "31d49ba033095f6e8158c60f69714a500922e0c3",
"status": "affected",
"version": "859ee3c43812051e21816c6d6d4cc04fb7ce9b2e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/dcb/dcbnl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.29"
},
{
"lessThan": "2.6.29",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.126",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.45",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.253",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.190",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.126",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.45",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.10",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "2.6.29",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dcb: choose correct policy to parse DCB_ATTR_BCN\n\nThe dcbnl_bcn_setcfg uses erroneous policy to parse tb[DCB_ATTR_BCN],\nwhich is introduced in commit 859ee3c43812 (\"DCB: Add support for DCB\nBCN\"). Please see the comment in below code\n\nstatic int dcbnl_bcn_setcfg(...)\n{\n ...\n ret = nla_parse_nested_deprecated(..., dcbnl_pfc_up_nest, .. )\n // !!! dcbnl_pfc_up_nest for attributes\n // DCB_PFC_UP_ATTR_0 to DCB_PFC_UP_ATTR_ALL in enum dcbnl_pfc_up_attrs\n ...\n for (i = DCB_BCN_ATTR_RP_0; i \u003c= DCB_BCN_ATTR_RP_7; i++) {\n // !!! DCB_BCN_ATTR_RP_0 to DCB_BCN_ATTR_RP_7 in enum dcbnl_bcn_attrs\n ...\n value_byte = nla_get_u8(data[i]);\n ...\n }\n ...\n for (i = DCB_BCN_ATTR_BCNA_0; i \u003c= DCB_BCN_ATTR_RI; i++) {\n // !!! DCB_BCN_ATTR_BCNA_0 to DCB_BCN_ATTR_RI in enum dcbnl_bcn_attrs\n ...\n value_int = nla_get_u32(data[i]);\n ...\n }\n ...\n}\n\nThat is, the nla_parse_nested_deprecated uses dcbnl_pfc_up_nest\nattributes to parse nlattr defined in dcbnl_pfc_up_attrs. But the\nfollowing access code fetch each nlattr as dcbnl_bcn_attrs attributes.\nBy looking up the associated nla_policy for dcbnl_bcn_attrs. We can find\nthe beginning part of these two policies are \"same\".\n\nstatic const struct nla_policy dcbnl_pfc_up_nest[...] = {\n [DCB_PFC_UP_ATTR_0] = {.type = NLA_U8},\n [DCB_PFC_UP_ATTR_1] = {.type = NLA_U8},\n [DCB_PFC_UP_ATTR_2] = {.type = NLA_U8},\n [DCB_PFC_UP_ATTR_3] = {.type = NLA_U8},\n [DCB_PFC_UP_ATTR_4] = {.type = NLA_U8},\n [DCB_PFC_UP_ATTR_5] = {.type = NLA_U8},\n [DCB_PFC_UP_ATTR_6] = {.type = NLA_U8},\n [DCB_PFC_UP_ATTR_7] = {.type = NLA_U8},\n [DCB_PFC_UP_ATTR_ALL] = {.type = NLA_FLAG},\n};\n\nstatic const struct nla_policy dcbnl_bcn_nest[...] 
= {\n [DCB_BCN_ATTR_RP_0] = {.type = NLA_U8},\n [DCB_BCN_ATTR_RP_1] = {.type = NLA_U8},\n [DCB_BCN_ATTR_RP_2] = {.type = NLA_U8},\n [DCB_BCN_ATTR_RP_3] = {.type = NLA_U8},\n [DCB_BCN_ATTR_RP_4] = {.type = NLA_U8},\n [DCB_BCN_ATTR_RP_5] = {.type = NLA_U8},\n [DCB_BCN_ATTR_RP_6] = {.type = NLA_U8},\n [DCB_BCN_ATTR_RP_7] = {.type = NLA_U8},\n [DCB_BCN_ATTR_RP_ALL] = {.type = NLA_FLAG},\n // from here is somewhat different\n [DCB_BCN_ATTR_BCNA_0] = {.type = NLA_U32},\n ...\n [DCB_BCN_ATTR_ALL] = {.type = NLA_FLAG},\n};\n\nTherefore, the current code is buggy and this\nnla_parse_nested_deprecated could overflow the dcbnl_pfc_up_nest and use\nthe adjacent nla_policy to parse attributes from DCB_BCN_ATTR_BCNA_0.\n\nHence use the correct policy dcbnl_bcn_nest to parse the nested\ntb[DCB_ATTR_BCN] TLV."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-18T13:33:17.384Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5b3dbedb8d4a0f9f7ce904d76b885438af2a21f9"
},
{
"url": "https://git.kernel.org/stable/c/8e309f43d0ca4051d20736c06a6f84bbddd881da"
},
{
"url": "https://git.kernel.org/stable/c/a0da2684db18dead3bcee12fb185e596e3d63c2b"
},
{
"url": "https://git.kernel.org/stable/c/ecff20e193207b44fdbfe64d7de89890f0a7fe6c"
},
{
"url": "https://git.kernel.org/stable/c/199fde04bd875d28b3a5ca525eaaa004eec6e947"
},
{
"url": "https://git.kernel.org/stable/c/31d49ba033095f6e8158c60f69714a500922e0c3"
}
],
"title": "net: dcb: choose correct policy to parse DCB_ATTR_BCN",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53369",
"datePublished": "2025-09-18T13:33:17.384Z",
"dateReserved": "2025-09-17T14:54:09.734Z",
"dateUpdated": "2026-01-14T19:03:02.451Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38583 (GCVE-0-2025-38583)
Vulnerability from cvelistv5 – Published: 2025-08-19 17:03 – Updated: 2025-11-03 17:40
Title
clk: xilinx: vcu: unregister pll_post only if registered correctly
Summary
In the Linux kernel, the following vulnerability has been resolved:
clk: xilinx: vcu: unregister pll_post only if registered correctly
If registration of pll_post fails, it will be set to NULL or ERR, and
unregistering it will fail with the following call trace:

    Unable to handle kernel NULL pointer dereference at virtual address 008
    pc : clk_hw_unregister+0xc/0x20
    lr : clk_hw_unregister_fixed_factor+0x18/0x30
    sp : ffff800011923850
    ...
    Call trace:
     clk_hw_unregister+0xc/0x20
     clk_hw_unregister_fixed_factor+0x18/0x30
     xvcu_unregister_clock_provider+0xcc/0xf4 [xlnx_vcu]
     xvcu_probe+0x2bc/0x53c [xlnx_vcu]

Severity ?
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 4472e1849db7f719bbf625890096e0269b5849fe, < 7e903da71f8bec4beb7c06707900e1ed8db843ca (git) |
| Linux | Linux | Affected: 4472e1849db7f719bbf625890096e0269b5849fe, < 88bd875b7f9c3652c27d6e4bb7a23701b764f762 (git) |
| Linux | Linux | Affected: 4472e1849db7f719bbf625890096e0269b5849fe, < 51990eecf22f446550befdfd1a9f54147eafd636 (git) |
| Linux | Linux | Affected: 4472e1849db7f719bbf625890096e0269b5849fe, < f1a1be99d5ae53d3b404415f1665eb59e8e02a8c (git) |
| Linux | Linux | Affected: 4472e1849db7f719bbf625890096e0269b5849fe, < 86124c5cfceb5ac04d2fddbf1b6f7147332d96a3 (git) |
| Linux | Linux | Affected: 4472e1849db7f719bbf625890096e0269b5849fe, < a72b1c2d3b53e088bfaeb593949ff6fbd2cbe8ed (git) |
| Linux | Linux | Affected: 4472e1849db7f719bbf625890096e0269b5849fe, < 3b0abc443ac22f7d4f61ddbbbbc5dbb06c87139d (git) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:40:11.610Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/clk/xilinx/xlnx_vcu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7e903da71f8bec4beb7c06707900e1ed8db843ca",
"status": "affected",
"version": "4472e1849db7f719bbf625890096e0269b5849fe",
"versionType": "git"
},
{
"lessThan": "88bd875b7f9c3652c27d6e4bb7a23701b764f762",
"status": "affected",
"version": "4472e1849db7f719bbf625890096e0269b5849fe",
"versionType": "git"
},
{
"lessThan": "51990eecf22f446550befdfd1a9f54147eafd636",
"status": "affected",
"version": "4472e1849db7f719bbf625890096e0269b5849fe",
"versionType": "git"
},
{
"lessThan": "f1a1be99d5ae53d3b404415f1665eb59e8e02a8c",
"status": "affected",
"version": "4472e1849db7f719bbf625890096e0269b5849fe",
"versionType": "git"
},
{
"lessThan": "86124c5cfceb5ac04d2fddbf1b6f7147332d96a3",
"status": "affected",
"version": "4472e1849db7f719bbf625890096e0269b5849fe",
"versionType": "git"
},
{
"lessThan": "a72b1c2d3b53e088bfaeb593949ff6fbd2cbe8ed",
"status": "affected",
"version": "4472e1849db7f719bbf625890096e0269b5849fe",
"versionType": "git"
},
{
"lessThan": "3b0abc443ac22f7d4f61ddbbbbc5dbb06c87139d",
"status": "affected",
"version": "4472e1849db7f719bbf625890096e0269b5849fe",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/clk/xilinx/xlnx_vcu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.148",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.102",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.148",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.102",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.42",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.10",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: xilinx: vcu: unregister pll_post only if registered correctly\n\nIf registration of pll_post is failed, it will be set to NULL or ERR,\nunregistering same will fail with following call trace:\n\nUnable to handle kernel NULL pointer dereference at virtual address 008\npc : clk_hw_unregister+0xc/0x20\nlr : clk_hw_unregister_fixed_factor+0x18/0x30\nsp : ffff800011923850\n...\nCall trace:\n clk_hw_unregister+0xc/0x20\n clk_hw_unregister_fixed_factor+0x18/0x30\n xvcu_unregister_clock_provider+0xcc/0xf4 [xlnx_vcu]\n xvcu_probe+0x2bc/0x53c [xlnx_vcu]"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:54:14.851Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7e903da71f8bec4beb7c06707900e1ed8db843ca"
},
{
"url": "https://git.kernel.org/stable/c/88bd875b7f9c3652c27d6e4bb7a23701b764f762"
},
{
"url": "https://git.kernel.org/stable/c/51990eecf22f446550befdfd1a9f54147eafd636"
},
{
"url": "https://git.kernel.org/stable/c/f1a1be99d5ae53d3b404415f1665eb59e8e02a8c"
},
{
"url": "https://git.kernel.org/stable/c/86124c5cfceb5ac04d2fddbf1b6f7147332d96a3"
},
{
"url": "https://git.kernel.org/stable/c/a72b1c2d3b53e088bfaeb593949ff6fbd2cbe8ed"
},
{
"url": "https://git.kernel.org/stable/c/3b0abc443ac22f7d4f61ddbbbbc5dbb06c87139d"
}
],
"title": "clk: xilinx: vcu: unregister pll_post only if registered correctly",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38583",
"datePublished": "2025-08-19T17:03:05.340Z",
"dateReserved": "2025-04-16T04:51:24.026Z",
"dateUpdated": "2025-11-03T17:40:11.610Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53422 (GCVE-0-2023-53422)
Vulnerability from cvelistv5 – Published: 2025-09-18 16:04 – Updated: 2026-01-14 19:13
Title
wifi: iwlwifi: fw: fix memory leak in debugfs
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: iwlwifi: fw: fix memory leak in debugfs
Fix a memory leak that occurs when reading the fw_info
file all the way, since we return NULL indicating no
more data, but don't free the status tracking object.
Severity ?
5.5 (Medium)
CWE
- CWE-401 - Missing Release of Memory after Effective Lifetime
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 36dfe9ac6e8b8fc2e25733d003a867a40db791da, < 89496d6cff297c88fe0286a440c380ceb172da2b (git) |
| Linux | Linux | Affected: 36dfe9ac6e8b8fc2e25733d003a867a40db791da, < e302e9ca14a86a80eadfb24a34d8675aadaf3ef3 (git) |
| Linux | Linux | Affected: 36dfe9ac6e8b8fc2e25733d003a867a40db791da, < 37f64bc8e001f216566d17ef9fd5608c762ebcd4 (git) |
| Linux | Linux | Affected: 36dfe9ac6e8b8fc2e25733d003a867a40db791da, < fe17124282da055cb2e53f0131521459b5c7866c (git) |
| Linux | Linux | Affected: 36dfe9ac6e8b8fc2e25733d003a867a40db791da, < b830ba20b43be52eae7d4087b61a0079dec56820 (git) |
| Linux | Linux | Affected: 36dfe9ac6e8b8fc2e25733d003a867a40db791da, < 3d90d2f4a018fe8cfd65068bc6350b6222be4852 (git) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-53422",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T19:12:28.963485Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T19:13:10.786Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/intel/iwlwifi/fw/debugfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "89496d6cff297c88fe0286a440c380ceb172da2b",
"status": "affected",
"version": "36dfe9ac6e8b8fc2e25733d003a867a40db791da",
"versionType": "git"
},
{
"lessThan": "e302e9ca14a86a80eadfb24a34d8675aadaf3ef3",
"status": "affected",
"version": "36dfe9ac6e8b8fc2e25733d003a867a40db791da",
"versionType": "git"
},
{
"lessThan": "37f64bc8e001f216566d17ef9fd5608c762ebcd4",
"status": "affected",
"version": "36dfe9ac6e8b8fc2e25733d003a867a40db791da",
"versionType": "git"
},
{
"lessThan": "fe17124282da055cb2e53f0131521459b5c7866c",
"status": "affected",
"version": "36dfe9ac6e8b8fc2e25733d003a867a40db791da",
"versionType": "git"
},
{
"lessThan": "b830ba20b43be52eae7d4087b61a0079dec56820",
"status": "affected",
"version": "36dfe9ac6e8b8fc2e25733d003a867a40db791da",
"versionType": "git"
},
{
"lessThan": "3d90d2f4a018fe8cfd65068bc6350b6222be4852",
"status": "affected",
"version": "36dfe9ac6e8b8fc2e25733d003a867a40db791da",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/intel/iwlwifi/fw/debugfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.180",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.28",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.180",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.111",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.28",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.15",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.2",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: fw: fix memory leak in debugfs\n\nFix a memory leak that occurs when reading the fw_info\nfile all the way, since we return NULL indicating no\nmore data, but don\u0027t free the status tracking object."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-18T16:04:05.224Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/89496d6cff297c88fe0286a440c380ceb172da2b"
},
{
"url": "https://git.kernel.org/stable/c/e302e9ca14a86a80eadfb24a34d8675aadaf3ef3"
},
{
"url": "https://git.kernel.org/stable/c/37f64bc8e001f216566d17ef9fd5608c762ebcd4"
},
{
"url": "https://git.kernel.org/stable/c/fe17124282da055cb2e53f0131521459b5c7866c"
},
{
"url": "https://git.kernel.org/stable/c/b830ba20b43be52eae7d4087b61a0079dec56820"
},
{
"url": "https://git.kernel.org/stable/c/3d90d2f4a018fe8cfd65068bc6350b6222be4852"
}
],
"title": "wifi: iwlwifi: fw: fix memory leak in debugfs",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53422",
"datePublished": "2025-09-18T16:04:05.224Z",
"dateReserved": "2025-09-17T14:54:09.741Z",
"dateUpdated": "2026-01-14T19:13:10.786Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39848 (GCVE-0-2025-39848)
Vulnerability from cvelistv5 – Published: 2025-09-19 15:26 – Updated: 2025-11-03 17:44
Title
ax25: properly unshare skbs in ax25_kiss_rcv()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ax25: properly unshare skbs in ax25_kiss_rcv()
Bernard Pidoux reported a regression apparently caused by commit
c353e8983e0d ("net: introduce per netns packet chains").
skb->dev becomes NULL and we crash in __netif_receive_skb_core().
Before the above commit, different kinds of bugs or corruptions could happen
without a major crash.
But the root cause is that ax25_kiss_rcv() can queue/mangle input skb
without checking if this skb is shared or not.
Many thanks to Bernard Pidoux for his help, diagnosis and tests.
We had a similar issue years ago, fixed with commit 7aaed57c5c28
("phonet: properly unshare skbs in phonet_rcv()").
Severity ?
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 42b46684e2c78ee052d8c2ee8d9c2089233c9094 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 5b079be1b9da49ad88fc304c874d4be7085f7883 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 2bd0f67212908243ce88e35bf69fa77155b47b14 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 01a2984cb803f2d487b7074f9718db2bf3531f69 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 7d449b7a6c8ee434d10a483feed7c5c50108cf56 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 89064cf534bea4bb28c83fe6bbb26657b19dd5fe (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < b1c71d674a308d2fbc83efcf88bfc4217a86aa17 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 8156210d36a43e76372312c87eb5ea3dbb405a85 (git) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:44:06.959Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ax25/ax25_in.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "42b46684e2c78ee052d8c2ee8d9c2089233c9094",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5b079be1b9da49ad88fc304c874d4be7085f7883",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2bd0f67212908243ce88e35bf69fa77155b47b14",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "01a2984cb803f2d487b7074f9718db2bf3531f69",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7d449b7a6c8ee434d10a483feed7c5c50108cf56",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "89064cf534bea4bb28c83fe6bbb26657b19dd5fe",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b1c71d674a308d2fbc83efcf88bfc4217a86aa17",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8156210d36a43e76372312c87eb5ea3dbb405a85",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ax25/ax25_in.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.299",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.243",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.192",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.151",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.105",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.299",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.243",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.192",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.151",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.105",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nax25: properly unshare skbs in ax25_kiss_rcv()\n\nBernard Pidoux reported a regression apparently caused by commit\nc353e8983e0d (\"net: introduce per netns packet chains\").\n\nskb-\u003edev becomes NULL and we crash in __netif_receive_skb_core().\n\nBefore above commit, different kind of bugs or corruptions could happen\nwithout a major crash.\n\nBut the root cause is that ax25_kiss_rcv() can queue/mangle input skb\nwithout checking if this skb is shared or not.\n\nMany thanks to Bernard Pidoux for his help, diagnosis and tests.\n\nWe had a similar issue years ago fixed with commit 7aaed57c5c28\n(\"phonet: properly unshare skbs in phonet_rcv()\")."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:00:58.643Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/42b46684e2c78ee052d8c2ee8d9c2089233c9094"
},
{
"url": "https://git.kernel.org/stable/c/5b079be1b9da49ad88fc304c874d4be7085f7883"
},
{
"url": "https://git.kernel.org/stable/c/2bd0f67212908243ce88e35bf69fa77155b47b14"
},
{
"url": "https://git.kernel.org/stable/c/01a2984cb803f2d487b7074f9718db2bf3531f69"
},
{
"url": "https://git.kernel.org/stable/c/7d449b7a6c8ee434d10a483feed7c5c50108cf56"
},
{
"url": "https://git.kernel.org/stable/c/89064cf534bea4bb28c83fe6bbb26657b19dd5fe"
},
{
"url": "https://git.kernel.org/stable/c/b1c71d674a308d2fbc83efcf88bfc4217a86aa17"
},
{
"url": "https://git.kernel.org/stable/c/8156210d36a43e76372312c87eb5ea3dbb405a85"
}
],
"title": "ax25: properly unshare skbs in ax25_kiss_rcv()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39848",
"datePublished": "2025-09-19T15:26:21.403Z",
"dateReserved": "2025-04-16T07:20:57.142Z",
"dateUpdated": "2025-11-03T17:44:06.959Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39686 (GCVE-0-2025-39686)
Vulnerability from cvelistv5 – Published: 2025-09-05 17:20 – Updated: 2025-11-03 17:42
Title
comedi: Make insn_rw_emulate_bits() do insn->n samples
Summary
In the Linux kernel, the following vulnerability has been resolved:
comedi: Make insn_rw_emulate_bits() do insn->n samples
The `insn_rw_emulate_bits()` function is used as a default handler for
`INSN_READ` instructions for subdevices that have a handler for
`INSN_BITS` but not for `INSN_READ`. Similarly, it is used as a default
handler for `INSN_WRITE` instructions for subdevices that have a handler
for `INSN_BITS` but not for `INSN_WRITE`. It works by emulating the
`INSN_READ` or `INSN_WRITE` instruction handling with a constructed
`INSN_BITS` instruction. However, `INSN_READ` and `INSN_WRITE`
instructions are supposed to be able to read or write multiple samples,
indicated by the `insn->n` value, but `insn_rw_emulate_bits()` currently
only handles a single sample. For `INSN_READ`, the comedi core will
copy `insn->n` samples back to user-space. (That triggered KASAN
kernel-infoleak errors when `insn->n` was greater than 1, but that is
being fixed more generally elsewhere in the comedi core.)
Make `insn_rw_emulate_bits()` either handle `insn->n` samples, or return
an error, to conform to the general expectation for `INSN_READ` and
`INSN_WRITE` handlers.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: ed9eccbe8970f6eedc1b978c157caf1251a896d4 , < ab77e85bd3bc006ef40738f26f446a660813da44 (git) |
| Linux | Linux | Affected: ed9eccbe8970f6eedc1b978c157caf1251a896d4 , < ae8bc1f07bcb31b8636420e03d1f9c3df6219a2b (git) |
| Linux | Linux | Affected: ed9eccbe8970f6eedc1b978c157caf1251a896d4 , < 842f307a1d115b24f2bcb2415c4e344f11f55930 (git) |
| Linux | Linux | Affected: ed9eccbe8970f6eedc1b978c157caf1251a896d4 , < 92352ed2f9ac422181e381c2430c2d0dfb46faa0 (git) |
| Linux | Linux | Affected: ed9eccbe8970f6eedc1b978c157caf1251a896d4 , < dc0a2f142d655700db43de90cb6abf141b73d908 (git) |
| Linux | Linux | Affected: ed9eccbe8970f6eedc1b978c157caf1251a896d4 , < 7afba9221f70d4cbce0f417c558879cba0eb5e66 (git) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:42:18.407Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/comedi/drivers.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ab77e85bd3bc006ef40738f26f446a660813da44",
"status": "affected",
"version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
"versionType": "git"
},
{
"lessThan": "ae8bc1f07bcb31b8636420e03d1f9c3df6219a2b",
"status": "affected",
"version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
"versionType": "git"
},
{
"lessThan": "842f307a1d115b24f2bcb2415c4e344f11f55930",
"status": "affected",
"version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
"versionType": "git"
},
{
"lessThan": "92352ed2f9ac422181e381c2430c2d0dfb46faa0",
"status": "affected",
"version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
"versionType": "git"
},
{
"lessThan": "dc0a2f142d655700db43de90cb6abf141b73d908",
"status": "affected",
"version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
"versionType": "git"
},
{
"lessThan": "7afba9221f70d4cbce0f417c558879cba0eb5e66",
"status": "affected",
"version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/comedi/drivers.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.29"
},
{
"lessThan": "2.6.29",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.44",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.44",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.4",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "2.6.29",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: Make insn_rw_emulate_bits() do insn-\u003en samples\n\nThe `insn_rw_emulate_bits()` function is used as a default handler for\n`INSN_READ` instructions for subdevices that have a handler for\n`INSN_BITS` but not for `INSN_READ`. Similarly, it is used as a default\nhandler for `INSN_WRITE` instructions for subdevices that have a handler\nfor `INSN_BITS` but not for `INSN_WRITE`. It works by emulating the\n`INSN_READ` or `INSN_WRITE` instruction handling with a constructed\n`INSN_BITS` instruction. However, `INSN_READ` and `INSN_WRITE`\ninstructions are supposed to be able read or write multiple samples,\nindicated by the `insn-\u003en` value, but `insn_rw_emulate_bits()` currently\nonly handles a single sample. For `INSN_READ`, the comedi core will\ncopy `insn-\u003en` samples back to user-space. (That triggered KASAN\nkernel-infoleak errors when `insn-\u003en` was greater than 1, but that is\nbeing fixed more generally elsewhere in the comedi core.)\n\nMake `insn_rw_emulate_bits()` either handle `insn-\u003en` samples, or return\nan error, to conform to the general expectation for `INSN_READ` and\n`INSN_WRITE` handlers."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:57:24.508Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ab77e85bd3bc006ef40738f26f446a660813da44"
},
{
"url": "https://git.kernel.org/stable/c/ae8bc1f07bcb31b8636420e03d1f9c3df6219a2b"
},
{
"url": "https://git.kernel.org/stable/c/842f307a1d115b24f2bcb2415c4e344f11f55930"
},
{
"url": "https://git.kernel.org/stable/c/92352ed2f9ac422181e381c2430c2d0dfb46faa0"
},
{
"url": "https://git.kernel.org/stable/c/dc0a2f142d655700db43de90cb6abf141b73d908"
},
{
"url": "https://git.kernel.org/stable/c/7afba9221f70d4cbce0f417c558879cba0eb5e66"
}
],
"title": "comedi: Make insn_rw_emulate_bits() do insn-\u003en samples",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39686",
"datePublished": "2025-09-05T17:20:53.071Z",
"dateReserved": "2025-04-16T07:20:57.113Z",
"dateUpdated": "2025-11-03T17:42:18.407Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53248 (GCVE-0-2023-53248)
Vulnerability from cvelistv5 – Published: 2025-09-15 14:46 – Updated: 2026-01-14 18:02
Title
drm/amdgpu: install stub fence into potential unused fence pointers
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: install stub fence into potential unused fence pointers
When using cpu to update page tables, vm update fences are unused.
Install stub fence into these fence pointers instead of NULL
to avoid NULL dereference when calling dma_fence_wait() on them.
Severity
5.5 (Medium)
CWE
- CWE-476 - NULL Pointer Dereference
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 , < 78b25110eb8c6990f7f5096bc0136c12a2b4cc99 (git) |
| Linux | Linux | Affected: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 , < aa9e9ba5748c524eb0925a2ef6984b78793646d6 (git) |
| Linux | Linux | Affected: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 , < 187916e6ed9d0c3b3abc27429f7a5f8c936bd1f0 (git) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-53248",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T17:59:31.418206Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T18:02:51.678Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "78b25110eb8c6990f7f5096bc0136c12a2b4cc99",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "aa9e9ba5748c524eb0925a2ef6984b78793646d6",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "187916e6ed9d0c3b3abc27429f7a5f8c936bd1f0",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.47",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.12",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: install stub fence into potential unused fence pointers\n\nWhen using cpu to update page tables, vm update fences are unused.\nInstall stub fence into these fence pointers instead of NULL\nto avoid NULL dereference when calling dma_fence_wait() on them."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T08:02:26.382Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/78b25110eb8c6990f7f5096bc0136c12a2b4cc99"
},
{
"url": "https://git.kernel.org/stable/c/aa9e9ba5748c524eb0925a2ef6984b78793646d6"
},
{
"url": "https://git.kernel.org/stable/c/187916e6ed9d0c3b3abc27429f7a5f8c936bd1f0"
}
],
"title": "drm/amdgpu: install stub fence into potential unused fence pointers",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53248",
"datePublished": "2025-09-15T14:46:18.349Z",
"dateReserved": "2025-09-15T14:19:21.849Z",
"dateUpdated": "2026-01-14T18:02:51.678Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53386 (GCVE-0-2023-53386)
Vulnerability from cvelistv5 – Published: 2025-09-18 13:33 – Updated: 2026-01-14 19:03
Title
Bluetooth: Fix potential use-after-free when clear keys
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: Fix potential use-after-free when clear keys
Similar to commit c5d2b6fa26b5 ("Bluetooth: Fix use-after-free in
hci_remove_ltk/hci_remove_irk"). We can not access k after kfree_rcu()
call.
Severity
7.8 (High)
CWE
- CWE-416 - Use After Free
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: d7d41682efc25d58b5bd8b80e85e3c9ce586635c , < e87da6a0ac6e631454e7da53a76aa9fe44aaa5dd (git) |
| Linux | Linux | Affected: d7d41682efc25d58b5bd8b80e85e3c9ce586635c , < 942d8cefb022f384d5424f8b90c7878f3f93726f (git) |
| Linux | Linux | Affected: d7d41682efc25d58b5bd8b80e85e3c9ce586635c , < 94617b736c25091b60e514e2e7aeafcbbee6b700 (git) |
| Linux | Linux | Affected: d7d41682efc25d58b5bd8b80e85e3c9ce586635c , < da19f35868dfbecfff4f81166c054d2656cb1be4 (git) |
| Linux | Linux | Affected: d7d41682efc25d58b5bd8b80e85e3c9ce586635c , < 35cc42f04bc49f0656f6840cb7451b3df6049649 (git) |
| Linux | Linux | Affected: d7d41682efc25d58b5bd8b80e85e3c9ce586635c , < 3673952cf0c6cf81b06c66a0b788abeeb02ff3ae (git) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-53386",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T18:57:47.458319Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T19:03:04.934Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hci_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e87da6a0ac6e631454e7da53a76aa9fe44aaa5dd",
"status": "affected",
"version": "d7d41682efc25d58b5bd8b80e85e3c9ce586635c",
"versionType": "git"
},
{
"lessThan": "942d8cefb022f384d5424f8b90c7878f3f93726f",
"status": "affected",
"version": "d7d41682efc25d58b5bd8b80e85e3c9ce586635c",
"versionType": "git"
},
{
"lessThan": "94617b736c25091b60e514e2e7aeafcbbee6b700",
"status": "affected",
"version": "d7d41682efc25d58b5bd8b80e85e3c9ce586635c",
"versionType": "git"
},
{
"lessThan": "da19f35868dfbecfff4f81166c054d2656cb1be4",
"status": "affected",
"version": "d7d41682efc25d58b5bd8b80e85e3c9ce586635c",
"versionType": "git"
},
{
"lessThan": "35cc42f04bc49f0656f6840cb7451b3df6049649",
"status": "affected",
"version": "d7d41682efc25d58b5bd8b80e85e3c9ce586635c",
"versionType": "git"
},
{
"lessThan": "3673952cf0c6cf81b06c66a0b788abeeb02ff3ae",
"status": "affected",
"version": "d7d41682efc25d58b5bd8b80e85e3c9ce586635c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hci_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.195",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.132",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.53",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Fix potential use-after-free when clear keys\n\nSimilar to commit c5d2b6fa26b5 (\"Bluetooth: Fix use-after-free in\nhci_remove_ltk/hci_remove_irk\"). We can not access k after kfree_rcu()\ncall."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-18T13:33:29.897Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e87da6a0ac6e631454e7da53a76aa9fe44aaa5dd"
},
{
"url": "https://git.kernel.org/stable/c/942d8cefb022f384d5424f8b90c7878f3f93726f"
},
{
"url": "https://git.kernel.org/stable/c/94617b736c25091b60e514e2e7aeafcbbee6b700"
},
{
"url": "https://git.kernel.org/stable/c/da19f35868dfbecfff4f81166c054d2656cb1be4"
},
{
"url": "https://git.kernel.org/stable/c/35cc42f04bc49f0656f6840cb7451b3df6049649"
},
{
"url": "https://git.kernel.org/stable/c/3673952cf0c6cf81b06c66a0b788abeeb02ff3ae"
}
],
"title": "Bluetooth: Fix potential use-after-free when clear keys",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53386",
"datePublished": "2025-09-18T13:33:29.897Z",
"dateReserved": "2025-09-17T14:54:09.737Z",
"dateUpdated": "2026-01-14T19:03:04.934Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53222 (GCVE-0-2023-53222)
Vulnerability from cvelistv5 – Published: 2025-09-15 14:21 – Updated: 2026-01-14 17:52
Title
jfs: jfs_dmap: Validate db_l2nbperpage while mounting
Summary
In the Linux kernel, the following vulnerability has been resolved:
jfs: jfs_dmap: Validate db_l2nbperpage while mounting
In jfs_dmap.c at line 381, BLKTODMAP is used to get a logical block
number inside dbFree(). db_l2nbperpage, which is the log2 number of
blocks per page, is passed as an argument to BLKTODMAP which uses it
for shifting.
Syzbot reported a shift out-of-bounds crash because db_l2nbperpage is
too big. This happens because the large value is set without any
validation in dbMount() at line 181.
Thus, make sure that db_l2nbperpage is correct while mounting.
Max number of blocks per page = Page size / Min block size
=> log2(Max num_block per page) = log2(Page size / Min block size)
= log2(Page size) - log2(Min block size)
=> Max db_l2nbperpage = L2PSIZE - L2MINBLOCKSIZE
Severity
7.1 (High)
CWE
- CWE-125 - Out-of-bounds Read
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 8c1efe3f74a7864461b0dff281c5562154b4aa8e (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ef5c205b6e6f8d1f18ef0b4a9832b1b5fa85f7f2 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < a4855aeb13e4ad1f23e16753b68212e180f7d848 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 47b7eaae08e8b2f25bdf37bc14d21be090bcb20f (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < de984faecddb900fa850af4df574a25b32bb93f5 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < c7feb54b113802d2aba98708769d3c33fb017254 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 2a03c4e683d33d17b667418eb717b13dda1fac6b (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 11509910c599cbd04585ec35a6d5e1a0053d84c1 (git) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-53222",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T17:50:30.557530Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T17:52:59.269Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/jfs/jfs_dmap.c",
"fs/jfs/jfs_filsys.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8c1efe3f74a7864461b0dff281c5562154b4aa8e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ef5c205b6e6f8d1f18ef0b4a9832b1b5fa85f7f2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a4855aeb13e4ad1f23e16753b68212e180f7d848",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "47b7eaae08e8b2f25bdf37bc14d21be090bcb20f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "de984faecddb900fa850af4df574a25b32bb93f5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c7feb54b113802d2aba98708769d3c33fb017254",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2a03c4e683d33d17b667418eb717b13dda1fac6b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "11509910c599cbd04585ec35a6d5e1a0053d84c1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/jfs/jfs_dmap.c",
"fs/jfs/jfs_filsys.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.322",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.322",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.291",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.40",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.5",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: jfs_dmap: Validate db_l2nbperpage while mounting\n\nIn jfs_dmap.c at line 381, BLKTODMAP is used to get a logical block\nnumber inside dbFree(). db_l2nbperpage, which is the log2 number of\nblocks per page, is passed as an argument to BLKTODMAP which uses it\nfor shifting.\n\nSyzbot reported a shift out-of-bounds crash because db_l2nbperpage is\ntoo big. This happens because the large value is set without any\nvalidation in dbMount() at line 181.\n\nThus, make sure that db_l2nbperpage is correct while mounting.\n\nMax number of blocks per page = Page size / Min block size\n=\u003e log2(Max num_block per page) = log2(Page size / Min block size)\n\t\t\t\t= log2(Page size) - log2(Min block size)\n\n=\u003e Max db_l2nbperpage = L2PSIZE - L2MINBLOCKSIZE"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:18:47.469Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8c1efe3f74a7864461b0dff281c5562154b4aa8e"
},
{
"url": "https://git.kernel.org/stable/c/ef5c205b6e6f8d1f18ef0b4a9832b1b5fa85f7f2"
},
{
"url": "https://git.kernel.org/stable/c/a4855aeb13e4ad1f23e16753b68212e180f7d848"
},
{
"url": "https://git.kernel.org/stable/c/47b7eaae08e8b2f25bdf37bc14d21be090bcb20f"
},
{
"url": "https://git.kernel.org/stable/c/de984faecddb900fa850af4df574a25b32bb93f5"
},
{
"url": "https://git.kernel.org/stable/c/c7feb54b113802d2aba98708769d3c33fb017254"
},
{
"url": "https://git.kernel.org/stable/c/2a03c4e683d33d17b667418eb717b13dda1fac6b"
},
{
"url": "https://git.kernel.org/stable/c/11509910c599cbd04585ec35a6d5e1a0053d84c1"
}
],
"title": "jfs: jfs_dmap: Validate db_l2nbperpage while mounting",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53222",
"datePublished": "2025-09-15T14:21:50.970Z",
"dateReserved": "2025-09-15T14:19:21.845Z",
"dateUpdated": "2026-01-14T17:52:59.269Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53474 (GCVE-0-2023-53474)
Vulnerability from cvelistv5 – Published: 2025-10-01 11:42 – Updated: 2025-10-01 11:42
Title
x86/MCE/AMD: Use an u64 for bank_map
Summary
In the Linux kernel, the following vulnerability has been resolved:
x86/MCE/AMD: Use an u64 for bank_map
The maximum number of MCA banks is 64 (MAX_NR_BANKS), see
a0bc32b3cacf ("x86/mce: Increase maximum number of banks to 64").
However, the bank_map which contains a bitfield of which banks to
initialize is of type unsigned int and that overflows when those bit
numbers are >= 32, leading to UBSAN complaining correctly:
UBSAN: shift-out-of-bounds in arch/x86/kernel/cpu/mce/amd.c:1365:38
shift exponent 32 is too large for 32-bit type 'int'
Change the bank_map to a u64 and use the proper BIT_ULL() macro when
modifying bits in there.
[ bp: Rewrite commit message. ]
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: a0bc32b3cacf194dc479b342f006203fd1e1941a, < a9b9ea0e63a0ec5e97bf1219ab6dcbd55e362f83 (git) |
| Linux | Linux | Affected: a0bc32b3cacf194dc479b342f006203fd1e1941a, < 11c58a0c1937c157dbdf82d5ab634d68c99f3098 (git) |
| Linux | Linux | Affected: a0bc32b3cacf194dc479b342f006203fd1e1941a, < ba8ffb1251eb629c2ec35220e3896cf4f7b888a7 (git) |
| Linux | Linux | Affected: a0bc32b3cacf194dc479b342f006203fd1e1941a, < 9669fa17287c3af2bbd4868d4c8fdd9e57f8332e (git) |
| Linux | Linux | Affected: a0bc32b3cacf194dc479b342f006203fd1e1941a, < 67bb7521b6420d81dab7538c0686f18f7d6d09f4 (git) |
| Linux | Linux | Affected: a0bc32b3cacf194dc479b342f006203fd1e1941a, < 4c1cdec319b9aadb65737c3eb1f5cb74bd6aa156 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/kernel/cpu/mce/amd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a9b9ea0e63a0ec5e97bf1219ab6dcbd55e362f83",
"status": "affected",
"version": "a0bc32b3cacf194dc479b342f006203fd1e1941a",
"versionType": "git"
},
{
"lessThan": "11c58a0c1937c157dbdf82d5ab634d68c99f3098",
"status": "affected",
"version": "a0bc32b3cacf194dc479b342f006203fd1e1941a",
"versionType": "git"
},
{
"lessThan": "ba8ffb1251eb629c2ec35220e3896cf4f7b888a7",
"status": "affected",
"version": "a0bc32b3cacf194dc479b342f006203fd1e1941a",
"versionType": "git"
},
{
"lessThan": "9669fa17287c3af2bbd4868d4c8fdd9e57f8332e",
"status": "affected",
"version": "a0bc32b3cacf194dc479b342f006203fd1e1941a",
"versionType": "git"
},
{
"lessThan": "67bb7521b6420d81dab7538c0686f18f7d6d09f4",
"status": "affected",
"version": "a0bc32b3cacf194dc479b342f006203fd1e1941a",
"versionType": "git"
},
{
"lessThan": "4c1cdec319b9aadb65737c3eb1f5cb74bd6aa156",
"status": "affected",
"version": "a0bc32b3cacf194dc479b342f006203fd1e1941a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/kernel/cpu/mce/amd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.180",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.28",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.180",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.111",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.28",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.15",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.2",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "5.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/MCE/AMD: Use an u64 for bank_map\n\nThee maximum number of MCA banks is 64 (MAX_NR_BANKS), see\n\n a0bc32b3cacf (\"x86/mce: Increase maximum number of banks to 64\").\n\nHowever, the bank_map which contains a bitfield of which banks to\ninitialize is of type unsigned int and that overflows when those bit\nnumbers are \u003e= 32, leading to UBSAN complaining correctly:\n\n UBSAN: shift-out-of-bounds in arch/x86/kernel/cpu/mce/amd.c:1365:38\n shift exponent 32 is too large for 32-bit type \u0027int\u0027\n\nChange the bank_map to a u64 and use the proper BIT_ULL() macro when\nmodifying bits in there.\n\n [ bp: Rewrite commit message. ]"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T11:42:43.798Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a9b9ea0e63a0ec5e97bf1219ab6dcbd55e362f83"
},
{
"url": "https://git.kernel.org/stable/c/11c58a0c1937c157dbdf82d5ab634d68c99f3098"
},
{
"url": "https://git.kernel.org/stable/c/ba8ffb1251eb629c2ec35220e3896cf4f7b888a7"
},
{
"url": "https://git.kernel.org/stable/c/9669fa17287c3af2bbd4868d4c8fdd9e57f8332e"
},
{
"url": "https://git.kernel.org/stable/c/67bb7521b6420d81dab7538c0686f18f7d6d09f4"
},
{
"url": "https://git.kernel.org/stable/c/4c1cdec319b9aadb65737c3eb1f5cb74bd6aa156"
}
],
"title": "x86/MCE/AMD: Use an u64 for bank_map",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53474",
"datePublished": "2025-10-01T11:42:43.798Z",
"dateReserved": "2025-10-01T11:39:39.401Z",
"dateUpdated": "2025-10-01T11:42:43.798Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53523 (GCVE-0-2023-53523)
Vulnerability from cvelistv5 – Published: 2025-10-01 11:46 – Updated: 2025-10-01 11:46
Title
can: gs_usb: fix time stamp counter initialization
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: gs_usb: fix time stamp counter initialization
If the gs_usb device driver is unloaded (or unbound) before the
interface is shut down, the USB stack first calls the struct
usb_driver::disconnect and then the struct net_device_ops::ndo_stop
callback.
In gs_usb_disconnect() all pending bulk URBs are killed, i.e. no more
RX'ed CAN frames are sent from the USB device to the host. Later in
gs_can_close() a reset control message is sent to each CAN channel to
remove the controller from the CAN bus. In this race window the USB
device can still receive CAN frames from the bus and internally queue
them to be sent to the host.
At least in the current version of the candlelight firmware, the queue
of received CAN frames is not emptied during the reset command. After
loading (or binding) the gs_usb driver, new URBs are submitted during
the struct net_device_ops::ndo_open callback and the candlelight
firmware starts sending its already queued CAN frames to the host.
However, this scenario was not considered when implementing the
hardware timestamp function. The cycle counter/time counter
infrastructure is set up (gs_usb_timestamp_init()) after the USBs are
submitted, resulting in a NULL pointer dereference if
timecounter_cyc2time() (via the call chain:
gs_usb_receive_bulk_callback() -> gs_usb_set_timestamp() ->
gs_usb_skb_set_timestamp()) is called too early.
Move the gs_usb_timestamp_init() function before the URBs are
submitted to fix this problem.
For a comprehensive solution, we need to consider gs_usb devices with
more than 1 channel. The cycle counter/time counter infrastructure is
set up per channel, but the RX URBs are per device. Once gs_can_open()
of _a_ channel has been called, and URBs have been submitted, the
gs_usb_receive_bulk_callback() can be called for _all_ available
channels, even for channels that are not running, yet. As cycle
counter/time counter has not been set up, this will again lead to a NULL
pointer dereference.
Convert the cycle counter/time counter from a "per channel" to a "per
device" functionality. Also set it up, before submitting any URBs to
the device.
Further in gs_usb_receive_bulk_callback(), don't process any URBs for
not started CAN channels, only resubmit the URB.
Severity
No CVSS data available.
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/gs_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "210a8cffc9c1b044281c0a868485c870c9c11374",
"status": "affected",
"version": "45dfa45f52e66f8eee30a64b16550a9c47915044",
"versionType": "git"
},
{
"lessThan": "5886e4d5ecec3e22844efed90b2dd383ef804b3a",
"status": "affected",
"version": "45dfa45f52e66f8eee30a64b16550a9c47915044",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/gs_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: gs_usb: fix time stamp counter initialization\n\nIf the gs_usb device driver is unloaded (or unbound) before the\ninterface is shut down, the USB stack first calls the struct\nusb_driver::disconnect and then the struct net_device_ops::ndo_stop\ncallback.\n\nIn gs_usb_disconnect() all pending bulk URBs are killed, i.e. no more\nRX\u0027ed CAN frames are send from the USB device to the host. Later in\ngs_can_close() a reset control message is send to each CAN channel to\nremove the controller from the CAN bus. In this race window the USB\ndevice can still receive CAN frames from the bus and internally queue\nthem to be send to the host.\n\nAt least in the current version of the candlelight firmware, the queue\nof received CAN frames is not emptied during the reset command. After\nloading (or binding) the gs_usb driver, new URBs are submitted during\nthe struct net_device_ops::ndo_open callback and the candlelight\nfirmware starts sending its already queued CAN frames to the host.\n\nHowever, this scenario was not considered when implementing the\nhardware timestamp function. The cycle counter/time counter\ninfrastructure is set up (gs_usb_timestamp_init()) after the USBs are\nsubmitted, resulting in a NULL pointer dereference if\ntimecounter_cyc2time() (via the call chain:\ngs_usb_receive_bulk_callback() -\u003e gs_usb_set_timestamp() -\u003e\ngs_usb_skb_set_timestamp()) is called too early.\n\nMove the gs_usb_timestamp_init() function before the URBs are\nsubmitted to fix this problem.\n\nFor a comprehensive solution, we need to consider gs_usb devices with\nmore than 1 channel. The cycle counter/time counter infrastructure is\nsetup per channel, but the RX URBs are per device. Once gs_can_open()\nof _a_ channel has been called, and URBs have been submitted, the\ngs_usb_receive_bulk_callback() can be called for _all_ available\nchannels, even for channels that are not running, yet. As cycle\ncounter/time counter has not set up, this will again lead to a NULL\npointer dereference.\n\nConvert the cycle counter/time counter from a \"per channel\" to a \"per\ndevice\" functionality. Also set it up, before submitting any URBs to\nthe device.\n\nFurther in gs_usb_receive_bulk_callback(), don\u0027t process any URBs for\nnot started CAN channels, only resubmit the URB."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T11:46:09.632Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/210a8cffc9c1b044281c0a868485c870c9c11374"
},
{
"url": "https://git.kernel.org/stable/c/5886e4d5ecec3e22844efed90b2dd383ef804b3a"
}
],
"title": "can: gs_usb: fix time stamp counter initialization",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53523",
"datePublished": "2025-10-01T11:46:09.632Z",
"dateReserved": "2025-10-01T11:39:39.407Z",
"dateUpdated": "2025-10-01T11:46:09.632Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53273 (GCVE-0-2023-53273)
Vulnerability from cvelistv5 – Published: 2025-09-16 08:11 – Updated: 2026-01-14 18:12
Title
Drivers: vmbus: Check for channel allocation before looking up relids
Summary
In the Linux kernel, the following vulnerability has been resolved:
Drivers: vmbus: Check for channel allocation before looking up relids
relid2channel() assumes vmbus channel array to be allocated when called.
However, in cases such as kdump/kexec, not all relids will be reset by the host.
When the second kernel boots and if the guest receives a vmbus interrupt during
vmbus driver initialization before vmbus_connect() is called, before it finishes,
or if it fails, the vmbus interrupt service routine is called which in turn calls
relid2channel() and can cause a null pointer dereference.
Print a warning and error out in relid2channel() for a channel id that's invalid
in the second kernel.
Severity
5.5 (Medium)
CWE
- CWE-476 - NULL Pointer Dereference
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 8b6a877c060ed6b86878fe66c7c6493a6054cf23, < 176c6b4889195fbe7016d9401175b48c5c9edf68 (git) |
| Linux | Linux | Affected: 8b6a877c060ed6b86878fe66c7c6493a6054cf23, < c373e49fbb87aa177819866ed9194ebc5414dfd6 (git) |
| Linux | Linux | Affected: 8b6a877c060ed6b86878fe66c7c6493a6054cf23, < 8c3f0ae5435fd20bb1e3a8308488aa6ac33151ee (git) |
| Linux | Linux | Affected: 8b6a877c060ed6b86878fe66c7c6493a6054cf23, < a5c44f3446a0565139b7d8abc78f58b86c398123 (git) |
| Linux | Linux | Affected: 8b6a877c060ed6b86878fe66c7c6493a6054cf23, < 1eb65c8687316c65140b48fad27133d583178e15 (git) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-53273",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T18:06:11.099116Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T18:12:53.719Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hv/connection.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "176c6b4889195fbe7016d9401175b48c5c9edf68",
"status": "affected",
"version": "8b6a877c060ed6b86878fe66c7c6493a6054cf23",
"versionType": "git"
},
{
"lessThan": "c373e49fbb87aa177819866ed9194ebc5414dfd6",
"status": "affected",
"version": "8b6a877c060ed6b86878fe66c7c6493a6054cf23",
"versionType": "git"
},
{
"lessThan": "8c3f0ae5435fd20bb1e3a8308488aa6ac33151ee",
"status": "affected",
"version": "8b6a877c060ed6b86878fe66c7c6493a6054cf23",
"versionType": "git"
},
{
"lessThan": "a5c44f3446a0565139b7d8abc78f58b86c398123",
"status": "affected",
"version": "8b6a877c060ed6b86878fe66c7c6493a6054cf23",
"versionType": "git"
},
{
"lessThan": "1eb65c8687316c65140b48fad27133d583178e15",
"status": "affected",
"version": "8b6a877c060ed6b86878fe66c7c6493a6054cf23",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hv/connection.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.178",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.178",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.107",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.24",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.11",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nDrivers: vmbus: Check for channel allocation before looking up relids\n\nrelid2channel() assumes vmbus channel array to be allocated when called.\nHowever, in cases such as kdump/kexec, not all relids will be reset by the host.\nWhen the second kernel boots and if the guest receives a vmbus interrupt during\nvmbus driver initialization before vmbus_connect() is called, before it finishes,\nor if it fails, the vmbus interrupt service routine is called which in turn calls\nrelid2channel() and can cause a null pointer dereference.\n\nPrint a warning and error out in relid2channel() for a channel id that\u0027s invalid\nin the second kernel."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T08:11:08.792Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/176c6b4889195fbe7016d9401175b48c5c9edf68"
},
{
"url": "https://git.kernel.org/stable/c/c373e49fbb87aa177819866ed9194ebc5414dfd6"
},
{
"url": "https://git.kernel.org/stable/c/8c3f0ae5435fd20bb1e3a8308488aa6ac33151ee"
},
{
"url": "https://git.kernel.org/stable/c/a5c44f3446a0565139b7d8abc78f58b86c398123"
},
{
"url": "https://git.kernel.org/stable/c/1eb65c8687316c65140b48fad27133d583178e15"
}
],
"title": "Drivers: vmbus: Check for channel allocation before looking up relids",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53273",
"datePublished": "2025-09-16T08:11:08.792Z",
"dateReserved": "2025-09-16T08:09:37.989Z",
"dateUpdated": "2026-01-14T18:12:53.719Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53215 (GCVE-0-2023-53215)
Vulnerability from cvelistv5 – Published: 2025-09-15 14:21 – Updated: 2026-01-14 17:52
Title
sched/fair: Don't balance task to its current running CPU
Summary
In the Linux kernel, the following vulnerability has been resolved:
sched/fair: Don't balance task to its current running CPU
We've run into the case that the balancer tries to balance a migration
disabled task and trigger the warning in set_task_cpu() like below:
------------[ cut here ]------------
WARNING: CPU: 7 PID: 0 at kernel/sched/core.c:3115 set_task_cpu+0x188/0x240
Modules linked in: hclgevf xt_CHECKSUM ipt_REJECT nf_reject_ipv4 <...snip>
CPU: 7 PID: 0 Comm: swapper/7 Kdump: loaded Tainted: G O 6.1.0-rc4+ #1
Hardware name: Huawei TaiShan 2280 V2/BC82AMDC, BIOS 2280-V2 CS V5.B221.01 12/09/2021
pstate: 604000c9 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : set_task_cpu+0x188/0x240
lr : load_balance+0x5d0/0xc60
sp : ffff80000803bc70
x29: ffff80000803bc70 x28: ffff004089e190e8 x27: ffff004089e19040
x26: ffff007effcabc38 x25: 0000000000000000 x24: 0000000000000001
x23: ffff80000803be84 x22: 000000000000000c x21: ffffb093e79e2a78
x20: 000000000000000c x19: ffff004089e19040 x18: 0000000000000000
x17: 0000000000001fad x16: 0000000000000030 x15: 0000000000000000
x14: 0000000000000003 x13: 0000000000000000 x12: 0000000000000000
x11: 0000000000000001 x10: 0000000000000400 x9 : ffffb093e4cee530
x8 : 00000000fffffffe x7 : 0000000000ce168a x6 : 000000000000013e
x5 : 00000000ffffffe1 x4 : 0000000000000001 x3 : 0000000000000b2a
x2 : 0000000000000b2a x1 : ffffb093e6d6c510 x0 : 0000000000000001
Call trace:
set_task_cpu+0x188/0x240
load_balance+0x5d0/0xc60
rebalance_domains+0x26c/0x380
_nohz_idle_balance.isra.0+0x1e0/0x370
run_rebalance_domains+0x6c/0x80
__do_softirq+0x128/0x3d8
____do_softirq+0x18/0x24
call_on_irq_stack+0x2c/0x38
do_softirq_own_stack+0x24/0x3c
__irq_exit_rcu+0xcc/0xf4
irq_exit_rcu+0x18/0x24
el1_interrupt+0x4c/0xe4
el1h_64_irq_handler+0x18/0x2c
el1h_64_irq+0x74/0x78
arch_cpu_idle+0x18/0x4c
default_idle_call+0x58/0x194
do_idle+0x244/0x2b0
cpu_startup_entry+0x30/0x3c
secondary_start_kernel+0x14c/0x190
__secondary_switched+0xb0/0xb4
---[ end trace 0000000000000000 ]---
Further investigation shows that the warning is superfluous, the migration
disabled task is just going to be migrated to its current running CPU.
This is because that on load balance if the dst_cpu is not allowed by the
task, we'll re-select a new_dst_cpu as a candidate. If no task can be
balanced to dst_cpu we'll try to balance the task to the new_dst_cpu
instead. In this case when the migration disabled task is not on CPU it
only allows to run on its current CPU, load balance will select its
current CPU as new_dst_cpu and later triggers the warning above.
The new_dst_cpu is chosen from the env->dst_grpmask. Currently it
contains CPUs in sched_group_span() and if we have overlapped groups it's
possible to run into this case. This patch makes env->dst_grpmask of
group_balance_mask() which exclude any CPUs from the busiest group and
solve the issue. For balancing in a domain with no overlapped groups
the behaviour keeps same as before.
Severity
7.8 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 88b8dac0a14c511ff41486b83a8c3d688936eec0, < 32d937f94b7805d4c9028b8727a7d6241547da54 (git) |
| Linux | Linux | Affected: 88b8dac0a14c511ff41486b83a8c3d688936eec0, < a5286f4655ce2fa28f477c0b957ea7f323fe2fab (git) |
| Linux | Linux | Affected: 88b8dac0a14c511ff41486b83a8c3d688936eec0, < cec1857b1ea5cc3ea2b600564f1c95d1a6f27ad1 (git) |
| Linux | Linux | Affected: 88b8dac0a14c511ff41486b83a8c3d688936eec0, < 6b0c79aa33075b34c3cdcea4132c0afb3fc42d68 (git) |
| Linux | Linux | Affected: 88b8dac0a14c511ff41486b83a8c3d688936eec0, < 3cb43222bab8ab328fc91ed30899b3df2efbccfd (git) |
| Linux | Linux | Affected: 88b8dac0a14c511ff41486b83a8c3d688936eec0, < 78a5f711efceb37e32c48cd6b40addb671fea9cc (git) |
| Linux | Linux | Affected: 88b8dac0a14c511ff41486b83a8c3d688936eec0, < 34eb902050d473bb2befa15714fb1d30a0991c15 (git) |
| Linux | Linux | Affected: 88b8dac0a14c511ff41486b83a8c3d688936eec0, < 0dd37d6dd33a9c23351e6115ae8cdac7863bc7de (git) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-53215",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T17:49:11.026903Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T17:52:57.570Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/sched/fair.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "32d937f94b7805d4c9028b8727a7d6241547da54",
"status": "affected",
"version": "88b8dac0a14c511ff41486b83a8c3d688936eec0",
"versionType": "git"
},
{
"lessThan": "a5286f4655ce2fa28f477c0b957ea7f323fe2fab",
"status": "affected",
"version": "88b8dac0a14c511ff41486b83a8c3d688936eec0",
"versionType": "git"
},
{
"lessThan": "cec1857b1ea5cc3ea2b600564f1c95d1a6f27ad1",
"status": "affected",
"version": "88b8dac0a14c511ff41486b83a8c3d688936eec0",
"versionType": "git"
},
{
"lessThan": "6b0c79aa33075b34c3cdcea4132c0afb3fc42d68",
"status": "affected",
"version": "88b8dac0a14c511ff41486b83a8c3d688936eec0",
"versionType": "git"
},
{
"lessThan": "3cb43222bab8ab328fc91ed30899b3df2efbccfd",
"status": "affected",
"version": "88b8dac0a14c511ff41486b83a8c3d688936eec0",
"versionType": "git"
},
{
"lessThan": "78a5f711efceb37e32c48cd6b40addb671fea9cc",
"status": "affected",
"version": "88b8dac0a14c511ff41486b83a8c3d688936eec0",
"versionType": "git"
},
{
"lessThan": "34eb902050d473bb2befa15714fb1d30a0991c15",
"status": "affected",
"version": "88b8dac0a14c511ff41486b83a8c3d688936eec0",
"versionType": "git"
},
{
"lessThan": "0dd37d6dd33a9c23351e6115ae8cdac7863bc7de",
"status": "affected",
"version": "88b8dac0a14c511ff41486b83a8c3d688936eec0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/sched/fair.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.6"
},
{
"lessThan": "3.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.322",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.322",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.291",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.150",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.42",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "3.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/fair: Don\u0027t balance task to its current running CPU\n\nWe\u0027ve run into the case that the balancer tries to balance a migration\ndisabled task and trigger the warning in set_task_cpu() like below:\n\n ------------[ cut here ]------------\n WARNING: CPU: 7 PID: 0 at kernel/sched/core.c:3115 set_task_cpu+0x188/0x240\n Modules linked in: hclgevf xt_CHECKSUM ipt_REJECT nf_reject_ipv4 \u003c...snip\u003e\n CPU: 7 PID: 0 Comm: swapper/7 Kdump: loaded Tainted: G O 6.1.0-rc4+ #1\n Hardware name: Huawei TaiShan 2280 V2/BC82AMDC, BIOS 2280-V2 CS V5.B221.01 12/09/2021\n pstate: 604000c9 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : set_task_cpu+0x188/0x240\n lr : load_balance+0x5d0/0xc60\n sp : ffff80000803bc70\n x29: ffff80000803bc70 x28: ffff004089e190e8 x27: ffff004089e19040\n x26: ffff007effcabc38 x25: 0000000000000000 x24: 0000000000000001\n x23: ffff80000803be84 x22: 000000000000000c x21: ffffb093e79e2a78\n x20: 000000000000000c x19: ffff004089e19040 x18: 0000000000000000\n x17: 0000000000001fad x16: 0000000000000030 x15: 0000000000000000\n x14: 0000000000000003 x13: 0000000000000000 x12: 0000000000000000\n x11: 0000000000000001 x10: 0000000000000400 x9 : ffffb093e4cee530\n x8 : 00000000fffffffe x7 : 0000000000ce168a x6 : 000000000000013e\n x5 : 00000000ffffffe1 x4 : 0000000000000001 x3 : 0000000000000b2a\n x2 : 0000000000000b2a x1 : ffffb093e6d6c510 x0 : 0000000000000001\n Call trace:\n set_task_cpu+0x188/0x240\n load_balance+0x5d0/0xc60\n rebalance_domains+0x26c/0x380\n _nohz_idle_balance.isra.0+0x1e0/0x370\n run_rebalance_domains+0x6c/0x80\n __do_softirq+0x128/0x3d8\n ____do_softirq+0x18/0x24\n call_on_irq_stack+0x2c/0x38\n do_softirq_own_stack+0x24/0x3c\n __irq_exit_rcu+0xcc/0xf4\n irq_exit_rcu+0x18/0x24\n el1_interrupt+0x4c/0xe4\n el1h_64_irq_handler+0x18/0x2c\n el1h_64_irq+0x74/0x78\n arch_cpu_idle+0x18/0x4c\n default_idle_call+0x58/0x194\n do_idle+0x244/0x2b0\n cpu_startup_entry+0x30/0x3c\n secondary_start_kernel+0x14c/0x190\n __secondary_switched+0xb0/0xb4\n ---[ end trace 0000000000000000 ]---\n\nFurther investigation shows that the warning is superfluous, the migration\ndisabled task is just going to be migrated to its current running CPU.\nThis is because that on load balance if the dst_cpu is not allowed by the\ntask, we\u0027ll re-select a new_dst_cpu as a candidate. If no task can be\nbalanced to dst_cpu we\u0027ll try to balance the task to the new_dst_cpu\ninstead. In this case when the migration disabled task is not on CPU it\nonly allows to run on its current CPU, load balance will select its\ncurrent CPU as new_dst_cpu and later triggers the warning above.\n\nThe new_dst_cpu is chosen from the env-\u003edst_grpmask. Currently it\ncontains CPUs in sched_group_span() and if we have overlapped groups it\u0027s\npossible to run into this case. This patch makes env-\u003edst_grpmask of\ngroup_balance_mask() which exclude any CPUs from the busiest group and\nsolve the issue. For balancing in a domain with no overlapped groups\nthe behaviour keeps same as before."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:18:44.612Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/32d937f94b7805d4c9028b8727a7d6241547da54"
},
{
"url": "https://git.kernel.org/stable/c/a5286f4655ce2fa28f477c0b957ea7f323fe2fab"
},
{
"url": "https://git.kernel.org/stable/c/cec1857b1ea5cc3ea2b600564f1c95d1a6f27ad1"
},
{
"url": "https://git.kernel.org/stable/c/6b0c79aa33075b34c3cdcea4132c0afb3fc42d68"
},
{
"url": "https://git.kernel.org/stable/c/3cb43222bab8ab328fc91ed30899b3df2efbccfd"
},
{
"url": "https://git.kernel.org/stable/c/78a5f711efceb37e32c48cd6b40addb671fea9cc"
},
{
"url": "https://git.kernel.org/stable/c/34eb902050d473bb2befa15714fb1d30a0991c15"
},
{
"url": "https://git.kernel.org/stable/c/0dd37d6dd33a9c23351e6115ae8cdac7863bc7de"
}
],
"title": "sched/fair: Don\u0027t balance task to its current running CPU",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53215",
"datePublished": "2025-09-15T14:21:43.107Z",
"dateReserved": "2025-09-15T14:19:21.845Z",
"dateUpdated": "2026-01-14T17:52:57.570Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50309 (GCVE-0-2022-50309)
Vulnerability from cvelistv5 – Published: 2025-09-15 14:46 – Updated: 2025-09-15 14:46
Title
media: xilinx: vipp: Fix refcount leak in xvip_graph_dma_init
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: xilinx: vipp: Fix refcount leak in xvip_graph_dma_init
of_get_child_by_name() returns a node pointer with refcount
incremented, we should use of_node_put() on it when not need anymore.
Add missing of_node_put() to avoid refcount leak.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: df3305156f989339529b3d6744b898d498fb1f7b , < 7b0efe7534071e0153708886355d80db69525d50 (git) |
| Linux | Linux | Affected: df3305156f989339529b3d6744b898d498fb1f7b , < 6e7b3b1e4e9f739800cd8010b75a9bee8d808cee (git) |
| Linux | Linux | Affected: df3305156f989339529b3d6744b898d498fb1f7b , < 3c38467c3255c428cdbd3cefaccca4662f302dc9 (git) |
| Linux | Linux | Affected: df3305156f989339529b3d6744b898d498fb1f7b , < 59b315353252abe7b8fdb8651ca31b8484ce287a (git) |
| Linux | Linux | Affected: df3305156f989339529b3d6744b898d498fb1f7b , < 2630cc88327a5557aa0d9cc63be95e3c6e0a55b3 (git) |
| Linux | Linux | Affected: df3305156f989339529b3d6744b898d498fb1f7b , < 2ea7caa9684687cf3adc1467cf4af3653a776192 (git) |
| Linux | Linux | Affected: df3305156f989339529b3d6744b898d498fb1f7b , < 22b93530bbe6af9dce8e520bb6e978d1bda39d2b (git) |
| Linux | Linux | Affected: df3305156f989339529b3d6744b898d498fb1f7b , < 3336210948b22c2db43e9df2ea403d251b4d24ab (git) |
| Linux | Linux | Affected: df3305156f989339529b3d6744b898d498fb1f7b , < 1c78f19c3a0ea312a8178a6bfd8934eb93e9b10a (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/platform/xilinx/xilinx-vipp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7b0efe7534071e0153708886355d80db69525d50",
"status": "affected",
"version": "df3305156f989339529b3d6744b898d498fb1f7b",
"versionType": "git"
},
{
"lessThan": "6e7b3b1e4e9f739800cd8010b75a9bee8d808cee",
"status": "affected",
"version": "df3305156f989339529b3d6744b898d498fb1f7b",
"versionType": "git"
},
{
"lessThan": "3c38467c3255c428cdbd3cefaccca4662f302dc9",
"status": "affected",
"version": "df3305156f989339529b3d6744b898d498fb1f7b",
"versionType": "git"
},
{
"lessThan": "59b315353252abe7b8fdb8651ca31b8484ce287a",
"status": "affected",
"version": "df3305156f989339529b3d6744b898d498fb1f7b",
"versionType": "git"
},
{
"lessThan": "2630cc88327a5557aa0d9cc63be95e3c6e0a55b3",
"status": "affected",
"version": "df3305156f989339529b3d6744b898d498fb1f7b",
"versionType": "git"
},
{
"lessThan": "2ea7caa9684687cf3adc1467cf4af3653a776192",
"status": "affected",
"version": "df3305156f989339529b3d6744b898d498fb1f7b",
"versionType": "git"
},
{
"lessThan": "22b93530bbe6af9dce8e520bb6e978d1bda39d2b",
"status": "affected",
"version": "df3305156f989339529b3d6744b898d498fb1f7b",
"versionType": "git"
},
{
"lessThan": "3336210948b22c2db43e9df2ea403d251b4d24ab",
"status": "affected",
"version": "df3305156f989339529b3d6744b898d498fb1f7b",
"versionType": "git"
},
{
"lessThan": "1c78f19c3a0ea312a8178a6bfd8934eb93e9b10a",
"status": "affected",
"version": "df3305156f989339529b3d6744b898d498fb1f7b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/platform/xilinx/xilinx-vipp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.1"
},
{
"lessThan": "4.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.331",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.296",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.262",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.220",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.331",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.296",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.262",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.220",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.150",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "4.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: xilinx: vipp: Fix refcount leak in xvip_graph_dma_init\n\nof_get_child_by_name() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when not need anymore.\nAdd missing of_node_put() to avoid refcount leak."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T14:46:04.490Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7b0efe7534071e0153708886355d80db69525d50"
},
{
"url": "https://git.kernel.org/stable/c/6e7b3b1e4e9f739800cd8010b75a9bee8d808cee"
},
{
"url": "https://git.kernel.org/stable/c/3c38467c3255c428cdbd3cefaccca4662f302dc9"
},
{
"url": "https://git.kernel.org/stable/c/59b315353252abe7b8fdb8651ca31b8484ce287a"
},
{
"url": "https://git.kernel.org/stable/c/2630cc88327a5557aa0d9cc63be95e3c6e0a55b3"
},
{
"url": "https://git.kernel.org/stable/c/2ea7caa9684687cf3adc1467cf4af3653a776192"
},
{
"url": "https://git.kernel.org/stable/c/22b93530bbe6af9dce8e520bb6e978d1bda39d2b"
},
{
"url": "https://git.kernel.org/stable/c/3336210948b22c2db43e9df2ea403d251b4d24ab"
},
{
"url": "https://git.kernel.org/stable/c/1c78f19c3a0ea312a8178a6bfd8934eb93e9b10a"
}
],
"title": "media: xilinx: vipp: Fix refcount leak in xvip_graph_dma_init",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50309",
"datePublished": "2025-09-15T14:46:04.490Z",
"dateReserved": "2025-09-15T14:18:36.813Z",
"dateUpdated": "2025-09-15T14:46:04.490Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53252 (GCVE-0-2023-53252)
Vulnerability from cvelistv5 – Published: 2025-09-15 14:46 – Updated: 2026-01-14 18:02
Title
Bluetooth: use RCU for hci_conn_params and iterate safely in hci_sync
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: use RCU for hci_conn_params and iterate safely in hci_sync
hci_update_accept_list_sync iterates over hdev->pend_le_conns and
hdev->pend_le_reports, and waits for controller events in the loop body,
without holding hdev lock.
Meanwhile, these lists and the items may be modified e.g. by
le_scan_cleanup. This can invalidate the list cursor or any other item
in the list, resulting to invalid behavior (eg use-after-free).
Use RCU for the hci_conn_params action lists. Since the loop bodies in
hci_sync block and we cannot use RCU or hdev->lock for the whole loop,
copy list items first and then iterate on the copy. Only the flags field
is written from elsewhere, so READ_ONCE/WRITE_ONCE should guarantee we
read valid values.
Free params everywhere with hci_conn_params_free so the cleanup is
guaranteed to be done properly.
This fixes the following, which can be triggered e.g. by BlueZ new
mgmt-tester case "Add + Remove Device Nowait - Success", or by changing
hci_le_set_cig_params to always return false, and running iso-tester:
==================================================================
BUG: KASAN: slab-use-after-free in hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841)
Read of size 8 at addr ffff888001265018 by task kworker/u3:0/32
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014
Workqueue: hci0 hci_cmd_sync_work
Call Trace:
<TASK>
dump_stack_lvl (./arch/x86/include/asm/irqflags.h:134 lib/dump_stack.c:107)
print_report (mm/kasan/report.c:320 mm/kasan/report.c:430)
? __virt_addr_valid (./include/linux/mmzone.h:1915 ./include/linux/mmzone.h:2011 arch/x86/mm/physaddr.c:65)
? hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841)
kasan_report (mm/kasan/report.c:538)
? hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841)
hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841)
? __pfx_hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2780)
? mutex_lock (kernel/locking/mutex.c:282)
? __pfx_mutex_lock (kernel/locking/mutex.c:282)
? __pfx_mutex_unlock (kernel/locking/mutex.c:538)
? __pfx_update_passive_scan_sync (net/bluetooth/hci_sync.c:2861)
hci_cmd_sync_work (net/bluetooth/hci_sync.c:306)
process_one_work (./arch/x86/include/asm/preempt.h:27 kernel/workqueue.c:2399)
worker_thread (./include/linux/list.h:292 kernel/workqueue.c:2538)
? __pfx_worker_thread (kernel/workqueue.c:2480)
kthread (kernel/kthread.c:376)
? __pfx_kthread (kernel/kthread.c:331)
ret_from_fork (arch/x86/entry/entry_64.S:314)
</TASK>
Allocated by task 31:
kasan_save_stack (mm/kasan/common.c:46)
kasan_set_track (mm/kasan/common.c:52)
__kasan_kmalloc (mm/kasan/common.c:374 mm/kasan/common.c:383)
hci_conn_params_add (./include/linux/slab.h:580 ./include/linux/slab.h:720 net/bluetooth/hci_core.c:2277)
hci_connect_le_scan (net/bluetooth/hci_conn.c:1419 net/bluetooth/hci_conn.c:1589)
hci_connect_cis (net/bluetooth/hci_conn.c:2266)
iso_connect_cis (net/bluetooth/iso.c:390)
iso_sock_connect (net/bluetooth/iso.c:899)
__sys_connect (net/socket.c:2003 net/socket.c:2020)
__x64_sys_connect (net/socket.c:2027)
do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
Freed by task 15:
kasan_save_stack (mm/kasan/common.c:46)
kasan_set_track (mm/kasan/common.c:52)
kasan_save_free_info (mm/kasan/generic.c:523)
__kasan_slab_free (mm/kasan/common.c:238 mm/kasan/common.c:200 mm/kasan/common.c:244)
__kmem_cache_free (mm/slub.c:1807 mm/slub.c:3787 mm/slub.c:3800)
hci_conn_params_del (net/bluetooth/hci_core.c:2323)
le_scan_cleanup (net/bluetooth/hci_conn.c:202)
process_one_work (./arch/x86/include/asm/preempt.
---truncated---
Severity ?
7.8 (High)
CWE
- CWE-416 - Use After Free
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: e8907f76544ffe225ab95d70f7313267b1d0c76d , < 13ad45ad14df992a6754a130a19abc8c142d54e2 (git) |
| Linux | Linux | Affected: e8907f76544ffe225ab95d70f7313267b1d0c76d , < cef88a0fd8e9c2e838162fbb742b3e713b811a7e (git) |
| Linux | Linux | Affected: e8907f76544ffe225ab95d70f7313267b1d0c76d , < 195ef75e19287b4bc413da3e3e3722b030ac881e (git) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-53252",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T18:00:42.346483Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T18:02:52.248Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/bluetooth/hci_core.h",
"net/bluetooth/hci_conn.c",
"net/bluetooth/hci_core.c",
"net/bluetooth/hci_event.c",
"net/bluetooth/hci_sync.c",
"net/bluetooth/mgmt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "13ad45ad14df992a6754a130a19abc8c142d54e2",
"status": "affected",
"version": "e8907f76544ffe225ab95d70f7313267b1d0c76d",
"versionType": "git"
},
{
"lessThan": "cef88a0fd8e9c2e838162fbb742b3e713b811a7e",
"status": "affected",
"version": "e8907f76544ffe225ab95d70f7313267b1d0c76d",
"versionType": "git"
},
{
"lessThan": "195ef75e19287b4bc413da3e3e3722b030ac881e",
"status": "affected",
"version": "e8907f76544ffe225ab95d70f7313267b1d0c76d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/bluetooth/hci_core.h",
"net/bluetooth/hci_conn.c",
"net/bluetooth/hci_core.c",
"net/bluetooth/hci_event.c",
"net/bluetooth/hci_sync.c",
"net/bluetooth/mgmt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.42",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: use RCU for hci_conn_params and iterate safely in hci_sync\n\nhci_update_accept_list_sync iterates over hdev-\u003epend_le_conns and\nhdev-\u003epend_le_reports, and waits for controller events in the loop body,\nwithout holding hdev lock.\n\nMeanwhile, these lists and the items may be modified e.g. by\nle_scan_cleanup. This can invalidate the list cursor or any other item\nin the list, resulting to invalid behavior (eg use-after-free).\n\nUse RCU for the hci_conn_params action lists. Since the loop bodies in\nhci_sync block and we cannot use RCU or hdev-\u003elock for the whole loop,\ncopy list items first and then iterate on the copy. Only the flags field\nis written from elsewhere, so READ_ONCE/WRITE_ONCE should guarantee we\nread valid values.\n\nFree params everywhere with hci_conn_params_free so the cleanup is\nguaranteed to be done properly.\n\nThis fixes the following, which can be triggered e.g. by BlueZ new\nmgmt-tester case \"Add + Remove Device Nowait - Success\", or by changing\nhci_le_set_cig_params to always return false, and running iso-tester:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841)\nRead of size 8 at addr ffff888001265018 by task kworker/u3:0/32\n\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014\nWorkqueue: hci0 hci_cmd_sync_work\nCall Trace:\n\u003cTASK\u003e\ndump_stack_lvl (./arch/x86/include/asm/irqflags.h:134 lib/dump_stack.c:107)\nprint_report (mm/kasan/report.c:320 mm/kasan/report.c:430)\n? __virt_addr_valid (./include/linux/mmzone.h:1915 ./include/linux/mmzone.h:2011 arch/x86/mm/physaddr.c:65)\n? 
hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841)\nkasan_report (mm/kasan/report.c:538)\n? hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841)\nhci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841)\n? __pfx_hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2780)\n? mutex_lock (kernel/locking/mutex.c:282)\n? __pfx_mutex_lock (kernel/locking/mutex.c:282)\n? __pfx_mutex_unlock (kernel/locking/mutex.c:538)\n? __pfx_update_passive_scan_sync (net/bluetooth/hci_sync.c:2861)\nhci_cmd_sync_work (net/bluetooth/hci_sync.c:306)\nprocess_one_work (./arch/x86/include/asm/preempt.h:27 kernel/workqueue.c:2399)\nworker_thread (./include/linux/list.h:292 kernel/workqueue.c:2538)\n? __pfx_worker_thread (kernel/workqueue.c:2480)\nkthread (kernel/kthread.c:376)\n? __pfx_kthread (kernel/kthread.c:331)\nret_from_fork (arch/x86/entry/entry_64.S:314)\n\u003c/TASK\u003e\n\nAllocated by task 31:\nkasan_save_stack (mm/kasan/common.c:46)\nkasan_set_track (mm/kasan/common.c:52)\n__kasan_kmalloc (mm/kasan/common.c:374 mm/kasan/common.c:383)\nhci_conn_params_add (./include/linux/slab.h:580 ./include/linux/slab.h:720 net/bluetooth/hci_core.c:2277)\nhci_connect_le_scan (net/bluetooth/hci_conn.c:1419 net/bluetooth/hci_conn.c:1589)\nhci_connect_cis (net/bluetooth/hci_conn.c:2266)\niso_connect_cis (net/bluetooth/iso.c:390)\niso_sock_connect (net/bluetooth/iso.c:899)\n__sys_connect (net/socket.c:2003 net/socket.c:2020)\n__x64_sys_connect (net/socket.c:2027)\ndo_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)\n\nFreed by task 15:\nkasan_save_stack (mm/kasan/common.c:46)\nkasan_set_track (mm/kasan/common.c:52)\nkasan_save_free_info (mm/kasan/generic.c:523)\n__kasan_slab_free (mm/kasan/common.c:238 
mm/kasan/common.c:200 mm/kasan/common.c:244)\n__kmem_cache_free (mm/slub.c:1807 mm/slub.c:3787 mm/slub.c:3800)\nhci_conn_params_del (net/bluetooth/hci_core.c:2323)\nle_scan_cleanup (net/bluetooth/hci_conn.c:202)\nprocess_one_work (./arch/x86/include/asm/preempt.\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T14:46:21.720Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/13ad45ad14df992a6754a130a19abc8c142d54e2"
},
{
"url": "https://git.kernel.org/stable/c/cef88a0fd8e9c2e838162fbb742b3e713b811a7e"
},
{
"url": "https://git.kernel.org/stable/c/195ef75e19287b4bc413da3e3e3722b030ac881e"
}
],
"title": "Bluetooth: use RCU for hci_conn_params and iterate safely in hci_sync",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53252",
"datePublished": "2025-09-15T14:46:21.720Z",
"dateReserved": "2025-09-15T14:19:21.849Z",
"dateUpdated": "2026-01-14T18:02:52.248Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50390 (GCVE-0-2022-50390)
Vulnerability from cvelistv5 – Published: 2025-09-18 13:33 – Updated: 2026-01-14 18:53
Title
drm/ttm: fix undefined behavior in bit shift for TTM_TT_FLAG_PRIV_POPULATED
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/ttm: fix undefined behavior in bit shift for TTM_TT_FLAG_PRIV_POPULATED
Shifting signed 32-bit value by 31 bits is undefined, so changing
significant bit to unsigned. The UBSAN warning calltrace like below:
UBSAN: shift-out-of-bounds in ./include/drm/ttm/ttm_tt.h:122:26
left shift of 1 by 31 places cannot be represented in type 'int'
Call Trace:
<TASK>
dump_stack_lvl+0x7d/0xa5
dump_stack+0x15/0x1b
ubsan_epilogue+0xe/0x4e
__ubsan_handle_shift_out_of_bounds+0x1e7/0x20c
ttm_bo_move_memcpy+0x3b4/0x460 [ttm]
bo_driver_move+0x32/0x40 [drm_vram_helper]
ttm_bo_handle_move_mem+0x118/0x200 [ttm]
ttm_bo_validate+0xfa/0x220 [ttm]
drm_gem_vram_pin_locked+0x70/0x1b0 [drm_vram_helper]
drm_gem_vram_pin+0x48/0xb0 [drm_vram_helper]
drm_gem_vram_plane_helper_prepare_fb+0x53/0xe0 [drm_vram_helper]
drm_gem_vram_simple_display_pipe_prepare_fb+0x26/0x30 [drm_vram_helper]
drm_simple_kms_plane_prepare_fb+0x4d/0xe0 [drm_kms_helper]
drm_atomic_helper_prepare_planes+0xda/0x210 [drm_kms_helper]
drm_atomic_helper_commit+0xc3/0x1e0 [drm_kms_helper]
drm_atomic_commit+0x9c/0x160 [drm]
drm_client_modeset_commit_atomic+0x33a/0x380 [drm]
drm_client_modeset_commit_locked+0x77/0x220 [drm]
drm_client_modeset_commit+0x31/0x60 [drm]
__drm_fb_helper_restore_fbdev_mode_unlocked+0xa7/0x170 [drm_kms_helper]
drm_fb_helper_set_par+0x51/0x90 [drm_kms_helper]
fbcon_init+0x316/0x790
visual_init+0x113/0x1d0
do_bind_con_driver+0x2a3/0x5c0
do_take_over_console+0xa9/0x270
do_fbcon_takeover+0xa1/0x170
do_fb_registered+0x2a8/0x340
fbcon_fb_registered+0x47/0xe0
register_framebuffer+0x294/0x4a0
__drm_fb_helper_initial_config_and_unlock+0x43c/0x880 [drm_kms_helper]
drm_fb_helper_initial_config+0x52/0x80 [drm_kms_helper]
drm_fbdev_client_hotplug+0x156/0x1b0 [drm_kms_helper]
drm_fbdev_generic_setup+0xfc/0x290 [drm_kms_helper]
bochs_pci_probe+0x6ca/0x772 [bochs]
local_pci_probe+0x4d/0xb0
pci_device_probe+0x119/0x320
really_probe+0x181/0x550
__driver_probe_device+0xc6/0x220
driver_probe_device+0x32/0x100
__driver_attach+0x195/0x200
bus_for_each_dev+0xbb/0x120
driver_attach+0x27/0x30
bus_add_driver+0x22e/0x2f0
driver_register+0xa9/0x190
__pci_register_driver+0x90/0xa0
bochs_pci_driver_init+0x52/0x1000 [bochs]
do_one_initcall+0x76/0x430
do_init_module+0x61/0x28a
load_module+0x1f82/0x2e50
__do_sys_finit_module+0xf8/0x190
__x64_sys_finit_module+0x23/0x30
do_syscall_64+0x58/0x80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
</TASK>
Severity ?
5.5 (Medium)
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 3312be8f6fc8a8dc7cef01986dbd436eab7af0f7 , < 2ff0309b73d86e8591881ac035af06e01c112e89 (git) |
| Linux | Linux | Affected: 3312be8f6fc8a8dc7cef01986dbd436eab7af0f7 , < 6528971fdce0dfc0a28fec42c151a1eccdabadf5 (git) |
| Linux | Linux | Affected: 3312be8f6fc8a8dc7cef01986dbd436eab7af0f7 , < 387659939c00156f8d6bab0fbc55b4eaf2b6bc5b (git) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-50390",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T18:50:13.515022Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T18:53:05.285Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/drm/ttm/ttm_tt.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2ff0309b73d86e8591881ac035af06e01c112e89",
"status": "affected",
"version": "3312be8f6fc8a8dc7cef01986dbd436eab7af0f7",
"versionType": "git"
},
{
"lessThan": "6528971fdce0dfc0a28fec42c151a1eccdabadf5",
"status": "affected",
"version": "3312be8f6fc8a8dc7cef01986dbd436eab7af0f7",
"versionType": "git"
},
{
"lessThan": "387659939c00156f8d6bab0fbc55b4eaf2b6bc5b",
"status": "affected",
"version": "3312be8f6fc8a8dc7cef01986dbd436eab7af0f7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/drm/ttm/ttm_tt.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/ttm: fix undefined behavior in bit shift for TTM_TT_FLAG_PRIV_POPULATED\n\nShifting signed 32-bit value by 31 bits is undefined, so changing\nsignificant bit to unsigned. The UBSAN warning calltrace like below:\n\nUBSAN: shift-out-of-bounds in ./include/drm/ttm/ttm_tt.h:122:26\nleft shift of 1 by 31 places cannot be represented in type \u0027int\u0027\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x7d/0xa5\n dump_stack+0x15/0x1b\n ubsan_epilogue+0xe/0x4e\n __ubsan_handle_shift_out_of_bounds+0x1e7/0x20c\n ttm_bo_move_memcpy+0x3b4/0x460 [ttm]\n bo_driver_move+0x32/0x40 [drm_vram_helper]\n ttm_bo_handle_move_mem+0x118/0x200 [ttm]\n ttm_bo_validate+0xfa/0x220 [ttm]\n drm_gem_vram_pin_locked+0x70/0x1b0 [drm_vram_helper]\n drm_gem_vram_pin+0x48/0xb0 [drm_vram_helper]\n drm_gem_vram_plane_helper_prepare_fb+0x53/0xe0 [drm_vram_helper]\n drm_gem_vram_simple_display_pipe_prepare_fb+0x26/0x30 [drm_vram_helper]\n drm_simple_kms_plane_prepare_fb+0x4d/0xe0 [drm_kms_helper]\n drm_atomic_helper_prepare_planes+0xda/0x210 [drm_kms_helper]\n drm_atomic_helper_commit+0xc3/0x1e0 [drm_kms_helper]\n drm_atomic_commit+0x9c/0x160 [drm]\n drm_client_modeset_commit_atomic+0x33a/0x380 [drm]\n drm_client_modeset_commit_locked+0x77/0x220 [drm]\n drm_client_modeset_commit+0x31/0x60 [drm]\n __drm_fb_helper_restore_fbdev_mode_unlocked+0xa7/0x170 [drm_kms_helper]\n drm_fb_helper_set_par+0x51/0x90 [drm_kms_helper]\n fbcon_init+0x316/0x790\n visual_init+0x113/0x1d0\n do_bind_con_driver+0x2a3/0x5c0\n do_take_over_console+0xa9/0x270\n do_fbcon_takeover+0xa1/0x170\n do_fb_registered+0x2a8/0x340\n fbcon_fb_registered+0x47/0xe0\n register_framebuffer+0x294/0x4a0\n __drm_fb_helper_initial_config_and_unlock+0x43c/0x880 [drm_kms_helper]\n drm_fb_helper_initial_config+0x52/0x80 [drm_kms_helper]\n drm_fbdev_client_hotplug+0x156/0x1b0 [drm_kms_helper]\n drm_fbdev_generic_setup+0xfc/0x290 [drm_kms_helper]\n 
bochs_pci_probe+0x6ca/0x772 [bochs]\n local_pci_probe+0x4d/0xb0\n pci_device_probe+0x119/0x320\n really_probe+0x181/0x550\n __driver_probe_device+0xc6/0x220\n driver_probe_device+0x32/0x100\n __driver_attach+0x195/0x200\n bus_for_each_dev+0xbb/0x120\n driver_attach+0x27/0x30\n bus_add_driver+0x22e/0x2f0\n driver_register+0xa9/0x190\n __pci_register_driver+0x90/0xa0\n bochs_pci_driver_init+0x52/0x1000 [bochs]\n do_one_initcall+0x76/0x430\n do_init_module+0x61/0x28a\n load_module+0x1f82/0x2e50\n __do_sys_finit_module+0xf8/0x190\n __x64_sys_finit_module+0x23/0x30\n do_syscall_64+0x58/0x80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n \u003c/TASK\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-18T13:33:10.073Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2ff0309b73d86e8591881ac035af06e01c112e89"
},
{
"url": "https://git.kernel.org/stable/c/6528971fdce0dfc0a28fec42c151a1eccdabadf5"
},
{
"url": "https://git.kernel.org/stable/c/387659939c00156f8d6bab0fbc55b4eaf2b6bc5b"
}
],
"title": "drm/ttm: fix undefined behavior in bit shift for TTM_TT_FLAG_PRIV_POPULATED",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50390",
"datePublished": "2025-09-18T13:33:10.073Z",
"dateReserved": "2025-09-17T14:53:06.998Z",
"dateUpdated": "2026-01-14T18:53:05.285Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38618 (GCVE-0-2025-38618)
Vulnerability from cvelistv5 – Published: 2025-08-22 13:01 – Updated: 2025-11-03 17:40
Title
vsock: Do not allow binding to VMADDR_PORT_ANY
Summary
In the Linux kernel, the following vulnerability has been resolved:
vsock: Do not allow binding to VMADDR_PORT_ANY
It is possible for a vsock to autobind to VMADDR_PORT_ANY. This can
cause a use-after-free when a connection is made to the bound socket.
The socket returned by accept() also has port VMADDR_PORT_ANY but is not
on the list of unbound sockets. Binding it will result in an extra
refcount decrement similar to the one fixed in fcdd2242c023 (vsock: Keep
the binding until socket destruction).
Modify the check in __vsock_bind_connectible() to also prevent binding
to VMADDR_PORT_ANY.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: d021c344051af91f42c5ba9fdedc176740cbd238 , < c04a2c1ca25b9b23104124d3b2d349d934e302de (git) |
| Linux | Linux | Affected: d021c344051af91f42c5ba9fdedc176740cbd238 , < d1a5b1964cef42727668ac0d8532dae4f8c19386 (git) |
| Linux | Linux | Affected: d021c344051af91f42c5ba9fdedc176740cbd238 , < cf86704798c1b9c46fa59dfc2d662f57d1394d79 (git) |
| Linux | Linux | Affected: d021c344051af91f42c5ba9fdedc176740cbd238 , < f138be5d7f301fddad4e65ec66dfc3ceebf79be3 (git) |
| Linux | Linux | Affected: d021c344051af91f42c5ba9fdedc176740cbd238 , < 44bd006d5c93f6a8f28b106cbae2428c5d0275b7 (git) |
| Linux | Linux | Affected: d021c344051af91f42c5ba9fdedc176740cbd238 , < 32950b1907919be86a7a2697d6f93d57068b3865 (git) |
| Linux | Linux | Affected: d021c344051af91f42c5ba9fdedc176740cbd238 , < 8f01093646b49f6330bb2d36761983fd829472b1 (git) |
| Linux | Linux | Affected: d021c344051af91f42c5ba9fdedc176740cbd238 , < d73960f0cf03ef1dc9e96ec7a20e538accc26d87 (git) |
| Linux | Linux | Affected: d021c344051af91f42c5ba9fdedc176740cbd238 , < aba0c94f61ec05315fa7815d21aefa4c87f6a9f4 (git) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:40:30.483Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/vmw_vsock/af_vsock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c04a2c1ca25b9b23104124d3b2d349d934e302de",
"status": "affected",
"version": "d021c344051af91f42c5ba9fdedc176740cbd238",
"versionType": "git"
},
{
"lessThan": "d1a5b1964cef42727668ac0d8532dae4f8c19386",
"status": "affected",
"version": "d021c344051af91f42c5ba9fdedc176740cbd238",
"versionType": "git"
},
{
"lessThan": "cf86704798c1b9c46fa59dfc2d662f57d1394d79",
"status": "affected",
"version": "d021c344051af91f42c5ba9fdedc176740cbd238",
"versionType": "git"
},
{
"lessThan": "f138be5d7f301fddad4e65ec66dfc3ceebf79be3",
"status": "affected",
"version": "d021c344051af91f42c5ba9fdedc176740cbd238",
"versionType": "git"
},
{
"lessThan": "44bd006d5c93f6a8f28b106cbae2428c5d0275b7",
"status": "affected",
"version": "d021c344051af91f42c5ba9fdedc176740cbd238",
"versionType": "git"
},
{
"lessThan": "32950b1907919be86a7a2697d6f93d57068b3865",
"status": "affected",
"version": "d021c344051af91f42c5ba9fdedc176740cbd238",
"versionType": "git"
},
{
"lessThan": "8f01093646b49f6330bb2d36761983fd829472b1",
"status": "affected",
"version": "d021c344051af91f42c5ba9fdedc176740cbd238",
"versionType": "git"
},
{
"lessThan": "d73960f0cf03ef1dc9e96ec7a20e538accc26d87",
"status": "affected",
"version": "d021c344051af91f42c5ba9fdedc176740cbd238",
"versionType": "git"
},
{
"lessThan": "aba0c94f61ec05315fa7815d21aefa4c87f6a9f4",
"status": "affected",
"version": "d021c344051af91f42c5ba9fdedc176740cbd238",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/vmw_vsock/af_vsock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.9"
},
{
"lessThan": "3.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.148",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.102",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.148",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.102",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.42",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.10",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "3.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvsock: Do not allow binding to VMADDR_PORT_ANY\n\nIt is possible for a vsock to autobind to VMADDR_PORT_ANY. This can\ncause a use-after-free when a connection is made to the bound socket.\nThe socket returned by accept() also has port VMADDR_PORT_ANY but is not\non the list of unbound sockets. Binding it will result in an extra\nrefcount decrement similar to the one fixed in fcdd2242c023 (vsock: Keep\nthe binding until socket destruction).\n\nModify the check in __vsock_bind_connectible() to also prevent binding\nto VMADDR_PORT_ANY."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:54:53.408Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c04a2c1ca25b9b23104124d3b2d349d934e302de"
},
{
"url": "https://git.kernel.org/stable/c/d1a5b1964cef42727668ac0d8532dae4f8c19386"
},
{
"url": "https://git.kernel.org/stable/c/cf86704798c1b9c46fa59dfc2d662f57d1394d79"
},
{
"url": "https://git.kernel.org/stable/c/f138be5d7f301fddad4e65ec66dfc3ceebf79be3"
},
{
"url": "https://git.kernel.org/stable/c/44bd006d5c93f6a8f28b106cbae2428c5d0275b7"
},
{
"url": "https://git.kernel.org/stable/c/32950b1907919be86a7a2697d6f93d57068b3865"
},
{
"url": "https://git.kernel.org/stable/c/8f01093646b49f6330bb2d36761983fd829472b1"
},
{
"url": "https://git.kernel.org/stable/c/d73960f0cf03ef1dc9e96ec7a20e538accc26d87"
},
{
"url": "https://git.kernel.org/stable/c/aba0c94f61ec05315fa7815d21aefa4c87f6a9f4"
}
],
"title": "vsock: Do not allow binding to VMADDR_PORT_ANY",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38618",
"datePublished": "2025-08-22T13:01:24.678Z",
"dateReserved": "2025-04-16T04:51:24.029Z",
"dateUpdated": "2025-11-03T17:40:30.483Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53520 (GCVE-0-2023-53520)
Vulnerability from cvelistv5 – Published: 2025-10-01 11:46 – Updated: 2026-01-05 10:21
Title
Bluetooth: Fix hci_suspend_sync crash
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: Fix hci_suspend_sync crash
If hci_unregister_dev() frees the hci_dev object but hci_suspend_notifier
may still be accessing it, it can cause the program to crash.
Here's the call trace:
<4>[102152.653246] Call Trace:
<4>[102152.653254] hci_suspend_sync+0x109/0x301 [bluetooth]
<4>[102152.653259] hci_suspend_dev+0x78/0xcd [bluetooth]
<4>[102152.653263] hci_suspend_notifier+0x42/0x7a [bluetooth]
<4>[102152.653268] notifier_call_chain+0x43/0x6b
<4>[102152.653271] __blocking_notifier_call_chain+0x48/0x69
<4>[102152.653273] __pm_notifier_call_chain+0x22/0x39
<4>[102152.653276] pm_suspend+0x287/0x57c
<4>[102152.653278] state_store+0xae/0xe5
<4>[102152.653281] kernfs_fop_write+0x109/0x173
<4>[102152.653284] __vfs_write+0x16f/0x1a2
<4>[102152.653287] ? selinux_file_permission+0xca/0x16f
<4>[102152.653289] ? security_file_permission+0x36/0x109
<4>[102152.653291] vfs_write+0x114/0x21d
<4>[102152.653293] __x64_sys_write+0x7b/0xdb
<4>[102152.653296] do_syscall_64+0x59/0x194
<4>[102152.653299] entry_SYSCALL_64_after_hwframe+0x5c/0xc1
This patch holds the reference count of the hci_dev object while
processing it in hci_suspend_notifier to avoid potential crash
caused by the race condition.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 9952d90ea2885d7cbf80cd233f694f09a9c0eaec , < 06e2b5ad72b60f90bfe565c201346532e271f484 (git) |
| Linux | Linux | Affected: 9952d90ea2885d7cbf80cd233f694f09a9c0eaec , < f9c8ce5d665653e3cf71a76349d41d7a7f7947e6 (git) |
| Linux | Linux | Affected: 9952d90ea2885d7cbf80cd233f694f09a9c0eaec , < 573ebae162111063eedc6c838a659ba628f66a0f (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hci_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "06e2b5ad72b60f90bfe565c201346532e271f484",
"status": "affected",
"version": "9952d90ea2885d7cbf80cd233f694f09a9c0eaec",
"versionType": "git"
},
{
"lessThan": "f9c8ce5d665653e3cf71a76349d41d7a7f7947e6",
"status": "affected",
"version": "9952d90ea2885d7cbf80cd233f694f09a9c0eaec",
"versionType": "git"
},
{
"lessThan": "573ebae162111063eedc6c838a659ba628f66a0f",
"status": "affected",
"version": "9952d90ea2885d7cbf80cd233f694f09a9c0eaec",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hci_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.55",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.5",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Fix hci_suspend_sync crash\n\nIf hci_unregister_dev() frees the hci_dev object but hci_suspend_notifier\nmay still be accessing it, it can cause the program to crash.\nHere\u0027s the call trace:\n \u003c4\u003e[102152.653246] Call Trace:\n \u003c4\u003e[102152.653254] hci_suspend_sync+0x109/0x301 [bluetooth]\n \u003c4\u003e[102152.653259] hci_suspend_dev+0x78/0xcd [bluetooth]\n \u003c4\u003e[102152.653263] hci_suspend_notifier+0x42/0x7a [bluetooth]\n \u003c4\u003e[102152.653268] notifier_call_chain+0x43/0x6b\n \u003c4\u003e[102152.653271] __blocking_notifier_call_chain+0x48/0x69\n \u003c4\u003e[102152.653273] __pm_notifier_call_chain+0x22/0x39\n \u003c4\u003e[102152.653276] pm_suspend+0x287/0x57c\n \u003c4\u003e[102152.653278] state_store+0xae/0xe5\n \u003c4\u003e[102152.653281] kernfs_fop_write+0x109/0x173\n \u003c4\u003e[102152.653284] __vfs_write+0x16f/0x1a2\n \u003c4\u003e[102152.653287] ? selinux_file_permission+0xca/0x16f\n \u003c4\u003e[102152.653289] ? security_file_permission+0x36/0x109\n \u003c4\u003e[102152.653291] vfs_write+0x114/0x21d\n \u003c4\u003e[102152.653293] __x64_sys_write+0x7b/0xdb\n \u003c4\u003e[102152.653296] do_syscall_64+0x59/0x194\n \u003c4\u003e[102152.653299] entry_SYSCALL_64_after_hwframe+0x5c/0xc1\n\nThis patch holds the reference count of the hci_dev object while\nprocessing it in hci_suspend_notifier to avoid potential crash\ncaused by the race condition."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:21:07.688Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/06e2b5ad72b60f90bfe565c201346532e271f484"
},
{
"url": "https://git.kernel.org/stable/c/f9c8ce5d665653e3cf71a76349d41d7a7f7947e6"
},
{
"url": "https://git.kernel.org/stable/c/573ebae162111063eedc6c838a659ba628f66a0f"
}
],
"title": "Bluetooth: Fix hci_suspend_sync crash",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53520",
"datePublished": "2025-10-01T11:46:07.355Z",
"dateReserved": "2025-10-01T11:39:39.407Z",
"dateUpdated": "2026-01-05T10:21:07.688Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38617 (GCVE-0-2025-38617)
Vulnerability from cvelistv5 – Published: 2025-08-22 13:01 – Updated: 2025-11-03 17:40
Title
net/packet: fix a race in packet_set_ring() and packet_notifier()
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/packet: fix a race in packet_set_ring() and packet_notifier()
When packet_set_ring() releases po->bind_lock, another thread can
run packet_notifier() and process an NETDEV_UP event.
This race and the fix are both similar to that of commit 15fe076edea7
("net/packet: fix a race in packet_bind() and packet_notifier()").
There too the packet_notifier NETDEV_UP event managed to run while a
po->bind_lock critical section had to be temporarily released. And
the fix was similarly to temporarily set po->num to zero to keep
the socket unhooked until the lock is retaken.
The po->bind_lock in packet_set_ring and packet_notifier precede the
introduction of git history.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 18f13f2a83eb81be349a9757ba2141ff1da9ad73 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 7da733f117533e9b2ebbd530a22ae4028713955c (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ba2257034755ae773722f15f4c3ad1dcdad15ca9 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 7de07705007c7e34995a5599aaab1d23e762d7ca (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 88caf46db8239e6471413d28aabaa6b8bd552805 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f2e8fcfd2b1bc754920108b7f2cd75082c5a18df (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < e50ccfaca9e3c671cae917dcb994831a859cf588 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f1791fd7b845bea0ce9674fcf2febee7bc87a893 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 01d3c8417b9c1b884a8a981a3b886da556512f36 (git) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:40:28.543Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/packet/af_packet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "18f13f2a83eb81be349a9757ba2141ff1da9ad73",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7da733f117533e9b2ebbd530a22ae4028713955c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ba2257034755ae773722f15f4c3ad1dcdad15ca9",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7de07705007c7e34995a5599aaab1d23e762d7ca",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "88caf46db8239e6471413d28aabaa6b8bd552805",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f2e8fcfd2b1bc754920108b7f2cd75082c5a18df",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e50ccfaca9e3c671cae917dcb994831a859cf588",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f1791fd7b845bea0ce9674fcf2febee7bc87a893",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "01d3c8417b9c1b884a8a981a3b886da556512f36",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/packet/af_packet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.148",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.102",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.148",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.102",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.42",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.10",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/packet: fix a race in packet_set_ring() and packet_notifier()\n\nWhen packet_set_ring() releases po-\u003ebind_lock, another thread can\nrun packet_notifier() and process an NETDEV_UP event.\n\nThis race and the fix are both similar to that of commit 15fe076edea7\n(\"net/packet: fix a race in packet_bind() and packet_notifier()\").\n\nThere too the packet_notifier NETDEV_UP event managed to run while a\npo-\u003ebind_lock critical section had to be temporarily released. And\nthe fix was similarly to temporarily set po-\u003enum to zero to keep\nthe socket unhooked until the lock is retaken.\n\nThe po-\u003ebind_lock in packet_set_ring and packet_notifier precede the\nintroduction of git history."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:54:52.280Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/18f13f2a83eb81be349a9757ba2141ff1da9ad73"
},
{
"url": "https://git.kernel.org/stable/c/7da733f117533e9b2ebbd530a22ae4028713955c"
},
{
"url": "https://git.kernel.org/stable/c/ba2257034755ae773722f15f4c3ad1dcdad15ca9"
},
{
"url": "https://git.kernel.org/stable/c/7de07705007c7e34995a5599aaab1d23e762d7ca"
},
{
"url": "https://git.kernel.org/stable/c/88caf46db8239e6471413d28aabaa6b8bd552805"
},
{
"url": "https://git.kernel.org/stable/c/f2e8fcfd2b1bc754920108b7f2cd75082c5a18df"
},
{
"url": "https://git.kernel.org/stable/c/e50ccfaca9e3c671cae917dcb994831a859cf588"
},
{
"url": "https://git.kernel.org/stable/c/f1791fd7b845bea0ce9674fcf2febee7bc87a893"
},
{
"url": "https://git.kernel.org/stable/c/01d3c8417b9c1b884a8a981a3b886da556512f36"
}
],
"title": "net/packet: fix a race in packet_set_ring() and packet_notifier()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38617",
"datePublished": "2025-08-22T13:01:23.963Z",
"dateReserved": "2025-04-16T04:51:24.029Z",
"dateUpdated": "2025-11-03T17:40:28.543Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53500 (GCVE-0-2023-53500)
Vulnerability from cvelistv5 – Published: 2025-10-01 11:45 – Updated: 2025-10-01 11:45
Title
xfrm: fix slab-use-after-free in decode_session6
Summary
In the Linux kernel, the following vulnerability has been resolved:
xfrm: fix slab-use-after-free in decode_session6
When the xfrm device is set to the qdisc of the sfb type, the cb field
of the sent skb may be modified during enqueuing. Then,
slab-use-after-free may occur when the xfrm device sends IPv6 packets.
The stack information is as follows:
BUG: KASAN: slab-use-after-free in decode_session6+0x103f/0x1890
Read of size 1 at addr ffff8881111458ef by task swapper/3/0
CPU: 3 PID: 0 Comm: swapper/3 Not tainted 6.4.0-next-20230707 #409
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014
Call Trace:
<IRQ>
dump_stack_lvl+0xd9/0x150
print_address_description.constprop.0+0x2c/0x3c0
kasan_report+0x11d/0x130
decode_session6+0x103f/0x1890
__xfrm_decode_session+0x54/0xb0
xfrmi_xmit+0x173/0x1ca0
dev_hard_start_xmit+0x187/0x700
sch_direct_xmit+0x1a3/0xc30
__qdisc_run+0x510/0x17a0
__dev_queue_xmit+0x2215/0x3b10
neigh_connected_output+0x3c2/0x550
ip6_finish_output2+0x55a/0x1550
ip6_finish_output+0x6b9/0x1270
ip6_output+0x1f1/0x540
ndisc_send_skb+0xa63/0x1890
ndisc_send_rs+0x132/0x6f0
addrconf_rs_timer+0x3f1/0x870
call_timer_fn+0x1a0/0x580
expire_timers+0x29b/0x4b0
run_timer_softirq+0x326/0x910
__do_softirq+0x1d4/0x905
irq_exit_rcu+0xb7/0x120
sysvec_apic_timer_interrupt+0x97/0xc0
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20
RIP: 0010:intel_idle_hlt+0x23/0x30
Code: 1f 84 00 00 00 00 00 f3 0f 1e fa 41 54 41 89 d4 0f 1f 44 00 00 66 90 0f 1f 44 00 00 0f 00 2d c4 9f ab 00 0f 1f 44 00 00 fb f4 <fa> 44 89 e0 41 5c c3 66 0f 1f 44 00 00 f3 0f 1e fa 41 54 41 89 d4
RSP: 0018:ffffc90000197d78 EFLAGS: 00000246
RAX: 00000000000a83c3 RBX: ffffe8ffffd09c50 RCX: ffffffff8a22d8e5
RDX: 0000000000000001 RSI: ffffffff8d3f8080 RDI: ffffe8ffffd09c50
RBP: ffffffff8d3f8080 R08: 0000000000000001 R09: ffffed1026ba6d9d
R10: ffff888135d36ceb R11: 0000000000000001 R12: 0000000000000001
R13: ffffffff8d3f8100 R14: 0000000000000001 R15: 0000000000000000
cpuidle_enter_state+0xd3/0x6f0
cpuidle_enter+0x4e/0xa0
do_idle+0x2fe/0x3c0
cpu_startup_entry+0x18/0x20
start_secondary+0x200/0x290
secondary_startup_64_no_verify+0x167/0x16b
</TASK>
Allocated by task 939:
kasan_save_stack+0x22/0x40
kasan_set_track+0x25/0x30
__kasan_slab_alloc+0x7f/0x90
kmem_cache_alloc_node+0x1cd/0x410
kmalloc_reserve+0x165/0x270
__alloc_skb+0x129/0x330
inet6_ifa_notify+0x118/0x230
__ipv6_ifa_notify+0x177/0xbe0
addrconf_dad_completed+0x133/0xe00
addrconf_dad_work+0x764/0x1390
process_one_work+0xa32/0x16f0
worker_thread+0x67d/0x10c0
kthread+0x344/0x440
ret_from_fork+0x1f/0x30
The buggy address belongs to the object at ffff888111145800
which belongs to the cache skbuff_small_head of size 640
The buggy address is located 239 bytes inside of
freed 640-byte region [ffff888111145800, ffff888111145a80)
As commit f855691975bb ("xfrm6: Fix the nexthdr offset in
_decode_session6.") showed, xfrm_decode_session was originally intended
only for the receive path. IP6CB(skb)->nhoff is not set during
transmission. Therefore, set the cb field in the skb to 0 before
sending packets.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: f855691975bb06373a98711e4cfe2c224244b536 , < da4cbaa75ed088b6d70db77b9103a27e2359e243 (git) |
| Linux | Linux | Affected: f855691975bb06373a98711e4cfe2c224244b536 , < db0e50741f0387f388e9ec824ea7ae8456554d5b (git) |
| Linux | Linux | Affected: f855691975bb06373a98711e4cfe2c224244b536 , < bafa236380816b41b2c4c6970d9067fefa4a6c9e (git) |
| Linux | Linux | Affected: f855691975bb06373a98711e4cfe2c224244b536 , < 44b3d40967009304617a7a6486490c1d6c12f899 (git) |
| Linux | Linux | Affected: f855691975bb06373a98711e4cfe2c224244b536 , < 0d27567fde5be5f0edc2db5c110142b7915b8fa8 (git) |
| Linux | Linux | Affected: f855691975bb06373a98711e4cfe2c224244b536 , < 86f15300a22656db3fa8c8967defbcd24fac4d37 (git) |
| Linux | Linux | Affected: f855691975bb06373a98711e4cfe2c224244b536 , < 53223f2ed1ef5c90dad814daaaefea4e68a933c8 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/xfrm/xfrm_interface_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "da4cbaa75ed088b6d70db77b9103a27e2359e243",
"status": "affected",
"version": "f855691975bb06373a98711e4cfe2c224244b536",
"versionType": "git"
},
{
"lessThan": "db0e50741f0387f388e9ec824ea7ae8456554d5b",
"status": "affected",
"version": "f855691975bb06373a98711e4cfe2c224244b536",
"versionType": "git"
},
{
"lessThan": "bafa236380816b41b2c4c6970d9067fefa4a6c9e",
"status": "affected",
"version": "f855691975bb06373a98711e4cfe2c224244b536",
"versionType": "git"
},
{
"lessThan": "44b3d40967009304617a7a6486490c1d6c12f899",
"status": "affected",
"version": "f855691975bb06373a98711e4cfe2c224244b536",
"versionType": "git"
},
{
"lessThan": "0d27567fde5be5f0edc2db5c110142b7915b8fa8",
"status": "affected",
"version": "f855691975bb06373a98711e4cfe2c224244b536",
"versionType": "git"
},
{
"lessThan": "86f15300a22656db3fa8c8967defbcd24fac4d37",
"status": "affected",
"version": "f855691975bb06373a98711e4cfe2c224244b536",
"versionType": "git"
},
{
"lessThan": "53223f2ed1ef5c90dad814daaaefea4e68a933c8",
"status": "affected",
"version": "f855691975bb06373a98711e4cfe2c224244b536",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/xfrm/xfrm_interface_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.19"
},
{
"lessThan": "3.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.293",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.255",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.192",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.293",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.255",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.192",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.128",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.47",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.12",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "3.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: fix slab-use-after-free in decode_session6\n\nWhen the xfrm device is set to the qdisc of the sfb type, the cb field\nof the sent skb may be modified during enqueuing. Then,\nslab-use-after-free may occur when the xfrm device sends IPv6 packets.\n\nThe stack information is as follows:\nBUG: KASAN: slab-use-after-free in decode_session6+0x103f/0x1890\nRead of size 1 at addr ffff8881111458ef by task swapper/3/0\nCPU: 3 PID: 0 Comm: swapper/3 Not tainted 6.4.0-next-20230707 #409\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014\nCall Trace:\n\u003cIRQ\u003e\ndump_stack_lvl+0xd9/0x150\nprint_address_description.constprop.0+0x2c/0x3c0\nkasan_report+0x11d/0x130\ndecode_session6+0x103f/0x1890\n__xfrm_decode_session+0x54/0xb0\nxfrmi_xmit+0x173/0x1ca0\ndev_hard_start_xmit+0x187/0x700\nsch_direct_xmit+0x1a3/0xc30\n__qdisc_run+0x510/0x17a0\n__dev_queue_xmit+0x2215/0x3b10\nneigh_connected_output+0x3c2/0x550\nip6_finish_output2+0x55a/0x1550\nip6_finish_output+0x6b9/0x1270\nip6_output+0x1f1/0x540\nndisc_send_skb+0xa63/0x1890\nndisc_send_rs+0x132/0x6f0\naddrconf_rs_timer+0x3f1/0x870\ncall_timer_fn+0x1a0/0x580\nexpire_timers+0x29b/0x4b0\nrun_timer_softirq+0x326/0x910\n__do_softirq+0x1d4/0x905\nirq_exit_rcu+0xb7/0x120\nsysvec_apic_timer_interrupt+0x97/0xc0\n\u003c/IRQ\u003e\n\u003cTASK\u003e\nasm_sysvec_apic_timer_interrupt+0x1a/0x20\nRIP: 0010:intel_idle_hlt+0x23/0x30\nCode: 1f 84 00 00 00 00 00 f3 0f 1e fa 41 54 41 89 d4 0f 1f 44 00 00 66 90 0f 1f 44 00 00 0f 00 2d c4 9f ab 00 0f 1f 44 00 00 fb f4 \u003cfa\u003e 44 89 e0 41 5c c3 66 0f 1f 44 00 00 f3 0f 1e fa 41 54 41 89 d4\nRSP: 0018:ffffc90000197d78 EFLAGS: 00000246\nRAX: 00000000000a83c3 RBX: ffffe8ffffd09c50 RCX: ffffffff8a22d8e5\nRDX: 0000000000000001 RSI: ffffffff8d3f8080 RDI: ffffe8ffffd09c50\nRBP: ffffffff8d3f8080 R08: 0000000000000001 R09: ffffed1026ba6d9d\nR10: ffff888135d36ceb R11: 0000000000000001 
R12: 0000000000000001\nR13: ffffffff8d3f8100 R14: 0000000000000001 R15: 0000000000000000\ncpuidle_enter_state+0xd3/0x6f0\ncpuidle_enter+0x4e/0xa0\ndo_idle+0x2fe/0x3c0\ncpu_startup_entry+0x18/0x20\nstart_secondary+0x200/0x290\nsecondary_startup_64_no_verify+0x167/0x16b\n\u003c/TASK\u003e\nAllocated by task 939:\nkasan_save_stack+0x22/0x40\nkasan_set_track+0x25/0x30\n__kasan_slab_alloc+0x7f/0x90\nkmem_cache_alloc_node+0x1cd/0x410\nkmalloc_reserve+0x165/0x270\n__alloc_skb+0x129/0x330\ninet6_ifa_notify+0x118/0x230\n__ipv6_ifa_notify+0x177/0xbe0\naddrconf_dad_completed+0x133/0xe00\naddrconf_dad_work+0x764/0x1390\nprocess_one_work+0xa32/0x16f0\nworker_thread+0x67d/0x10c0\nkthread+0x344/0x440\nret_from_fork+0x1f/0x30\nThe buggy address belongs to the object at ffff888111145800\nwhich belongs to the cache skbuff_small_head of size 640\nThe buggy address is located 239 bytes inside of\nfreed 640-byte region [ffff888111145800, ffff888111145a80)\n\nAs commit f855691975bb (\"xfrm6: Fix the nexthdr offset in\n_decode_session6.\") showed, xfrm_decode_session was originally intended\nonly for the receive path. IP6CB(skb)-\u003enhoff is not set during\ntransmission. Therefore, set the cb field in the skb to 0 before\nsending packets."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T11:45:51.182Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/da4cbaa75ed088b6d70db77b9103a27e2359e243"
},
{
"url": "https://git.kernel.org/stable/c/db0e50741f0387f388e9ec824ea7ae8456554d5b"
},
{
"url": "https://git.kernel.org/stable/c/bafa236380816b41b2c4c6970d9067fefa4a6c9e"
},
{
"url": "https://git.kernel.org/stable/c/44b3d40967009304617a7a6486490c1d6c12f899"
},
{
"url": "https://git.kernel.org/stable/c/0d27567fde5be5f0edc2db5c110142b7915b8fa8"
},
{
"url": "https://git.kernel.org/stable/c/86f15300a22656db3fa8c8967defbcd24fac4d37"
},
{
"url": "https://git.kernel.org/stable/c/53223f2ed1ef5c90dad814daaaefea4e68a933c8"
}
],
"title": "xfrm: fix slab-use-after-free in decode_session6",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53500",
"datePublished": "2025-10-01T11:45:51.182Z",
"dateReserved": "2025-10-01T11:39:39.404Z",
"dateUpdated": "2025-10-01T11:45:51.182Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38712 (GCVE-0-2025-38712)
Vulnerability from cvelistv5 – Published: 2025-09-04 15:33 – Updated: 2026-01-02 15:31
Title
hfsplus: don't use BUG_ON() in hfsplus_create_attributes_file()
Summary
In the Linux kernel, the following vulnerability has been resolved:
hfsplus: don't use BUG_ON() in hfsplus_create_attributes_file()
When the volume header contains erroneous values that do not reflect
the actual state of the filesystem, hfsplus_fill_super() assumes that
the attributes file is not yet created, which later results in hitting
BUG_ON() when hfsplus_create_attributes_file() is called. Replace this
BUG_ON() with -EIO error with a message to suggest running fsck tool.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 95e0d7dbb9b28ab0dfad7c7316066b05e1f1d4cd , < bb0eea8e375677f586ad11c12e2525ed3fc698c2 (git) |
| Linux | Linux | Affected: 95e0d7dbb9b28ab0dfad7c7316066b05e1f1d4cd , < 9046566fa692f88954dac8c510f37ee17a15fdb7 (git) |
| Linux | Linux | Affected: 95e0d7dbb9b28ab0dfad7c7316066b05e1f1d4cd , < 03cd1db1494cf930e2fa042c9c13e32bffdb4eba (git) |
| Linux | Linux | Affected: 95e0d7dbb9b28ab0dfad7c7316066b05e1f1d4cd , < dee5c668ad71ddbcb4b48d95e8a4f371314ad41d (git) |
| Linux | Linux | Affected: 95e0d7dbb9b28ab0dfad7c7316066b05e1f1d4cd , < b3359392b75395a31af739a761f48f4041148226 (git) |
| Linux | Linux | Affected: 95e0d7dbb9b28ab0dfad7c7316066b05e1f1d4cd , < 1bb8da27ff15e346d4bc9e248e819c9a88ebf9d6 (git) |
| Linux | Linux | Affected: 95e0d7dbb9b28ab0dfad7c7316066b05e1f1d4cd , < d768e3ed430e89a699bf89d3214dcbbf4648c939 (git) |
| Linux | Linux | Affected: 95e0d7dbb9b28ab0dfad7c7316066b05e1f1d4cd , < ce5e387f396cbb5c061d9837abcac731e9e06f4d (git) |
| Linux | Linux | Affected: 95e0d7dbb9b28ab0dfad7c7316066b05e1f1d4cd , < c7c6363ca186747ebc2df10c8a1a51e66e0e32d9 (git) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:41:42.137Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/hfsplus/xattr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bb0eea8e375677f586ad11c12e2525ed3fc698c2",
"status": "affected",
"version": "95e0d7dbb9b28ab0dfad7c7316066b05e1f1d4cd",
"versionType": "git"
},
{
"lessThan": "9046566fa692f88954dac8c510f37ee17a15fdb7",
"status": "affected",
"version": "95e0d7dbb9b28ab0dfad7c7316066b05e1f1d4cd",
"versionType": "git"
},
{
"lessThan": "03cd1db1494cf930e2fa042c9c13e32bffdb4eba",
"status": "affected",
"version": "95e0d7dbb9b28ab0dfad7c7316066b05e1f1d4cd",
"versionType": "git"
},
{
"lessThan": "dee5c668ad71ddbcb4b48d95e8a4f371314ad41d",
"status": "affected",
"version": "95e0d7dbb9b28ab0dfad7c7316066b05e1f1d4cd",
"versionType": "git"
},
{
"lessThan": "b3359392b75395a31af739a761f48f4041148226",
"status": "affected",
"version": "95e0d7dbb9b28ab0dfad7c7316066b05e1f1d4cd",
"versionType": "git"
},
{
"lessThan": "1bb8da27ff15e346d4bc9e248e819c9a88ebf9d6",
"status": "affected",
"version": "95e0d7dbb9b28ab0dfad7c7316066b05e1f1d4cd",
"versionType": "git"
},
{
"lessThan": "d768e3ed430e89a699bf89d3214dcbbf4648c939",
"status": "affected",
"version": "95e0d7dbb9b28ab0dfad7c7316066b05e1f1d4cd",
"versionType": "git"
},
{
"lessThan": "ce5e387f396cbb5c061d9837abcac731e9e06f4d",
"status": "affected",
"version": "95e0d7dbb9b28ab0dfad7c7316066b05e1f1d4cd",
"versionType": "git"
},
{
"lessThan": "c7c6363ca186747ebc2df10c8a1a51e66e0e32d9",
"status": "affected",
"version": "95e0d7dbb9b28ab0dfad7c7316066b05e1f1d4cd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/hfsplus/xattr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.13"
},
{
"lessThan": "3.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.43",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.11",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.2",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "3.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfsplus: don\u0027t use BUG_ON() in hfsplus_create_attributes_file()\n\nWhen the volume header contains erroneous values that do not reflect\nthe actual state of the filesystem, hfsplus_fill_super() assumes that\nthe attributes file is not yet created, which later results in hitting\nBUG_ON() when hfsplus_create_attributes_file() is called. Replace this\nBUG_ON() with -EIO error with a message to suggest running fsck tool."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:31:40.456Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bb0eea8e375677f586ad11c12e2525ed3fc698c2"
},
{
"url": "https://git.kernel.org/stable/c/9046566fa692f88954dac8c510f37ee17a15fdb7"
},
{
"url": "https://git.kernel.org/stable/c/03cd1db1494cf930e2fa042c9c13e32bffdb4eba"
},
{
"url": "https://git.kernel.org/stable/c/dee5c668ad71ddbcb4b48d95e8a4f371314ad41d"
},
{
"url": "https://git.kernel.org/stable/c/b3359392b75395a31af739a761f48f4041148226"
},
{
"url": "https://git.kernel.org/stable/c/1bb8da27ff15e346d4bc9e248e819c9a88ebf9d6"
},
{
"url": "https://git.kernel.org/stable/c/d768e3ed430e89a699bf89d3214dcbbf4648c939"
},
{
"url": "https://git.kernel.org/stable/c/ce5e387f396cbb5c061d9837abcac731e9e06f4d"
},
{
"url": "https://git.kernel.org/stable/c/c7c6363ca186747ebc2df10c8a1a51e66e0e32d9"
}
],
"title": "hfsplus: don\u0027t use BUG_ON() in hfsplus_create_attributes_file()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38712",
"datePublished": "2025-09-04T15:33:02.530Z",
"dateReserved": "2025-04-16T04:51:24.033Z",
"dateUpdated": "2026-01-02T15:31:40.456Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53180 (GCVE-0-2023-53180)
Vulnerability from cvelistv5 – Published: 2025-09-15 14:04 – Updated: 2025-09-16 08:02
Title
wifi: ath12k: Avoid NULL pointer access during management transmit cleanup
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath12k: Avoid NULL pointer access during management transmit cleanup
Currently 'ar' reference is not added in skb_cb.
Though this is generally not used during transmit completion
callbacks, on interface removal the remaining idr cleanup callback
uses the ar pointer from skb_cb from management txmgmt_idr. Hence fill them
during transmit call for proper usage to avoid NULL pointer dereference.
Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.0.1-00029-QCAHKSWPL_SILICONZ-1
Severity
No CVSS data available.
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath12k/mac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7382d02160ef93c806fe1c1d4ef1fec445266747",
"status": "affected",
"version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
"versionType": "git"
},
{
"lessThan": "054b5580a36e435692c203c19abdcb9f7734320e",
"status": "affected",
"version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath12k/mac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: Avoid NULL pointer access during management transmit cleanup\n\nCurrently \u0027ar\u0027 reference is not added in skb_cb.\nThough this is generally not used during transmit completion\ncallbacks, on interface removal the remaining idr cleanup callback\nuses the ar pointer from skb_cb from management txmgmt_idr. Hence fill them\nduring transmit call for proper usage to avoid NULL pointer dereference.\n\nTested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.0.1-00029-QCAHKSWPL_SILICONZ-1"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T08:02:22.024Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7382d02160ef93c806fe1c1d4ef1fec445266747"
},
{
"url": "https://git.kernel.org/stable/c/054b5580a36e435692c203c19abdcb9f7734320e"
}
],
"title": "wifi: ath12k: Avoid NULL pointer access during management transmit cleanup",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53180",
"datePublished": "2025-09-15T14:04:31.143Z",
"dateReserved": "2025-09-15T13:59:19.065Z",
"dateUpdated": "2025-09-16T08:02:22.024Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38465 (GCVE-0-2025-38465)
Vulnerability from cvelistv5 – Published: 2025-07-25 15:27 – Updated: 2025-11-03 17:38
Title
netlink: Fix wraparounds of sk->sk_rmem_alloc.
Summary
In the Linux kernel, the following vulnerability has been resolved:
netlink: Fix wraparounds of sk->sk_rmem_alloc.
Netlink has this pattern in some places
    if (atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf)
        atomic_add(skb->truesize, &sk->sk_rmem_alloc);
, which has the same problem fixed by commit 5a465a0da13e ("udp:
Fix multiple wraparounds of sk->sk_rmem_alloc.").
For example, if we set INT_MAX to SO_RCVBUFFORCE, the condition
is always false as the two operands are of int.
Then, a single socket can eat as many skb as possible until OOM
happens, and we can see multiple wraparounds of sk->sk_rmem_alloc.
Let's fix it by using atomic_add_return() and comparing the two
variables as unsigned int.
Before:
    [root@fedora ~]# ss -f netlink
    Recv-Q      Send-Q Local Address:Port        Peer Address:Port
    -1668710080 0      rtnl:nl_wraparound/293    *
After:
    [root@fedora ~]# ss -f netlink
    Recv-Q      Send-Q Local Address:Port        Peer Address:Port
    2147483072  0      rtnl:nl_wraparound/290    *
    ^
    `--- INT_MAX - 576
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 9da025150b7c14a8390fc06aea314c0a4011e82c (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < c4ceaac5c5ba0b992ee1dc88e2a02421549e5c98 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < fd69af06101090eaa60b3d216ae715f9c0a58e5b (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 76602d8e13864524382b0687dc32cd8f19164d5a (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 55baecb9eb90238f60a8350660d6762046ebd3bd (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 4b8e18af7bea92f8b7fb92d40aeae729209db250 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < cd7ff61bfffd7000143c42bbffb85eeb792466d6 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ae8f160e7eb24240a2a79fc4c815c6a0d4ee16cc (git) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:38:27.585Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netlink/af_netlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9da025150b7c14a8390fc06aea314c0a4011e82c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c4ceaac5c5ba0b992ee1dc88e2a02421549e5c98",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "fd69af06101090eaa60b3d216ae715f9c0a58e5b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "76602d8e13864524382b0687dc32cd8f19164d5a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "55baecb9eb90238f60a8350660d6762046ebd3bd",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4b8e18af7bea92f8b7fb92d40aeae729209db250",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "cd7ff61bfffd7000143c42bbffb85eeb792466d6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ae8f160e7eb24240a2a79fc4c815c6a0d4ee16cc",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netlink/af_netlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.296",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.240",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.146",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.296",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.240",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.189",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.146",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.99",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.39",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.7",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetlink: Fix wraparounds of sk-\u003esk_rmem_alloc.\n\nNetlink has this pattern in some places\n\n if (atomic_read(\u0026sk-\u003esk_rmem_alloc) \u003e sk-\u003esk_rcvbuf)\n \tatomic_add(skb-\u003etruesize, \u0026sk-\u003esk_rmem_alloc);\n\n, which has the same problem fixed by commit 5a465a0da13e (\"udp:\nFix multiple wraparounds of sk-\u003esk_rmem_alloc.\").\n\nFor example, if we set INT_MAX to SO_RCVBUFFORCE, the condition\nis always false as the two operands are of int.\n\nThen, a single socket can eat as many skb as possible until OOM\nhappens, and we can see multiple wraparounds of sk-\u003esk_rmem_alloc.\n\nLet\u0027s fix it by using atomic_add_return() and comparing the two\nvariables as unsigned int.\n\nBefore:\n [root@fedora ~]# ss -f netlink\n Recv-Q Send-Q Local Address:Port Peer Address:Port\n -1668710080 0 rtnl:nl_wraparound/293 *\n\nAfter:\n [root@fedora ~]# ss -f netlink\n Recv-Q Send-Q Local Address:Port Peer Address:Port\n 2147483072 0 rtnl:nl_wraparound/290 *\n ^\n `--- INT_MAX - 576"
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T04:23:13.790Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9da025150b7c14a8390fc06aea314c0a4011e82c"
},
{
"url": "https://git.kernel.org/stable/c/c4ceaac5c5ba0b992ee1dc88e2a02421549e5c98"
},
{
"url": "https://git.kernel.org/stable/c/fd69af06101090eaa60b3d216ae715f9c0a58e5b"
},
{
"url": "https://git.kernel.org/stable/c/76602d8e13864524382b0687dc32cd8f19164d5a"
},
{
"url": "https://git.kernel.org/stable/c/55baecb9eb90238f60a8350660d6762046ebd3bd"
},
{
"url": "https://git.kernel.org/stable/c/4b8e18af7bea92f8b7fb92d40aeae729209db250"
},
{
"url": "https://git.kernel.org/stable/c/cd7ff61bfffd7000143c42bbffb85eeb792466d6"
},
{
"url": "https://git.kernel.org/stable/c/ae8f160e7eb24240a2a79fc4c815c6a0d4ee16cc"
}
],
"title": "netlink: Fix wraparounds of sk-\u003esk_rmem_alloc.",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38465",
"datePublished": "2025-07-25T15:27:47.510Z",
"dateReserved": "2025-04-16T04:51:24.020Z",
"dateUpdated": "2025-11-03T17:38:27.585Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38520 (GCVE-0-2025-38520)
Vulnerability from cvelistv5 – Published: 2025-08-16 10:55 – Updated: 2025-11-03 17:39
Title
drm/amdkfd: Don't call mmput from MMU notifier callback
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdkfd: Don't call mmput from MMU notifier callback
If the process is exiting, the mmput inside mmu notifier callback from
compactd or fork or numa balancing could release the last reference
of mm struct to call exit_mmap and free_pgtable, this triggers deadlock
with below backtrace.
The deadlock will leak kfd process as mmu notifier release is not called
and cause VRAM leaking.
The fix is to take mm reference mmget_non_zero when adding prange to the
deferred list to pair with mmput in deferred list work.
If prange split and add into pchild list, the pchild work_item.mm is not
used, so remove the mm parameter from svm_range_unmap_split and
svm_range_add_child.
The backtrace of hung task:
INFO: task python:348105 blocked for more than 64512 seconds.
Call Trace:
__schedule+0x1c3/0x550
schedule+0x46/0xb0
rwsem_down_write_slowpath+0x24b/0x4c0
unlink_anon_vmas+0xb1/0x1c0
free_pgtables+0xa9/0x130
exit_mmap+0xbc/0x1a0
mmput+0x5a/0x140
svm_range_cpu_invalidate_pagetables+0x2b/0x40 [amdgpu]
mn_itree_invalidate+0x72/0xc0
__mmu_notifier_invalidate_range_start+0x48/0x60
try_to_unmap_one+0x10fa/0x1400
rmap_walk_anon+0x196/0x460
try_to_unmap+0xbb/0x210
migrate_page_unmap+0x54d/0x7e0
migrate_pages_batch+0x1c3/0xae0
migrate_pages_sync+0x98/0x240
migrate_pages+0x25c/0x520
compact_zone+0x29d/0x590
compact_zone_order+0xb6/0xf0
try_to_compact_pages+0xbe/0x220
__alloc_pages_direct_compact+0x96/0x1a0
__alloc_pages_slowpath+0x410/0x930
__alloc_pages_nodemask+0x3a9/0x3e0
do_huge_pmd_anonymous_page+0xd7/0x3e0
__handle_mm_fault+0x5e3/0x5f0
handle_mm_fault+0xf7/0x2e0
hmm_vma_fault.isra.0+0x4d/0xa0
walk_pmd_range.isra.0+0xa8/0x310
walk_pud_range+0x167/0x240
walk_pgd_range+0x55/0x100
__walk_page_range+0x87/0x90
walk_page_range+0xf6/0x160
hmm_range_fault+0x4f/0x90
amdgpu_hmm_range_get_pages+0x123/0x230 [amdgpu]
amdgpu_ttm_tt_get_user_pages+0xb1/0x150 [amdgpu]
init_user_pages+0xb1/0x2a0 [amdgpu]
amdgpu_amdkfd_gpuvm_alloc_memory_of_gpu+0x543/0x7d0 [amdgpu]
kfd_ioctl_alloc_memory_of_gpu+0x24c/0x4e0 [amdgpu]
kfd_ioctl+0x29d/0x500 [amdgpu]
(cherry picked from commit a29e067bd38946f752b0ef855f3dfff87e77bec7)
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: fa582c6f3684ac0098a9d02ddf0ed52a02b37127 , < c1bde9d48e09933c361521720f77a8072083c83a (git) |
| Linux | Linux | Affected: fa582c6f3684ac0098a9d02ddf0ed52a02b37127 , < 145a56bd68f4bff098d59fbc7c263d20dfef4fc4 (git) |
| Linux | Linux | Affected: fa582c6f3684ac0098a9d02ddf0ed52a02b37127 , < e90ee15ce28c61f6d83a0511c3e02e2662478350 (git) |
| Linux | Linux | Affected: fa582c6f3684ac0098a9d02ddf0ed52a02b37127 , < a7eb0a25010a674c8fdfbece38353ef7be8c5834 (git) |
| Linux | Linux | Affected: fa582c6f3684ac0098a9d02ddf0ed52a02b37127 , < cf234231fcbc7d391e2135b9518613218cc5347f (git) |
| Linux | Linux | Affected: 09c5cdbc62d99fc6306a21b24b60eb11a3bd0963 (git) |
| Linux | Linux | Affected: 4b29b8d7c20f54eec0ff266b4a3f419bd251ed83 (git) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:39:22.959Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdkfd/kfd_svm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c1bde9d48e09933c361521720f77a8072083c83a",
"status": "affected",
"version": "fa582c6f3684ac0098a9d02ddf0ed52a02b37127",
"versionType": "git"
},
{
"lessThan": "145a56bd68f4bff098d59fbc7c263d20dfef4fc4",
"status": "affected",
"version": "fa582c6f3684ac0098a9d02ddf0ed52a02b37127",
"versionType": "git"
},
{
"lessThan": "e90ee15ce28c61f6d83a0511c3e02e2662478350",
"status": "affected",
"version": "fa582c6f3684ac0098a9d02ddf0ed52a02b37127",
"versionType": "git"
},
{
"lessThan": "a7eb0a25010a674c8fdfbece38353ef7be8c5834",
"status": "affected",
"version": "fa582c6f3684ac0098a9d02ddf0ed52a02b37127",
"versionType": "git"
},
{
"lessThan": "cf234231fcbc7d391e2135b9518613218cc5347f",
"status": "affected",
"version": "fa582c6f3684ac0098a9d02ddf0ed52a02b37127",
"versionType": "git"
},
{
"status": "affected",
"version": "09c5cdbc62d99fc6306a21b24b60eb11a3bd0963",
"versionType": "git"
},
{
"status": "affected",
"version": "4b29b8d7c20f54eec0ff266b4a3f419bd251ed83",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdkfd/kfd_svm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.148",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.101",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.148",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.101",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.39",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.7",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.15.49",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.18.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Don\u0027t call mmput from MMU notifier callback\n\nIf the process is exiting, the mmput inside mmu notifier callback from\ncompactd or fork or numa balancing could release the last reference\nof mm struct to call exit_mmap and free_pgtable, this triggers deadlock\nwith below backtrace.\n\nThe deadlock will leak kfd process as mmu notifier release is not called\nand cause VRAM leaking.\n\nThe fix is to take mm reference mmget_non_zero when adding prange to the\ndeferred list to pair with mmput in deferred list work.\n\nIf prange split and add into pchild list, the pchild work_item.mm is not\nused, so remove the mm parameter from svm_range_unmap_split and\nsvm_range_add_child.\n\nThe backtrace of hung task:\n\n INFO: task python:348105 blocked for more than 64512 seconds.\n Call Trace:\n __schedule+0x1c3/0x550\n schedule+0x46/0xb0\n rwsem_down_write_slowpath+0x24b/0x4c0\n unlink_anon_vmas+0xb1/0x1c0\n free_pgtables+0xa9/0x130\n exit_mmap+0xbc/0x1a0\n mmput+0x5a/0x140\n svm_range_cpu_invalidate_pagetables+0x2b/0x40 [amdgpu]\n mn_itree_invalidate+0x72/0xc0\n __mmu_notifier_invalidate_range_start+0x48/0x60\n try_to_unmap_one+0x10fa/0x1400\n rmap_walk_anon+0x196/0x460\n try_to_unmap+0xbb/0x210\n migrate_page_unmap+0x54d/0x7e0\n migrate_pages_batch+0x1c3/0xae0\n migrate_pages_sync+0x98/0x240\n migrate_pages+0x25c/0x520\n compact_zone+0x29d/0x590\n compact_zone_order+0xb6/0xf0\n try_to_compact_pages+0xbe/0x220\n __alloc_pages_direct_compact+0x96/0x1a0\n __alloc_pages_slowpath+0x410/0x930\n __alloc_pages_nodemask+0x3a9/0x3e0\n do_huge_pmd_anonymous_page+0xd7/0x3e0\n __handle_mm_fault+0x5e3/0x5f0\n handle_mm_fault+0xf7/0x2e0\n hmm_vma_fault.isra.0+0x4d/0xa0\n walk_pmd_range.isra.0+0xa8/0x310\n walk_pud_range+0x167/0x240\n walk_pgd_range+0x55/0x100\n __walk_page_range+0x87/0x90\n walk_page_range+0xf6/0x160\n hmm_range_fault+0x4f/0x90\n amdgpu_hmm_range_get_pages+0x123/0x230 
[amdgpu]\n amdgpu_ttm_tt_get_user_pages+0xb1/0x150 [amdgpu]\n init_user_pages+0xb1/0x2a0 [amdgpu]\n amdgpu_amdkfd_gpuvm_alloc_memory_of_gpu+0x543/0x7d0 [amdgpu]\n kfd_ioctl_alloc_memory_of_gpu+0x24c/0x4e0 [amdgpu]\n kfd_ioctl+0x29d/0x500 [amdgpu]\n\n(cherry picked from commit a29e067bd38946f752b0ef855f3dfff87e77bec7)"
}
],
"providerMetadata": {
"dateUpdated": "2025-08-16T10:55:07.114Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c1bde9d48e09933c361521720f77a8072083c83a"
},
{
"url": "https://git.kernel.org/stable/c/145a56bd68f4bff098d59fbc7c263d20dfef4fc4"
},
{
"url": "https://git.kernel.org/stable/c/e90ee15ce28c61f6d83a0511c3e02e2662478350"
},
{
"url": "https://git.kernel.org/stable/c/a7eb0a25010a674c8fdfbece38353ef7be8c5834"
},
{
"url": "https://git.kernel.org/stable/c/cf234231fcbc7d391e2135b9518613218cc5347f"
}
],
"title": "drm/amdkfd: Don\u0027t call mmput from MMU notifier callback",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38520",
"datePublished": "2025-08-16T10:55:07.114Z",
"dateReserved": "2025-04-16T04:51:24.023Z",
"dateUpdated": "2025-11-03T17:39:22.959Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50357 (GCVE-0-2022-50357)
Vulnerability from cvelistv5 – Published: 2025-09-17 14:56 – Updated: 2026-01-14 18:33
Title
usb: dwc3: core: fix some leaks in probe
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: dwc3: core: fix some leaks in probe
The dwc3_get_properties() function calls:
    dwc->usb_psy = power_supply_get_by_name(usb_psy_name);
so there is some additional clean up required on these error paths.
Severity
5.5 (Medium)
CWE
- CWE-401 - Missing Release of Memory after Effective Lifetime
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 6f0764b5adea18d70c3fab32d5f940678bcbd865 , < 79c3afb55942368921237d7b5355d48c52bdde20 (git) |
| Linux | Linux | Affected: 6f0764b5adea18d70c3fab32d5f940678bcbd865 , < 3a213503f483173e7eea76f2e7e3bdd6df7fd6f8 (git) |
| Linux | Linux | Affected: 6f0764b5adea18d70c3fab32d5f940678bcbd865 , < 2a735e4b5580a2a6bbd6572109b4c4f163c57462 (git) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-50357",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T18:32:24.336649Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T18:33:01.437Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/dwc3/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "79c3afb55942368921237d7b5355d48c52bdde20",
"status": "affected",
"version": "6f0764b5adea18d70c3fab32d5f940678bcbd865",
"versionType": "git"
},
{
"lessThan": "3a213503f483173e7eea76f2e7e3bdd6df7fd6f8",
"status": "affected",
"version": "6f0764b5adea18d70c3fab32d5f940678bcbd865",
"versionType": "git"
},
{
"lessThan": "2a735e4b5580a2a6bbd6572109b4c4f163c57462",
"status": "affected",
"version": "6f0764b5adea18d70c3fab32d5f940678bcbd865",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/dwc3/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc3: core: fix some leaks in probe\n\nThe dwc3_get_properties() function calls:\n\n\tdwc-\u003eusb_psy = power_supply_get_by_name(usb_psy_name);\n\nso there is some additional clean up required on these error paths."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T14:56:09.991Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/79c3afb55942368921237d7b5355d48c52bdde20"
},
{
"url": "https://git.kernel.org/stable/c/3a213503f483173e7eea76f2e7e3bdd6df7fd6f8"
},
{
"url": "https://git.kernel.org/stable/c/2a735e4b5580a2a6bbd6572109b4c4f163c57462"
}
],
"title": "usb: dwc3: core: fix some leaks in probe",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50357",
"datePublished": "2025-09-17T14:56:09.991Z",
"dateReserved": "2025-09-17T14:53:06.994Z",
"dateUpdated": "2026-01-14T18:33:01.437Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53489 (GCVE-0-2023-53489)
Vulnerability from cvelistv5 – Published: 2025-10-01 11:45 – Updated: 2025-10-01 11:45
Title
tcp/udp: Fix memleaks of sk and zerocopy skbs with TX timestamp.
Summary
In the Linux kernel, the following vulnerability has been resolved:
tcp/udp: Fix memleaks of sk and zerocopy skbs with TX timestamp.
syzkaller reported [0] memory leaks of a UDP socket and ZEROCOPY
skbs. We can reproduce the problem with these sequences:
  sk = socket(AF_INET, SOCK_DGRAM, 0)
  sk.setsockopt(SOL_SOCKET, SO_TIMESTAMPING, SOF_TIMESTAMPING_TX_SOFTWARE)
  sk.setsockopt(SOL_SOCKET, SO_ZEROCOPY, 1)
  sk.sendto(b'', MSG_ZEROCOPY, ('127.0.0.1', 53))
  sk.close()
sendmsg() calls msg_zerocopy_alloc(), which allocates a skb, sets
skb->cb->ubuf.refcnt to 1, and calls sock_hold(). Here, struct
ubuf_info_msgzc indirectly holds a refcnt of the socket. When the
skb is sent, __skb_tstamp_tx() clones it and puts the clone into
the socket's error queue with the TX timestamp.
When the original skb is received locally, skb_copy_ubufs() calls
skb_unclone(), and pskb_expand_head() increments skb->cb->ubuf.refcnt.
This additional count is decremented while freeing the skb, but struct
ubuf_info_msgzc still has a refcnt, so __msg_zerocopy_callback() is
not called.
The last refcnt is not released unless we retrieve the TX timestamped
skb by recvmsg(). Since we clear the error queue in inet_sock_destruct()
after the socket's refcnt reaches 0, there is a circular dependency.
If we close() the socket holding such skbs, we never call sock_put()
and leak the count, sk, and skb.
TCP has the same problem, and commit e0c8bccd40fc ("net: stream:
purge sk_error_queue in sk_stream_kill_queues()") tried to fix it
by calling skb_queue_purge() during close(). However, there is a
small chance that skb queued in a qdisc or device could be put
into the error queue after the skb_queue_purge() call.
In __skb_tstamp_tx(), the cloned skb should not have a reference
to the ubuf to remove the circular dependency, but skb_clone() does
not call skb_copy_ubufs() for zerocopy skb. So, we need to call
skb_orphan_frags_rx() for the cloned skb to call skb_copy_ubufs().
[0]:
BUG: memory leak
unreferenced object 0xffff88800c6d2d00 (size 1152):
comm "syz-executor392", pid 264, jiffies 4294785440 (age 13.044s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 cd af e8 81 00 00 00 00 ................
02 00 07 40 00 00 00 00 00 00 00 00 00 00 00 00 ...@............
backtrace:
[<0000000055636812>] sk_prot_alloc+0x64/0x2a0 net/core/sock.c:2024
[<0000000054d77b7a>] sk_alloc+0x3b/0x800 net/core/sock.c:2083
[<0000000066f3c7e0>] inet_create net/ipv4/af_inet.c:319 [inline]
[<0000000066f3c7e0>] inet_create+0x31e/0xe40 net/ipv4/af_inet.c:245
[<000000009b83af97>] __sock_create+0x2ab/0x550 net/socket.c:1515
[<00000000b9b11231>] sock_create net/socket.c:1566 [inline]
[<00000000b9b11231>] __sys_socket_create net/socket.c:1603 [inline]
[<00000000b9b11231>] __sys_socket_create net/socket.c:1588 [inline]
[<00000000b9b11231>] __sys_socket+0x138/0x250 net/socket.c:1636
[<000000004fb45142>] __do_sys_socket net/socket.c:1649 [inline]
[<000000004fb45142>] __se_sys_socket net/socket.c:1647 [inline]
[<000000004fb45142>] __x64_sys_socket+0x73/0xb0 net/socket.c:1647
[<0000000066999e0e>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
[<0000000066999e0e>] do_syscall_64+0x38/0x90 arch/x86/entry/common.c:80
[<0000000017f238c1>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
BUG: memory leak
unreferenced object 0xffff888017633a00 (size 240):
comm "syz-executor392", pid 264, jiffies 4294785440 (age 13.044s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 2d 6d 0c 80 88 ff ff .........-m.....
backtrace:
[<000000002b1c4368>] __alloc_skb+0x229/0x320 net/core/skbuff.c:497
[<00000000143579a6>] alloc_skb include/linux/skbuff.h:1265 [inline]
[<00000000143579a6>] sock_omalloc+0xaa/0x190 net/core/sock.c:2596
[<00000000be626478>] msg_zerocopy_alloc net/core/skbuff.c:1294 [inline]
[<00000000be626478>]
---truncated---
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: f214f915e7db99091f1312c48b30928c1e0c90b7 , < 281072fb2a7294cde7acbf5375b879f40a8001b7 (git) |
| Linux | Linux | Affected: f214f915e7db99091f1312c48b30928c1e0c90b7 , < 1f69c086b20e27763af28145981435423f088268 (git) |
| Linux | Linux | Affected: f214f915e7db99091f1312c48b30928c1e0c90b7 , < 602fa8af44fd55a58f9e94eb673e8adad2c6cc46 (git) |
| Linux | Linux | Affected: f214f915e7db99091f1312c48b30928c1e0c90b7 , < 230a5ed7d813fb516de81d23f09d7506753e41e9 (git) |
| Linux | Linux | Affected: f214f915e7db99091f1312c48b30928c1e0c90b7 , < 43e4197dd5f6b474a8b16f8b6a42cd45cf4f9d1a (git) |
| Linux | Linux | Affected: f214f915e7db99091f1312c48b30928c1e0c90b7 , < cb52e7f24c1d01a536a847dff0d1d95889cc3b5c (git) |
| Linux | Linux | Affected: f214f915e7db99091f1312c48b30928c1e0c90b7 , < 30290f210ba7426ff7592fe2eb4114b1b5bad219 (git) |
| Linux | Linux | Affected: f214f915e7db99091f1312c48b30928c1e0c90b7 , < 426384dd4980040651536fef5feac4dcc4d7ee4e (git) |
| Linux | Linux | Affected: f214f915e7db99091f1312c48b30928c1e0c90b7 , < 50749f2dd6854a41830996ad302aef2ffaf011d8 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/skbuff.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "281072fb2a7294cde7acbf5375b879f40a8001b7",
"status": "affected",
"version": "f214f915e7db99091f1312c48b30928c1e0c90b7",
"versionType": "git"
},
{
"lessThan": "1f69c086b20e27763af28145981435423f088268",
"status": "affected",
"version": "f214f915e7db99091f1312c48b30928c1e0c90b7",
"versionType": "git"
},
{
"lessThan": "602fa8af44fd55a58f9e94eb673e8adad2c6cc46",
"status": "affected",
"version": "f214f915e7db99091f1312c48b30928c1e0c90b7",
"versionType": "git"
},
{
"lessThan": "230a5ed7d813fb516de81d23f09d7506753e41e9",
"status": "affected",
"version": "f214f915e7db99091f1312c48b30928c1e0c90b7",
"versionType": "git"
},
{
"lessThan": "43e4197dd5f6b474a8b16f8b6a42cd45cf4f9d1a",
"status": "affected",
"version": "f214f915e7db99091f1312c48b30928c1e0c90b7",
"versionType": "git"
},
{
"lessThan": "cb52e7f24c1d01a536a847dff0d1d95889cc3b5c",
"status": "affected",
"version": "f214f915e7db99091f1312c48b30928c1e0c90b7",
"versionType": "git"
},
{
"lessThan": "30290f210ba7426ff7592fe2eb4114b1b5bad219",
"status": "affected",
"version": "f214f915e7db99091f1312c48b30928c1e0c90b7",
"versionType": "git"
},
{
"lessThan": "426384dd4980040651536fef5feac4dcc4d7ee4e",
"status": "affected",
"version": "f214f915e7db99091f1312c48b30928c1e0c90b7",
"versionType": "git"
},
{
"lessThan": "50749f2dd6854a41830996ad302aef2ffaf011d8",
"status": "affected",
"version": "f214f915e7db99091f1312c48b30928c1e0c90b7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/skbuff.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.14"
},
{
"lessThan": "4.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.315",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.243",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.180",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.28",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.315",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.283",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.243",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.180",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.111",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.28",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.15",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.2",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "4.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp/udp: Fix memleaks of sk and zerocopy skbs with TX timestamp.\n\nsyzkaller reported [0] memory leaks of an UDP socket and ZEROCOPY\nskbs. We can reproduce the problem with these sequences:\n\n sk = socket(AF_INET, SOCK_DGRAM, 0)\n sk.setsockopt(SOL_SOCKET, SO_TIMESTAMPING, SOF_TIMESTAMPING_TX_SOFTWARE)\n sk.setsockopt(SOL_SOCKET, SO_ZEROCOPY, 1)\n sk.sendto(b\u0027\u0027, MSG_ZEROCOPY, (\u0027127.0.0.1\u0027, 53))\n sk.close()\n\nsendmsg() calls msg_zerocopy_alloc(), which allocates a skb, sets\nskb-\u003ecb-\u003eubuf.refcnt to 1, and calls sock_hold(). Here, struct\nubuf_info_msgzc indirectly holds a refcnt of the socket. When the\nskb is sent, __skb_tstamp_tx() clones it and puts the clone into\nthe socket\u0027s error queue with the TX timestamp.\n\nWhen the original skb is received locally, skb_copy_ubufs() calls\nskb_unclone(), and pskb_expand_head() increments skb-\u003ecb-\u003eubuf.refcnt.\nThis additional count is decremented while freeing the skb, but struct\nubuf_info_msgzc still has a refcnt, so __msg_zerocopy_callback() is\nnot called.\n\nThe last refcnt is not released unless we retrieve the TX timestamped\nskb by recvmsg(). Since we clear the error queue in inet_sock_destruct()\nafter the socket\u0027s refcnt reaches 0, there is a circular dependency.\nIf we close() the socket holding such skbs, we never call sock_put()\nand leak the count, sk, and skb.\n\nTCP has the same problem, and commit e0c8bccd40fc (\"net: stream:\npurge sk_error_queue in sk_stream_kill_queues()\") tried to fix it\nby calling skb_queue_purge() during close(). However, there is a\nsmall chance that skb queued in a qdisc or device could be put\ninto the error queue after the skb_queue_purge() call.\n\nIn __skb_tstamp_tx(), the cloned skb should not have a reference\nto the ubuf to remove the circular dependency, but skb_clone() does\nnot call skb_copy_ubufs() for zerocopy skb. 
So, we need to call\nskb_orphan_frags_rx() for the cloned skb to call skb_copy_ubufs().\n\n[0]:\nBUG: memory leak\nunreferenced object 0xffff88800c6d2d00 (size 1152):\n comm \"syz-executor392\", pid 264, jiffies 4294785440 (age 13.044s)\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 cd af e8 81 00 00 00 00 ................\n 02 00 07 40 00 00 00 00 00 00 00 00 00 00 00 00 ...@............\n backtrace:\n [\u003c0000000055636812\u003e] sk_prot_alloc+0x64/0x2a0 net/core/sock.c:2024\n [\u003c0000000054d77b7a\u003e] sk_alloc+0x3b/0x800 net/core/sock.c:2083\n [\u003c0000000066f3c7e0\u003e] inet_create net/ipv4/af_inet.c:319 [inline]\n [\u003c0000000066f3c7e0\u003e] inet_create+0x31e/0xe40 net/ipv4/af_inet.c:245\n [\u003c000000009b83af97\u003e] __sock_create+0x2ab/0x550 net/socket.c:1515\n [\u003c00000000b9b11231\u003e] sock_create net/socket.c:1566 [inline]\n [\u003c00000000b9b11231\u003e] __sys_socket_create net/socket.c:1603 [inline]\n [\u003c00000000b9b11231\u003e] __sys_socket_create net/socket.c:1588 [inline]\n [\u003c00000000b9b11231\u003e] __sys_socket+0x138/0x250 net/socket.c:1636\n [\u003c000000004fb45142\u003e] __do_sys_socket net/socket.c:1649 [inline]\n [\u003c000000004fb45142\u003e] __se_sys_socket net/socket.c:1647 [inline]\n [\u003c000000004fb45142\u003e] __x64_sys_socket+0x73/0xb0 net/socket.c:1647\n [\u003c0000000066999e0e\u003e] do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n [\u003c0000000066999e0e\u003e] do_syscall_64+0x38/0x90 arch/x86/entry/common.c:80\n [\u003c0000000017f238c1\u003e] entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nBUG: memory leak\nunreferenced object 0xffff888017633a00 (size 240):\n comm \"syz-executor392\", pid 264, jiffies 4294785440 (age 13.044s)\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00 00 00 00 00 00 00 00 00 2d 6d 0c 80 88 ff ff .........-m.....\n backtrace:\n [\u003c000000002b1c4368\u003e] __alloc_skb+0x229/0x320 net/core/skbuff.c:497\n 
[\u003c00000000143579a6\u003e] alloc_skb include/linux/skbuff.h:1265 [inline]\n [\u003c00000000143579a6\u003e] sock_omalloc+0xaa/0x190 net/core/sock.c:2596\n [\u003c00000000be626478\u003e] msg_zerocopy_alloc net/core/skbuff.c:1294 [inline]\n [\u003c00000000be626478\u003e]\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T11:45:41.304Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/281072fb2a7294cde7acbf5375b879f40a8001b7"
},
{
"url": "https://git.kernel.org/stable/c/1f69c086b20e27763af28145981435423f088268"
},
{
"url": "https://git.kernel.org/stable/c/602fa8af44fd55a58f9e94eb673e8adad2c6cc46"
},
{
"url": "https://git.kernel.org/stable/c/230a5ed7d813fb516de81d23f09d7506753e41e9"
},
{
"url": "https://git.kernel.org/stable/c/43e4197dd5f6b474a8b16f8b6a42cd45cf4f9d1a"
},
{
"url": "https://git.kernel.org/stable/c/cb52e7f24c1d01a536a847dff0d1d95889cc3b5c"
},
{
"url": "https://git.kernel.org/stable/c/30290f210ba7426ff7592fe2eb4114b1b5bad219"
},
{
"url": "https://git.kernel.org/stable/c/426384dd4980040651536fef5feac4dcc4d7ee4e"
},
{
"url": "https://git.kernel.org/stable/c/50749f2dd6854a41830996ad302aef2ffaf011d8"
}
],
"title": "tcp/udp: Fix memleaks of sk and zerocopy skbs with TX timestamp.",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53489",
"datePublished": "2025-10-01T11:45:41.304Z",
"dateReserved": "2025-10-01T11:39:39.403Z",
"dateUpdated": "2025-10-01T11:45:41.304Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50409 (GCVE-0-2022-50409)
Vulnerability from cvelistv5 – Published: 2025-09-18 16:03 – Updated: 2025-12-23 13:29
Title
net: If sock is dead don't access sock's sk_wq in sk_stream_wait_memory
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: If sock is dead don't access sock's sk_wq in sk_stream_wait_memory
Fixes the below NULL pointer dereference:
[...]
[ 14.471200] Call Trace:
[ 14.471562] <TASK>
[ 14.471882] lock_acquire+0x245/0x2e0
[ 14.472416] ? remove_wait_queue+0x12/0x50
[ 14.473014] ? _raw_spin_lock_irqsave+0x17/0x50
[ 14.473681] _raw_spin_lock_irqsave+0x3d/0x50
[ 14.474318] ? remove_wait_queue+0x12/0x50
[ 14.474907] remove_wait_queue+0x12/0x50
[ 14.475480] sk_stream_wait_memory+0x20d/0x340
[ 14.476127] ? do_wait_intr_irq+0x80/0x80
[ 14.476704] do_tcp_sendpages+0x287/0x600
[ 14.477283] tcp_bpf_push+0xab/0x260
[ 14.477817] tcp_bpf_sendmsg_redir+0x297/0x500
[ 14.478461] ? __local_bh_enable_ip+0x77/0xe0
[ 14.479096] tcp_bpf_send_verdict+0x105/0x470
[ 14.479729] tcp_bpf_sendmsg+0x318/0x4f0
[ 14.480311] sock_sendmsg+0x2d/0x40
[ 14.480822] ____sys_sendmsg+0x1b4/0x1c0
[ 14.481390] ? copy_msghdr_from_user+0x62/0x80
[ 14.482048] ___sys_sendmsg+0x78/0xb0
[ 14.482580] ? vmf_insert_pfn_prot+0x91/0x150
[ 14.483215] ? __do_fault+0x2a/0x1a0
[ 14.483738] ? do_fault+0x15e/0x5d0
[ 14.484246] ? __handle_mm_fault+0x56b/0x1040
[ 14.484874] ? lock_is_held_type+0xdf/0x130
[ 14.485474] ? find_held_lock+0x2d/0x90
[ 14.486046] ? __sys_sendmsg+0x41/0x70
[ 14.486587] __sys_sendmsg+0x41/0x70
[ 14.487105] ? intel_pmu_drain_pebs_core+0x350/0x350
[ 14.487822] do_syscall_64+0x34/0x80
[ 14.488345] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[...]
The test scenario has the following flow:
thread1                               thread2
-----------                           ---------------
tcp_bpf_sendmsg
 tcp_bpf_send_verdict
  tcp_bpf_sendmsg_redir               sock_close
   tcp_bpf_push_locked                 __sock_release
    tcp_bpf_push                        //inet_release
     do_tcp_sendpages                   sock->ops->release
      sk_stream_wait_memory              // tcp_close
       sk_wait_event                     sk->sk_prot->close
        release_sock(__sk);
        ***
                                         lock_sock(sk);
                                          __tcp_close
                                           sock_orphan(sk)
                                            sk->sk_wq = NULL
                                         release_sock
        ****
        lock_sock(__sk);
       remove_wait_queue(sk_sleep(sk), &wait);
        sk_sleep(sk)
        //NULL pointer dereference
        &rcu_dereference_raw(sk->sk_wq)->wait
While waiting for memory in thread1, the socket is released with its wait
queue because thread2 has closed it. This is caused by tcp_bpf_send_verdict
not increasing the f_count of psock->sk_redir->sk_socket->file in thread1.
We should check if SOCK_DEAD flag is set on wakeup in sk_stream_wait_memory
before accessing the wait queue.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 604326b41a6fb9b4a78b6179335decee0365cd8c , < a76462dbdd8bddcbeec9463bc9e54e509b860762 (git) |
| Linux | Linux | Affected: 604326b41a6fb9b4a78b6179335decee0365cd8c , < 65029aaedd15d9fe5ea1a899134e236d83f627bb (git) |
| Linux | Linux | Affected: 604326b41a6fb9b4a78b6179335decee0365cd8c , < 124b7c773271f06af5a2cea694b283cdb5275cf5 (git) |
| Linux | Linux | Affected: 604326b41a6fb9b4a78b6179335decee0365cd8c , < 35f5e70bdfa7432762ac4ffa75e5a7574ac5563e (git) |
| Linux | Linux | Affected: 604326b41a6fb9b4a78b6179335decee0365cd8c , < 435f5aa4421782af197b98d8525263977be4af5c (git) |
| Linux | Linux | Affected: 604326b41a6fb9b4a78b6179335decee0365cd8c , < 3f8ef65af927db247418d4e1db49164d7a158fc5 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/stream.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a76462dbdd8bddcbeec9463bc9e54e509b860762",
"status": "affected",
"version": "604326b41a6fb9b4a78b6179335decee0365cd8c",
"versionType": "git"
},
{
"lessThan": "65029aaedd15d9fe5ea1a899134e236d83f627bb",
"status": "affected",
"version": "604326b41a6fb9b4a78b6179335decee0365cd8c",
"versionType": "git"
},
{
"lessThan": "124b7c773271f06af5a2cea694b283cdb5275cf5",
"status": "affected",
"version": "604326b41a6fb9b4a78b6179335decee0365cd8c",
"versionType": "git"
},
{
"lessThan": "35f5e70bdfa7432762ac4ffa75e5a7574ac5563e",
"status": "affected",
"version": "604326b41a6fb9b4a78b6179335decee0365cd8c",
"versionType": "git"
},
{
"lessThan": "435f5aa4421782af197b98d8525263977be4af5c",
"status": "affected",
"version": "604326b41a6fb9b4a78b6179335decee0365cd8c",
"versionType": "git"
},
{
"lessThan": "3f8ef65af927db247418d4e1db49164d7a158fc5",
"status": "affected",
"version": "604326b41a6fb9b4a78b6179335decee0365cd8c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/stream.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.20"
},
{
"lessThan": "4.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.220",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.220",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.150",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "4.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: If sock is dead don\u0027t access sock\u0027s sk_wq in sk_stream_wait_memory\n\nFixes the below NULL pointer dereference:\n\n [...]\n [ 14.471200] Call Trace:\n [ 14.471562] \u003cTASK\u003e\n [ 14.471882] lock_acquire+0x245/0x2e0\n [ 14.472416] ? remove_wait_queue+0x12/0x50\n [ 14.473014] ? _raw_spin_lock_irqsave+0x17/0x50\n [ 14.473681] _raw_spin_lock_irqsave+0x3d/0x50\n [ 14.474318] ? remove_wait_queue+0x12/0x50\n [ 14.474907] remove_wait_queue+0x12/0x50\n [ 14.475480] sk_stream_wait_memory+0x20d/0x340\n [ 14.476127] ? do_wait_intr_irq+0x80/0x80\n [ 14.476704] do_tcp_sendpages+0x287/0x600\n [ 14.477283] tcp_bpf_push+0xab/0x260\n [ 14.477817] tcp_bpf_sendmsg_redir+0x297/0x500\n [ 14.478461] ? __local_bh_enable_ip+0x77/0xe0\n [ 14.479096] tcp_bpf_send_verdict+0x105/0x470\n [ 14.479729] tcp_bpf_sendmsg+0x318/0x4f0\n [ 14.480311] sock_sendmsg+0x2d/0x40\n [ 14.480822] ____sys_sendmsg+0x1b4/0x1c0\n [ 14.481390] ? copy_msghdr_from_user+0x62/0x80\n [ 14.482048] ___sys_sendmsg+0x78/0xb0\n [ 14.482580] ? vmf_insert_pfn_prot+0x91/0x150\n [ 14.483215] ? __do_fault+0x2a/0x1a0\n [ 14.483738] ? do_fault+0x15e/0x5d0\n [ 14.484246] ? __handle_mm_fault+0x56b/0x1040\n [ 14.484874] ? lock_is_held_type+0xdf/0x130\n [ 14.485474] ? find_held_lock+0x2d/0x90\n [ 14.486046] ? __sys_sendmsg+0x41/0x70\n [ 14.486587] __sys_sendmsg+0x41/0x70\n [ 14.487105] ? 
intel_pmu_drain_pebs_core+0x350/0x350\n [ 14.487822] do_syscall_64+0x34/0x80\n [ 14.488345] entry_SYSCALL_64_after_hwframe+0x63/0xcd\n [...]\n\nThe test scenario has the following flow:\n\nthread1 thread2\n----------- ---------------\n tcp_bpf_sendmsg\n tcp_bpf_send_verdict\n tcp_bpf_sendmsg_redir sock_close\n tcp_bpf_push_locked __sock_release\n tcp_bpf_push //inet_release\n do_tcp_sendpages sock-\u003eops-\u003erelease\n sk_stream_wait_memory \t // tcp_close\n sk_wait_event sk-\u003esk_prot-\u003eclose\n release_sock(__sk);\n ***\n lock_sock(sk);\n __tcp_close\n sock_orphan(sk)\n sk-\u003esk_wq = NULL\n release_sock\n ****\n lock_sock(__sk);\n remove_wait_queue(sk_sleep(sk), \u0026wait);\n sk_sleep(sk)\n //NULL pointer dereference\n \u0026rcu_dereference_raw(sk-\u003esk_wq)-\u003ewait\n\nWhile waiting for memory in thread1, the socket is released with its wait\nqueue because thread2 has closed it. This caused by tcp_bpf_send_verdict\ndidn\u0027t increase the f_count of psock-\u003esk_redir-\u003esk_socket-\u003efile in thread1.\n\nWe should check if SOCK_DEAD flag is set on wakeup in sk_stream_wait_memory\nbefore accessing the wait queue."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-23T13:29:21.551Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a76462dbdd8bddcbeec9463bc9e54e509b860762"
},
{
"url": "https://git.kernel.org/stable/c/65029aaedd15d9fe5ea1a899134e236d83f627bb"
},
{
"url": "https://git.kernel.org/stable/c/124b7c773271f06af5a2cea694b283cdb5275cf5"
},
{
"url": "https://git.kernel.org/stable/c/35f5e70bdfa7432762ac4ffa75e5a7574ac5563e"
},
{
"url": "https://git.kernel.org/stable/c/435f5aa4421782af197b98d8525263977be4af5c"
},
{
"url": "https://git.kernel.org/stable/c/3f8ef65af927db247418d4e1db49164d7a158fc5"
}
],
"title": "net: If sock is dead don\u0027t access sock\u0027s sk_wq in sk_stream_wait_memory",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50409",
"datePublished": "2025-09-18T16:03:53.902Z",
"dateReserved": "2025-09-17T14:53:07.001Z",
"dateUpdated": "2025-12-23T13:29:21.551Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53192 (GCVE-0-2023-53192)
Vulnerability from cvelistv5 – Published: 2025-09-15 14:06 – Updated: 2025-09-15 14:06
Title
vxlan: Fix nexthop hash size
Summary
In the Linux kernel, the following vulnerability has been resolved:
vxlan: Fix nexthop hash size
The nexthop code expects a 31 bit hash, such as what is returned by
fib_multipath_hash() and rt6_multipath_hash(). Passing the 32 bit hash
returned by skb_get_hash() can lead to problems related to the fact that
'int hash' is a negative number when the MSB is set.
In the case of hash threshold nexthop groups, nexthop_select_path_hthr()
will disproportionately select the first nexthop group entry. In the case
of resilient nexthop groups, nexthop_select_path_res() may do an out of
bounds access in nh_buckets[], for example:
hash = -912054133
num_nh_buckets = 2
bucket_index = 65535
which leads to the following panic:
BUG: unable to handle page fault for address: ffffc900025910c8
PGD 100000067 P4D 100000067 PUD 10026b067 PMD 0
Oops: 0002 [#1] PREEMPT SMP KASAN NOPTI
CPU: 4 PID: 856 Comm: kworker/4:3 Not tainted 6.5.0-rc2+ #34
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Workqueue: ipv6_addrconf addrconf_dad_work
RIP: 0010:nexthop_select_path+0x197/0xbf0
Code: c1 e4 05 be 08 00 00 00 4c 8b 35 a4 14 7e 01 4e 8d 6c 25 00 4a 8d 7c 25 08 48 01 dd e8 c2 25 15 ff 49 8d 7d 08 e8 39 13 15 ff <4d> 89 75 08 48 89 ef e8 7d 12 15 ff 48 8b 5d 00 e8 14 55 2f 00 85
RSP: 0018:ffff88810c36f260 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 00000000002000c0 RCX: ffffffffaf02dd77
RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffffc900025910c8
RBP: ffffc900025910c0 R08: 0000000000000001 R09: fffff520004b2219
R10: ffffc900025910cf R11: 31392d2068736168 R12: 00000000002000c0
R13: ffffc900025910c0 R14: 00000000fffef608 R15: ffff88811840e900
FS: 0000000000000000(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffc900025910c8 CR3: 0000000129d00000 CR4: 0000000000750ee0
PKRU: 55555554
Call Trace:
<TASK>
? __die+0x23/0x70
? page_fault_oops+0x1ee/0x5c0
? __pfx_is_prefetch.constprop.0+0x10/0x10
? __pfx_page_fault_oops+0x10/0x10
? search_bpf_extables+0xfe/0x1c0
? fixup_exception+0x3b/0x470
? exc_page_fault+0xf6/0x110
? asm_exc_page_fault+0x26/0x30
? nexthop_select_path+0x197/0xbf0
? nexthop_select_path+0x197/0xbf0
? lock_is_held_type+0xe7/0x140
vxlan_xmit+0x5b2/0x2340
? __lock_acquire+0x92b/0x3370
? __pfx_vxlan_xmit+0x10/0x10
? __pfx___lock_acquire+0x10/0x10
? __pfx_register_lock_class+0x10/0x10
? skb_network_protocol+0xce/0x2d0
? dev_hard_start_xmit+0xca/0x350
? __pfx_vxlan_xmit+0x10/0x10
dev_hard_start_xmit+0xca/0x350
__dev_queue_xmit+0x513/0x1e20
? __pfx___dev_queue_xmit+0x10/0x10
? __pfx_lock_release+0x10/0x10
? mark_held_locks+0x44/0x90
? skb_push+0x4c/0x80
? eth_header+0x81/0xe0
? __pfx_eth_header+0x10/0x10
? neigh_resolve_output+0x215/0x310
? ip6_finish_output2+0x2ba/0xc90
ip6_finish_output2+0x2ba/0xc90
? lock_release+0x236/0x3e0
? ip6_mtu+0xbb/0x240
? __pfx_ip6_finish_output2+0x10/0x10
? find_held_lock+0x83/0xa0
? lock_is_held_type+0xe7/0x140
ip6_finish_output+0x1ee/0x780
ip6_output+0x138/0x460
? __pfx_ip6_output+0x10/0x10
? __pfx___lock_acquire+0x10/0x10
? __pfx_ip6_finish_output+0x10/0x10
NF_HOOK.constprop.0+0xc0/0x420
? __pfx_NF_HOOK.constprop.0+0x10/0x10
? ndisc_send_skb+0x2c0/0x960
? __pfx_lock_release+0x10/0x10
? __local_bh_enable_ip+0x93/0x110
? lock_is_held_type+0xe7/0x140
ndisc_send_skb+0x4be/0x960
? __pfx_ndisc_send_skb+0x10/0x10
? mark_held_locks+0x65/0x90
? find_held_lock+0x83/0xa0
ndisc_send_ns+0xb0/0x110
? __pfx_ndisc_send_ns+0x10/0x10
addrconf_dad_work+0x631/0x8e0
? lock_acquire+0x180/0x3f0
? __pfx_addrconf_dad_work+0x10/0x10
? mark_held_locks+0x24/0x90
process_one_work+0x582/0x9c0
? __pfx_process_one_work+0x10/0x10
? __pfx_do_raw_spin_lock+0x10/0x10
? mark_held_locks+0x24/0x90
worker_thread+0x93/0x630
? __kthread_parkme+0xdc/0x100
? __pfx_worker_thread+0x10/0x10
kthread+0x1a5/0x1e0
? __pfx_kthread+0x10/0x10
ret_from_fork+0x34/0x60
---truncated---
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 1274e1cc42264d4e629841e4f182795cb0becfd2 , < c650597647ecb318d02372277bdfd866c6829f78 (git) |
| Linux | Linux | Affected: 1274e1cc42264d4e629841e4f182795cb0becfd2 , < 32ef2c0c6cf11a076f0280a7866b9abc47821e19 (git) |
| Linux | Linux | Affected: 1274e1cc42264d4e629841e4f182795cb0becfd2 , < 7b8717658dff8b471cbfc124bf9b5ca4229579ed (git) |
| Linux | Linux | Affected: 1274e1cc42264d4e629841e4f182795cb0becfd2 , < 23c195ce6f4aec86e1c9e1ea1c800381c4b465c7 (git) |
| Linux | Linux | Affected: 1274e1cc42264d4e629841e4f182795cb0becfd2 , < 0756384fb1bd38adb2ebcfd1307422f433a1d772 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/vxlan.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c650597647ecb318d02372277bdfd866c6829f78",
"status": "affected",
"version": "1274e1cc42264d4e629841e4f182795cb0becfd2",
"versionType": "git"
},
{
"lessThan": "32ef2c0c6cf11a076f0280a7866b9abc47821e19",
"status": "affected",
"version": "1274e1cc42264d4e629841e4f182795cb0becfd2",
"versionType": "git"
},
{
"lessThan": "7b8717658dff8b471cbfc124bf9b5ca4229579ed",
"status": "affected",
"version": "1274e1cc42264d4e629841e4f182795cb0becfd2",
"versionType": "git"
},
{
"lessThan": "23c195ce6f4aec86e1c9e1ea1c800381c4b465c7",
"status": "affected",
"version": "1274e1cc42264d4e629841e4f182795cb0becfd2",
"versionType": "git"
},
{
"lessThan": "0756384fb1bd38adb2ebcfd1307422f433a1d772",
"status": "affected",
"version": "1274e1cc42264d4e629841e4f182795cb0becfd2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/vxlan.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.126",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.45",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.190",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.126",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.45",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.10",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvxlan: Fix nexthop hash size\n\nThe nexthop code expects a 31 bit hash, such as what is returned by\nfib_multipath_hash() and rt6_multipath_hash(). Passing the 32 bit hash\nreturned by skb_get_hash() can lead to problems related to the fact that\n\u0027int hash\u0027 is a negative number when the MSB is set.\n\nIn the case of hash threshold nexthop groups, nexthop_select_path_hthr()\nwill disproportionately select the first nexthop group entry. In the case\nof resilient nexthop groups, nexthop_select_path_res() may do an out of\nbounds access in nh_buckets[], for example:\n hash = -912054133\n num_nh_buckets = 2\n bucket_index = 65535\n\nwhich leads to the following panic:\n\nBUG: unable to handle page fault for address: ffffc900025910c8\nPGD 100000067 P4D 100000067 PUD 10026b067 PMD 0\nOops: 0002 [#1] PREEMPT SMP KASAN NOPTI\nCPU: 4 PID: 856 Comm: kworker/4:3 Not tainted 6.5.0-rc2+ #34\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\nWorkqueue: ipv6_addrconf addrconf_dad_work\nRIP: 0010:nexthop_select_path+0x197/0xbf0\nCode: c1 e4 05 be 08 00 00 00 4c 8b 35 a4 14 7e 01 4e 8d 6c 25 00 4a 8d 7c 25 08 48 01 dd e8 c2 25 15 ff 49 8d 7d 08 e8 39 13 15 ff \u003c4d\u003e 89 75 08 48 89 ef e8 7d 12 15 ff 48 8b 5d 00 e8 14 55 2f 00 85\nRSP: 0018:ffff88810c36f260 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: 00000000002000c0 RCX: ffffffffaf02dd77\nRDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffffc900025910c8\nRBP: ffffc900025910c0 R08: 0000000000000001 R09: fffff520004b2219\nR10: ffffc900025910cf R11: 31392d2068736168 R12: 00000000002000c0\nR13: ffffc900025910c0 R14: 00000000fffef608 R15: ffff88811840e900\nFS: 0000000000000000(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffffc900025910c8 CR3: 0000000129d00000 CR4: 0000000000750ee0\nPKRU: 55555554\nCall Trace:\n \u003cTASK\u003e\n ? 
__die+0x23/0x70\n ? page_fault_oops+0x1ee/0x5c0\n ? __pfx_is_prefetch.constprop.0+0x10/0x10\n ? __pfx_page_fault_oops+0x10/0x10\n ? search_bpf_extables+0xfe/0x1c0\n ? fixup_exception+0x3b/0x470\n ? exc_page_fault+0xf6/0x110\n ? asm_exc_page_fault+0x26/0x30\n ? nexthop_select_path+0x197/0xbf0\n ? nexthop_select_path+0x197/0xbf0\n ? lock_is_held_type+0xe7/0x140\n vxlan_xmit+0x5b2/0x2340\n ? __lock_acquire+0x92b/0x3370\n ? __pfx_vxlan_xmit+0x10/0x10\n ? __pfx___lock_acquire+0x10/0x10\n ? __pfx_register_lock_class+0x10/0x10\n ? skb_network_protocol+0xce/0x2d0\n ? dev_hard_start_xmit+0xca/0x350\n ? __pfx_vxlan_xmit+0x10/0x10\n dev_hard_start_xmit+0xca/0x350\n __dev_queue_xmit+0x513/0x1e20\n ? __pfx___dev_queue_xmit+0x10/0x10\n ? __pfx_lock_release+0x10/0x10\n ? mark_held_locks+0x44/0x90\n ? skb_push+0x4c/0x80\n ? eth_header+0x81/0xe0\n ? __pfx_eth_header+0x10/0x10\n ? neigh_resolve_output+0x215/0x310\n ? ip6_finish_output2+0x2ba/0xc90\n ip6_finish_output2+0x2ba/0xc90\n ? lock_release+0x236/0x3e0\n ? ip6_mtu+0xbb/0x240\n ? __pfx_ip6_finish_output2+0x10/0x10\n ? find_held_lock+0x83/0xa0\n ? lock_is_held_type+0xe7/0x140\n ip6_finish_output+0x1ee/0x780\n ip6_output+0x138/0x460\n ? __pfx_ip6_output+0x10/0x10\n ? __pfx___lock_acquire+0x10/0x10\n ? __pfx_ip6_finish_output+0x10/0x10\n NF_HOOK.constprop.0+0xc0/0x420\n ? __pfx_NF_HOOK.constprop.0+0x10/0x10\n ? ndisc_send_skb+0x2c0/0x960\n ? __pfx_lock_release+0x10/0x10\n ? __local_bh_enable_ip+0x93/0x110\n ? lock_is_held_type+0xe7/0x140\n ndisc_send_skb+0x4be/0x960\n ? __pfx_ndisc_send_skb+0x10/0x10\n ? mark_held_locks+0x65/0x90\n ? find_held_lock+0x83/0xa0\n ndisc_send_ns+0xb0/0x110\n ? __pfx_ndisc_send_ns+0x10/0x10\n addrconf_dad_work+0x631/0x8e0\n ? lock_acquire+0x180/0x3f0\n ? __pfx_addrconf_dad_work+0x10/0x10\n ? mark_held_locks+0x24/0x90\n process_one_work+0x582/0x9c0\n ? __pfx_process_one_work+0x10/0x10\n ? __pfx_do_raw_spin_lock+0x10/0x10\n ? mark_held_locks+0x24/0x90\n worker_thread+0x93/0x630\n ? 
__kthread_parkme+0xdc/0x100\n ? __pfx_worker_thread+0x10/0x10\n kthread+0x1a5/0x1e0\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x34/0x60\n \n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T14:06:37.241Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c650597647ecb318d02372277bdfd866c6829f78"
},
{
"url": "https://git.kernel.org/stable/c/32ef2c0c6cf11a076f0280a7866b9abc47821e19"
},
{
"url": "https://git.kernel.org/stable/c/7b8717658dff8b471cbfc124bf9b5ca4229579ed"
},
{
"url": "https://git.kernel.org/stable/c/23c195ce6f4aec86e1c9e1ea1c800381c4b465c7"
},
{
"url": "https://git.kernel.org/stable/c/0756384fb1bd38adb2ebcfd1307422f433a1d772"
}
],
"title": "vxlan: Fix nexthop hash size",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53192",
"datePublished": "2025-09-15T14:06:37.241Z",
"dateReserved": "2025-09-15T13:59:19.066Z",
"dateUpdated": "2025-09-15T14:06:37.241Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39681 (GCVE-0-2025-39681)
Vulnerability from cvelistv5 – Published: 2025-09-05 17:20 – Updated: 2025-11-03 17:42
Title
x86/cpu/hygon: Add missing resctrl_cpu_detect() in bsp_init helper
Summary
In the Linux kernel, the following vulnerability has been resolved:
x86/cpu/hygon: Add missing resctrl_cpu_detect() in bsp_init helper
Since
923f3a2b48bd ("x86/resctrl: Query LLC monitoring properties once during boot")
resctrl_cpu_detect() has been moved from common CPU initialization code to
the vendor-specific BSP init helper, while Hygon didn't put that call in their
code.
This triggers a division by zero fault during early booting stage on our
machines with X86_FEATURE_CQM* supported, where get_rdt_mon_resources() tries
to calculate mon_l3_config with uninitialized boot_cpu_data.x86_cache_occ_scale.
Add the missing resctrl_cpu_detect() in the Hygon BSP init helper.
[ bp: Massage commit message. ]
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 923f3a2b48bdccb6a1d1f0dd48de03de7ad936d9 , < 62f12cde10118253348a7540e85606869bd69432 (git) |
| Linux | Linux | Affected: 923f3a2b48bdccb6a1d1f0dd48de03de7ad936d9 , < 873f32201df8876bdb2563e3187e79149427cab4 (git) |
| Linux | Linux | Affected: 923f3a2b48bdccb6a1d1f0dd48de03de7ad936d9 , < fb81222c1559f89bfe3aa1010f6d112531d55353 (git) |
| Linux | Linux | Affected: 923f3a2b48bdccb6a1d1f0dd48de03de7ad936d9 , < 7207923d8453ebfb35667c1736169f2dd796772e (git) |
| Linux | Linux | Affected: 923f3a2b48bdccb6a1d1f0dd48de03de7ad936d9 , < a9e5924daa954c9f585c1ca00358afe71d6781c4 (git) |
| Linux | Linux | Affected: 923f3a2b48bdccb6a1d1f0dd48de03de7ad936d9 , < d23264c257a70dbe021b43b3bc2ee16134cd2c69 (git) |
| Linux | Linux | Affected: 923f3a2b48bdccb6a1d1f0dd48de03de7ad936d9 , < d8df126349dad855cdfedd6bbf315bad2e901c2f (git) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:42:12.739Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/kernel/cpu/hygon.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "62f12cde10118253348a7540e85606869bd69432",
"status": "affected",
"version": "923f3a2b48bdccb6a1d1f0dd48de03de7ad936d9",
"versionType": "git"
},
{
"lessThan": "873f32201df8876bdb2563e3187e79149427cab4",
"status": "affected",
"version": "923f3a2b48bdccb6a1d1f0dd48de03de7ad936d9",
"versionType": "git"
},
{
"lessThan": "fb81222c1559f89bfe3aa1010f6d112531d55353",
"status": "affected",
"version": "923f3a2b48bdccb6a1d1f0dd48de03de7ad936d9",
"versionType": "git"
},
{
"lessThan": "7207923d8453ebfb35667c1736169f2dd796772e",
"status": "affected",
"version": "923f3a2b48bdccb6a1d1f0dd48de03de7ad936d9",
"versionType": "git"
},
{
"lessThan": "a9e5924daa954c9f585c1ca00358afe71d6781c4",
"status": "affected",
"version": "923f3a2b48bdccb6a1d1f0dd48de03de7ad936d9",
"versionType": "git"
},
{
"lessThan": "d23264c257a70dbe021b43b3bc2ee16134cd2c69",
"status": "affected",
"version": "923f3a2b48bdccb6a1d1f0dd48de03de7ad936d9",
"versionType": "git"
},
{
"lessThan": "d8df126349dad855cdfedd6bbf315bad2e901c2f",
"status": "affected",
"version": "923f3a2b48bdccb6a1d1f0dd48de03de7ad936d9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/kernel/cpu/hygon.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.242",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.44",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.242",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.44",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.4",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/cpu/hygon: Add missing resctrl_cpu_detect() in bsp_init helper\n\nSince\n\n 923f3a2b48bd (\"x86/resctrl: Query LLC monitoring properties once during boot\")\n\nresctrl_cpu_detect() has been moved from common CPU initialization code to\nthe vendor-specific BSP init helper, while Hygon didn\u0027t put that call in their\ncode.\n\nThis triggers a division by zero fault during early booting stage on our\nmachines with X86_FEATURE_CQM* supported, where get_rdt_mon_resources() tries\nto calculate mon_l3_config with uninitialized boot_cpu_data.x86_cache_occ_scale.\n\nAdd the missing resctrl_cpu_detect() in the Hygon BSP init helper.\n\n [ bp: Massage commit message. ]"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:57:18.226Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/62f12cde10118253348a7540e85606869bd69432"
},
{
"url": "https://git.kernel.org/stable/c/873f32201df8876bdb2563e3187e79149427cab4"
},
{
"url": "https://git.kernel.org/stable/c/fb81222c1559f89bfe3aa1010f6d112531d55353"
},
{
"url": "https://git.kernel.org/stable/c/7207923d8453ebfb35667c1736169f2dd796772e"
},
{
"url": "https://git.kernel.org/stable/c/a9e5924daa954c9f585c1ca00358afe71d6781c4"
},
{
"url": "https://git.kernel.org/stable/c/d23264c257a70dbe021b43b3bc2ee16134cd2c69"
},
{
"url": "https://git.kernel.org/stable/c/d8df126349dad855cdfedd6bbf315bad2e901c2f"
}
],
"title": "x86/cpu/hygon: Add missing resctrl_cpu_detect() in bsp_init helper",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39681",
"datePublished": "2025-09-05T17:20:47.564Z",
"dateReserved": "2025-04-16T07:20:57.113Z",
"dateUpdated": "2025-11-03T17:42:12.739Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38526 (GCVE-0-2025-38526)
Vulnerability from cvelistv5 – Published: 2025-08-16 11:12 – Updated: 2025-08-16 11:12
Title
ice: add NULL check in eswitch lag check
Summary
In the Linux kernel, the following vulnerability has been resolved:
ice: add NULL check in eswitch lag check
The function ice_lag_is_switchdev_running() is being called from outside of
the LAG event handler code. This results in the lag->upper_netdev being
NULL sometimes. To avoid a NULL-pointer dereference, there needs to be a
check before it is dereferenced.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 776fe19953b0e0af00399e50fb3b205101d4b3c1 , < 27591d926191e42b2332e4bad3bcd3a49def393b (git) |
| Linux | Linux | Affected: 776fe19953b0e0af00399e50fb3b205101d4b3c1 , < 5a5d64f0eec82076b2c09fee2195d640cfbe3379 (git) |
| Linux | Linux | Affected: 776fe19953b0e0af00399e50fb3b205101d4b3c1 , < 245917d3c5ed7c6ae720302b64eac5c6f0c85177 (git) |
| Linux | Linux | Affected: 776fe19953b0e0af00399e50fb3b205101d4b3c1 , < 3ce58b01ada408b372f15b7c992ed0519840e3cf (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/ice/ice_lag.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "27591d926191e42b2332e4bad3bcd3a49def393b",
"status": "affected",
"version": "776fe19953b0e0af00399e50fb3b205101d4b3c1",
"versionType": "git"
},
{
"lessThan": "5a5d64f0eec82076b2c09fee2195d640cfbe3379",
"status": "affected",
"version": "776fe19953b0e0af00399e50fb3b205101d4b3c1",
"versionType": "git"
},
{
"lessThan": "245917d3c5ed7c6ae720302b64eac5c6f0c85177",
"status": "affected",
"version": "776fe19953b0e0af00399e50fb3b205101d4b3c1",
"versionType": "git"
},
{
"lessThan": "3ce58b01ada408b372f15b7c992ed0519840e3cf",
"status": "affected",
"version": "776fe19953b0e0af00399e50fb3b205101d4b3c1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/ice/ice_lag.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.6"
},
{
"lessThan": "6.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.100",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.100",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.40",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.8",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "6.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: add NULL check in eswitch lag check\n\nThe function ice_lag_is_switchdev_running() is being called from outside of\nthe LAG event handler code. This results in the lag-\u003eupper_netdev being\nNULL sometimes. To avoid a NULL-pointer dereference, there needs to be a\ncheck before it is dereferenced."
}
],
"providerMetadata": {
"dateUpdated": "2025-08-16T11:12:20.036Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/27591d926191e42b2332e4bad3bcd3a49def393b"
},
{
"url": "https://git.kernel.org/stable/c/5a5d64f0eec82076b2c09fee2195d640cfbe3379"
},
{
"url": "https://git.kernel.org/stable/c/245917d3c5ed7c6ae720302b64eac5c6f0c85177"
},
{
"url": "https://git.kernel.org/stable/c/3ce58b01ada408b372f15b7c992ed0519840e3cf"
}
],
"title": "ice: add NULL check in eswitch lag check",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38526",
"datePublished": "2025-08-16T11:12:20.036Z",
"dateReserved": "2025-04-16T04:51:24.023Z",
"dateUpdated": "2025-08-16T11:12:20.036Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53444 (GCVE-0-2023-53444)
Vulnerability from cvelistv5 – Published: 2025-09-18 16:04 – Updated: 2026-01-14 19:23
Title
drm/ttm: fix bulk_move corruption when adding a entry
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/ttm: fix bulk_move corruption when adding a entry
When the resource is the first in the bulk_move range, adding it again
(thus moving it to the tail) will corrupt the list since the first
pointer is not moved. This eventually leads to null pointer deref in
ttm_lru_bulk_move_del()
Severity
5.5 (Medium)
CWE
- CWE-476 - NULL Pointer Dereference
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: fee2ede155423b0f7a559050a39750b98fe9db69 , < 70a3015683b007a0db4a1e858791b69afd45fc83 (git) |
| Linux | Linux | Affected: fee2ede155423b0f7a559050a39750b98fe9db69 , < e7cf50e41bdc2d574056ebbfeaafc5f0e2562d5b (git) |
| Linux | Linux | Affected: fee2ede155423b0f7a559050a39750b98fe9db69 , < 4481913607e58196c48a4fef5e6f45350684ec3c (git) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-53444",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T19:19:01.482255Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T19:23:11.377Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/ttm/ttm_resource.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "70a3015683b007a0db4a1e858791b69afd45fc83",
"status": "affected",
"version": "fee2ede155423b0f7a559050a39750b98fe9db69",
"versionType": "git"
},
{
"lessThan": "e7cf50e41bdc2d574056ebbfeaafc5f0e2562d5b",
"status": "affected",
"version": "fee2ede155423b0f7a559050a39750b98fe9db69",
"versionType": "git"
},
{
"lessThan": "4481913607e58196c48a4fef5e6f45350684ec3c",
"status": "affected",
"version": "fee2ede155423b0f7a559050a39750b98fe9db69",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/ttm/ttm_resource.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.42",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/ttm: fix bulk_move corruption when adding a entry\n\nWhen the resource is the first in the bulk_move range, adding it again\n(thus moving it to the tail) will corrupt the list since the first\npointer is not moved. This eventually lead to null pointer deref in\nttm_lru_bulk_move_del()"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-18T16:04:20.572Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/70a3015683b007a0db4a1e858791b69afd45fc83"
},
{
"url": "https://git.kernel.org/stable/c/e7cf50e41bdc2d574056ebbfeaafc5f0e2562d5b"
},
{
"url": "https://git.kernel.org/stable/c/4481913607e58196c48a4fef5e6f45350684ec3c"
}
],
"title": "drm/ttm: fix bulk_move corruption when adding a entry",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53444",
"datePublished": "2025-09-18T16:04:20.572Z",
"dateReserved": "2025-09-17T14:54:09.752Z",
"dateUpdated": "2026-01-14T19:23:11.377Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38635 (GCVE-0-2025-38635)
Vulnerability from cvelistv5 – Published: 2025-08-22 16:00 – Updated: 2025-11-03 17:40
Title
clk: davinci: Add NULL check in davinci_lpsc_clk_register()
Summary
In the Linux kernel, the following vulnerability has been resolved:
clk: davinci: Add NULL check in davinci_lpsc_clk_register()
devm_kasprintf() returns NULL when memory allocation fails. Currently,
davinci_lpsc_clk_register() does not check for this case, which results
in a NULL pointer dereference.
Add NULL check after devm_kasprintf() to prevent this issue and ensuring
no resources are left allocated.
Severity ?
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: c6ed4d734bc7f731709dab0ffd69eed499dd5277 , < 77e9ad7a2d0e2a771c9e0be04b9d1639413b5f13 (git) |
| Linux | Linux | Affected: c6ed4d734bc7f731709dab0ffd69eed499dd5277 , < 7843412e5927dafbb844782c56b6380564064109 (git) |
| Linux | Linux | Affected: c6ed4d734bc7f731709dab0ffd69eed499dd5277 , < 2adc945b70c4d97e9491a6c0c9f3b217a9eecfba (git) |
| Linux | Linux | Affected: c6ed4d734bc7f731709dab0ffd69eed499dd5277 , < 105e8115944a9f93e9412abe7bb07ed96725adf9 (git) |
| Linux | Linux | Affected: c6ed4d734bc7f731709dab0ffd69eed499dd5277 , < 1d92608a29251278015f57f3572bc950db7519f0 (git) |
| Linux | Linux | Affected: c6ed4d734bc7f731709dab0ffd69eed499dd5277 , < 7943ed1f05f5cb7372dca2aa227f848747a98791 (git) |
| Linux | Linux | Affected: c6ed4d734bc7f731709dab0ffd69eed499dd5277 , < 6fb19cdcf040e1dec052a9032acb66cc2ad1d43f (git) |
| Linux | Linux | Affected: c6ed4d734bc7f731709dab0ffd69eed499dd5277 , < 23f564326deaafacfd7adf6104755b15216d8320 (git) |
| Linux | Linux | Affected: c6ed4d734bc7f731709dab0ffd69eed499dd5277 , < 13de464f445d42738fe18c9a28bab056ba3a290a (git) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:40:38.124Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/clk/davinci/psc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "77e9ad7a2d0e2a771c9e0be04b9d1639413b5f13",
"status": "affected",
"version": "c6ed4d734bc7f731709dab0ffd69eed499dd5277",
"versionType": "git"
},
{
"lessThan": "7843412e5927dafbb844782c56b6380564064109",
"status": "affected",
"version": "c6ed4d734bc7f731709dab0ffd69eed499dd5277",
"versionType": "git"
},
{
"lessThan": "2adc945b70c4d97e9491a6c0c9f3b217a9eecfba",
"status": "affected",
"version": "c6ed4d734bc7f731709dab0ffd69eed499dd5277",
"versionType": "git"
},
{
"lessThan": "105e8115944a9f93e9412abe7bb07ed96725adf9",
"status": "affected",
"version": "c6ed4d734bc7f731709dab0ffd69eed499dd5277",
"versionType": "git"
},
{
"lessThan": "1d92608a29251278015f57f3572bc950db7519f0",
"status": "affected",
"version": "c6ed4d734bc7f731709dab0ffd69eed499dd5277",
"versionType": "git"
},
{
"lessThan": "7943ed1f05f5cb7372dca2aa227f848747a98791",
"status": "affected",
"version": "c6ed4d734bc7f731709dab0ffd69eed499dd5277",
"versionType": "git"
},
{
"lessThan": "6fb19cdcf040e1dec052a9032acb66cc2ad1d43f",
"status": "affected",
"version": "c6ed4d734bc7f731709dab0ffd69eed499dd5277",
"versionType": "git"
},
{
"lessThan": "23f564326deaafacfd7adf6104755b15216d8320",
"status": "affected",
"version": "c6ed4d734bc7f731709dab0ffd69eed499dd5277",
"versionType": "git"
},
{
"lessThan": "13de464f445d42738fe18c9a28bab056ba3a290a",
"status": "affected",
"version": "c6ed4d734bc7f731709dab0ffd69eed499dd5277",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/clk/davinci/psc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.148",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.102",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.148",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.102",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.42",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.10",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: davinci: Add NULL check in davinci_lpsc_clk_register()\n\ndevm_kasprintf() returns NULL when memory allocation fails. Currently,\ndavinci_lpsc_clk_register() does not check for this case, which results\nin a NULL pointer dereference.\n\nAdd NULL check after devm_kasprintf() to prevent this issue and ensuring\nno resources are left allocated."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:55:14.546Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/77e9ad7a2d0e2a771c9e0be04b9d1639413b5f13"
},
{
"url": "https://git.kernel.org/stable/c/7843412e5927dafbb844782c56b6380564064109"
},
{
"url": "https://git.kernel.org/stable/c/2adc945b70c4d97e9491a6c0c9f3b217a9eecfba"
},
{
"url": "https://git.kernel.org/stable/c/105e8115944a9f93e9412abe7bb07ed96725adf9"
},
{
"url": "https://git.kernel.org/stable/c/1d92608a29251278015f57f3572bc950db7519f0"
},
{
"url": "https://git.kernel.org/stable/c/7943ed1f05f5cb7372dca2aa227f848747a98791"
},
{
"url": "https://git.kernel.org/stable/c/6fb19cdcf040e1dec052a9032acb66cc2ad1d43f"
},
{
"url": "https://git.kernel.org/stable/c/23f564326deaafacfd7adf6104755b15216d8320"
},
{
"url": "https://git.kernel.org/stable/c/13de464f445d42738fe18c9a28bab056ba3a290a"
}
],
"title": "clk: davinci: Add NULL check in davinci_lpsc_clk_register()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38635",
"datePublished": "2025-08-22T16:00:43.181Z",
"dateReserved": "2025-04-16T04:51:24.030Z",
"dateUpdated": "2025-11-03T17:40:38.124Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39790 (GCVE-0-2025-39790)
Vulnerability from cvelistv5 – Published: 2025-09-11 16:56 – Updated: 2025-11-03 17:43
Title
bus: mhi: host: Detect events pointing to unexpected TREs
Summary
In the Linux kernel, the following vulnerability has been resolved:
bus: mhi: host: Detect events pointing to unexpected TREs
When a remote device sends a completion event to the host, it contains a
pointer to the consumed TRE. The host uses this pointer to process all of
the TREs between it and the host's local copy of the ring's read pointer.
This works when processing completion for chained transactions, but can
lead to nasty results if the device sends an event for a single-element
transaction with a read pointer that is multiple elements ahead of the
host's read pointer.
For instance, if the host accesses an event ring while the device is
updating it, the pointer inside of the event might still point to an old
TRE. If the host uses the channel's xfer_cb() to directly free the buffer
pointed to by the TRE, the buffer will be double-freed.
This behavior was observed on an ep that used upstream EP stack without
'commit 6f18d174b73d ("bus: mhi: ep: Update read pointer only after buffer
is written")'. Where the device updated the events ring pointer before
updating the event contents, so it left a window where the host was able to
access the stale data the event pointed to, before the device had the
chance to update them. The usual pattern was that the host received an
event pointing to a TRE that is not immediately after the last processed
one, so it got treated as if it was a chained transaction, processing all
of the TREs in between the two read pointers.
This commit aims to harden the host by ensuring transactions where the
event points to a TRE that isn't local_rp + 1 are chained.
[mani: added stable tag and reworded commit message]
Severity ?
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 1d3173a3bae7039b765a0956e3e4bf846dbaacb8 , < 7b3f0e3b60c27f4fcb69927d84987e5fd6240530 (git) |
| Linux | Linux | Affected: 1d3173a3bae7039b765a0956e3e4bf846dbaacb8 , < 4079c6c59705b96285219b9efc63cab870d757b7 (git) |
| Linux | Linux | Affected: 1d3173a3bae7039b765a0956e3e4bf846dbaacb8 , < 5e17429679a8545afe438ce7a82a13a54e8ceabb (git) |
| Linux | Linux | Affected: 1d3173a3bae7039b765a0956e3e4bf846dbaacb8 , < 2ec99b922f4661521927eeada76f431eebfbabc4 (git) |
| Linux | Linux | Affected: 1d3173a3bae7039b765a0956e3e4bf846dbaacb8 , < 44e1a079e18f78d6594a715b0c6d7e18c656f7b9 (git) |
| Linux | Linux | Affected: 1d3173a3bae7039b765a0956e3e4bf846dbaacb8 , < 5bd398e20f0833ae8a1267d4f343591a2dd20185 (git) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:43:24.145Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/bus/mhi/host/main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7b3f0e3b60c27f4fcb69927d84987e5fd6240530",
"status": "affected",
"version": "1d3173a3bae7039b765a0956e3e4bf846dbaacb8",
"versionType": "git"
},
{
"lessThan": "4079c6c59705b96285219b9efc63cab870d757b7",
"status": "affected",
"version": "1d3173a3bae7039b765a0956e3e4bf846dbaacb8",
"versionType": "git"
},
{
"lessThan": "5e17429679a8545afe438ce7a82a13a54e8ceabb",
"status": "affected",
"version": "1d3173a3bae7039b765a0956e3e4bf846dbaacb8",
"versionType": "git"
},
{
"lessThan": "2ec99b922f4661521927eeada76f431eebfbabc4",
"status": "affected",
"version": "1d3173a3bae7039b765a0956e3e4bf846dbaacb8",
"versionType": "git"
},
{
"lessThan": "44e1a079e18f78d6594a715b0c6d7e18c656f7b9",
"status": "affected",
"version": "1d3173a3bae7039b765a0956e3e4bf846dbaacb8",
"versionType": "git"
},
{
"lessThan": "5bd398e20f0833ae8a1267d4f343591a2dd20185",
"status": "affected",
"version": "1d3173a3bae7039b765a0956e3e4bf846dbaacb8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/bus/mhi/host/main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.44",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.44",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.4",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbus: mhi: host: Detect events pointing to unexpected TREs\n\nWhen a remote device sends a completion event to the host, it contains a\npointer to the consumed TRE. The host uses this pointer to process all of\nthe TREs between it and the host\u0027s local copy of the ring\u0027s read pointer.\nThis works when processing completion for chained transactions, but can\nlead to nasty results if the device sends an event for a single-element\ntransaction with a read pointer that is multiple elements ahead of the\nhost\u0027s read pointer.\n\nFor instance, if the host accesses an event ring while the device is\nupdating it, the pointer inside of the event might still point to an old\nTRE. If the host uses the channel\u0027s xfer_cb() to directly free the buffer\npointed to by the TRE, the buffer will be double-freed.\n\nThis behavior was observed on an ep that used upstream EP stack without\n\u0027commit 6f18d174b73d (\"bus: mhi: ep: Update read pointer only after buffer\nis written\")\u0027. Where the device updated the events ring pointer before\nupdating the event contents, so it left a window where the host was able to\naccess the stale data the event pointed to, before the device had the\nchance to update them. The usual pattern was that the host received an\nevent pointing to a TRE that is not immediately after the last processed\none, so it got treated as if it was a chained transaction, processing all\nof the TREs in between the two read pointers.\n\nThis commit aims to harden the host by ensuring transactions where the\nevent points to a TRE that isn\u0027t local_rp + 1 are chained.\n\n[mani: added stable tag and reworded commit message]"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:59:28.627Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7b3f0e3b60c27f4fcb69927d84987e5fd6240530"
},
{
"url": "https://git.kernel.org/stable/c/4079c6c59705b96285219b9efc63cab870d757b7"
},
{
"url": "https://git.kernel.org/stable/c/5e17429679a8545afe438ce7a82a13a54e8ceabb"
},
{
"url": "https://git.kernel.org/stable/c/2ec99b922f4661521927eeada76f431eebfbabc4"
},
{
"url": "https://git.kernel.org/stable/c/44e1a079e18f78d6594a715b0c6d7e18c656f7b9"
},
{
"url": "https://git.kernel.org/stable/c/5bd398e20f0833ae8a1267d4f343591a2dd20185"
}
],
"title": "bus: mhi: host: Detect events pointing to unexpected TREs",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39790",
"datePublished": "2025-09-11T16:56:38.643Z",
"dateReserved": "2025-04-16T07:20:57.131Z",
"dateUpdated": "2025-11-03T17:43:24.145Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39682 (GCVE-0-2025-39682)
Vulnerability from cvelistv5 – Published: 2025-09-05 17:20 – Updated: 2025-11-03 17:42
Title
tls: fix handling of zero-length records on the rx_list
Summary
In the Linux kernel, the following vulnerability has been resolved:
tls: fix handling of zero-length records on the rx_list
Each recvmsg() call must process either
- only contiguous DATA records (any number of them)
- one non-DATA record
If the next record has different type than what has already been
processed we break out of the main processing loop. If the record
has already been decrypted (which may be the case for TLS 1.3 where
we don't know type until decryption) we queue the pending record
to the rx_list. Next recvmsg() will pick it up from there.
Queuing the skb to rx_list after zero-copy decrypt is not possible,
since in that case we decrypted directly to the user space buffer,
and we don't have an skb to queue (darg.skb points to the ciphertext
skb for access to metadata like length).
Only data records are allowed zero-copy, and we break the processing
loop after each non-data record. So we should never zero-copy and
then find out that the record type has changed. The corner case
we missed is when the initial record comes from rx_list, and it's
zero length.
Severity ?
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 84c61fe1a75b4255df1e1e7c054c9e6d048da417 , < 2902c3ebcca52ca845c03182000e8d71d3a5196f (git) |
| Linux | Linux | Affected: 84c61fe1a75b4255df1e1e7c054c9e6d048da417 , < c09dd3773b5950e9cfb6c9b9a5f6e36d06c62677 (git) |
| Linux | Linux | Affected: 84c61fe1a75b4255df1e1e7c054c9e6d048da417 , < 3439c15ae91a517cf3c650ea15a8987699416ad9 (git) |
| Linux | Linux | Affected: 84c61fe1a75b4255df1e1e7c054c9e6d048da417 , < 29c0ce3c8cdb6dc5d61139c937f34cb888a6f42e (git) |
| Linux | Linux | Affected: 84c61fe1a75b4255df1e1e7c054c9e6d048da417 , < 62708b9452f8eb77513115b17c4f8d1a22ebf843 (git) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:42:13.673Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/tls/tls_sw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2902c3ebcca52ca845c03182000e8d71d3a5196f",
"status": "affected",
"version": "84c61fe1a75b4255df1e1e7c054c9e6d048da417",
"versionType": "git"
},
{
"lessThan": "c09dd3773b5950e9cfb6c9b9a5f6e36d06c62677",
"status": "affected",
"version": "84c61fe1a75b4255df1e1e7c054c9e6d048da417",
"versionType": "git"
},
{
"lessThan": "3439c15ae91a517cf3c650ea15a8987699416ad9",
"status": "affected",
"version": "84c61fe1a75b4255df1e1e7c054c9e6d048da417",
"versionType": "git"
},
{
"lessThan": "29c0ce3c8cdb6dc5d61139c937f34cb888a6f42e",
"status": "affected",
"version": "84c61fe1a75b4255df1e1e7c054c9e6d048da417",
"versionType": "git"
},
{
"lessThan": "62708b9452f8eb77513115b17c4f8d1a22ebf843",
"status": "affected",
"version": "84c61fe1a75b4255df1e1e7c054c9e6d048da417",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/tls/tls_sw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.44",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.44",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.4",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: fix handling of zero-length records on the rx_list\n\nEach recvmsg() call must process either\n - only contiguous DATA records (any number of them)\n - one non-DATA record\n\nIf the next record has different type than what has already been\nprocessed we break out of the main processing loop. If the record\nhas already been decrypted (which may be the case for TLS 1.3 where\nwe don\u0027t know type until decryption) we queue the pending record\nto the rx_list. Next recvmsg() will pick it up from there.\n\nQueuing the skb to rx_list after zero-copy decrypt is not possible,\nsince in that case we decrypted directly to the user space buffer,\nand we don\u0027t have an skb to queue (darg.skb points to the ciphertext\nskb for access to metadata like length).\n\nOnly data records are allowed zero-copy, and we break the processing\nloop after each non-data record. So we should never zero-copy and\nthen find out that the record type has changed. The corner case\nwe missed is when the initial record comes from rx_list, and it\u0027s\nzero length."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:57:19.459Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2902c3ebcca52ca845c03182000e8d71d3a5196f"
},
{
"url": "https://git.kernel.org/stable/c/c09dd3773b5950e9cfb6c9b9a5f6e36d06c62677"
},
{
"url": "https://git.kernel.org/stable/c/3439c15ae91a517cf3c650ea15a8987699416ad9"
},
{
"url": "https://git.kernel.org/stable/c/29c0ce3c8cdb6dc5d61139c937f34cb888a6f42e"
},
{
"url": "https://git.kernel.org/stable/c/62708b9452f8eb77513115b17c4f8d1a22ebf843"
}
],
"title": "tls: fix handling of zero-length records on the rx_list",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39682",
"datePublished": "2025-09-05T17:20:48.657Z",
"dateReserved": "2025-04-16T07:20:57.113Z",
"dateUpdated": "2025-11-03T17:42:13.673Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50437 (GCVE-0-2022-50437)
Vulnerability from cvelistv5 – Published: 2025-10-01 11:42 – Updated: 2025-10-01 11:42
Title
drm/msm/hdmi: fix memory corruption with too many bridges
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/msm/hdmi: fix memory corruption with too many bridges
Add the missing sanity check on the bridge counter to avoid corrupting
data beyond the fixed-sized bridge array in case there are ever more
than eight bridges.
Patchwork: https://patchwork.freedesktop.org/patch/502670/
Severity ?
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: a3376e3ec81c5dd0622cbc187db76d2824d31c1c , < a9c1a6991a9b5aa6d0f2cbc9b8c3bf6c4d094dfa (git) |
| Linux | Linux | Affected: a3376e3ec81c5dd0622cbc187db76d2824d31c1c , < e8f916b84e4b028ecad6c6472eaad543cc7df806 (git) |
| Linux | Linux | Affected: a3376e3ec81c5dd0622cbc187db76d2824d31c1c , < 3c43f3ec731c233eb84b66199ee76dbf3ec6ecae (git) |
| Linux | Linux | Affected: a3376e3ec81c5dd0622cbc187db76d2824d31c1c , < ed7f1ff87a4afea1bc220d2ff00a7ce8e61f0b53 (git) |
| Linux | Linux | Affected: a3376e3ec81c5dd0622cbc187db76d2824d31c1c , < 08c7375fa27a8ceee028868e03ffb3a0db919d44 (git) |
| Linux | Linux | Affected: a3376e3ec81c5dd0622cbc187db76d2824d31c1c , < b48949ab451eaf1e2c04c272c8a9a96a2b56546f (git) |
| Linux | Linux | Affected: a3376e3ec81c5dd0622cbc187db76d2824d31c1c , < 9efb45b45ff6254bfd1f1997a06725cb3fc998a5 (git) |
| Linux | Linux | Affected: a3376e3ec81c5dd0622cbc187db76d2824d31c1c , < 4c1294da6aed1f16d47a417dcfe6602833c3c95c (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/hdmi/hdmi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a9c1a6991a9b5aa6d0f2cbc9b8c3bf6c4d094dfa",
"status": "affected",
"version": "a3376e3ec81c5dd0622cbc187db76d2824d31c1c",
"versionType": "git"
},
{
"lessThan": "e8f916b84e4b028ecad6c6472eaad543cc7df806",
"status": "affected",
"version": "a3376e3ec81c5dd0622cbc187db76d2824d31c1c",
"versionType": "git"
},
{
"lessThan": "3c43f3ec731c233eb84b66199ee76dbf3ec6ecae",
"status": "affected",
"version": "a3376e3ec81c5dd0622cbc187db76d2824d31c1c",
"versionType": "git"
},
{
"lessThan": "ed7f1ff87a4afea1bc220d2ff00a7ce8e61f0b53",
"status": "affected",
"version": "a3376e3ec81c5dd0622cbc187db76d2824d31c1c",
"versionType": "git"
},
{
"lessThan": "08c7375fa27a8ceee028868e03ffb3a0db919d44",
"status": "affected",
"version": "a3376e3ec81c5dd0622cbc187db76d2824d31c1c",
"versionType": "git"
},
{
"lessThan": "b48949ab451eaf1e2c04c272c8a9a96a2b56546f",
"status": "affected",
"version": "a3376e3ec81c5dd0622cbc187db76d2824d31c1c",
"versionType": "git"
},
{
"lessThan": "9efb45b45ff6254bfd1f1997a06725cb3fc998a5",
"status": "affected",
"version": "a3376e3ec81c5dd0622cbc187db76d2824d31c1c",
"versionType": "git"
},
{
"lessThan": "4c1294da6aed1f16d47a417dcfe6602833c3c95c",
"status": "affected",
"version": "a3376e3ec81c5dd0622cbc187db76d2824d31c1c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/hdmi/hdmi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.12"
},
{
"lessThan": "3.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.332",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.298",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.264",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.223",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.153",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.332",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.298",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.264",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.223",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.153",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.77",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.7",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "3.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/hdmi: fix memory corruption with too many bridges\n\nAdd the missing sanity check on the bridge counter to avoid corrupting\ndata beyond the fixed-sized bridge array in case there are ever more\nthan eight bridges.\n\nPatchwork: https://patchwork.freedesktop.org/patch/502670/"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T11:42:14.400Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a9c1a6991a9b5aa6d0f2cbc9b8c3bf6c4d094dfa"
},
{
"url": "https://git.kernel.org/stable/c/e8f916b84e4b028ecad6c6472eaad543cc7df806"
},
{
"url": "https://git.kernel.org/stable/c/3c43f3ec731c233eb84b66199ee76dbf3ec6ecae"
},
{
"url": "https://git.kernel.org/stable/c/ed7f1ff87a4afea1bc220d2ff00a7ce8e61f0b53"
},
{
"url": "https://git.kernel.org/stable/c/08c7375fa27a8ceee028868e03ffb3a0db919d44"
},
{
"url": "https://git.kernel.org/stable/c/b48949ab451eaf1e2c04c272c8a9a96a2b56546f"
},
{
"url": "https://git.kernel.org/stable/c/9efb45b45ff6254bfd1f1997a06725cb3fc998a5"
},
{
"url": "https://git.kernel.org/stable/c/4c1294da6aed1f16d47a417dcfe6602833c3c95c"
}
],
"title": "drm/msm/hdmi: fix memory corruption with too many bridges",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50437",
"datePublished": "2025-10-01T11:42:14.400Z",
"dateReserved": "2025-09-17T14:53:07.010Z",
"dateUpdated": "2025-10-01T11:42:14.400Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53420 (GCVE-0-2023-53420)
Vulnerability from cvelistv5 – Published: 2025-09-18 16:04 – Updated: 2026-01-14 19:13
Title
ntfs: Fix panic about slab-out-of-bounds caused by ntfs_listxattr()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ntfs: Fix panic about slab-out-of-bounds caused by ntfs_listxattr()
Here is a BUG report from syzbot:
BUG: KASAN: slab-out-of-bounds in ntfs_list_ea fs/ntfs3/xattr.c:191 [inline]
BUG: KASAN: slab-out-of-bounds in ntfs_listxattr+0x401/0x570 fs/ntfs3/xattr.c:710
Read of size 1 at addr ffff888021acaf3d by task syz-executor128/3632
Call Trace:
ntfs_list_ea fs/ntfs3/xattr.c:191 [inline]
ntfs_listxattr+0x401/0x570 fs/ntfs3/xattr.c:710
vfs_listxattr fs/xattr.c:457 [inline]
listxattr+0x293/0x2d0 fs/xattr.c:804
Fix the logic of ea_all iteration. When the ea->name_len is 0,
return immediately, or Add2Ptr() would visit invalid memory
in the next loop.
[almaz.alexandrovich@paragon-software.com: lines of the patch have changed]
Severity
7.1 (High)
CWE
- CWE-125 - Out-of-bounds Read
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: be71b5cba2e6485e8959da7a9f9a44461a1bb074 , < f3380d895e28a32632eb3609f5bd515adee4e5a1 (git) Affected: be71b5cba2e6485e8959da7a9f9a44461a1bb074 , < c86a2517df6c9304db8fb12b77136ec7a5d85994 (git) Affected: be71b5cba2e6485e8959da7a9f9a44461a1bb074 , < 721b75ea2dfce53a8890dff92ae01afca8e74f88 (git) Affected: be71b5cba2e6485e8959da7a9f9a44461a1bb074 , < 3c675ddffb17a8b1e32efad5c983254af18b12c2 (git) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-53420",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T19:11:54.225188Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T19:13:10.492Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ntfs3/xattr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f3380d895e28a32632eb3609f5bd515adee4e5a1",
"status": "affected",
"version": "be71b5cba2e6485e8959da7a9f9a44461a1bb074",
"versionType": "git"
},
{
"lessThan": "c86a2517df6c9304db8fb12b77136ec7a5d85994",
"status": "affected",
"version": "be71b5cba2e6485e8959da7a9f9a44461a1bb074",
"versionType": "git"
},
{
"lessThan": "721b75ea2dfce53a8890dff92ae01afca8e74f88",
"status": "affected",
"version": "be71b5cba2e6485e8959da7a9f9a44461a1bb074",
"versionType": "git"
},
{
"lessThan": "3c675ddffb17a8b1e32efad5c983254af18b12c2",
"status": "affected",
"version": "be71b5cba2e6485e8959da7a9f9a44461a1bb074",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ntfs3/xattr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nntfs: Fix panic about slab-out-of-bounds caused by ntfs_listxattr()\n\nHere is a BUG report from syzbot:\n\nBUG: KASAN: slab-out-of-bounds in ntfs_list_ea fs/ntfs3/xattr.c:191 [inline]\nBUG: KASAN: slab-out-of-bounds in ntfs_listxattr+0x401/0x570 fs/ntfs3/xattr.c:710\nRead of size 1 at addr ffff888021acaf3d by task syz-executor128/3632\n\nCall Trace:\n ntfs_list_ea fs/ntfs3/xattr.c:191 [inline]\n ntfs_listxattr+0x401/0x570 fs/ntfs3/xattr.c:710\n vfs_listxattr fs/xattr.c:457 [inline]\n listxattr+0x293/0x2d0 fs/xattr.c:804\n\nFix the logic of ea_all iteration. When the ea-\u003ename_len is 0,\nreturn immediately, or Add2Ptr() would visit invalid memory\nin the next loop.\n\n[almaz.alexandrovich@paragon-software.com: lines of the patch have changed]"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-18T16:04:03.754Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f3380d895e28a32632eb3609f5bd515adee4e5a1"
},
{
"url": "https://git.kernel.org/stable/c/c86a2517df6c9304db8fb12b77136ec7a5d85994"
},
{
"url": "https://git.kernel.org/stable/c/721b75ea2dfce53a8890dff92ae01afca8e74f88"
},
{
"url": "https://git.kernel.org/stable/c/3c675ddffb17a8b1e32efad5c983254af18b12c2"
}
],
"title": "ntfs: Fix panic about slab-out-of-bounds caused by ntfs_listxattr()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53420",
"datePublished": "2025-09-18T16:04:03.754Z",
"dateReserved": "2025-09-17T14:54:09.741Z",
"dateUpdated": "2026-01-14T19:13:10.492Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53168 (GCVE-0-2023-53168)
Vulnerability from cvelistv5 – Published: 2025-09-15 14:03 – Updated: 2025-09-15 14:03
Title
usb: ucsi_acpi: Increase the command completion timeout
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: ucsi_acpi: Increase the command completion timeout
Commit 130a96d698d7 ("usb: typec: ucsi: acpi: Increase command
completion timeout value") increased the timeout from 5 seconds
to 60 seconds due to issues related to alternate mode discovery.
After the alternate mode discovery switch to polled mode
the timeout was reduced, but instead of being set back to
5 seconds it was reduced to 1 second.
This is causing problems when using a Lenovo ThinkPad X1 yoga gen7
connected over Type-C to a LG 27UL850-W (charging DP over Type-C).
When the monitor is already connected at boot the following error
is logged: "PPM init failed (-110)", /sys/class/typec is empty and
on unplugging the NULL pointer deref fixed earlier in this series
happens.
When the monitor is connected after boot the following error
is logged instead: "GET_CONNECTOR_STATUS failed (-110)".
Setting the timeout back to 5 seconds fixes both cases.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: e08065069fc7b074712378a95a3522d557e9bbe1 , < 1e8525f37871741a52370627633962f8bdcab15a (git) Affected: e08065069fc7b074712378a95a3522d557e9bbe1 , < 8346d21d1d8a63f46f60e6899f4f80b1306acf32 (git) Affected: e08065069fc7b074712378a95a3522d557e9bbe1 , < 02d210f434249a7edbc160969b75df030dc6934d (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/typec/ucsi/ucsi_acpi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1e8525f37871741a52370627633962f8bdcab15a",
"status": "affected",
"version": "e08065069fc7b074712378a95a3522d557e9bbe1",
"versionType": "git"
},
{
"lessThan": "8346d21d1d8a63f46f60e6899f4f80b1306acf32",
"status": "affected",
"version": "e08065069fc7b074712378a95a3522d557e9bbe1",
"versionType": "git"
},
{
"lessThan": "02d210f434249a7edbc160969b75df030dc6934d",
"status": "affected",
"version": "e08065069fc7b074712378a95a3522d557e9bbe1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/typec/ucsi/ucsi_acpi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.22",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.9",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: ucsi_acpi: Increase the command completion timeout\n\nCommit 130a96d698d7 (\"usb: typec: ucsi: acpi: Increase command\ncompletion timeout value\") increased the timeout from 5 seconds\nto 60 seconds due to issues related to alternate mode discovery.\n\nAfter the alternate mode discovery switch to polled mode\nthe timeout was reduced, but instead of being set back to\n5 seconds it was reduced to 1 second.\n\nThis is causing problems when using a Lenovo ThinkPad X1 yoga gen7\nconnected over Type-C to a LG 27UL850-W (charging DP over Type-C).\n\nWhen the monitor is already connected at boot the following error\nis logged: \"PPM init failed (-110)\", /sys/class/typec is empty and\non unplugging the NULL pointer deref fixed earlier in this series\nhappens.\n\nWhen the monitor is connected after boot the following error\nis logged instead: \"GET_CONNECTOR_STATUS failed (-110)\".\n\nSetting the timeout back to 5 seconds fixes both cases."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T14:03:59.766Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1e8525f37871741a52370627633962f8bdcab15a"
},
{
"url": "https://git.kernel.org/stable/c/8346d21d1d8a63f46f60e6899f4f80b1306acf32"
},
{
"url": "https://git.kernel.org/stable/c/02d210f434249a7edbc160969b75df030dc6934d"
}
],
"title": "usb: ucsi_acpi: Increase the command completion timeout",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53168",
"datePublished": "2025-09-15T14:03:59.766Z",
"dateReserved": "2025-09-15T13:59:19.063Z",
"dateUpdated": "2025-09-15T14:03:59.766Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39721 (GCVE-0-2025-39721)
Vulnerability from cvelistv5 – Published: 2025-09-05 17:21 – Updated: 2025-09-29 05:58
Title
crypto: qat - flush misc workqueue during device shutdown
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: qat - flush misc workqueue during device shutdown
Repeated loading and unloading of a device specific QAT driver, for
example qat_4xxx, in a tight loop can lead to a crash due to a
use-after-free scenario. This occurs when a power management (PM)
interrupt triggers just before the device-specific driver (e.g.,
qat_4xxx.ko) is unloaded, while the core driver (intel_qat.ko) remains
loaded.
Since the driver uses a shared workqueue (`qat_misc_wq`) across all
devices and owned by intel_qat.ko, a deferred routine from the
device-specific driver may still be pending in the queue. If this
routine executes after the driver is unloaded, it can dereference freed
memory, resulting in a page fault and kernel crash like the following:
BUG: unable to handle page fault for address: ffa000002e50a01c
#PF: supervisor read access in kernel mode
RIP: 0010:pm_bh_handler+0x1d2/0x250 [intel_qat]
Call Trace:
pm_bh_handler+0x1d2/0x250 [intel_qat]
process_one_work+0x171/0x340
worker_thread+0x277/0x3a0
kthread+0xf0/0x120
ret_from_fork+0x2d/0x50
To prevent this, flush the misc workqueue during device shutdown to
ensure that all pending work items are completed before the driver is
unloaded.
Note: This approach may slightly increase shutdown latency if the
workqueue contains jobs from other devices, but it ensures correctness
and stability.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: e5745f34113b758b45d134dec04a7df94dc67131 , < 5858448a6c65d8ee3f8600570d3ce19febcb33be (git) Affected: e5745f34113b758b45d134dec04a7df94dc67131 , < fe546f5c50fc474daca6bee72caa7ab68a74c33d (git) Affected: e5745f34113b758b45d134dec04a7df94dc67131 , < e59a52e429e13df3feb34f4853a8e36d121ed937 (git) Affected: e5745f34113b758b45d134dec04a7df94dc67131 , < 3d4df408ba9bad2b205c7fb8afc1836a6a4ca88a (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/crypto/intel/qat/qat_common/adf_common_drv.h",
"drivers/crypto/intel/qat/qat_common/adf_init.c",
"drivers/crypto/intel/qat/qat_common/adf_isr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5858448a6c65d8ee3f8600570d3ce19febcb33be",
"status": "affected",
"version": "e5745f34113b758b45d134dec04a7df94dc67131",
"versionType": "git"
},
{
"lessThan": "fe546f5c50fc474daca6bee72caa7ab68a74c33d",
"status": "affected",
"version": "e5745f34113b758b45d134dec04a7df94dc67131",
"versionType": "git"
},
{
"lessThan": "e59a52e429e13df3feb34f4853a8e36d121ed937",
"status": "affected",
"version": "e5745f34113b758b45d134dec04a7df94dc67131",
"versionType": "git"
},
{
"lessThan": "3d4df408ba9bad2b205c7fb8afc1836a6a4ca88a",
"status": "affected",
"version": "e5745f34113b758b45d134dec04a7df94dc67131",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/crypto/intel/qat/qat_common/adf_common_drv.h",
"drivers/crypto/intel/qat/qat_common/adf_init.c",
"drivers/crypto/intel/qat/qat_common/adf_isr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.44",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.44",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.4",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: qat - flush misc workqueue during device shutdown\n\nRepeated loading and unloading of a device specific QAT driver, for\nexample qat_4xxx, in a tight loop can lead to a crash due to a\nuse-after-free scenario. This occurs when a power management (PM)\ninterrupt triggers just before the device-specific driver (e.g.,\nqat_4xxx.ko) is unloaded, while the core driver (intel_qat.ko) remains\nloaded.\n\nSince the driver uses a shared workqueue (`qat_misc_wq`) across all\ndevices and owned by intel_qat.ko, a deferred routine from the\ndevice-specific driver may still be pending in the queue. If this\nroutine executes after the driver is unloaded, it can dereference freed\nmemory, resulting in a page fault and kernel crash like the following:\n\n BUG: unable to handle page fault for address: ffa000002e50a01c\n #PF: supervisor read access in kernel mode\n RIP: 0010:pm_bh_handler+0x1d2/0x250 [intel_qat]\n Call Trace:\n pm_bh_handler+0x1d2/0x250 [intel_qat]\n process_one_work+0x171/0x340\n worker_thread+0x277/0x3a0\n kthread+0xf0/0x120\n ret_from_fork+0x2d/0x50\n\nTo prevent this, flush the misc workqueue during device shutdown to\nensure that all pending work items are completed before the driver is\nunloaded.\n\nNote: This approach may slightly increase shutdown latency if the\nworkqueue contains jobs from other devices, but it ensures correctness\nand stability."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:58:07.985Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5858448a6c65d8ee3f8600570d3ce19febcb33be"
},
{
"url": "https://git.kernel.org/stable/c/fe546f5c50fc474daca6bee72caa7ab68a74c33d"
},
{
"url": "https://git.kernel.org/stable/c/e59a52e429e13df3feb34f4853a8e36d121ed937"
},
{
"url": "https://git.kernel.org/stable/c/3d4df408ba9bad2b205c7fb8afc1836a6a4ca88a"
}
],
"title": "crypto: qat - flush misc workqueue during device shutdown",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39721",
"datePublished": "2025-09-05T17:21:28.911Z",
"dateReserved": "2025-04-16T07:20:57.117Z",
"dateUpdated": "2025-09-29T05:58:07.985Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39754 (GCVE-0-2025-39754)
Vulnerability from cvelistv5 – Published: 2025-09-11 16:52 – Updated: 2025-09-29 05:58
Title
mm/smaps: fix race between smaps_hugetlb_range and migration
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/smaps: fix race between smaps_hugetlb_range and migration
smaps_hugetlb_range() handles the pte without holding ptl, and may be
concurrent with migration, leading to BUG_ON in pfn_swap_entry_to_page().
The race is as follows.
    smaps_hugetlb_range              migrate_pages
      huge_ptep_get
                                       remove_migration_ptes
                                       folio_unlock
      pfn_swap_entry_folio
        BUG_ON
To fix it, hold ptl lock in smaps_hugetlb_range().
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 25ee01a2fca02dfb5a3ce316e77910c468108199 , < 2a1f3663974162b8f1e098196f557cfc1d160138 (git) Affected: 25ee01a2fca02dfb5a3ce316e77910c468108199 , < 09fc018f48871123ad5dbd7b03c956580232ed76 (git) Affected: 25ee01a2fca02dfb5a3ce316e77910c468108199 , < b625883ccbcc2b57808db51d1375b1d7b9bcb3e5 (git) Affected: 25ee01a2fca02dfb5a3ce316e77910c468108199 , < 45d19b4b6c2d422771c29b83462d84afcbb33f01 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/proc/task_mmu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2a1f3663974162b8f1e098196f557cfc1d160138",
"status": "affected",
"version": "25ee01a2fca02dfb5a3ce316e77910c468108199",
"versionType": "git"
},
{
"lessThan": "09fc018f48871123ad5dbd7b03c956580232ed76",
"status": "affected",
"version": "25ee01a2fca02dfb5a3ce316e77910c468108199",
"versionType": "git"
},
{
"lessThan": "b625883ccbcc2b57808db51d1375b1d7b9bcb3e5",
"status": "affected",
"version": "25ee01a2fca02dfb5a3ce316e77910c468108199",
"versionType": "git"
},
{
"lessThan": "45d19b4b6c2d422771c29b83462d84afcbb33f01",
"status": "affected",
"version": "25ee01a2fca02dfb5a3ce316e77910c468108199",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/proc/task_mmu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.4"
},
{
"lessThan": "4.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.43",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.11",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.2",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/smaps: fix race between smaps_hugetlb_range and migration\n\nsmaps_hugetlb_range() handles the pte without holdling ptl, and may be\nconcurrenct with migration, leaing to BUG_ON in pfn_swap_entry_to_page(). \nThe race is as follows.\n\nsmaps_hugetlb_range migrate_pages\n huge_ptep_get\n remove_migration_ptes\n\t\t\t\t folio_unlock\n pfn_swap_entry_folio\n BUG_ON\n\nTo fix it, hold ptl lock in smaps_hugetlb_range()."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:58:44.690Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2a1f3663974162b8f1e098196f557cfc1d160138"
},
{
"url": "https://git.kernel.org/stable/c/09fc018f48871123ad5dbd7b03c956580232ed76"
},
{
"url": "https://git.kernel.org/stable/c/b625883ccbcc2b57808db51d1375b1d7b9bcb3e5"
},
{
"url": "https://git.kernel.org/stable/c/45d19b4b6c2d422771c29b83462d84afcbb33f01"
}
],
"title": "mm/smaps: fix race between smaps_hugetlb_range and migration",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39754",
"datePublished": "2025-09-11T16:52:24.763Z",
"dateReserved": "2025-04-16T07:20:57.125Z",
"dateUpdated": "2025-09-29T05:58:44.690Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39713 (GCVE-0-2025-39713)
Vulnerability from cvelistv5 – Published: 2025-09-05 17:21 – Updated: 2025-11-03 17:42
Title
media: rainshadow-cec: fix TOCTOU race condition in rain_interrupt()
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: rainshadow-cec: fix TOCTOU race condition in rain_interrupt()
In the interrupt handler rain_interrupt(), the buffer full check on
rain->buf_len is performed before acquiring rain->buf_lock. This
creates a Time-of-Check to Time-of-Use (TOCTOU) race condition, as
rain->buf_len is concurrently accessed and modified in the work
handler rain_irq_work_handler() under the same lock.
Multiple interrupt invocations can race, with each reading buf_len
before it becomes full and then proceeding. This can lead to both
interrupts attempting to write to the buffer, incrementing buf_len
beyond its capacity (DATA_SIZE) and causing a buffer overflow.
Fix this bug by moving the spin_lock() to before the buffer full
check. This ensures that the check and the subsequent buffer modification
are performed atomically, preventing the race condition. A corresponding
spin_unlock() is added to the overflow path to correctly release the
lock.
This possible bug was found by an experimental static analysis tool
developed by our team.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 0f314f6c2e77beb1a232be21dd6be4e1849ba5ac , < 2964dbe631fd21ad7873b1752b895548d3c12496 (git) Affected: 0f314f6c2e77beb1a232be21dd6be4e1849ba5ac , < 6aaef1a75985865d8c6c5b65fb54152060faba48 (git) Affected: 0f314f6c2e77beb1a232be21dd6be4e1849ba5ac , < fbc81e78d75bf28972bc22b1599559557b1a1b83 (git) Affected: 0f314f6c2e77beb1a232be21dd6be4e1849ba5ac , < 3c3e33b7edca7a2d6a96801f287f9faeb684d655 (git) Affected: 0f314f6c2e77beb1a232be21dd6be4e1849ba5ac , < 1c2769dc80255824542ea5a4ff1a07dcdeb1603f (git) Affected: 0f314f6c2e77beb1a232be21dd6be4e1849ba5ac , < ed905fe7cba03cf22ae0b84cf1b73cd1c070423a (git) Affected: 0f314f6c2e77beb1a232be21dd6be4e1849ba5ac , < ff9dd3db6cd4c6b54a2ecbc58151bea4ec63bc59 (git) Affected: 0f314f6c2e77beb1a232be21dd6be4e1849ba5ac , < 7af160aea26c7dc9e6734d19306128cce156ec40 (git) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:42:39.229Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/cec/usb/rainshadow/rainshadow-cec.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2964dbe631fd21ad7873b1752b895548d3c12496",
"status": "affected",
"version": "0f314f6c2e77beb1a232be21dd6be4e1849ba5ac",
"versionType": "git"
},
{
"lessThan": "6aaef1a75985865d8c6c5b65fb54152060faba48",
"status": "affected",
"version": "0f314f6c2e77beb1a232be21dd6be4e1849ba5ac",
"versionType": "git"
},
{
"lessThan": "fbc81e78d75bf28972bc22b1599559557b1a1b83",
"status": "affected",
"version": "0f314f6c2e77beb1a232be21dd6be4e1849ba5ac",
"versionType": "git"
},
{
"lessThan": "3c3e33b7edca7a2d6a96801f287f9faeb684d655",
"status": "affected",
"version": "0f314f6c2e77beb1a232be21dd6be4e1849ba5ac",
"versionType": "git"
},
{
"lessThan": "1c2769dc80255824542ea5a4ff1a07dcdeb1603f",
"status": "affected",
"version": "0f314f6c2e77beb1a232be21dd6be4e1849ba5ac",
"versionType": "git"
},
{
"lessThan": "ed905fe7cba03cf22ae0b84cf1b73cd1c070423a",
"status": "affected",
"version": "0f314f6c2e77beb1a232be21dd6be4e1849ba5ac",
"versionType": "git"
},
{
"lessThan": "ff9dd3db6cd4c6b54a2ecbc58151bea4ec63bc59",
"status": "affected",
"version": "0f314f6c2e77beb1a232be21dd6be4e1849ba5ac",
"versionType": "git"
},
{
"lessThan": "7af160aea26c7dc9e6734d19306128cce156ec40",
"status": "affected",
"version": "0f314f6c2e77beb1a232be21dd6be4e1849ba5ac",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/cec/usb/rainshadow/rainshadow-cec.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.44",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.44",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.4",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: rainshadow-cec: fix TOCTOU race condition in rain_interrupt()\n\nIn the interrupt handler rain_interrupt(), the buffer full check on\nrain-\u003ebuf_len is performed before acquiring rain-\u003ebuf_lock. This\ncreates a Time-of-Check to Time-of-Use (TOCTOU) race condition, as\nrain-\u003ebuf_len is concurrently accessed and modified in the work\nhandler rain_irq_work_handler() under the same lock.\n\nMultiple interrupt invocations can race, with each reading buf_len\nbefore it becomes full and then proceeding. This can lead to both\ninterrupts attempting to write to the buffer, incrementing buf_len\nbeyond its capacity (DATA_SIZE) and causing a buffer overflow.\n\nFix this bug by moving the spin_lock() to before the buffer full\ncheck. This ensures that the check and the subsequent buffer modification\nare performed atomically, preventing the race condition. An corresponding\nspin_unlock() is added to the overflow path to correctly release the\nlock.\n\nThis possible bug was found by an experimental static analysis tool\ndeveloped by our team."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:57:57.855Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2964dbe631fd21ad7873b1752b895548d3c12496"
},
{
"url": "https://git.kernel.org/stable/c/6aaef1a75985865d8c6c5b65fb54152060faba48"
},
{
"url": "https://git.kernel.org/stable/c/fbc81e78d75bf28972bc22b1599559557b1a1b83"
},
{
"url": "https://git.kernel.org/stable/c/3c3e33b7edca7a2d6a96801f287f9faeb684d655"
},
{
"url": "https://git.kernel.org/stable/c/1c2769dc80255824542ea5a4ff1a07dcdeb1603f"
},
{
"url": "https://git.kernel.org/stable/c/ed905fe7cba03cf22ae0b84cf1b73cd1c070423a"
},
{
"url": "https://git.kernel.org/stable/c/ff9dd3db6cd4c6b54a2ecbc58151bea4ec63bc59"
},
{
"url": "https://git.kernel.org/stable/c/7af160aea26c7dc9e6734d19306128cce156ec40"
}
],
"title": "media: rainshadow-cec: fix TOCTOU race condition in rain_interrupt()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39713",
"datePublished": "2025-09-05T17:21:20.459Z",
"dateReserved": "2025-04-16T07:20:57.116Z",
"dateUpdated": "2025-11-03T17:42:39.229Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39695 (GCVE-0-2025-39695)
Vulnerability from cvelistv5 – Published: 2025-09-05 17:21 – Updated: 2025-09-29 05:57
Title
RDMA/rxe: Flush delayed SKBs while releasing RXE resources
Summary
In the Linux kernel, the following vulnerability has been resolved:

RDMA/rxe: Flush delayed SKBs while releasing RXE resources

When skb packets are sent out, these skb packets still depend on
the rxe resources, for example, QP, sk, when these packets are
destroyed.

If these rxe resources are released when the skb packets are destroyed,
the call traces will appear.

To avoid skb packets hanging for too long in some network devices,
a timestamp is added when these skb packets are created. If these
skb packets hang for too long in network devices, these network
devices can free these skb packets to release rxe resources.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 1a633bdc8fd9e9e4a9f9a668ae122edfc5aacc86 , < 732d4bd7b78a2752ad43cc39287ef41893c5eee2 (git) |
| Linux | Linux | Affected: 1a633bdc8fd9e9e4a9f9a668ae122edfc5aacc86 , < 8ead139a8edef485cc36d3a792e2ae5dd538339a (git) |
| Linux | Linux | Affected: 1a633bdc8fd9e9e4a9f9a668ae122edfc5aacc86 , < 3c3e9a9f2972b364e8c2cfbfdeb23c6d6be4f87f (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/sw/rxe/rxe_net.c",
"drivers/infiniband/sw/rxe/rxe_qp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "732d4bd7b78a2752ad43cc39287ef41893c5eee2",
"status": "affected",
"version": "1a633bdc8fd9e9e4a9f9a668ae122edfc5aacc86",
"versionType": "git"
},
{
"lessThan": "8ead139a8edef485cc36d3a792e2ae5dd538339a",
"status": "affected",
"version": "1a633bdc8fd9e9e4a9f9a668ae122edfc5aacc86",
"versionType": "git"
},
{
"lessThan": "3c3e9a9f2972b364e8c2cfbfdeb23c6d6be4f87f",
"status": "affected",
"version": "1a633bdc8fd9e9e4a9f9a668ae122edfc5aacc86",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/sw/rxe/rxe_net.c",
"drivers/infiniband/sw/rxe/rxe_qp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.10"
},
{
"lessThan": "6.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.44",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.44",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.4",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Flush delayed SKBs while releasing RXE resources\n\nWhen skb packets are sent out, these skb packets still depends on\nthe rxe resources, for example, QP, sk, when these packets are\ndestroyed.\n\nIf these rxe resources are released when the skb packets are destroyed,\nthe call traces will appear.\n\nTo avoid skb packets hang too long time in some network devices,\na timestamp is added when these skb packets are created. If these\nskb packets hang too long time in network devices, these network\ndevices can free these skb packets to release rxe resources."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:57:35.112Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/732d4bd7b78a2752ad43cc39287ef41893c5eee2"
},
{
"url": "https://git.kernel.org/stable/c/8ead139a8edef485cc36d3a792e2ae5dd538339a"
},
{
"url": "https://git.kernel.org/stable/c/3c3e9a9f2972b364e8c2cfbfdeb23c6d6be4f87f"
}
],
"title": "RDMA/rxe: Flush delayed SKBs while releasing RXE resources",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39695",
"datePublished": "2025-09-05T17:21:01.198Z",
"dateReserved": "2025-04-16T07:20:57.114Z",
"dateUpdated": "2025-09-29T05:57:35.112Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39677 (GCVE-0-2025-39677)
Vulnerability from cvelistv5 – Published: 2025-09-05 17:20 – Updated: 2025-09-29 05:57
Title
net/sched: Fix backlog accounting in qdisc_dequeue_internal
Summary
In the Linux kernel, the following vulnerability has been resolved:

net/sched: Fix backlog accounting in qdisc_dequeue_internal

This issue applies for the following qdiscs: hhf, fq, fq_codel, and
fq_pie, and occurs in their change handlers when adjusting to the new
limit. The problem is the following in the values passed to the
subsequent qdisc_tree_reduce_backlog call given a tbf parent:

When the tbf parent runs out of tokens, skbs of these qdiscs will
be placed in gso_skb. Their peek handlers are qdisc_peek_dequeued,
which accounts for both qlen and backlog. However, in the case of
qdisc_dequeue_internal, ONLY qlen is accounted for when pulling
from gso_skb. This means that these qdiscs are missing a
qdisc_qstats_backlog_dec when dropping packets to satisfy the
new limit in their change handlers.

One can observe this issue with the following (with tc patched to
support a limit of 0):

    export TARGET=fq
    tc qdisc del dev lo root
    tc qdisc add dev lo root handle 1: tbf rate 8bit burst 100b latency 1ms
    tc qdisc replace dev lo handle 3: parent 1:1 $TARGET limit 1000
    echo ''; echo 'add child'; tc -s -d qdisc show dev lo
    ping -I lo -f -c2 -s32 -W0.001 127.0.0.1 2>&1 >/dev/null
    echo ''; echo 'after ping'; tc -s -d qdisc show dev lo
    tc qdisc change dev lo handle 3: parent 1:1 $TARGET limit 0
    echo ''; echo 'after limit drop'; tc -s -d qdisc show dev lo
    tc qdisc replace dev lo handle 2: parent 1:1 sfq
    echo ''; echo 'post graft'; tc -s -d qdisc show dev lo

The second to last show command shows 0 packets but a positive
number (74) of backlog bytes. The problem becomes clearer in the
last show command, where qdisc_purge_queue triggers
qdisc_tree_reduce_backlog with the positive backlog and causes an
underflow in the tbf parent's backlog (4096 Mb instead of 0).

To fix this issue, the codepath for all clients of qdisc_dequeue_internal
has been simplified: codel, pie, hhf, fq, fq_pie, and fq_codel.
qdisc_dequeue_internal handles the backlog adjustments for all cases that
do not directly use the dequeue handler.

The old fq_codel_change limit adjustment loop accumulated the arguments to
the subsequent qdisc_tree_reduce_backlog call through the cstats field.
However, this is confusing and error prone as fq_codel_dequeue could also
potentially mutate this field (which qdisc_dequeue_internal calls in the
non gso_skb case), so we have unified the code here with other qdiscs.
Severity
No CVSS data available.
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/sch_generic.h",
"net/sched/sch_codel.c",
"net/sched/sch_fq.c",
"net/sched/sch_fq_codel.c",
"net/sched/sch_fq_pie.c",
"net/sched/sch_hhf.c",
"net/sched/sch_pie.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a225f44d84b8900d679c5f5a9ea46fe9c0cc7802",
"status": "affected",
"version": "4b549a2ef4bef9965d97cbd992ba67930cd3e0fe",
"versionType": "git"
},
{
"lessThan": "52bf272636bda69587952b35ae97690b8dc89941",
"status": "affected",
"version": "4b549a2ef4bef9965d97cbd992ba67930cd3e0fe",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/sch_generic.h",
"net/sched/sch_codel.c",
"net/sched/sch_fq.c",
"net/sched/sch_fq_codel.c",
"net/sched/sch_fq_pie.c",
"net/sched/sch_hhf.c",
"net/sched/sch_pie.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.5"
},
{
"lessThan": "3.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.4",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "3.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: Fix backlog accounting in qdisc_dequeue_internal\n\nThis issue applies for the following qdiscs: hhf, fq, fq_codel, and\nfq_pie, and occurs in their change handlers when adjusting to the new\nlimit. The problem is the following in the values passed to the\nsubsequent qdisc_tree_reduce_backlog call given a tbf parent:\n\n When the tbf parent runs out of tokens, skbs of these qdiscs will\n be placed in gso_skb. Their peek handlers are qdisc_peek_dequeued,\n which accounts for both qlen and backlog. However, in the case of\n qdisc_dequeue_internal, ONLY qlen is accounted for when pulling\n from gso_skb. This means that these qdiscs are missing a\n qdisc_qstats_backlog_dec when dropping packets to satisfy the\n new limit in their change handlers.\n\n One can observe this issue with the following (with tc patched to\n support a limit of 0):\n\n export TARGET=fq\n tc qdisc del dev lo root\n tc qdisc add dev lo root handle 1: tbf rate 8bit burst 100b latency 1ms\n tc qdisc replace dev lo handle 3: parent 1:1 $TARGET limit 1000\n echo \u0027\u0027; echo \u0027add child\u0027; tc -s -d qdisc show dev lo\n ping -I lo -f -c2 -s32 -W0.001 127.0.0.1 2\u003e\u00261 \u003e/dev/null\n echo \u0027\u0027; echo \u0027after ping\u0027; tc -s -d qdisc show dev lo\n tc qdisc change dev lo handle 3: parent 1:1 $TARGET limit 0\n echo \u0027\u0027; echo \u0027after limit drop\u0027; tc -s -d qdisc show dev lo\n tc qdisc replace dev lo handle 2: parent 1:1 sfq\n echo \u0027\u0027; echo \u0027post graft\u0027; tc -s -d qdisc show dev lo\n\n The second to last show command shows 0 packets but a positive\n number (74) of backlog bytes. The problem becomes clearer in the\n last show command, where qdisc_purge_queue triggers\n qdisc_tree_reduce_backlog with the positive backlog and causes an\n underflow in the tbf parent\u0027s backlog (4096 Mb instead of 0).\n\nTo fix this issue, the codepath for all clients of qdisc_dequeue_internal\nhas been simplified: codel, pie, hhf, fq, fq_pie, and fq_codel.\nqdisc_dequeue_internal handles the backlog adjustments for all cases that\ndo not directly use the dequeue handler.\n\nThe old fq_codel_change limit adjustment loop accumulated the arguments to\nthe subsequent qdisc_tree_reduce_backlog call through the cstats field.\nHowever, this is confusing and error prone as fq_codel_dequeue could also\npotentially mutate this field (which qdisc_dequeue_internal calls in the\nnon gso_skb case), so we have unified the code here with other qdiscs."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:57:13.148Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a225f44d84b8900d679c5f5a9ea46fe9c0cc7802"
},
{
"url": "https://git.kernel.org/stable/c/52bf272636bda69587952b35ae97690b8dc89941"
}
],
"title": "net/sched: Fix backlog accounting in qdisc_dequeue_internal",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39677",
"datePublished": "2025-09-05T17:20:43.145Z",
"dateReserved": "2025-04-16T07:20:57.112Z",
"dateUpdated": "2025-09-29T05:57:13.148Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50233 (GCVE-0-2022-50233)
Vulnerability from cvelistv5 – Published: 2025-08-09 14:30 – Updated: 2025-10-29 10:50
Title
Bluetooth: eir: Fix using strlen with hdev->{dev_name,short_name}
Summary
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: eir: Fix using strlen with hdev->{dev_name,short_name}

Both dev_name and short_name are not guaranteed to be NULL terminated so
this instead uses strnlen and then attempts to determine if the resulting
string needs to be truncated or not.
Severity
No CVSS data available.
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/eir.c",
"net/bluetooth/mgmt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "dd7b8cdde098cf9f7c8de409b5b7bbb98f97be80",
"status": "affected",
"version": "4c3dbb2c312c9fafbac30d98c523b8b1f3455d78",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/eir.c",
"net/bluetooth/mgmt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.14"
},
{
"lessThan": "4.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0",
"versionStartIncluding": "4.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: eir: Fix using strlen with hdev-\u003e{dev_name,short_name}\n\nBoth dev_name and short_name are not guaranteed to be NULL terminated so\nthis instead use strnlen and then attempt to determine if the resulting\nstring needs to be truncated or not."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-29T10:50:07.782Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/dd7b8cdde098cf9f7c8de409b5b7bbb98f97be80"
}
],
"title": "Bluetooth: eir: Fix using strlen with hdev-\u003e{dev_name,short_name}",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50233",
"datePublished": "2025-08-09T14:30:51.639Z",
"dateReserved": "2025-06-18T10:57:27.432Z",
"dateUpdated": "2025-10-29T10:50:07.782Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53249 (GCVE-0-2023-53249)
Vulnerability from cvelistv5 – Published: 2025-09-15 14:46 – Updated: 2026-01-14 18:02
Title
clk: imx: clk-imx8mn: fix memory leak in imx8mn_clocks_probe
Summary
In the Linux kernel, the following vulnerability has been resolved:

clk: imx: clk-imx8mn: fix memory leak in imx8mn_clocks_probe

Use devm_of_iomap() instead of of_iomap() to automatically handle
the unused ioremap region.

If any error occurs, regions allocated by kzalloc() will leak,
but using devm_kzalloc() instead will automatically free the memory
using devm_kfree().
Severity
5.5 (Medium)
CWE
- CWE-401 - Missing Release of Memory after Effective Lifetime
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 96d6392b54dbb1ff2b39448a2516fa6abb33114b , < 294321349bd3b0680847fc2bbe66b9ab3e522fea (git) |
| Linux | Linux | Affected: 96d6392b54dbb1ff2b39448a2516fa6abb33114b , < 50b5ddde8fad5f0ffd239029d0956af633a0f9b1 (git) |
| Linux | Linux | Affected: 96d6392b54dbb1ff2b39448a2516fa6abb33114b , < 9ba3693b0350b154fdd7830559bbc7b04c067096 (git) |
| Linux | Linux | Affected: 96d6392b54dbb1ff2b39448a2516fa6abb33114b , < 9428cf0fbf4be9a24f3e15a0c166b861b12666af (git) |
| Linux | Linux | Affected: 96d6392b54dbb1ff2b39448a2516fa6abb33114b , < d4fa5e47af1e7bb2bbcaac062b14216c00e92148 (git) |
| Linux | Linux | Affected: 96d6392b54dbb1ff2b39448a2516fa6abb33114b , < 188d070de9132667956f5aadd98d2bd87d3eac89 (git) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-53249",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T17:59:47.312431Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T18:02:51.823Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/clk/imx/clk-imx8mn.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "294321349bd3b0680847fc2bbe66b9ab3e522fea",
"status": "affected",
"version": "96d6392b54dbb1ff2b39448a2516fa6abb33114b",
"versionType": "git"
},
{
"lessThan": "50b5ddde8fad5f0ffd239029d0956af633a0f9b1",
"status": "affected",
"version": "96d6392b54dbb1ff2b39448a2516fa6abb33114b",
"versionType": "git"
},
{
"lessThan": "9ba3693b0350b154fdd7830559bbc7b04c067096",
"status": "affected",
"version": "96d6392b54dbb1ff2b39448a2516fa6abb33114b",
"versionType": "git"
},
{
"lessThan": "9428cf0fbf4be9a24f3e15a0c166b861b12666af",
"status": "affected",
"version": "96d6392b54dbb1ff2b39448a2516fa6abb33114b",
"versionType": "git"
},
{
"lessThan": "d4fa5e47af1e7bb2bbcaac062b14216c00e92148",
"status": "affected",
"version": "96d6392b54dbb1ff2b39448a2516fa6abb33114b",
"versionType": "git"
},
{
"lessThan": "188d070de9132667956f5aadd98d2bd87d3eac89",
"status": "affected",
"version": "96d6392b54dbb1ff2b39448a2516fa6abb33114b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/clk/imx/clk-imx8mn.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: imx: clk-imx8mn: fix memory leak in imx8mn_clocks_probe\n\nUse devm_of_iomap() instead of of_iomap() to automatically handle\nthe unused ioremap region.\n\nIf any error occurs, regions allocated by kzalloc() will leak,\nbut using devm_kzalloc() instead will automatically free the memory\nusing devm_kfree()."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T14:46:19.184Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/294321349bd3b0680847fc2bbe66b9ab3e522fea"
},
{
"url": "https://git.kernel.org/stable/c/50b5ddde8fad5f0ffd239029d0956af633a0f9b1"
},
{
"url": "https://git.kernel.org/stable/c/9ba3693b0350b154fdd7830559bbc7b04c067096"
},
{
"url": "https://git.kernel.org/stable/c/9428cf0fbf4be9a24f3e15a0c166b861b12666af"
},
{
"url": "https://git.kernel.org/stable/c/d4fa5e47af1e7bb2bbcaac062b14216c00e92148"
},
{
"url": "https://git.kernel.org/stable/c/188d070de9132667956f5aadd98d2bd87d3eac89"
}
],
"title": "clk: imx: clk-imx8mn: fix memory leak in imx8mn_clocks_probe",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53249",
"datePublished": "2025-09-15T14:46:19.184Z",
"dateReserved": "2025-09-15T14:19:21.849Z",
"dateUpdated": "2026-01-14T18:02:51.823Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38537 (GCVE-0-2025-38537)
Vulnerability from cvelistv5 – Published: 2025-08-16 11:12 – Updated: 2025-08-16 11:12
Title
net: phy: Don't register LEDs for genphy
Summary
In the Linux kernel, the following vulnerability has been resolved:

net: phy: Don't register LEDs for genphy

If a PHY has no driver, the genphy driver is probed/removed directly in
phy_attach/detach. If the PHY's ofnode has an "leds" subnode, then the
LEDs will be (un)registered when probing/removing the genphy driver.
This could occur if the leds are for a non-generic driver that isn't
loaded for whatever reason. Synchronously removing the PHY device in
phy_detach leads to the following deadlock:

    rtnl_lock()
    ndo_close()
        ...
        phy_detach()
        phy_remove()
        phy_leds_unregister()
        led_classdev_unregister()
        led_trigger_set()
        netdev_trigger_deactivate()
        unregister_netdevice_notifier()
        rtnl_lock()

There is a corresponding deadlock on the open/register side of things
(and that one is reported by lockdep), but it requires a race while this
one is deterministic.

Generic PHYs do not support LEDs anyway, so don't bother registering
them.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 01e5b728e9e43ae444e0369695a5f72209906464 , < ec158d05eaa91b2809cab65f8068290e3c05ebdd (git) |
| Linux | Linux | Affected: 01e5b728e9e43ae444e0369695a5f72209906464 , < fd6493533af9e5d73d0d42ff2a8ded978a701dc6 (git) |
| Linux | Linux | Affected: 01e5b728e9e43ae444e0369695a5f72209906464 , < 75e1b2079ef0653a2f7aa69be515d86b7faf1908 (git) |
| Linux | Linux | Affected: 01e5b728e9e43ae444e0369695a5f72209906464 , < f0f2b992d8185a0366be951685e08643aae17d6d (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/phy/phy_device.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ec158d05eaa91b2809cab65f8068290e3c05ebdd",
"status": "affected",
"version": "01e5b728e9e43ae444e0369695a5f72209906464",
"versionType": "git"
},
{
"lessThan": "fd6493533af9e5d73d0d42ff2a8ded978a701dc6",
"status": "affected",
"version": "01e5b728e9e43ae444e0369695a5f72209906464",
"versionType": "git"
},
{
"lessThan": "75e1b2079ef0653a2f7aa69be515d86b7faf1908",
"status": "affected",
"version": "01e5b728e9e43ae444e0369695a5f72209906464",
"versionType": "git"
},
{
"lessThan": "f0f2b992d8185a0366be951685e08643aae17d6d",
"status": "affected",
"version": "01e5b728e9e43ae444e0369695a5f72209906464",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/phy/phy_device.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.100",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.100",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.40",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.8",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: phy: Don\u0027t register LEDs for genphy\n\nIf a PHY has no driver, the genphy driver is probed/removed directly in\nphy_attach/detach. If the PHY\u0027s ofnode has an \"leds\" subnode, then the\nLEDs will be (un)registered when probing/removing the genphy driver.\nThis could occur if the leds are for a non-generic driver that isn\u0027t\nloaded for whatever reason. Synchronously removing the PHY device in\nphy_detach leads to the following deadlock:\n\nrtnl_lock()\nndo_close()\n ...\n phy_detach()\n phy_remove()\n phy_leds_unregister()\n led_classdev_unregister()\n led_trigger_set()\n netdev_trigger_deactivate()\n unregister_netdevice_notifier()\n rtnl_lock()\n\nThere is a corresponding deadlock on the open/register side of things\n(and that one is reported by lockdep), but it requires a race while this\none is deterministic.\n\nGeneric PHYs do not support LEDs anyway, so don\u0027t bother registering\nthem."
}
],
"providerMetadata": {
"dateUpdated": "2025-08-16T11:12:29.432Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ec158d05eaa91b2809cab65f8068290e3c05ebdd"
},
{
"url": "https://git.kernel.org/stable/c/fd6493533af9e5d73d0d42ff2a8ded978a701dc6"
},
{
"url": "https://git.kernel.org/stable/c/75e1b2079ef0653a2f7aa69be515d86b7faf1908"
},
{
"url": "https://git.kernel.org/stable/c/f0f2b992d8185a0366be951685e08643aae17d6d"
}
],
"title": "net: phy: Don\u0027t register LEDs for genphy",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38537",
"datePublished": "2025-08-16T11:12:29.432Z",
"dateReserved": "2025-04-16T04:51:24.024Z",
"dateUpdated": "2025-08-16T11:12:29.432Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38692 (GCVE-0-2025-38692)
Vulnerability from cvelistv5 – Published: 2025-09-04 15:32 – Updated: 2025-09-29 05:56
Title
exfat: add cluster chain loop check for dir
Summary
In the Linux kernel, the following vulnerability has been resolved:
exfat: add cluster chain loop check for dir
An infinite loop may occur if the following conditions occur due to
file system corruption.
(1) Condition for exfat_count_dir_entries() to loop infinitely.
- The cluster chain includes a loop.
- There is no UNUSED entry in the cluster chain.
(2) Condition for exfat_create_upcase_table() to loop infinitely.
- The cluster chain of the root directory includes a loop.
- There are no UNUSED entry and up-case table entry in the cluster
chain of the root directory.
(3) Condition for exfat_load_bitmap() to loop infinitely.
- The cluster chain of the root directory includes a loop.
- There are no UNUSED entry and bitmap entry in the cluster chain
of the root directory.
(4) Condition for exfat_find_dir_entry() to loop infinitely.
- The cluster chain includes a loop.
- The unused directory entries were exhausted by some operation.
(5) Condition for exfat_check_dir_empty() to loop infinitely.
- The cluster chain includes a loop.
- The unused directory entries were exhausted by some operation.
- All files and sub-directories under the directory are deleted.
This commit adds checks to break the above infinite loop.
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 1acf1a564b6034b5af1e7fb23cb98cb3bb4f6003 , < 868f23286c1a13162330fa6c614fe350f78e3f82 (git) |
| | | Affected: 1acf1a564b6034b5af1e7fb23cb98cb3bb4f6003 , < aa8fe7b7b73d4c9a41bb96cb3fb3092f794ecb33 (git) |
| | | Affected: 1acf1a564b6034b5af1e7fb23cb98cb3bb4f6003 , < e2066ca3ef49a30920d8536fa366b2a183a808ee (git) |
| | | Affected: 1acf1a564b6034b5af1e7fb23cb98cb3bb4f6003 , < 4c3cda20c4cf1871e27868d08fda06b79bc7d568 (git) |
| | | Affected: 1acf1a564b6034b5af1e7fb23cb98cb3bb4f6003 , < 99f9a97dce39ad413c39b92c90393bbd6778f3fd (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/exfat/dir.c",
"fs/exfat/fatent.c",
"fs/exfat/namei.c",
"fs/exfat/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "868f23286c1a13162330fa6c614fe350f78e3f82",
"status": "affected",
"version": "1acf1a564b6034b5af1e7fb23cb98cb3bb4f6003",
"versionType": "git"
},
{
"lessThan": "aa8fe7b7b73d4c9a41bb96cb3fb3092f794ecb33",
"status": "affected",
"version": "1acf1a564b6034b5af1e7fb23cb98cb3bb4f6003",
"versionType": "git"
},
{
"lessThan": "e2066ca3ef49a30920d8536fa366b2a183a808ee",
"status": "affected",
"version": "1acf1a564b6034b5af1e7fb23cb98cb3bb4f6003",
"versionType": "git"
},
{
"lessThan": "4c3cda20c4cf1871e27868d08fda06b79bc7d568",
"status": "affected",
"version": "1acf1a564b6034b5af1e7fb23cb98cb3bb4f6003",
"versionType": "git"
},
{
"lessThan": "99f9a97dce39ad413c39b92c90393bbd6778f3fd",
"status": "affected",
"version": "1acf1a564b6034b5af1e7fb23cb98cb3bb4f6003",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/exfat/dir.c",
"fs/exfat/fatent.c",
"fs/exfat/namei.c",
"fs/exfat/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.43",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.11",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.2",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nexfat: add cluster chain loop check for dir\n\nAn infinite loop may occur if the following conditions occur due to\nfile system corruption.\n\n(1) Condition for exfat_count_dir_entries() to loop infinitely.\n - The cluster chain includes a loop.\n - There is no UNUSED entry in the cluster chain.\n\n(2) Condition for exfat_create_upcase_table() to loop infinitely.\n - The cluster chain of the root directory includes a loop.\n - There are no UNUSED entry and up-case table entry in the cluster\n chain of the root directory.\n\n(3) Condition for exfat_load_bitmap() to loop infinitely.\n - The cluster chain of the root directory includes a loop.\n - There are no UNUSED entry and bitmap entry in the cluster chain\n of the root directory.\n\n(4) Condition for exfat_find_dir_entry() to loop infinitely.\n - The cluster chain includes a loop.\n - The unused directory entries were exhausted by some operation.\n\n(5) Condition for exfat_check_dir_empty() to loop infinitely.\n - The cluster chain includes a loop.\n - The unused directory entries were exhausted by some operation.\n - All files and sub-directories under the directory are deleted.\n\nThis commit adds checks to break the above infinite loop."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:56:08.225Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/868f23286c1a13162330fa6c614fe350f78e3f82"
},
{
"url": "https://git.kernel.org/stable/c/aa8fe7b7b73d4c9a41bb96cb3fb3092f794ecb33"
},
{
"url": "https://git.kernel.org/stable/c/e2066ca3ef49a30920d8536fa366b2a183a808ee"
},
{
"url": "https://git.kernel.org/stable/c/4c3cda20c4cf1871e27868d08fda06b79bc7d568"
},
{
"url": "https://git.kernel.org/stable/c/99f9a97dce39ad413c39b92c90393bbd6778f3fd"
}
],
"title": "exfat: add cluster chain loop check for dir",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38692",
"datePublished": "2025-09-04T15:32:46.004Z",
"dateReserved": "2025-04-16T04:51:24.032Z",
"dateUpdated": "2025-09-29T05:56:08.225Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38729 (GCVE-0-2025-38729)
Vulnerability from cvelistv5 – Published: 2025-09-04 15:33 – Updated: 2025-11-03 17:41
Title
ALSA: usb-audio: Validate UAC3 power domain descriptors, too
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: usb-audio: Validate UAC3 power domain descriptors, too
UAC3 power domain descriptors need to be verified with its variable
bLength for avoiding the unexpected OOB accesses by malicious
firmware, too.
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 9a2fe9b801f585baccf8352d82839dcd54b300cf , < 1666207ba0a5973735ef010812536adde6174e81 (git) |
| | | Affected: 9a2fe9b801f585baccf8352d82839dcd54b300cf , < ebc9e06b6ea978a20abf9b87d41afc51b2d745ac (git) |
| | | Affected: 9a2fe9b801f585baccf8352d82839dcd54b300cf , < f03418bb9d542f44df78eec2eff4ac83c0a8ac0d (git) |
| | | Affected: 9a2fe9b801f585baccf8352d82839dcd54b300cf , < 40714daf4d0448e1692c78563faf0ed0f9d9b5c7 (git) |
| | | Affected: 9a2fe9b801f585baccf8352d82839dcd54b300cf , < 07c8d78dbb5e0ff8b23f7fd69cd1d4e2ba22b3dc (git) |
| | | Affected: 9a2fe9b801f585baccf8352d82839dcd54b300cf , < cd08d390d15b204cac1d3174f5f149a20c52e61a (git) |
| | | Affected: 9a2fe9b801f585baccf8352d82839dcd54b300cf , < 29b415ec09f5b9d1dfa2423b826725a8c8796b9a (git) |
| | | Affected: 9a2fe9b801f585baccf8352d82839dcd54b300cf , < 452ad54f432675982cc0d6eb6c40a6c86ac61dbd (git) |
| | | Affected: 9a2fe9b801f585baccf8352d82839dcd54b300cf , < d832ccbc301fbd9e5a1d691bdcf461cdb514595f (git) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:41:59.112Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/usb/validate.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1666207ba0a5973735ef010812536adde6174e81",
"status": "affected",
"version": "9a2fe9b801f585baccf8352d82839dcd54b300cf",
"versionType": "git"
},
{
"lessThan": "ebc9e06b6ea978a20abf9b87d41afc51b2d745ac",
"status": "affected",
"version": "9a2fe9b801f585baccf8352d82839dcd54b300cf",
"versionType": "git"
},
{
"lessThan": "f03418bb9d542f44df78eec2eff4ac83c0a8ac0d",
"status": "affected",
"version": "9a2fe9b801f585baccf8352d82839dcd54b300cf",
"versionType": "git"
},
{
"lessThan": "40714daf4d0448e1692c78563faf0ed0f9d9b5c7",
"status": "affected",
"version": "9a2fe9b801f585baccf8352d82839dcd54b300cf",
"versionType": "git"
},
{
"lessThan": "07c8d78dbb5e0ff8b23f7fd69cd1d4e2ba22b3dc",
"status": "affected",
"version": "9a2fe9b801f585baccf8352d82839dcd54b300cf",
"versionType": "git"
},
{
"lessThan": "cd08d390d15b204cac1d3174f5f149a20c52e61a",
"status": "affected",
"version": "9a2fe9b801f585baccf8352d82839dcd54b300cf",
"versionType": "git"
},
{
"lessThan": "29b415ec09f5b9d1dfa2423b826725a8c8796b9a",
"status": "affected",
"version": "9a2fe9b801f585baccf8352d82839dcd54b300cf",
"versionType": "git"
},
{
"lessThan": "452ad54f432675982cc0d6eb6c40a6c86ac61dbd",
"status": "affected",
"version": "9a2fe9b801f585baccf8352d82839dcd54b300cf",
"versionType": "git"
},
{
"lessThan": "d832ccbc301fbd9e5a1d691bdcf461cdb514595f",
"status": "affected",
"version": "9a2fe9b801f585baccf8352d82839dcd54b300cf",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/usb/validate.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.43",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.11",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.2",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Validate UAC3 power domain descriptors, too\n\nUAC3 power domain descriptors need to be verified with its variable\nbLength for avoiding the unexpected OOB accesses by malicious\nfirmware, too."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:56:56.125Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1666207ba0a5973735ef010812536adde6174e81"
},
{
"url": "https://git.kernel.org/stable/c/ebc9e06b6ea978a20abf9b87d41afc51b2d745ac"
},
{
"url": "https://git.kernel.org/stable/c/f03418bb9d542f44df78eec2eff4ac83c0a8ac0d"
},
{
"url": "https://git.kernel.org/stable/c/40714daf4d0448e1692c78563faf0ed0f9d9b5c7"
},
{
"url": "https://git.kernel.org/stable/c/07c8d78dbb5e0ff8b23f7fd69cd1d4e2ba22b3dc"
},
{
"url": "https://git.kernel.org/stable/c/cd08d390d15b204cac1d3174f5f149a20c52e61a"
},
{
"url": "https://git.kernel.org/stable/c/29b415ec09f5b9d1dfa2423b826725a8c8796b9a"
},
{
"url": "https://git.kernel.org/stable/c/452ad54f432675982cc0d6eb6c40a6c86ac61dbd"
},
{
"url": "https://git.kernel.org/stable/c/d832ccbc301fbd9e5a1d691bdcf461cdb514595f"
}
],
"title": "ALSA: usb-audio: Validate UAC3 power domain descriptors, too",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38729",
"datePublished": "2025-09-04T15:33:26.896Z",
"dateReserved": "2025-04-16T04:51:24.033Z",
"dateUpdated": "2025-11-03T17:41:59.112Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39719 (GCVE-0-2025-39719)
Vulnerability from cvelistv5 – Published: 2025-09-05 17:21 – Updated: 2025-11-03 17:42
Title
iio: imu: bno055: fix OOB access of hw_xlate array
Summary
In the Linux kernel, the following vulnerability has been resolved:
iio: imu: bno055: fix OOB access of hw_xlate array
Fix a potential out-of-bounds array access of the hw_xlate array in
bno055.c.
In bno055_get_regmask(), hw_xlate was iterated over the length of the
vals array instead of the length of the hw_xlate array. In the case of
bno055_gyr_scale, the vals array is larger than the hw_xlate array,
so this could result in an out-of-bounds access. In practice, this
shouldn't happen though because a match should always be found which
breaks out of the for loop before it iterates beyond the end of the
hw_xlate array.
By adding a new hw_xlate_len field to the bno055_sysfs_attr, we can be
sure we are iterating over the correct length.
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 4aefe1c2bd0cb0223130671d459cd16efa3d3462 , < a0691ab6334f1769acc64ea9e319414a682ff45d (git) |
| | | Affected: 4aefe1c2bd0cb0223130671d459cd16efa3d3462 , < 50e823a23816b792daf6e8405f8d6045952bb90e (git) |
| | | Affected: 4aefe1c2bd0cb0223130671d459cd16efa3d3462 , < 4808ca3aa30ae857454d0b41d2d0bf161a312b45 (git) |
| | | Affected: 4aefe1c2bd0cb0223130671d459cd16efa3d3462 , < 5c2b601922c064f7be70ae8621277f18d1ffec59 (git) |
| | | Affected: 4aefe1c2bd0cb0223130671d459cd16efa3d3462 , < 399b883ec828e436f1a721bf8551b4da8727e65b (git) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:42:44.953Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iio/imu/bno055/bno055.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a0691ab6334f1769acc64ea9e319414a682ff45d",
"status": "affected",
"version": "4aefe1c2bd0cb0223130671d459cd16efa3d3462",
"versionType": "git"
},
{
"lessThan": "50e823a23816b792daf6e8405f8d6045952bb90e",
"status": "affected",
"version": "4aefe1c2bd0cb0223130671d459cd16efa3d3462",
"versionType": "git"
},
{
"lessThan": "4808ca3aa30ae857454d0b41d2d0bf161a312b45",
"status": "affected",
"version": "4aefe1c2bd0cb0223130671d459cd16efa3d3462",
"versionType": "git"
},
{
"lessThan": "5c2b601922c064f7be70ae8621277f18d1ffec59",
"status": "affected",
"version": "4aefe1c2bd0cb0223130671d459cd16efa3d3462",
"versionType": "git"
},
{
"lessThan": "399b883ec828e436f1a721bf8551b4da8727e65b",
"status": "affected",
"version": "4aefe1c2bd0cb0223130671d459cd16efa3d3462",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iio/imu/bno055/bno055.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.44",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.44",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.4",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: imu: bno055: fix OOB access of hw_xlate array\n\nFix a potential out-of-bounds array access of the hw_xlate array in\nbno055.c.\n\nIn bno055_get_regmask(), hw_xlate was iterated over the length of the\nvals array instead of the length of the hw_xlate array. In the case of\nbno055_gyr_scale, the vals array is larger than the hw_xlate array,\nso this could result in an out-of-bounds access. In practice, this\nshouldn\u0027t happen though because a match should always be found which\nbreaks out of the for loop before it iterates beyond the end of the\nhw_xlate array.\n\nBy adding a new hw_xlate_len field to the bno055_sysfs_attr, we can be\nsure we are iterating over the correct length."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:58:05.484Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a0691ab6334f1769acc64ea9e319414a682ff45d"
},
{
"url": "https://git.kernel.org/stable/c/50e823a23816b792daf6e8405f8d6045952bb90e"
},
{
"url": "https://git.kernel.org/stable/c/4808ca3aa30ae857454d0b41d2d0bf161a312b45"
},
{
"url": "https://git.kernel.org/stable/c/5c2b601922c064f7be70ae8621277f18d1ffec59"
},
{
"url": "https://git.kernel.org/stable/c/399b883ec828e436f1a721bf8551b4da8727e65b"
}
],
"title": "iio: imu: bno055: fix OOB access of hw_xlate array",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39719",
"datePublished": "2025-09-05T17:21:26.952Z",
"dateReserved": "2025-04-16T07:20:57.117Z",
"dateUpdated": "2025-11-03T17:42:44.953Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39885 (GCVE-0-2025-39885)
Vulnerability from cvelistv5 – Published: 2025-09-23 06:00 – Updated: 2025-11-03 17:44
Title
ocfs2: fix recursive semaphore deadlock in fiemap call
Summary
In the Linux kernel, the following vulnerability has been resolved:
ocfs2: fix recursive semaphore deadlock in fiemap call
syzbot detected an OCFS2 hang due to a recursive semaphore on a
FS_IOC_FIEMAP of the extent list on a specially crafted mmap file.
context_switch kernel/sched/core.c:5357 [inline]
__schedule+0x1798/0x4cc0 kernel/sched/core.c:6961
__schedule_loop kernel/sched/core.c:7043 [inline]
schedule+0x165/0x360 kernel/sched/core.c:7058
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:7115
rwsem_down_write_slowpath+0x872/0xfe0 kernel/locking/rwsem.c:1185
__down_write_common kernel/locking/rwsem.c:1317 [inline]
__down_write kernel/locking/rwsem.c:1326 [inline]
down_write+0x1ab/0x1f0 kernel/locking/rwsem.c:1591
ocfs2_page_mkwrite+0x2ff/0xc40 fs/ocfs2/mmap.c:142
do_page_mkwrite+0x14d/0x310 mm/memory.c:3361
wp_page_shared mm/memory.c:3762 [inline]
do_wp_page+0x268d/0x5800 mm/memory.c:3981
handle_pte_fault mm/memory.c:6068 [inline]
__handle_mm_fault+0x1033/0x5440 mm/memory.c:6195
handle_mm_fault+0x40a/0x8e0 mm/memory.c:6364
do_user_addr_fault+0x764/0x1390 arch/x86/mm/fault.c:1387
handle_page_fault arch/x86/mm/fault.c:1476 [inline]
exc_page_fault+0x76/0xf0 arch/x86/mm/fault.c:1532
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
RIP: 0010:copy_user_generic arch/x86/include/asm/uaccess_64.h:126 [inline]
RIP: 0010:raw_copy_to_user arch/x86/include/asm/uaccess_64.h:147 [inline]
RIP: 0010:_inline_copy_to_user include/linux/uaccess.h:197 [inline]
RIP: 0010:_copy_to_user+0x85/0xb0 lib/usercopy.c:26
Code: e8 00 bc f7 fc 4d 39 fc 72 3d 4d 39 ec 77 38 e8 91 b9 f7 fc 4c 89
f7 89 de e8 47 25 5b fd 0f 01 cb 4c 89 ff 48 89 d9 4c 89 f6 <f3> a4 0f
1f 00 48 89 cb 0f 01 ca 48 89 d8 5b 41 5c 41 5d 41 5e 41
RSP: 0018:ffffc9000403f950 EFLAGS: 00050256
RAX: ffffffff84c7f101 RBX: 0000000000000038 RCX: 0000000000000038
RDX: 0000000000000000 RSI: ffffc9000403f9e0 RDI: 0000200000000060
RBP: ffffc9000403fa90 R08: ffffc9000403fa17 R09: 1ffff92000807f42
R10: dffffc0000000000 R11: fffff52000807f43 R12: 0000200000000098
R13: 00007ffffffff000 R14: ffffc9000403f9e0 R15: 0000200000000060
copy_to_user include/linux/uaccess.h:225 [inline]
fiemap_fill_next_extent+0x1c0/0x390 fs/ioctl.c:145
ocfs2_fiemap+0x888/0xc90 fs/ocfs2/extent_map.c:806
ioctl_fiemap fs/ioctl.c:220 [inline]
do_vfs_ioctl+0x1173/0x1430 fs/ioctl.c:532
__do_sys_ioctl fs/ioctl.c:596 [inline]
__se_sys_ioctl+0x82/0x170 fs/ioctl.c:584
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f5f13850fd9
RSP: 002b:00007ffe3b3518b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000200000000000 RCX: 00007f5f13850fd9
RDX: 0000200000000040 RSI: 00000000c020660b RDI: 0000000000000004
RBP: 6165627472616568 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffe3b3518f0
R13: 00007ffe3b351b18 R14: 431bde82d7b634db R15: 00007f5f1389a03b
ocfs2_fiemap() takes a read lock of the ip_alloc_sem semaphore (since
v2.6.22-527-g7307de80510a) and calls fiemap_fill_next_extent() to read the
extent list of this running mmap executable. The user supplied buffer to
hold the fiemap information page faults calling ocfs2_page_mkwrite() which
will take a write lock (since v2.6.27-38-g00dc417fa3e7) of the same
semaphore. This recursive semaphore will hold filesystem locks and causes
a hang of the filesystem.
The ip_alloc_sem protects the inode extent list and size. Release the
read semaphore before calling fiemap_fill_next_extent() in ocfs2_fiemap()
and ocfs2_fiemap_inline(). This does an unnecessary semaphore lock/unlock
on the last extent but simplifies the error path.
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 00dc417fa3e763345b34ccb6034d72de76eea0a1 , < 16e518ca84dfe860c20a62f3615e14e8af0ace57 (git) |
| | | Affected: 00dc417fa3e763345b34ccb6034d72de76eea0a1 , < 7e1514bd44ef68007703c752c99ff7319f35bce6 (git) |
| | | Affected: 00dc417fa3e763345b34ccb6034d72de76eea0a1 , < ef30404980e4c832ef9bba1b10c08f67fa77a9ec (git) |
| | | Affected: 00dc417fa3e763345b34ccb6034d72de76eea0a1 , < 36054554772f95d090eb45793faf6aa3c0254b02 (git) |
| | | Affected: 00dc417fa3e763345b34ccb6034d72de76eea0a1 , < 0709bc11b942870fc0a7be150e42aea42321093a (git) |
| | | Affected: 00dc417fa3e763345b34ccb6034d72de76eea0a1 , < 1d3c96547ee2ddeaddf8f19a3ef99ea06cc8115e (git) |
| | | Affected: 00dc417fa3e763345b34ccb6034d72de76eea0a1 , < 9efcb7a8b97310efed995397941a292cf89fa94f (git) |
| | | Affected: 00dc417fa3e763345b34ccb6034d72de76eea0a1 , < 04100f775c2ea501927f508f17ad824ad1f23c8d (git) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:44:25.898Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ocfs2/extent_map.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "16e518ca84dfe860c20a62f3615e14e8af0ace57",
"status": "affected",
"version": "00dc417fa3e763345b34ccb6034d72de76eea0a1",
"versionType": "git"
},
{
"lessThan": "7e1514bd44ef68007703c752c99ff7319f35bce6",
"status": "affected",
"version": "00dc417fa3e763345b34ccb6034d72de76eea0a1",
"versionType": "git"
},
{
"lessThan": "ef30404980e4c832ef9bba1b10c08f67fa77a9ec",
"status": "affected",
"version": "00dc417fa3e763345b34ccb6034d72de76eea0a1",
"versionType": "git"
},
{
"lessThan": "36054554772f95d090eb45793faf6aa3c0254b02",
"status": "affected",
"version": "00dc417fa3e763345b34ccb6034d72de76eea0a1",
"versionType": "git"
},
{
"lessThan": "0709bc11b942870fc0a7be150e42aea42321093a",
"status": "affected",
"version": "00dc417fa3e763345b34ccb6034d72de76eea0a1",
"versionType": "git"
},
{
"lessThan": "1d3c96547ee2ddeaddf8f19a3ef99ea06cc8115e",
"status": "affected",
"version": "00dc417fa3e763345b34ccb6034d72de76eea0a1",
"versionType": "git"
},
{
"lessThan": "9efcb7a8b97310efed995397941a292cf89fa94f",
"status": "affected",
"version": "00dc417fa3e763345b34ccb6034d72de76eea0a1",
"versionType": "git"
},
{
"lessThan": "04100f775c2ea501927f508f17ad824ad1f23c8d",
"status": "affected",
"version": "00dc417fa3e763345b34ccb6034d72de76eea0a1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ocfs2/extent_map.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.28"
},
{
"lessThan": "2.6.28",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.153",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.48",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.153",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.107",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.48",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "2.6.28",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: fix recursive semaphore deadlock in fiemap call\n\nsyzbot detected a OCFS2 hang due to a recursive semaphore on a\nFS_IOC_FIEMAP of the extent list on a specially crafted mmap file.\n\ncontext_switch kernel/sched/core.c:5357 [inline]\n __schedule+0x1798/0x4cc0 kernel/sched/core.c:6961\n __schedule_loop kernel/sched/core.c:7043 [inline]\n schedule+0x165/0x360 kernel/sched/core.c:7058\n schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:7115\n rwsem_down_write_slowpath+0x872/0xfe0 kernel/locking/rwsem.c:1185\n __down_write_common kernel/locking/rwsem.c:1317 [inline]\n __down_write kernel/locking/rwsem.c:1326 [inline]\n down_write+0x1ab/0x1f0 kernel/locking/rwsem.c:1591\n ocfs2_page_mkwrite+0x2ff/0xc40 fs/ocfs2/mmap.c:142\n do_page_mkwrite+0x14d/0x310 mm/memory.c:3361\n wp_page_shared mm/memory.c:3762 [inline]\n do_wp_page+0x268d/0x5800 mm/memory.c:3981\n handle_pte_fault mm/memory.c:6068 [inline]\n __handle_mm_fault+0x1033/0x5440 mm/memory.c:6195\n handle_mm_fault+0x40a/0x8e0 mm/memory.c:6364\n do_user_addr_fault+0x764/0x1390 arch/x86/mm/fault.c:1387\n handle_page_fault arch/x86/mm/fault.c:1476 [inline]\n exc_page_fault+0x76/0xf0 arch/x86/mm/fault.c:1532\n asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623\nRIP: 0010:copy_user_generic arch/x86/include/asm/uaccess_64.h:126 [inline]\nRIP: 0010:raw_copy_to_user arch/x86/include/asm/uaccess_64.h:147 [inline]\nRIP: 0010:_inline_copy_to_user include/linux/uaccess.h:197 [inline]\nRIP: 0010:_copy_to_user+0x85/0xb0 lib/usercopy.c:26\nCode: e8 00 bc f7 fc 4d 39 fc 72 3d 4d 39 ec 77 38 e8 91 b9 f7 fc 4c 89\nf7 89 de e8 47 25 5b fd 0f 01 cb 4c 89 ff 48 89 d9 4c 89 f6 \u003cf3\u003e a4 0f\n1f 00 48 89 cb 0f 01 ca 48 89 d8 5b 41 5c 41 5d 41 5e 41\nRSP: 0018:ffffc9000403f950 EFLAGS: 00050256\nRAX: ffffffff84c7f101 RBX: 0000000000000038 RCX: 0000000000000038\nRDX: 0000000000000000 RSI: ffffc9000403f9e0 RDI: 
0000200000000060\nRBP: ffffc9000403fa90 R08: ffffc9000403fa17 R09: 1ffff92000807f42\nR10: dffffc0000000000 R11: fffff52000807f43 R12: 0000200000000098\nR13: 00007ffffffff000 R14: ffffc9000403f9e0 R15: 0000200000000060\n copy_to_user include/linux/uaccess.h:225 [inline]\n fiemap_fill_next_extent+0x1c0/0x390 fs/ioctl.c:145\n ocfs2_fiemap+0x888/0xc90 fs/ocfs2/extent_map.c:806\n ioctl_fiemap fs/ioctl.c:220 [inline]\n do_vfs_ioctl+0x1173/0x1430 fs/ioctl.c:532\n __do_sys_ioctl fs/ioctl.c:596 [inline]\n __se_sys_ioctl+0x82/0x170 fs/ioctl.c:584\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f5f13850fd9\nRSP: 002b:00007ffe3b3518b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 0000200000000000 RCX: 00007f5f13850fd9\nRDX: 0000200000000040 RSI: 00000000c020660b RDI: 0000000000000004\nRBP: 6165627472616568 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 00007ffe3b3518f0\nR13: 00007ffe3b351b18 R14: 431bde82d7b634db R15: 00007f5f1389a03b\n\nocfs2_fiemap() takes a read lock of the ip_alloc_sem semaphore (since\nv2.6.22-527-g7307de80510a) and calls fiemap_fill_next_extent() to read the\nextent list of this running mmap executable. The user supplied buffer to\nhold the fiemap information page faults calling ocfs2_page_mkwrite() which\nwill take a write lock (since v2.6.27-38-g00dc417fa3e7) of the same\nsemaphore. This recursive semaphore will hold filesystem locks and causes\na hang of the fileystem.\n\nThe ip_alloc_sem protects the inode extent list and size. Release the\nread semphore before calling fiemap_fill_next_extent() in ocfs2_fiemap()\nand ocfs2_fiemap_inline(). This does an unnecessary semaphore lock/unlock\non the last extent but simplifies the error path."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T13:26:32.512Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/16e518ca84dfe860c20a62f3615e14e8af0ace57"
},
{
"url": "https://git.kernel.org/stable/c/7e1514bd44ef68007703c752c99ff7319f35bce6"
},
{
"url": "https://git.kernel.org/stable/c/ef30404980e4c832ef9bba1b10c08f67fa77a9ec"
},
{
"url": "https://git.kernel.org/stable/c/36054554772f95d090eb45793faf6aa3c0254b02"
},
{
"url": "https://git.kernel.org/stable/c/0709bc11b942870fc0a7be150e42aea42321093a"
},
{
"url": "https://git.kernel.org/stable/c/1d3c96547ee2ddeaddf8f19a3ef99ea06cc8115e"
},
{
"url": "https://git.kernel.org/stable/c/9efcb7a8b97310efed995397941a292cf89fa94f"
},
{
"url": "https://git.kernel.org/stable/c/04100f775c2ea501927f508f17ad824ad1f23c8d"
}
],
"title": "ocfs2: fix recursive semaphore deadlock in fiemap call",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39885",
"datePublished": "2025-09-23T06:00:52.584Z",
"dateReserved": "2025-04-16T07:20:57.145Z",
"dateUpdated": "2025-11-03T17:44:25.898Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39718 (GCVE-0-2025-39718)
Vulnerability from cvelistv5 – Published: 2025-09-05 17:21 – Updated: 2025-11-03 17:42
Title
vsock/virtio: Validate length in packet header before skb_put()
Summary
In the Linux kernel, the following vulnerability has been resolved:
vsock/virtio: Validate length in packet header before skb_put()
When receiving a vsock packet in the guest, only the virtqueue buffer
size is validated prior to virtio_vsock_skb_rx_put(). Unfortunately,
virtio_vsock_skb_rx_put() uses the length from the packet header as the
length argument to skb_put(), potentially resulting in SKB overflow if
the host has gone wonky.
Validate the length as advertised by the packet header before calling
virtio_vsock_skb_rx_put().
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: baddcc2c71572968cdaeee1c4ab3dc0ad90fa765 , < 969b06bd8b7560efb100a34227619e7d318fbe05 (git) Affected: 71dc9ec9ac7d3eee785cdc986c3daeb821381e20 , < ee438c492b2e0705d819ac0e25d04fae758d8f8f (git) Affected: 71dc9ec9ac7d3eee785cdc986c3daeb821381e20 , < faf332a10372390ce65d0b803888f4b25a388335 (git) Affected: 71dc9ec9ac7d3eee785cdc986c3daeb821381e20 , < 676f03760ca1d69c2470cef36c44dc152494b47c (git) Affected: 71dc9ec9ac7d3eee785cdc986c3daeb821381e20 , < 0dab92484474587b82e8e0455839eaf5ac7bf894 (git) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:42:44.024Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/vmw_vsock/virtio_transport.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "969b06bd8b7560efb100a34227619e7d318fbe05",
"status": "affected",
"version": "baddcc2c71572968cdaeee1c4ab3dc0ad90fa765",
"versionType": "git"
},
{
"lessThan": "ee438c492b2e0705d819ac0e25d04fae758d8f8f",
"status": "affected",
"version": "71dc9ec9ac7d3eee785cdc986c3daeb821381e20",
"versionType": "git"
},
{
"lessThan": "faf332a10372390ce65d0b803888f4b25a388335",
"status": "affected",
"version": "71dc9ec9ac7d3eee785cdc986c3daeb821381e20",
"versionType": "git"
},
{
"lessThan": "676f03760ca1d69c2470cef36c44dc152494b47c",
"status": "affected",
"version": "71dc9ec9ac7d3eee785cdc986c3daeb821381e20",
"versionType": "git"
},
{
"lessThan": "0dab92484474587b82e8e0455839eaf5ac7bf894",
"status": "affected",
"version": "71dc9ec9ac7d3eee785cdc986c3daeb821381e20",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/vmw_vsock/virtio_transport.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.44",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"versionStartIncluding": "6.1.63",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.44",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.4",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvsock/virtio: Validate length in packet header before skb_put()\n\nWhen receiving a vsock packet in the guest, only the virtqueue buffer\nsize is validated prior to virtio_vsock_skb_rx_put(). Unfortunately,\nvirtio_vsock_skb_rx_put() uses the length from the packet header as the\nlength argument to skb_put(), potentially resulting in SKB overflow if\nthe host has gone wonky.\n\nValidate the length as advertised by the packet header before calling\nvirtio_vsock_skb_rx_put()."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:58:04.224Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/969b06bd8b7560efb100a34227619e7d318fbe05"
},
{
"url": "https://git.kernel.org/stable/c/ee438c492b2e0705d819ac0e25d04fae758d8f8f"
},
{
"url": "https://git.kernel.org/stable/c/faf332a10372390ce65d0b803888f4b25a388335"
},
{
"url": "https://git.kernel.org/stable/c/676f03760ca1d69c2470cef36c44dc152494b47c"
},
{
"url": "https://git.kernel.org/stable/c/0dab92484474587b82e8e0455839eaf5ac7bf894"
}
],
"title": "vsock/virtio: Validate length in packet header before skb_put()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39718",
"datePublished": "2025-09-05T17:21:25.959Z",
"dateReserved": "2025-04-16T07:20:57.117Z",
"dateUpdated": "2025-11-03T17:42:44.024Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39749 (GCVE-0-2025-39749)
Vulnerability from cvelistv5 – Published: 2025-09-11 16:52 – Updated: 2026-01-02 15:32
Title
rcu: Protect ->defer_qs_iw_pending from data race
Summary
In the Linux kernel, the following vulnerability has been resolved:
rcu: Protect ->defer_qs_iw_pending from data race
On kernels built with CONFIG_IRQ_WORK=y, when rcu_read_unlock() is
invoked within an interrupts-disabled region of code [1], it will invoke
rcu_read_unlock_special(), which uses an irq-work handler to force the
system to notice when the RCU read-side critical section actually ends.
That end won't happen until interrupts are enabled at the soonest.
In some kernels, such as those booted with rcutree.use_softirq=y, the
irq-work handler is used unconditionally.
The per-CPU rcu_data structure's ->defer_qs_iw_pending field is
updated by the irq-work handler and is both read and updated by
rcu_read_unlock_special(). This resulted in the following KCSAN splat:
------------------------------------------------------------------------
BUG: KCSAN: data-race in rcu_preempt_deferred_qs_handler / rcu_read_unlock_special
read to 0xffff96b95f42d8d8 of 1 bytes by task 90 on cpu 8:
rcu_read_unlock_special+0x175/0x260
__rcu_read_unlock+0x92/0xa0
rt_spin_unlock+0x9b/0xc0
__local_bh_enable+0x10d/0x170
__local_bh_enable_ip+0xfb/0x150
rcu_do_batch+0x595/0xc40
rcu_cpu_kthread+0x4e9/0x830
smpboot_thread_fn+0x24d/0x3b0
kthread+0x3bd/0x410
ret_from_fork+0x35/0x40
ret_from_fork_asm+0x1a/0x30
write to 0xffff96b95f42d8d8 of 1 bytes by task 88 on cpu 8:
rcu_preempt_deferred_qs_handler+0x1e/0x30
irq_work_single+0xaf/0x160
run_irq_workd+0x91/0xc0
smpboot_thread_fn+0x24d/0x3b0
kthread+0x3bd/0x410
ret_from_fork+0x35/0x40
ret_from_fork_asm+0x1a/0x30
no locks held by irq_work/8/88.
irq event stamp: 200272
hardirqs last enabled at (200272): [<ffffffffb0f56121>] finish_task_switch+0x131/0x320
hardirqs last disabled at (200271): [<ffffffffb25c7859>] __schedule+0x129/0xd70
softirqs last enabled at (0): [<ffffffffb0ee093f>] copy_process+0x4df/0x1cc0
softirqs last disabled at (0): [<0000000000000000>] 0x0
------------------------------------------------------------------------
The problem is that irq-work handlers run with interrupts enabled, which
means that rcu_preempt_deferred_qs_handler() could be interrupted,
and that interrupt handler might contain an RCU read-side critical
section, which might invoke rcu_read_unlock_special(). In the strict
KCSAN mode of operation used by RCU, this constitutes a data race on
the ->defer_qs_iw_pending field.
This commit therefore disables interrupts across the portion of the
rcu_preempt_deferred_qs_handler() that updates the ->defer_qs_iw_pending
field. This suffices because this handler is not a fast path.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 0864f057b050bc6dd68106b3185e02db5140012d , < 74f58f382a7c8333f8d09701aefaa25913bdbe0e (git) Affected: 0864f057b050bc6dd68106b3185e02db5140012d , < f937759c7432d6151b73e1393b6517661813d506 (git) Affected: 0864f057b050bc6dd68106b3185e02db5140012d , < 0ad84d62217488e679ecc90e8628980dcc003de3 (git) Affected: 0864f057b050bc6dd68106b3185e02db5140012d , < b5de8d80b5d049f051b95d9b1ee50ae4ab656124 (git) Affected: 0864f057b050bc6dd68106b3185e02db5140012d , < b55947b725f190396f475d5d0c59aa855a4d8895 (git) Affected: 0864f057b050bc6dd68106b3185e02db5140012d , < e35e711c78c8a4c43330c0dcb1c4d507a19c20f4 (git) Affected: 0864f057b050bc6dd68106b3185e02db5140012d , < 90de9c94ea72327cfa9c2c9f6113c23a513af60b (git) Affected: 0864f057b050bc6dd68106b3185e02db5140012d , < 55e11f6776798b27cf09a7aa0d718415d4fc9cf5 (git) Affected: 0864f057b050bc6dd68106b3185e02db5140012d , < 90c09d57caeca94e6f3f87c49e96a91edd40cbfd (git) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:43:01.289Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/rcu/tree_plugin.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "74f58f382a7c8333f8d09701aefaa25913bdbe0e",
"status": "affected",
"version": "0864f057b050bc6dd68106b3185e02db5140012d",
"versionType": "git"
},
{
"lessThan": "f937759c7432d6151b73e1393b6517661813d506",
"status": "affected",
"version": "0864f057b050bc6dd68106b3185e02db5140012d",
"versionType": "git"
},
{
"lessThan": "0ad84d62217488e679ecc90e8628980dcc003de3",
"status": "affected",
"version": "0864f057b050bc6dd68106b3185e02db5140012d",
"versionType": "git"
},
{
"lessThan": "b5de8d80b5d049f051b95d9b1ee50ae4ab656124",
"status": "affected",
"version": "0864f057b050bc6dd68106b3185e02db5140012d",
"versionType": "git"
},
{
"lessThan": "b55947b725f190396f475d5d0c59aa855a4d8895",
"status": "affected",
"version": "0864f057b050bc6dd68106b3185e02db5140012d",
"versionType": "git"
},
{
"lessThan": "e35e711c78c8a4c43330c0dcb1c4d507a19c20f4",
"status": "affected",
"version": "0864f057b050bc6dd68106b3185e02db5140012d",
"versionType": "git"
},
{
"lessThan": "90de9c94ea72327cfa9c2c9f6113c23a513af60b",
"status": "affected",
"version": "0864f057b050bc6dd68106b3185e02db5140012d",
"versionType": "git"
},
{
"lessThan": "55e11f6776798b27cf09a7aa0d718415d4fc9cf5",
"status": "affected",
"version": "0864f057b050bc6dd68106b3185e02db5140012d",
"versionType": "git"
},
{
"lessThan": "90c09d57caeca94e6f3f87c49e96a91edd40cbfd",
"status": "affected",
"version": "0864f057b050bc6dd68106b3185e02db5140012d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/rcu/tree_plugin.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.3"
},
{
"lessThan": "5.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.43",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.11",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.2",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrcu: Protect -\u003edefer_qs_iw_pending from data race\n\nOn kernels built with CONFIG_IRQ_WORK=y, when rcu_read_unlock() is\ninvoked within an interrupts-disabled region of code [1], it will invoke\nrcu_read_unlock_special(), which uses an irq-work handler to force the\nsystem to notice when the RCU read-side critical section actually ends.\nThat end won\u0027t happen until interrupts are enabled at the soonest.\n\nIn some kernels, such as those booted with rcutree.use_softirq=y, the\nirq-work handler is used unconditionally.\n\nThe per-CPU rcu_data structure\u0027s -\u003edefer_qs_iw_pending field is\nupdated by the irq-work handler and is both read and updated by\nrcu_read_unlock_special(). This resulted in the following KCSAN splat:\n\n------------------------------------------------------------------------\n\nBUG: KCSAN: data-race in rcu_preempt_deferred_qs_handler / rcu_read_unlock_special\n\nread to 0xffff96b95f42d8d8 of 1 bytes by task 90 on cpu 8:\n rcu_read_unlock_special+0x175/0x260\n __rcu_read_unlock+0x92/0xa0\n rt_spin_unlock+0x9b/0xc0\n __local_bh_enable+0x10d/0x170\n __local_bh_enable_ip+0xfb/0x150\n rcu_do_batch+0x595/0xc40\n rcu_cpu_kthread+0x4e9/0x830\n smpboot_thread_fn+0x24d/0x3b0\n kthread+0x3bd/0x410\n ret_from_fork+0x35/0x40\n ret_from_fork_asm+0x1a/0x30\n\nwrite to 0xffff96b95f42d8d8 of 1 bytes by task 88 on cpu 8:\n rcu_preempt_deferred_qs_handler+0x1e/0x30\n irq_work_single+0xaf/0x160\n run_irq_workd+0x91/0xc0\n smpboot_thread_fn+0x24d/0x3b0\n kthread+0x3bd/0x410\n ret_from_fork+0x35/0x40\n ret_from_fork_asm+0x1a/0x30\n\nno locks held by irq_work/8/88.\nirq event stamp: 200272\nhardirqs last enabled at (200272): [\u003cffffffffb0f56121\u003e] finish_task_switch+0x131/0x320\nhardirqs last disabled at (200271): [\u003cffffffffb25c7859\u003e] __schedule+0x129/0xd70\nsoftirqs last enabled at (0): [\u003cffffffffb0ee093f\u003e] copy_process+0x4df/0x1cc0\nsoftirqs 
last disabled at (0): [\u003c0000000000000000\u003e] 0x0\n\n------------------------------------------------------------------------\n\nThe problem is that irq-work handlers run with interrupts enabled, which\nmeans that rcu_preempt_deferred_qs_handler() could be interrupted,\nand that interrupt handler might contain an RCU read-side critical\nsection, which might invoke rcu_read_unlock_special(). In the strict\nKCSAN mode of operation used by RCU, this constitutes a data race on\nthe -\u003edefer_qs_iw_pending field.\n\nThis commit therefore disables interrupts across the portion of the\nrcu_preempt_deferred_qs_handler() that updates the -\u003edefer_qs_iw_pending\nfield. This suffices because this handler is not a fast path."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:32:06.091Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/74f58f382a7c8333f8d09701aefaa25913bdbe0e"
},
{
"url": "https://git.kernel.org/stable/c/f937759c7432d6151b73e1393b6517661813d506"
},
{
"url": "https://git.kernel.org/stable/c/0ad84d62217488e679ecc90e8628980dcc003de3"
},
{
"url": "https://git.kernel.org/stable/c/b5de8d80b5d049f051b95d9b1ee50ae4ab656124"
},
{
"url": "https://git.kernel.org/stable/c/b55947b725f190396f475d5d0c59aa855a4d8895"
},
{
"url": "https://git.kernel.org/stable/c/e35e711c78c8a4c43330c0dcb1c4d507a19c20f4"
},
{
"url": "https://git.kernel.org/stable/c/90de9c94ea72327cfa9c2c9f6113c23a513af60b"
},
{
"url": "https://git.kernel.org/stable/c/55e11f6776798b27cf09a7aa0d718415d4fc9cf5"
},
{
"url": "https://git.kernel.org/stable/c/90c09d57caeca94e6f3f87c49e96a91edd40cbfd"
}
],
"title": "rcu: Protect -\u003edefer_qs_iw_pending from data race",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39749",
"datePublished": "2025-09-11T16:52:21.228Z",
"dateReserved": "2025-04-16T07:20:57.125Z",
"dateUpdated": "2026-01-02T15:32:06.091Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39865 (GCVE-0-2025-39865)
Vulnerability from cvelistv5 – Published: 2025-09-19 15:26 – Updated: 2025-11-03 17:44
Title
tee: fix NULL pointer dereference in tee_shm_put
Summary
In the Linux kernel, the following vulnerability has been resolved:
tee: fix NULL pointer dereference in tee_shm_put
tee_shm_put have NULL pointer dereference:
__optee_disable_shm_cache -->
shm = reg_pair_to_ptr(...);//shm maybe return NULL
tee_shm_free(shm); -->
tee_shm_put(shm);//crash
Add check in tee_shm_put to fix it.
panic log:
Unable to handle kernel paging request at virtual address 0000000000100cca
Mem abort info:
ESR = 0x0000000096000004
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x04: level 0 translation fault
Data abort info:
ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
CM = 0, WnR = 0, TnD = 0, TagAccess = 0
GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
user pgtable: 4k pages, 48-bit VAs, pgdp=0000002049d07000
[0000000000100cca] pgd=0000000000000000, p4d=0000000000000000
Internal error: Oops: 0000000096000004 [#1] SMP
CPU: 2 PID: 14442 Comm: systemd-sleep Tainted: P OE ------- ----
6.6.0-39-generic #38
Source Version: 938b255f6cb8817c95b0dd5c8c2944acfce94b07
Hardware name: greatwall GW-001Y1A-FTH, BIOS Great Wall BIOS V3.0
10/26/2022
pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : tee_shm_put+0x24/0x188
lr : tee_shm_free+0x14/0x28
sp : ffff001f98f9faf0
x29: ffff001f98f9faf0 x28: ffff0020df543cc0 x27: 0000000000000000
x26: ffff001f811344a0 x25: ffff8000818dac00 x24: ffff800082d8d048
x23: ffff001f850fcd18 x22: 0000000000000001 x21: ffff001f98f9fb88
x20: ffff001f83e76218 x19: ffff001f83e761e0 x18: 000000000000ffff
x17: 303a30303a303030 x16: 0000000000000000 x15: 0000000000000003
x14: 0000000000000001 x13: 0000000000000000 x12: 0101010101010101
x11: 0000000000000001 x10: 0000000000000001 x9 : ffff800080e08d0c
x8 : ffff001f98f9fb88 x7 : 0000000000000000 x6 : 0000000000000000
x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000
x2 : ffff001f83e761e0 x1 : 00000000ffff001f x0 : 0000000000100cca
Call trace:
tee_shm_put+0x24/0x188
tee_shm_free+0x14/0x28
__optee_disable_shm_cache+0xa8/0x108
optee_shutdown+0x28/0x38
platform_shutdown+0x28/0x40
device_shutdown+0x144/0x2b0
kernel_power_off+0x3c/0x80
hibernate+0x35c/0x388
state_store+0x64/0x80
kobj_attr_store+0x14/0x28
sysfs_kf_write+0x48/0x60
kernfs_fop_write_iter+0x128/0x1c0
vfs_write+0x270/0x370
ksys_write+0x6c/0x100
__arm64_sys_write+0x20/0x30
invoke_syscall+0x4c/0x120
el0_svc_common.constprop.0+0x44/0xf0
do_el0_svc+0x24/0x38
el0_svc+0x24/0x88
el0t_64_sync_handler+0x134/0x150
el0t_64_sync+0x14c/0x15
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: c05d8f66ec3470e5212c4d08c46d6cb5738d600d , < f266188603c34e6e234fb0dfc3185f0ba98d71b7 (git) Affected: 492eb7afe858d60408b2da09adc78540c4d16543 , < 4377eac565c297fdfccd2f8e9bf94ee84ff6172f (git) Affected: dfd0743f1d9ea76931510ed150334d571fbab49d , < 25e315bc8ad363bd1194e49062f183ad4011957e (git) Affected: dfd0743f1d9ea76931510ed150334d571fbab49d , < add1ecc8f3ad8df22e3599c5c88d7907cc2a3079 (git) Affected: dfd0743f1d9ea76931510ed150334d571fbab49d , < 963fca19fe34c496e04f7dd133b807b76a5434ca (git) Affected: dfd0743f1d9ea76931510ed150334d571fbab49d , < 5e07a4235bb85d9ef664411e4ff4ac34783c18ff (git) Affected: dfd0743f1d9ea76931510ed150334d571fbab49d , < e4a718a3a47e89805c3be9d46a84de1949a98d5d (git) Affected: 3d556a28bbfe34a80b014db49908b0f1bcb1ae80 (git) Affected: b4a661b4212b8fac8853ec3b68e4a909dccc88a1 (git) Affected: 940e68e57ab69248fabba5889e615305789db8a7 (git) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:44:16.367Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/tee/tee_shm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f266188603c34e6e234fb0dfc3185f0ba98d71b7",
"status": "affected",
"version": "c05d8f66ec3470e5212c4d08c46d6cb5738d600d",
"versionType": "git"
},
{
"lessThan": "4377eac565c297fdfccd2f8e9bf94ee84ff6172f",
"status": "affected",
"version": "492eb7afe858d60408b2da09adc78540c4d16543",
"versionType": "git"
},
{
"lessThan": "25e315bc8ad363bd1194e49062f183ad4011957e",
"status": "affected",
"version": "dfd0743f1d9ea76931510ed150334d571fbab49d",
"versionType": "git"
},
{
"lessThan": "add1ecc8f3ad8df22e3599c5c88d7907cc2a3079",
"status": "affected",
"version": "dfd0743f1d9ea76931510ed150334d571fbab49d",
"versionType": "git"
},
{
"lessThan": "963fca19fe34c496e04f7dd133b807b76a5434ca",
"status": "affected",
"version": "dfd0743f1d9ea76931510ed150334d571fbab49d",
"versionType": "git"
},
{
"lessThan": "5e07a4235bb85d9ef664411e4ff4ac34783c18ff",
"status": "affected",
"version": "dfd0743f1d9ea76931510ed150334d571fbab49d",
"versionType": "git"
},
{
"lessThan": "e4a718a3a47e89805c3be9d46a84de1949a98d5d",
"status": "affected",
"version": "dfd0743f1d9ea76931510ed150334d571fbab49d",
"versionType": "git"
},
{
"status": "affected",
"version": "3d556a28bbfe34a80b014db49908b0f1bcb1ae80",
"versionType": "git"
},
{
"status": "affected",
"version": "b4a661b4212b8fac8853ec3b68e4a909dccc88a1",
"versionType": "git"
},
{
"status": "affected",
"version": "940e68e57ab69248fabba5889e615305789db8a7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/tee/tee_shm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.243",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.192",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.151",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.105",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.243",
"versionStartIncluding": "5.10.89",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.192",
"versionStartIncluding": "5.15.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.151",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.105",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.261",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.224",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.170",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntee: fix NULL pointer dereference in tee_shm_put\n\ntee_shm_put have NULL pointer dereference:\n\n__optee_disable_shm_cache --\u003e\n\tshm = reg_pair_to_ptr(...);//shm maybe return NULL\n tee_shm_free(shm); --\u003e\n\t\ttee_shm_put(shm);//crash\n\nAdd check in tee_shm_put to fix it.\n\npanic log:\nUnable to handle kernel paging request at virtual address 0000000000100cca\nMem abort info:\nESR = 0x0000000096000004\nEC = 0x25: DABT (current EL), IL = 32 bits\nSET = 0, FnV = 0\nEA = 0, S1PTW = 0\nFSC = 0x04: level 0 translation fault\nData abort info:\nISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\nCM = 0, WnR = 0, TnD = 0, TagAccess = 0\nGCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\nuser pgtable: 4k pages, 48-bit VAs, pgdp=0000002049d07000\n[0000000000100cca] pgd=0000000000000000, p4d=0000000000000000\nInternal error: Oops: 0000000096000004 [#1] SMP\nCPU: 2 PID: 14442 Comm: systemd-sleep Tainted: P OE ------- ----\n6.6.0-39-generic #38\nSource Version: 938b255f6cb8817c95b0dd5c8c2944acfce94b07\nHardware name: greatwall GW-001Y1A-FTH, BIOS Great Wall BIOS V3.0\n10/26/2022\npstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : tee_shm_put+0x24/0x188\nlr : tee_shm_free+0x14/0x28\nsp : ffff001f98f9faf0\nx29: ffff001f98f9faf0 x28: ffff0020df543cc0 x27: 0000000000000000\nx26: ffff001f811344a0 x25: ffff8000818dac00 x24: ffff800082d8d048\nx23: ffff001f850fcd18 x22: 0000000000000001 x21: ffff001f98f9fb88\nx20: ffff001f83e76218 x19: ffff001f83e761e0 x18: 000000000000ffff\nx17: 303a30303a303030 x16: 0000000000000000 x15: 0000000000000003\nx14: 0000000000000001 x13: 0000000000000000 x12: 0101010101010101\nx11: 0000000000000001 x10: 0000000000000001 x9 : ffff800080e08d0c\nx8 : ffff001f98f9fb88 x7 : 0000000000000000 x6 : 0000000000000000\nx5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000\nx2 : ffff001f83e761e0 x1 : 00000000ffff001f x0 : 0000000000100cca\nCall 
trace:\ntee_shm_put+0x24/0x188\ntee_shm_free+0x14/0x28\n__optee_disable_shm_cache+0xa8/0x108\noptee_shutdown+0x28/0x38\nplatform_shutdown+0x28/0x40\ndevice_shutdown+0x144/0x2b0\nkernel_power_off+0x3c/0x80\nhibernate+0x35c/0x388\nstate_store+0x64/0x80\nkobj_attr_store+0x14/0x28\nsysfs_kf_write+0x48/0x60\nkernfs_fop_write_iter+0x128/0x1c0\nvfs_write+0x270/0x370\nksys_write+0x6c/0x100\n__arm64_sys_write+0x20/0x30\ninvoke_syscall+0x4c/0x120\nel0_svc_common.constprop.0+0x44/0xf0\ndo_el0_svc+0x24/0x38\nel0_svc+0x24/0x88\nel0t_64_sync_handler+0x134/0x150\nel0t_64_sync+0x14c/0x15"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:01:21.318Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f266188603c34e6e234fb0dfc3185f0ba98d71b7"
},
{
"url": "https://git.kernel.org/stable/c/4377eac565c297fdfccd2f8e9bf94ee84ff6172f"
},
{
"url": "https://git.kernel.org/stable/c/25e315bc8ad363bd1194e49062f183ad4011957e"
},
{
"url": "https://git.kernel.org/stable/c/add1ecc8f3ad8df22e3599c5c88d7907cc2a3079"
},
{
"url": "https://git.kernel.org/stable/c/963fca19fe34c496e04f7dd133b807b76a5434ca"
},
{
"url": "https://git.kernel.org/stable/c/5e07a4235bb85d9ef664411e4ff4ac34783c18ff"
},
{
"url": "https://git.kernel.org/stable/c/e4a718a3a47e89805c3be9d46a84de1949a98d5d"
}
],
"title": "tee: fix NULL pointer dereference in tee_shm_put",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39865",
"datePublished": "2025-09-19T15:26:34.853Z",
"dateReserved": "2025-04-16T07:20:57.143Z",
"dateUpdated": "2025-11-03T17:44:16.367Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50325 (GCVE-0-2022-50325)
Vulnerability from cvelistv5 – Published: 2025-09-15 14:49 – Updated: 2025-09-15 14:49
Title
ASoC: Intel: avs: Fix potential RX buffer overflow
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: Intel: avs: Fix potential RX buffer overflow
If an event caused firmware to return invalid RX size for
LARGE_CONFIG_GET, memcpy_fromio() could end up copying too many bytes.
Fix by utilizing min_t().
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: f14a1c5a9f830025dc8638303ddefd5f731ae4bc , < ec1f0c12cb2e614c3fa8e9402f7ffcf82166078a (git) |
| Linux | Linux | Affected: f14a1c5a9f830025dc8638303ddefd5f731ae4bc , < 0bad12fee5ae16ab439d97c66c4238f5f4cc7f68 (git) |
| Linux | Linux | Affected: f14a1c5a9f830025dc8638303ddefd5f731ae4bc , < 23ae34e033b2c0e5e88237af82b163b296fd6aa9 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/intel/avs/ipc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ec1f0c12cb2e614c3fa8e9402f7ffcf82166078a",
"status": "affected",
"version": "f14a1c5a9f830025dc8638303ddefd5f731ae4bc",
"versionType": "git"
},
{
"lessThan": "0bad12fee5ae16ab439d97c66c4238f5f4cc7f68",
"status": "affected",
"version": "f14a1c5a9f830025dc8638303ddefd5f731ae4bc",
"versionType": "git"
},
{
"lessThan": "23ae34e033b2c0e5e88237af82b163b296fd6aa9",
"status": "affected",
"version": "f14a1c5a9f830025dc8638303ddefd5f731ae4bc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/intel/avs/ipc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: Intel: avs: Fix potential RX buffer overflow\n\nIf an event caused firmware to return invalid RX size for\nLARGE_CONFIG_GET, memcpy_fromio() could end up copying too many bytes.\nFix by utilizing min_t()."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T14:49:19.788Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ec1f0c12cb2e614c3fa8e9402f7ffcf82166078a"
},
{
"url": "https://git.kernel.org/stable/c/0bad12fee5ae16ab439d97c66c4238f5f4cc7f68"
},
{
"url": "https://git.kernel.org/stable/c/23ae34e033b2c0e5e88237af82b163b296fd6aa9"
}
],
"title": "ASoC: Intel: avs: Fix potential RX buffer overflow",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50325",
"datePublished": "2025-09-15T14:49:19.788Z",
"dateReserved": "2025-09-15T14:18:36.815Z",
"dateUpdated": "2025-09-15T14:49:19.788Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38724 (GCVE-0-2025-38724)
Vulnerability from cvelistv5 – Published: 2025-09-04 15:33 – Updated: 2025-11-03 17:41
Title
nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm()
Summary
In the Linux kernel, the following vulnerability has been resolved:
nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm()
Lei Lu recently reported that nfsd4_setclientid_confirm() did not check
the return value from get_client_locked(). A SETCLIENTID_CONFIRM could
race with a confirmed client expiring and fail to get a reference. That
could later lead to a UAF.
Fix this by getting a reference early in the case where there is an
extant confirmed client. If that fails then treat it as if there were no
confirmed client found at all.
In the case where the unconfirmed client is expiring, just fail and
return the result from get_client_locked().
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: d20c11d86d8f821a64eac7d6c8f296f06d935f4f , < 3f252a73e81aa01660cb426735eab932e6182e8d (git) |
| Linux | Linux | Affected: d20c11d86d8f821a64eac7d6c8f296f06d935f4f , < d35ac850410966010e92f401f4e21868a9ea4d8b (git) |
| Linux | Linux | Affected: d20c11d86d8f821a64eac7d6c8f296f06d935f4f , < f3aac6cf390d8b80e1d82975faf4ac61175519c0 (git) |
| Linux | Linux | Affected: d20c11d86d8f821a64eac7d6c8f296f06d935f4f , < 22f45cedf281e6171817c8a3432c44d788c550e1 (git) |
| Linux | Linux | Affected: d20c11d86d8f821a64eac7d6c8f296f06d935f4f , < d71abd1ae4e0413707cd42b10c24a11d1aa71772 (git) |
| Linux | Linux | Affected: d20c11d86d8f821a64eac7d6c8f296f06d935f4f , < 74ad36ed60df561a303a19ecef400c7096b20306 (git) |
| Linux | Linux | Affected: d20c11d86d8f821a64eac7d6c8f296f06d935f4f , < 36e83eda90e0e4ac52f259f775b40b2841f8a0a3 (git) |
| Linux | Linux | Affected: d20c11d86d8f821a64eac7d6c8f296f06d935f4f , < 571a5e46c71490285d2d8c06f6b5a7cbf6c7edd1 (git) |
| Linux | Linux | Affected: d20c11d86d8f821a64eac7d6c8f296f06d935f4f , < 908e4ead7f757504d8b345452730636e298cbf68 (git) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:41:53.468Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfsd/nfs4state.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3f252a73e81aa01660cb426735eab932e6182e8d",
"status": "affected",
"version": "d20c11d86d8f821a64eac7d6c8f296f06d935f4f",
"versionType": "git"
},
{
"lessThan": "d35ac850410966010e92f401f4e21868a9ea4d8b",
"status": "affected",
"version": "d20c11d86d8f821a64eac7d6c8f296f06d935f4f",
"versionType": "git"
},
{
"lessThan": "f3aac6cf390d8b80e1d82975faf4ac61175519c0",
"status": "affected",
"version": "d20c11d86d8f821a64eac7d6c8f296f06d935f4f",
"versionType": "git"
},
{
"lessThan": "22f45cedf281e6171817c8a3432c44d788c550e1",
"status": "affected",
"version": "d20c11d86d8f821a64eac7d6c8f296f06d935f4f",
"versionType": "git"
},
{
"lessThan": "d71abd1ae4e0413707cd42b10c24a11d1aa71772",
"status": "affected",
"version": "d20c11d86d8f821a64eac7d6c8f296f06d935f4f",
"versionType": "git"
},
{
"lessThan": "74ad36ed60df561a303a19ecef400c7096b20306",
"status": "affected",
"version": "d20c11d86d8f821a64eac7d6c8f296f06d935f4f",
"versionType": "git"
},
{
"lessThan": "36e83eda90e0e4ac52f259f775b40b2841f8a0a3",
"status": "affected",
"version": "d20c11d86d8f821a64eac7d6c8f296f06d935f4f",
"versionType": "git"
},
{
"lessThan": "571a5e46c71490285d2d8c06f6b5a7cbf6c7edd1",
"status": "affected",
"version": "d20c11d86d8f821a64eac7d6c8f296f06d935f4f",
"versionType": "git"
},
{
"lessThan": "908e4ead7f757504d8b345452730636e298cbf68",
"status": "affected",
"version": "d20c11d86d8f821a64eac7d6c8f296f06d935f4f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfsd/nfs4state.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.17"
},
{
"lessThan": "3.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.43",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.11",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.2",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "3.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm()\n\nLei Lu recently reported that nfsd4_setclientid_confirm() did not check\nthe return value from get_client_locked(). a SETCLIENTID_CONFIRM could\nrace with a confirmed client expiring and fail to get a reference. That\ncould later lead to a UAF.\n\nFix this by getting a reference early in the case where there is an\nextant confirmed client. If that fails then treat it as if there were no\nconfirmed client found at all.\n\nIn the case where the unconfirmed client is expiring, just fail and\nreturn the result from get_client_locked()."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:56:49.927Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3f252a73e81aa01660cb426735eab932e6182e8d"
},
{
"url": "https://git.kernel.org/stable/c/d35ac850410966010e92f401f4e21868a9ea4d8b"
},
{
"url": "https://git.kernel.org/stable/c/f3aac6cf390d8b80e1d82975faf4ac61175519c0"
},
{
"url": "https://git.kernel.org/stable/c/22f45cedf281e6171817c8a3432c44d788c550e1"
},
{
"url": "https://git.kernel.org/stable/c/d71abd1ae4e0413707cd42b10c24a11d1aa71772"
},
{
"url": "https://git.kernel.org/stable/c/74ad36ed60df561a303a19ecef400c7096b20306"
},
{
"url": "https://git.kernel.org/stable/c/36e83eda90e0e4ac52f259f775b40b2841f8a0a3"
},
{
"url": "https://git.kernel.org/stable/c/571a5e46c71490285d2d8c06f6b5a7cbf6c7edd1"
},
{
"url": "https://git.kernel.org/stable/c/908e4ead7f757504d8b345452730636e298cbf68"
}
],
"title": "nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38724",
"datePublished": "2025-09-04T15:33:22.370Z",
"dateReserved": "2025-04-16T04:51:24.033Z",
"dateUpdated": "2025-11-03T17:41:53.468Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39714 (GCVE-0-2025-39714)
Vulnerability from cvelistv5 – Published: 2025-09-05 17:21 – Updated: 2025-11-03 17:42
Title
media: usbtv: Lock resolution while streaming
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: usbtv: Lock resolution while streaming
When a program is streaming (ffplay) and another program (qv4l2)
changes the TV standard from NTSC to PAL, the kernel crashes due to trying
to copy to unmapped memory.
Changing from NTSC to PAL increases the resolution in the usbtv struct,
but the video plane buffer isn't adjusted, so it overflows.
[hverkuil: call vb2_is_busy instead of vb2_is_streaming]
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 0e0fe3958fdd13dbf55c3a787acafde6efd04272 , < c35e7c7a004ef379a1ae7c7486d4829419acad1d (git) |
| Linux | Linux | Affected: 0e0fe3958fdd13dbf55c3a787acafde6efd04272 , < ee7bade8b9244834229b12b6e1e724939bedd484 (git) |
| Linux | Linux | Affected: 0e0fe3958fdd13dbf55c3a787acafde6efd04272 , < 5427dda195d6baf23028196fd55a0c90f66ffa61 (git) |
| Linux | Linux | Affected: 0e0fe3958fdd13dbf55c3a787acafde6efd04272 , < ef9b3c22405192afaa279077ddd45a51db90b83d (git) |
| Linux | Linux | Affected: 0e0fe3958fdd13dbf55c3a787acafde6efd04272 , < 3d83d0b5ae5045a7a246ed116b5f6c688a12f9e9 (git) |
| Linux | Linux | Affected: 0e0fe3958fdd13dbf55c3a787acafde6efd04272 , < c3d75524e10021aa5c223d94da4996640aed46c0 (git) |
| Linux | Linux | Affected: 0e0fe3958fdd13dbf55c3a787acafde6efd04272 , < 9f886d21e235c4bd038cb20f6696084304197ab3 (git) |
| Linux | Linux | Affected: 0e0fe3958fdd13dbf55c3a787acafde6efd04272 , < 7e40e0bb778907b2441bff68d73c3eb6b6cd319f (git) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:42:41.101Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/usb/usbtv/usbtv-video.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c35e7c7a004ef379a1ae7c7486d4829419acad1d",
"status": "affected",
"version": "0e0fe3958fdd13dbf55c3a787acafde6efd04272",
"versionType": "git"
},
{
"lessThan": "ee7bade8b9244834229b12b6e1e724939bedd484",
"status": "affected",
"version": "0e0fe3958fdd13dbf55c3a787acafde6efd04272",
"versionType": "git"
},
{
"lessThan": "5427dda195d6baf23028196fd55a0c90f66ffa61",
"status": "affected",
"version": "0e0fe3958fdd13dbf55c3a787acafde6efd04272",
"versionType": "git"
},
{
"lessThan": "ef9b3c22405192afaa279077ddd45a51db90b83d",
"status": "affected",
"version": "0e0fe3958fdd13dbf55c3a787acafde6efd04272",
"versionType": "git"
},
{
"lessThan": "3d83d0b5ae5045a7a246ed116b5f6c688a12f9e9",
"status": "affected",
"version": "0e0fe3958fdd13dbf55c3a787acafde6efd04272",
"versionType": "git"
},
{
"lessThan": "c3d75524e10021aa5c223d94da4996640aed46c0",
"status": "affected",
"version": "0e0fe3958fdd13dbf55c3a787acafde6efd04272",
"versionType": "git"
},
{
"lessThan": "9f886d21e235c4bd038cb20f6696084304197ab3",
"status": "affected",
"version": "0e0fe3958fdd13dbf55c3a787acafde6efd04272",
"versionType": "git"
},
{
"lessThan": "7e40e0bb778907b2441bff68d73c3eb6b6cd319f",
"status": "affected",
"version": "0e0fe3958fdd13dbf55c3a787acafde6efd04272",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/usb/usbtv/usbtv-video.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.14"
},
{
"lessThan": "3.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.44",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.44",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.4",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "3.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: usbtv: Lock resolution while streaming\n\nWhen an program is streaming (ffplay) and another program (qv4l2)\nchanges the TV standard from NTSC to PAL, the kernel crashes due to trying\nto copy to unmapped memory.\n\nChanging from NTSC to PAL increases the resolution in the usbtv struct,\nbut the video plane buffer isn\u0027t adjusted, so it overflows.\n\n[hverkuil: call vb2_is_busy instead of vb2_is_streaming]"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:57:59.084Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c35e7c7a004ef379a1ae7c7486d4829419acad1d"
},
{
"url": "https://git.kernel.org/stable/c/ee7bade8b9244834229b12b6e1e724939bedd484"
},
{
"url": "https://git.kernel.org/stable/c/5427dda195d6baf23028196fd55a0c90f66ffa61"
},
{
"url": "https://git.kernel.org/stable/c/ef9b3c22405192afaa279077ddd45a51db90b83d"
},
{
"url": "https://git.kernel.org/stable/c/3d83d0b5ae5045a7a246ed116b5f6c688a12f9e9"
},
{
"url": "https://git.kernel.org/stable/c/c3d75524e10021aa5c223d94da4996640aed46c0"
},
{
"url": "https://git.kernel.org/stable/c/9f886d21e235c4bd038cb20f6696084304197ab3"
},
{
"url": "https://git.kernel.org/stable/c/7e40e0bb778907b2441bff68d73c3eb6b6cd319f"
}
],
"title": "media: usbtv: Lock resolution while streaming",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39714",
"datePublished": "2025-09-05T17:21:21.435Z",
"dateReserved": "2025-04-16T07:20:57.117Z",
"dateUpdated": "2025-11-03T17:42:41.101Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53429 (GCVE-0-2023-53429)
Vulnerability from cvelistv5 – Published: 2025-09-18 16:04 – Updated: 2026-01-14 19:23
Title
btrfs: don't check PageError in __extent_writepage
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: don't check PageError in __extent_writepage
__extent_writepage currently sets PageError whenever any error happens,
and then also checks for PageError to decide whether to call error handling.
This leads to very unclear responsibility for cleaning up on errors.
In the VM and generic writeback helpers the basic idea is that once
I/O is fired off all error handling responsibility is delegated to the
end I/O handler. But if that end I/O handler sets the PageError bit,
and the submitter checks it, the bit could in some cases leak into the
submission context for fast enough I/O.
Fix this by simply not checking PageError and just using the local
ret variable to check for submission errors. This also fundamentally
solves the long problem documented in a comment in __extent_writepage
by never leaking the error bit into the submission context.
Severity
5.5 (Medium)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-53429",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T19:14:32.022612Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T19:23:09.173Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/extent_io.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d40be032ecd8ee1ca033bee43c7755d21fb4d72a",
"status": "affected",
"version": "61391d562229ed94899ed4b4973dc2f0c015292a",
"versionType": "git"
},
{
"lessThan": "3e92499e3b004baffb479d61e191b41b604ece9a",
"status": "affected",
"version": "61391d562229ed94899ed4b4973dc2f0c015292a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/extent_io.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.16"
},
{
"lessThan": "3.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "3.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: don\u0027t check PageError in __extent_writepage\n\n__extent_writepage currenly sets PageError whenever any error happens,\nand the also checks for PageError to decide if to call error handling.\nThis leads to very unclear responsibility for cleaning up on errors.\nIn the VM and generic writeback helpers the basic idea is that once\nI/O is fired off all error handling responsibility is delegated to the\nend I/O handler. But if that end I/O handler sets the PageError bit,\nand the submitter checks it, the bit could in some cases leak into the\nsubmission context for fast enough I/O.\n\nFix this by simply not checking PageError and just using the local\nret variable to check for submission errors. This also fundamentally\nsolves the long problem documented in a comment in __extent_writepage\nby never leaking the error bit into the submission context."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:20:18.417Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d40be032ecd8ee1ca033bee43c7755d21fb4d72a"
},
{
"url": "https://git.kernel.org/stable/c/3e92499e3b004baffb479d61e191b41b604ece9a"
}
],
"title": "btrfs: don\u0027t check PageError in __extent_writepage",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53429",
"datePublished": "2025-09-18T16:04:10.298Z",
"dateReserved": "2025-09-17T14:54:09.745Z",
"dateUpdated": "2026-01-14T19:23:09.173Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38572 (GCVE-0-2025-38572)
Vulnerability from cvelistv5 – Published: 2025-08-19 17:02 – Updated: 2025-11-03 17:39
Title
ipv6: reject malicious packets in ipv6_gso_segment()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv6: reject malicious packets in ipv6_gso_segment()
syzbot was able to craft a packet with very long IPv6 extension headers
leading to an overflow of skb->transport_header.
This 16bit field has a limited range.
Add skb_reset_transport_header_careful() helper and use it
from ipv6_gso_segment()
WARNING: CPU: 0 PID: 5871 at ./include/linux/skbuff.h:3032 skb_reset_transport_header include/linux/skbuff.h:3032 [inline]
WARNING: CPU: 0 PID: 5871 at ./include/linux/skbuff.h:3032 ipv6_gso_segment+0x15e2/0x21e0 net/ipv6/ip6_offload.c:151
Modules linked in:
CPU: 0 UID: 0 PID: 5871 Comm: syz-executor211 Not tainted 6.16.0-rc6-syzkaller-g7abc678e3084 #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
RIP: 0010:skb_reset_transport_header include/linux/skbuff.h:3032 [inline]
RIP: 0010:ipv6_gso_segment+0x15e2/0x21e0 net/ipv6/ip6_offload.c:151
Call Trace:
<TASK>
skb_mac_gso_segment+0x31c/0x640 net/core/gso.c:53
nsh_gso_segment+0x54a/0xe10 net/nsh/nsh.c:110
skb_mac_gso_segment+0x31c/0x640 net/core/gso.c:53
__skb_gso_segment+0x342/0x510 net/core/gso.c:124
skb_gso_segment include/net/gso.h:83 [inline]
validate_xmit_skb+0x857/0x11b0 net/core/dev.c:3950
validate_xmit_skb_list+0x84/0x120 net/core/dev.c:4000
sch_direct_xmit+0xd3/0x4b0 net/sched/sch_generic.c:329
__dev_xmit_skb net/core/dev.c:4102 [inline]
__dev_queue_xmit+0x17b6/0x3a70 net/core/dev.c:4679
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: d1da932ed4ecad2a14cbcc01ed589d617d0f0f09 , < 5dc60b2a00ed7629214ac0c48e43f40af2078703 (git) |
| Linux | Linux | Affected: d1da932ed4ecad2a14cbcc01ed589d617d0f0f09 , < 3f638e0b28bde7c3354a0df938ab3a96739455d1 (git) |
| Linux | Linux | Affected: d1da932ed4ecad2a14cbcc01ed589d617d0f0f09 , < 09ff062b89d8e48165247d677d1ca23d6d607e9b (git) |
| Linux | Linux | Affected: d1da932ed4ecad2a14cbcc01ed589d617d0f0f09 , < de322cdf600fc9433845a9e944d1ca6b31cfb67e (git) |
| Linux | Linux | Affected: d1da932ed4ecad2a14cbcc01ed589d617d0f0f09 , < ef05007b403dcc21e701cb1f30d4572ac0a9da20 (git) |
| Linux | Linux | Affected: d1da932ed4ecad2a14cbcc01ed589d617d0f0f09 , < 5489e7fc6f8be3062f8cb7e49406de4bfd94db67 (git) |
| Linux | Linux | Affected: d1da932ed4ecad2a14cbcc01ed589d617d0f0f09 , < 573b8250fc2554761db3bc2bbdbab23789d52d4e (git) |
| Linux | Linux | Affected: d1da932ed4ecad2a14cbcc01ed589d617d0f0f09 , < ee851768e4b8371ce151fd446d24bf3ae2d18789 (git) |
| Linux | Linux | Affected: d1da932ed4ecad2a14cbcc01ed589d617d0f0f09 , < d45cf1e7d7180256e17c9ce88e32e8061a7887fe (git) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:39:59.107Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/linux/skbuff.h",
"net/ipv6/ip6_offload.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5dc60b2a00ed7629214ac0c48e43f40af2078703",
"status": "affected",
"version": "d1da932ed4ecad2a14cbcc01ed589d617d0f0f09",
"versionType": "git"
},
{
"lessThan": "3f638e0b28bde7c3354a0df938ab3a96739455d1",
"status": "affected",
"version": "d1da932ed4ecad2a14cbcc01ed589d617d0f0f09",
"versionType": "git"
},
{
"lessThan": "09ff062b89d8e48165247d677d1ca23d6d607e9b",
"status": "affected",
"version": "d1da932ed4ecad2a14cbcc01ed589d617d0f0f09",
"versionType": "git"
},
{
"lessThan": "de322cdf600fc9433845a9e944d1ca6b31cfb67e",
"status": "affected",
"version": "d1da932ed4ecad2a14cbcc01ed589d617d0f0f09",
"versionType": "git"
},
{
"lessThan": "ef05007b403dcc21e701cb1f30d4572ac0a9da20",
"status": "affected",
"version": "d1da932ed4ecad2a14cbcc01ed589d617d0f0f09",
"versionType": "git"
},
{
"lessThan": "5489e7fc6f8be3062f8cb7e49406de4bfd94db67",
"status": "affected",
"version": "d1da932ed4ecad2a14cbcc01ed589d617d0f0f09",
"versionType": "git"
},
{
"lessThan": "573b8250fc2554761db3bc2bbdbab23789d52d4e",
"status": "affected",
"version": "d1da932ed4ecad2a14cbcc01ed589d617d0f0f09",
"versionType": "git"
},
{
"lessThan": "ee851768e4b8371ce151fd446d24bf3ae2d18789",
"status": "affected",
"version": "d1da932ed4ecad2a14cbcc01ed589d617d0f0f09",
"versionType": "git"
},
{
"lessThan": "d45cf1e7d7180256e17c9ce88e32e8061a7887fe",
"status": "affected",
"version": "d1da932ed4ecad2a14cbcc01ed589d617d0f0f09",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/linux/skbuff.h",
"net/ipv6/ip6_offload.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.8"
},
{
"lessThan": "3.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.148",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.102",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.148",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.102",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.42",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.10",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "3.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: reject malicious packets in ipv6_gso_segment()\n\nsyzbot was able to craft a packet with very long IPv6 extension headers\nleading to an overflow of skb-\u003etransport_header.\n\nThis 16bit field has a limited range.\n\nAdd skb_reset_transport_header_careful() helper and use it\nfrom ipv6_gso_segment()\n\nWARNING: CPU: 0 PID: 5871 at ./include/linux/skbuff.h:3032 skb_reset_transport_header include/linux/skbuff.h:3032 [inline]\nWARNING: CPU: 0 PID: 5871 at ./include/linux/skbuff.h:3032 ipv6_gso_segment+0x15e2/0x21e0 net/ipv6/ip6_offload.c:151\nModules linked in:\nCPU: 0 UID: 0 PID: 5871 Comm: syz-executor211 Not tainted 6.16.0-rc6-syzkaller-g7abc678e3084 #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025\n RIP: 0010:skb_reset_transport_header include/linux/skbuff.h:3032 [inline]\n RIP: 0010:ipv6_gso_segment+0x15e2/0x21e0 net/ipv6/ip6_offload.c:151\nCall Trace:\n \u003cTASK\u003e\n skb_mac_gso_segment+0x31c/0x640 net/core/gso.c:53\n nsh_gso_segment+0x54a/0xe10 net/nsh/nsh.c:110\n skb_mac_gso_segment+0x31c/0x640 net/core/gso.c:53\n __skb_gso_segment+0x342/0x510 net/core/gso.c:124\n skb_gso_segment include/net/gso.h:83 [inline]\n validate_xmit_skb+0x857/0x11b0 net/core/dev.c:3950\n validate_xmit_skb_list+0x84/0x120 net/core/dev.c:4000\n sch_direct_xmit+0xd3/0x4b0 net/sched/sch_generic.c:329\n __dev_xmit_skb net/core/dev.c:4102 [inline]\n __dev_queue_xmit+0x17b6/0x3a70 net/core/dev.c:4679"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:54:03.372Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5dc60b2a00ed7629214ac0c48e43f40af2078703"
},
{
"url": "https://git.kernel.org/stable/c/3f638e0b28bde7c3354a0df938ab3a96739455d1"
},
{
"url": "https://git.kernel.org/stable/c/09ff062b89d8e48165247d677d1ca23d6d607e9b"
},
{
"url": "https://git.kernel.org/stable/c/de322cdf600fc9433845a9e944d1ca6b31cfb67e"
},
{
"url": "https://git.kernel.org/stable/c/ef05007b403dcc21e701cb1f30d4572ac0a9da20"
},
{
"url": "https://git.kernel.org/stable/c/5489e7fc6f8be3062f8cb7e49406de4bfd94db67"
},
{
"url": "https://git.kernel.org/stable/c/573b8250fc2554761db3bc2bbdbab23789d52d4e"
},
{
"url": "https://git.kernel.org/stable/c/ee851768e4b8371ce151fd446d24bf3ae2d18789"
},
{
"url": "https://git.kernel.org/stable/c/d45cf1e7d7180256e17c9ce88e32e8061a7887fe"
}
],
"title": "ipv6: reject malicious packets in ipv6_gso_segment()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38572",
"datePublished": "2025-08-19T17:02:52.340Z",
"dateReserved": "2025-04-16T04:51:24.025Z",
"dateUpdated": "2025-11-03T17:39:59.107Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53352 (GCVE-0-2023-53352)
Vulnerability from cvelistv5 – Published: 2025-09-17 14:56 – Updated: 2026-01-14 18:43
Title
drm/ttm: check null pointer before accessing when swapping
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/ttm: check null pointer before accessing when swapping
Add a check to avoid null pointer dereference as below:
[ 90.002283] general protection fault, probably for non-canonical
address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI
[ 90.002292] KASAN: null-ptr-deref in range
[0x0000000000000000-0x0000000000000007]
[ 90.002346] ? exc_general_protection+0x159/0x240
[ 90.002352] ? asm_exc_general_protection+0x26/0x30
[ 90.002357] ? ttm_bo_evict_swapout_allowable+0x322/0x5e0 [ttm]
[ 90.002365] ? ttm_bo_evict_swapout_allowable+0x42e/0x5e0 [ttm]
[ 90.002373] ttm_bo_swapout+0x134/0x7f0 [ttm]
[ 90.002383] ? __pfx_ttm_bo_swapout+0x10/0x10 [ttm]
[ 90.002391] ? lock_acquire+0x44d/0x4f0
[ 90.002398] ? ttm_device_swapout+0xa5/0x260 [ttm]
[ 90.002412] ? lock_acquired+0x355/0xa00
[ 90.002416] ? do_raw_spin_trylock+0xb6/0x190
[ 90.002421] ? __pfx_lock_acquired+0x10/0x10
[ 90.002426] ? ttm_global_swapout+0x25/0x210 [ttm]
[ 90.002442] ttm_device_swapout+0x198/0x260 [ttm]
[ 90.002456] ? __pfx_ttm_device_swapout+0x10/0x10 [ttm]
[ 90.002472] ttm_global_swapout+0x75/0x210 [ttm]
[ 90.002486] ttm_tt_populate+0x187/0x3f0 [ttm]
[ 90.002501] ttm_bo_handle_move_mem+0x437/0x590 [ttm]
[ 90.002517] ttm_bo_validate+0x275/0x430 [ttm]
[ 90.002530] ? __pfx_ttm_bo_validate+0x10/0x10 [ttm]
[ 90.002544] ? kasan_save_stack+0x33/0x60
[ 90.002550] ? kasan_set_track+0x25/0x30
[ 90.002554] ? __kasan_kmalloc+0x8f/0xa0
[ 90.002558] ? amdgpu_gtt_mgr_new+0x81/0x420 [amdgpu]
[ 90.003023] ? ttm_resource_alloc+0xf6/0x220 [ttm]
[ 90.003038] amdgpu_bo_pin_restricted+0x2dd/0x8b0 [amdgpu]
[ 90.003210] ? __x64_sys_ioctl+0x131/0x1a0
[ 90.003210] ? do_syscall_64+0x60/0x90
Severity
5.5 (Medium)
CWE
- CWE-476 - NULL Pointer Dereference
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 8996b13051f0c211aaaf243dfd270003f1b67431 , < d39971d902d067b4dc366981b75b17c8c57ed5d1 (git) |
| Linux | Linux | Affected: da60170558b956c1b45dee1c4423da2425037426 , < 8089eb93d6787dbf348863e935698b4610d90321 (git) |
| Linux | Linux | Affected: 17e188e0feb008bab5f4b083083dff7cdc633ca1 , < 1fdd16d89c01336d9a942b5f03673c17d401da87 (git) |
| Linux | Linux | Affected: c24d051e6b48015e32f1361cdf67e1784dd14a9f , < 49b3b979e79faef129605018ad82aa0f2258f2f7 (git) |
| Linux | Linux | Affected: a2848d08742c8e8494675892c02c0d22acbe3cf8 , < 2dedcf414bb01b8d966eb445db1d181d92304fb2 (git) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-53352",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T18:41:46.702479Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T18:43:03.742Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/ttm/ttm_bo.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d39971d902d067b4dc366981b75b17c8c57ed5d1",
"status": "affected",
"version": "8996b13051f0c211aaaf243dfd270003f1b67431",
"versionType": "git"
},
{
"lessThan": "8089eb93d6787dbf348863e935698b4610d90321",
"status": "affected",
"version": "da60170558b956c1b45dee1c4423da2425037426",
"versionType": "git"
},
{
"lessThan": "1fdd16d89c01336d9a942b5f03673c17d401da87",
"status": "affected",
"version": "17e188e0feb008bab5f4b083083dff7cdc633ca1",
"versionType": "git"
},
{
"lessThan": "49b3b979e79faef129605018ad82aa0f2258f2f7",
"status": "affected",
"version": "c24d051e6b48015e32f1361cdf67e1784dd14a9f",
"versionType": "git"
},
{
"lessThan": "2dedcf414bb01b8d966eb445db1d181d92304fb2",
"status": "affected",
"version": "a2848d08742c8e8494675892c02c0d22acbe3cf8",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/ttm/ttm_bo.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5.15.126",
"status": "affected",
"version": "5.15.124",
"versionType": "semver"
},
{
"lessThan": "6.1.45",
"status": "affected",
"version": "6.1.43",
"versionType": "semver"
},
{
"lessThan": "6.4.10",
"status": "affected",
"version": "6.4.8",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.126",
"versionStartIncluding": "5.15.124",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.45",
"versionStartIncluding": "6.1.43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.10",
"versionStartIncluding": "6.4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/ttm: check null pointer before accessing when swapping\n\nAdd a check to avoid null pointer dereference as below:\n\n[ 90.002283] general protection fault, probably for non-canonical\naddress 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI\n[ 90.002292] KASAN: null-ptr-deref in range\n[0x0000000000000000-0x0000000000000007]\n[ 90.002346] ? exc_general_protection+0x159/0x240\n[ 90.002352] ? asm_exc_general_protection+0x26/0x30\n[ 90.002357] ? ttm_bo_evict_swapout_allowable+0x322/0x5e0 [ttm]\n[ 90.002365] ? ttm_bo_evict_swapout_allowable+0x42e/0x5e0 [ttm]\n[ 90.002373] ttm_bo_swapout+0x134/0x7f0 [ttm]\n[ 90.002383] ? __pfx_ttm_bo_swapout+0x10/0x10 [ttm]\n[ 90.002391] ? lock_acquire+0x44d/0x4f0\n[ 90.002398] ? ttm_device_swapout+0xa5/0x260 [ttm]\n[ 90.002412] ? lock_acquired+0x355/0xa00\n[ 90.002416] ? do_raw_spin_trylock+0xb6/0x190\n[ 90.002421] ? __pfx_lock_acquired+0x10/0x10\n[ 90.002426] ? ttm_global_swapout+0x25/0x210 [ttm]\n[ 90.002442] ttm_device_swapout+0x198/0x260 [ttm]\n[ 90.002456] ? __pfx_ttm_device_swapout+0x10/0x10 [ttm]\n[ 90.002472] ttm_global_swapout+0x75/0x210 [ttm]\n[ 90.002486] ttm_tt_populate+0x187/0x3f0 [ttm]\n[ 90.002501] ttm_bo_handle_move_mem+0x437/0x590 [ttm]\n[ 90.002517] ttm_bo_validate+0x275/0x430 [ttm]\n[ 90.002530] ? __pfx_ttm_bo_validate+0x10/0x10 [ttm]\n[ 90.002544] ? kasan_save_stack+0x33/0x60\n[ 90.002550] ? kasan_set_track+0x25/0x30\n[ 90.002554] ? __kasan_kmalloc+0x8f/0xa0\n[ 90.002558] ? amdgpu_gtt_mgr_new+0x81/0x420 [amdgpu]\n[ 90.003023] ? ttm_resource_alloc+0xf6/0x220 [ttm]\n[ 90.003038] amdgpu_bo_pin_restricted+0x2dd/0x8b0 [amdgpu]\n[ 90.003210] ? __x64_sys_ioctl+0x131/0x1a0\n[ 90.003210] ? do_syscall_64+0x60/0x90"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T14:56:42.698Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d39971d902d067b4dc366981b75b17c8c57ed5d1"
},
{
"url": "https://git.kernel.org/stable/c/8089eb93d6787dbf348863e935698b4610d90321"
},
{
"url": "https://git.kernel.org/stable/c/1fdd16d89c01336d9a942b5f03673c17d401da87"
},
{
"url": "https://git.kernel.org/stable/c/49b3b979e79faef129605018ad82aa0f2258f2f7"
},
{
"url": "https://git.kernel.org/stable/c/2dedcf414bb01b8d966eb445db1d181d92304fb2"
}
],
"title": "drm/ttm: check null pointer before accessing when swapping",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53352",
"datePublished": "2025-09-17T14:56:42.698Z",
"dateReserved": "2025-09-16T16:08:59.567Z",
"dateUpdated": "2026-01-14T18:43:03.742Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39827 (GCVE-0-2025-39827)
Vulnerability from cvelistv5 – Published: 2025-09-16 13:00 – Updated: 2025-11-03 17:43
Title
net: rose: include node references in rose_neigh refcount
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: rose: include node references in rose_neigh refcount
Current implementation maintains two separate reference counting
mechanisms: the 'count' field in struct rose_neigh tracks references from
rose_node structures, while the 'use' field (now refcount_t) tracks
references from rose_sock.
This patch merges these two reference counting systems using 'use' field
for proper reference management. Specifically, this patch adds incrementing
and decrementing of rose_neigh->use when rose_neigh->count is incremented
or decremented.
This patch also modifies rose_rt_free(), rose_rt_device_down() and
rose_clear_route() to properly release references to rose_neigh objects
before freeing a rose_node through rose_remove_node().
These changes ensure rose_neigh structures are properly freed only when
all references, including those from rose_node structures, are released.
As a result, this resolves a slab-use-after-free issue reported by Syzbot.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 4cce478c3e82a5fc788d72adb2f4c4e983997639 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 9c547c8eee9d1cf6e744611d688b9f725cf9a115 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < d7563b456ed44151e1a82091d96f60166daea89b (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 384210cceb1873a4c8218b27ba0745444436b728 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < da9c9c877597170b929a6121a68dcd3dd9a80f45 (git) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:43:48.138Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/rose/rose_route.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4cce478c3e82a5fc788d72adb2f4c4e983997639",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9c547c8eee9d1cf6e744611d688b9f725cf9a115",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d7563b456ed44151e1a82091d96f60166daea89b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "384210cceb1873a4c8218b27ba0745444436b728",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "da9c9c877597170b929a6121a68dcd3dd9a80f45",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/rose/rose_route.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.104",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.45",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.150",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.104",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.45",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.5",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: rose: include node references in rose_neigh refcount\n\nCurrent implementation maintains two separate reference counting\nmechanisms: the \u0027count\u0027 field in struct rose_neigh tracks references from\nrose_node structures, while the \u0027use\u0027 field (now refcount_t) tracks\nreferences from rose_sock.\n\nThis patch merges these two reference counting systems using \u0027use\u0027 field\nfor proper reference management. Specifically, this patch adds incrementing\nand decrementing of rose_neigh-\u003euse when rose_neigh-\u003ecount is incremented\nor decremented.\n\nThis patch also modifies rose_rt_free(), rose_rt_device_down() and\nrose_clear_route() to properly release references to rose_neigh objects\nbefore freeing a rose_node through rose_remove_node().\n\nThese changes ensure rose_neigh structures are properly freed only when\nall references, including those from rose_node structures, are released.\nAs a result, this resolves a slab-use-after-free issue reported by Syzbot."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:00:28.915Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4cce478c3e82a5fc788d72adb2f4c4e983997639"
},
{
"url": "https://git.kernel.org/stable/c/9c547c8eee9d1cf6e744611d688b9f725cf9a115"
},
{
"url": "https://git.kernel.org/stable/c/d7563b456ed44151e1a82091d96f60166daea89b"
},
{
"url": "https://git.kernel.org/stable/c/384210cceb1873a4c8218b27ba0745444436b728"
},
{
"url": "https://git.kernel.org/stable/c/da9c9c877597170b929a6121a68dcd3dd9a80f45"
}
],
"title": "net: rose: include node references in rose_neigh refcount",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39827",
"datePublished": "2025-09-16T13:00:25.555Z",
"dateReserved": "2025-04-16T07:20:57.140Z",
"dateUpdated": "2025-11-03T17:43:48.138Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39811 (GCVE-0-2025-39811)
Vulnerability from cvelistv5 – Published: 2025-09-16 13:00 – Updated: 2026-01-14 18:22
Title
drm/xe/vm: Clear the scratch_pt pointer on error
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/xe/vm: Clear the scratch_pt pointer on error
Avoid triggering a dereference of an error pointer on cleanup in
xe_vm_free_scratch() by clearing any scratch_pt error pointer.
(cherry picked from commit 358ee50ab565f3c8ea32480e9d03127a81ba32f8)
Severity
5.5 (Medium)
CWE
- CWE-476 - NULL Pointer Dereference
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 06951c2ee72df2f53b71e7cf2b504d4fa6bba453 , < c8277d229c7840e8090d4704e50f2ca014d194c7 (git) |
| Linux | Linux | Affected: 06951c2ee72df2f53b71e7cf2b504d4fa6bba453 , < 84603ed1d73ebb8de856dc11f4f5d3541c48f7a2 (git) |
| Linux | Linux | Affected: 06951c2ee72df2f53b71e7cf2b504d4fa6bba453 , < 2b55ddf36229e0278c956215784ab1feeff510aa (git) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-39811",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T18:15:08.427254Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T18:22:55.307Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/xe/xe_vm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c8277d229c7840e8090d4704e50f2ca014d194c7",
"status": "affected",
"version": "06951c2ee72df2f53b71e7cf2b504d4fa6bba453",
"versionType": "git"
},
{
"lessThan": "84603ed1d73ebb8de856dc11f4f5d3541c48f7a2",
"status": "affected",
"version": "06951c2ee72df2f53b71e7cf2b504d4fa6bba453",
"versionType": "git"
},
{
"lessThan": "2b55ddf36229e0278c956215784ab1feeff510aa",
"status": "affected",
"version": "06951c2ee72df2f53b71e7cf2b504d4fa6bba453",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/xe/xe_vm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.45",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.45",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.5",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/vm: Clear the scratch_pt pointer on error\n\nAvoid triggering a dereference of an error pointer on cleanup in\nxe_vm_free_scratch() by clearing any scratch_pt error pointer.\n\n(cherry picked from commit 358ee50ab565f3c8ea32480e9d03127a81ba32f8)"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:59:54.870Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c8277d229c7840e8090d4704e50f2ca014d194c7"
},
{
"url": "https://git.kernel.org/stable/c/84603ed1d73ebb8de856dc11f4f5d3541c48f7a2"
},
{
"url": "https://git.kernel.org/stable/c/2b55ddf36229e0278c956215784ab1feeff510aa"
}
],
"title": "drm/xe/vm: Clear the scratch_pt pointer on error",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39811",
"datePublished": "2025-09-16T13:00:13.395Z",
"dateReserved": "2025-04-16T07:20:57.137Z",
"dateUpdated": "2026-01-14T18:22:55.307Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50266 (GCVE-0-2022-50266)
Vulnerability from cvelistv5 – Published: 2025-09-15 14:21 – Updated: 2025-09-15 14:21
Title
kprobes: Fix check for probe enabled in kill_kprobe()
Summary
In the Linux kernel, the following vulnerability has been resolved:
kprobes: Fix check for probe enabled in kill_kprobe()
In kill_kprobe(), the check whether disarm_kprobe_ftrace() needs to be
called always fails. This is because before that we set the
KPROBE_FLAG_GONE flag for kprobe so that "!kprobe_disabled(p)" is always
false.
The disarm_kprobe_ftrace() call introduced by commit:
0cb2f1372baa ("kprobes: Fix NULL pointer dereference at kprobe_ftrace_handler")
to fix the NULL pointer reference problem. When the probe is enabled, if
we do not disarm it, this problem still exists.
Fix it by putting the probe enabled check before setting the
KPROBE_FLAG_GONE flag.
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 3031313eb3d549b7ad6f9fbcc52ba04412e3eb9e, < f20a067f13106565816b4b6a6b665b2088a63824 (git) |
| Linux | Linux | Affected: 3031313eb3d549b7ad6f9fbcc52ba04412e3eb9e, < c909985dd0c0f74b61e3f8f0e04bf8aa9c8b97c7 (git) |
| Linux | Linux | Affected: 3031313eb3d549b7ad6f9fbcc52ba04412e3eb9e, < 0c76ef3f26d5ef2ac2c21b47e7620cff35809fbb (git) |
| Linux | Linux | Affected: 3c5f8d371b7fef3e3714c4a062c7f3b4aa41d122 (git) |
| Linux | Linux | Affected: 9b55d84deec88c02b053a819acf08a6d471dda02 (git) |
| Linux | Linux | Affected: 2295608b44c91df767a5c68027f9c9e52ecb28e7 (git) |
| Linux | Linux | Affected: ce7ff920092130f249b75f9fe177edb3362fefe8 (git) |
| Linux | Linux | Affected: 3995f7a60feceba6c8f762f4aff3184f90a1291d (git) |
| Linux | Linux | Affected: 247c62ebdfae450bb76dd89cd4724df6be07df75 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/kprobes.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f20a067f13106565816b4b6a6b665b2088a63824",
"status": "affected",
"version": "3031313eb3d549b7ad6f9fbcc52ba04412e3eb9e",
"versionType": "git"
},
{
"lessThan": "c909985dd0c0f74b61e3f8f0e04bf8aa9c8b97c7",
"status": "affected",
"version": "3031313eb3d549b7ad6f9fbcc52ba04412e3eb9e",
"versionType": "git"
},
{
"lessThan": "0c76ef3f26d5ef2ac2c21b47e7620cff35809fbb",
"status": "affected",
"version": "3031313eb3d549b7ad6f9fbcc52ba04412e3eb9e",
"versionType": "git"
},
{
"status": "affected",
"version": "3c5f8d371b7fef3e3714c4a062c7f3b4aa41d122",
"versionType": "git"
},
{
"status": "affected",
"version": "9b55d84deec88c02b053a819acf08a6d471dda02",
"versionType": "git"
},
{
"status": "affected",
"version": "2295608b44c91df767a5c68027f9c9e52ecb28e7",
"versionType": "git"
},
{
"status": "affected",
"version": "ce7ff920092130f249b75f9fe177edb3362fefe8",
"versionType": "git"
},
{
"status": "affected",
"version": "3995f7a60feceba6c8f762f4aff3184f90a1291d",
"versionType": "git"
},
{
"status": "affected",
"version": "247c62ebdfae450bb76dd89cd4724df6be07df75",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/kprobes.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.238",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.238",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.200",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.149",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.69",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.8.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nkprobes: Fix check for probe enabled in kill_kprobe()\n\nIn kill_kprobe(), the check whether disarm_kprobe_ftrace() needs to be\ncalled always fails. This is because before that we set the\nKPROBE_FLAG_GONE flag for kprobe so that \"!kprobe_disabled(p)\" is always\nfalse.\n\nThe disarm_kprobe_ftrace() call introduced by commit:\n\n 0cb2f1372baa (\"kprobes: Fix NULL pointer dereference at kprobe_ftrace_handler\")\n\nto fix the NULL pointer reference problem. When the probe is enabled, if\nwe do not disarm it, this problem still exists.\n\nFix it by putting the probe enabled check before setting the\nKPROBE_FLAG_GONE flag."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T14:21:02.529Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f20a067f13106565816b4b6a6b665b2088a63824"
},
{
"url": "https://git.kernel.org/stable/c/c909985dd0c0f74b61e3f8f0e04bf8aa9c8b97c7"
},
{
"url": "https://git.kernel.org/stable/c/0c76ef3f26d5ef2ac2c21b47e7620cff35809fbb"
}
],
"title": "kprobes: Fix check for probe enabled in kill_kprobe()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50266",
"datePublished": "2025-09-15T14:21:02.529Z",
"dateReserved": "2025-09-15T13:58:00.975Z",
"dateUpdated": "2025-09-15T14:21:02.529Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53272 (GCVE-0-2023-53272)
Vulnerability from cvelistv5 – Published: 2025-09-16 08:07 – Updated: 2026-01-14 18:12
Title
net: ena: fix shift-out-of-bounds in exponential backoff
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: ena: fix shift-out-of-bounds in exponential backoff
The ENA adapters on our instances occasionally reset. Once recently
logged a UBSAN failure to console in the process:
UBSAN: shift-out-of-bounds in build/linux/drivers/net/ethernet/amazon/ena/ena_com.c:540:13
shift exponent 32 is too large for 32-bit type 'unsigned int'
CPU: 28 PID: 70012 Comm: kworker/u72:2 Kdump: loaded not tainted 5.15.117
Hardware name: Amazon EC2 c5d.9xlarge/, BIOS 1.0 10/16/2017
Workqueue: ena ena_fw_reset_device [ena]
Call Trace:
<TASK>
dump_stack_lvl+0x4a/0x63
dump_stack+0x10/0x16
ubsan_epilogue+0x9/0x36
__ubsan_handle_shift_out_of_bounds.cold+0x61/0x10e
? __const_udelay+0x43/0x50
ena_delay_exponential_backoff_us.cold+0x16/0x1e [ena]
wait_for_reset_state+0x54/0xa0 [ena]
ena_com_dev_reset+0xc8/0x110 [ena]
ena_down+0x3fe/0x480 [ena]
ena_destroy_device+0xeb/0xf0 [ena]
ena_fw_reset_device+0x30/0x50 [ena]
process_one_work+0x22b/0x3d0
worker_thread+0x4d/0x3f0
? process_one_work+0x3d0/0x3d0
kthread+0x12a/0x150
? set_kthread_struct+0x50/0x50
ret_from_fork+0x22/0x30
</TASK>
Apparently, the reset delays are getting so large they can trigger a
UBSAN panic.
Looking at the code, the current timeout is capped at 5000us. Using a
base value of 100us, the current code will overflow after (1<<29). Even
at values before 32, this function wraps around, perhaps
unintentionally.
Cap the value of the exponent used for this backoff at (1<<16) which is
larger than currently necessary, but large enough to support bigger
values in the future.
Severity
7.1 (High)
CWE
- CWE-125 - Out-of-bounds Read
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 4bb7f4cf60e38a00965d22aa5979ab143193d41f, < 1e760b2d18bf129b3da052c2946c02758e97d15e (git) |
| Linux | Linux | Affected: 4bb7f4cf60e38a00965d22aa5979ab143193d41f, < 3e36cc94d6e60a27f27498adf1c71eeba769ab33 (git) |
| Linux | Linux | Affected: 4bb7f4cf60e38a00965d22aa5979ab143193d41f, < 90947ebf8794e3c229fb2e16e37f1bfea6877f14 (git) |
| Linux | Linux | Affected: 4bb7f4cf60e38a00965d22aa5979ab143193d41f, < 0939c264729d4a081ff88efce2ffdf85dc5331e0 (git) |
| Linux | Linux | Affected: 4bb7f4cf60e38a00965d22aa5979ab143193d41f, < 1e9cb763e9bacf0c932aa948f50dcfca6f519a26 (git) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-53272",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T18:05:54.932143Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T18:12:53.573Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/amazon/ena/ena_com.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1e760b2d18bf129b3da052c2946c02758e97d15e",
"status": "affected",
"version": "4bb7f4cf60e38a00965d22aa5979ab143193d41f",
"versionType": "git"
},
{
"lessThan": "3e36cc94d6e60a27f27498adf1c71eeba769ab33",
"status": "affected",
"version": "4bb7f4cf60e38a00965d22aa5979ab143193d41f",
"versionType": "git"
},
{
"lessThan": "90947ebf8794e3c229fb2e16e37f1bfea6877f14",
"status": "affected",
"version": "4bb7f4cf60e38a00965d22aa5979ab143193d41f",
"versionType": "git"
},
{
"lessThan": "0939c264729d4a081ff88efce2ffdf85dc5331e0",
"status": "affected",
"version": "4bb7f4cf60e38a00965d22aa5979ab143193d41f",
"versionType": "git"
},
{
"lessThan": "1e9cb763e9bacf0c932aa948f50dcfca6f519a26",
"status": "affected",
"version": "4bb7f4cf60e38a00965d22aa5979ab143193d41f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/amazon/ena/ena_com.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.40",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.5",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ena: fix shift-out-of-bounds in exponential backoff\n\nThe ENA adapters on our instances occasionally reset. Once recently\nlogged a UBSAN failure to console in the process:\n\n UBSAN: shift-out-of-bounds in build/linux/drivers/net/ethernet/amazon/ena/ena_com.c:540:13\n shift exponent 32 is too large for 32-bit type \u0027unsigned int\u0027\n CPU: 28 PID: 70012 Comm: kworker/u72:2 Kdump: loaded not tainted 5.15.117\n Hardware name: Amazon EC2 c5d.9xlarge/, BIOS 1.0 10/16/2017\n Workqueue: ena ena_fw_reset_device [ena]\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x4a/0x63\n dump_stack+0x10/0x16\n ubsan_epilogue+0x9/0x36\n __ubsan_handle_shift_out_of_bounds.cold+0x61/0x10e\n ? __const_udelay+0x43/0x50\n ena_delay_exponential_backoff_us.cold+0x16/0x1e [ena]\n wait_for_reset_state+0x54/0xa0 [ena]\n ena_com_dev_reset+0xc8/0x110 [ena]\n ena_down+0x3fe/0x480 [ena]\n ena_destroy_device+0xeb/0xf0 [ena]\n ena_fw_reset_device+0x30/0x50 [ena]\n process_one_work+0x22b/0x3d0\n worker_thread+0x4d/0x3f0\n ? process_one_work+0x3d0/0x3d0\n kthread+0x12a/0x150\n ? set_kthread_struct+0x50/0x50\n ret_from_fork+0x22/0x30\n \u003c/TASK\u003e\n\nApparently, the reset delays are getting so large they can trigger a\nUBSAN panic.\n\nLooking at the code, the current timeout is capped at 5000us. Using a\nbase value of 100us, the current code will overflow after (1\u003c\u003c29). Even\nat values before 32, this function wraps around, perhaps\nunintentionally.\n\nCap the value of the exponent used for this backoff at (1\u003c\u003c16) which is\nlarger than currently necessary, but large enough to support bigger\nvalues in the future."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T08:07:01.589Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1e760b2d18bf129b3da052c2946c02758e97d15e"
},
{
"url": "https://git.kernel.org/stable/c/3e36cc94d6e60a27f27498adf1c71eeba769ab33"
},
{
"url": "https://git.kernel.org/stable/c/90947ebf8794e3c229fb2e16e37f1bfea6877f14"
},
{
"url": "https://git.kernel.org/stable/c/0939c264729d4a081ff88efce2ffdf85dc5331e0"
},
{
"url": "https://git.kernel.org/stable/c/1e9cb763e9bacf0c932aa948f50dcfca6f519a26"
}
],
"title": "net: ena: fix shift-out-of-bounds in exponential backoff",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53272",
"datePublished": "2025-09-16T08:07:01.589Z",
"dateReserved": "2025-09-16T08:05:12.516Z",
"dateUpdated": "2026-01-14T18:12:53.573Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50432 (GCVE-0-2022-50432)
Vulnerability from cvelistv5 – Published: 2025-10-01 11:42 – Updated: 2025-12-23 13:29
Title
kernfs: fix use-after-free in __kernfs_remove
Summary
In the Linux kernel, the following vulnerability has been resolved:
kernfs: fix use-after-free in __kernfs_remove
Syzkaller managed to trigger concurrent calls to
kernfs_remove_by_name_ns() for the same file resulting in
a KASAN detected use-after-free. The race occurs when the root
node is freed during kernfs_drain().
To prevent this acquire an additional reference for the root
of the tree that is removed before calling __kernfs_remove().
Found by syzkaller with the following reproducer (slab_nomerge is
required):
syz_mount_image$ext4(0x0, &(0x7f0000000100)='./file0\x00', 0x100000, 0x0, 0x0, 0x0, 0x0)
r0 = openat(0xffffffffffffff9c, &(0x7f0000000080)='/proc/self/exe\x00', 0x0, 0x0)
close(r0)
pipe2(&(0x7f0000000140)={0xffffffffffffffff, <r1=>0xffffffffffffffff}, 0x800)
mount$9p_fd(0x0, &(0x7f0000000040)='./file0\x00', &(0x7f00000000c0), 0x408, &(0x7f0000000280)={'trans=fd,', {'rfdno', 0x3d, r0}, 0x2c, {'wfdno', 0x3d, r1}, 0x2c, {[{@cache_loose}, {@mmap}, {@loose}, {@loose}, {@mmap}], [{@mask={'mask', 0x3d, '^MAY_EXEC'}}, {@fsmagic={'fsmagic', 0x3d, 0x10001}}, {@dont_hash}]}})
Sample report:
==================================================================
BUG: KASAN: use-after-free in kernfs_type include/linux/kernfs.h:335 [inline]
BUG: KASAN: use-after-free in kernfs_leftmost_descendant fs/kernfs/dir.c:1261 [inline]
BUG: KASAN: use-after-free in __kernfs_remove.part.0+0x843/0x960 fs/kernfs/dir.c:1369
Read of size 2 at addr ffff8880088807f0 by task syz-executor.2/857
CPU: 0 PID: 857 Comm: syz-executor.2 Not tainted 6.0.0-rc3-00363-g7726d4c3e60b #5
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x6e/0x91 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:317 [inline]
print_report.cold+0x5e/0x5e5 mm/kasan/report.c:433
kasan_report+0xa3/0x130 mm/kasan/report.c:495
kernfs_type include/linux/kernfs.h:335 [inline]
kernfs_leftmost_descendant fs/kernfs/dir.c:1261 [inline]
__kernfs_remove.part.0+0x843/0x960 fs/kernfs/dir.c:1369
__kernfs_remove fs/kernfs/dir.c:1356 [inline]
kernfs_remove_by_name_ns+0x108/0x190 fs/kernfs/dir.c:1589
sysfs_slab_add+0x133/0x1e0 mm/slub.c:5943
__kmem_cache_create+0x3e0/0x550 mm/slub.c:4899
create_cache mm/slab_common.c:229 [inline]
kmem_cache_create_usercopy+0x167/0x2a0 mm/slab_common.c:335
p9_client_create+0xd4d/0x1190 net/9p/client.c:993
v9fs_session_init+0x1e6/0x13c0 fs/9p/v9fs.c:408
v9fs_mount+0xb9/0xbd0 fs/9p/vfs_super.c:126
legacy_get_tree+0xf1/0x200 fs/fs_context.c:610
vfs_get_tree+0x85/0x2e0 fs/super.c:1530
do_new_mount fs/namespace.c:3040 [inline]
path_mount+0x675/0x1d00 fs/namespace.c:3370
do_mount fs/namespace.c:3383 [inline]
__do_sys_mount fs/namespace.c:3591 [inline]
__se_sys_mount fs/namespace.c:3568 [inline]
__x64_sys_mount+0x282/0x300 fs/namespace.c:3568
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x38/0x90 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
</TASK>
Allocated by task 855:
kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
kasan_set_track mm/kasan/common.c:45 [inline]
set_alloc_info mm/kasan/common.c:437 [inline]
__kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:470
kasan_slab_alloc include/linux/kasan.h:224 [inline]
slab_post_alloc_hook mm/slab.h:7
---truncated---
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 45a140e587f3d32d8d424ed940dffb61e1739047, < 4dfd6a477a1525773469feaf3c514b2c0fef76b5 (git) |
| Linux | Linux | Affected: 45a140e587f3d32d8d424ed940dffb61e1739047, < 02eb35131050735332658029082f61515b7dfe38 (git) |
| Linux | Linux | Affected: 45a140e587f3d32d8d424ed940dffb61e1739047, < 028cf780743eea79abffa7206b9dcfc080ad3546 (git) |
| Linux | Linux | Affected: 45a140e587f3d32d8d424ed940dffb61e1739047, < c78b0dc6fb7fb389d674e491fd376388cdfb1d53 (git) |
| Linux | Linux | Affected: 45a140e587f3d32d8d424ed940dffb61e1739047, < 6f72a3977ba9d0e5491a5c01315204272e7f9c44 (git) |
| Linux | Linux | Affected: 45a140e587f3d32d8d424ed940dffb61e1739047, < 94d2643df1e70a4c310ebb5e2c493eec33df1a06 (git) |
| Linux | Linux | Affected: 45a140e587f3d32d8d424ed940dffb61e1739047, < af1b57cc39beca203559576b3046094fc9e5eb32 (git) |
| Linux | Linux | Affected: 45a140e587f3d32d8d424ed940dffb61e1739047, < 4abc99652812a2ddf932f137515d5c5a04723538 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/kernfs/dir.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4dfd6a477a1525773469feaf3c514b2c0fef76b5",
"status": "affected",
"version": "45a140e587f3d32d8d424ed940dffb61e1739047",
"versionType": "git"
},
{
"lessThan": "02eb35131050735332658029082f61515b7dfe38",
"status": "affected",
"version": "45a140e587f3d32d8d424ed940dffb61e1739047",
"versionType": "git"
},
{
"lessThan": "028cf780743eea79abffa7206b9dcfc080ad3546",
"status": "affected",
"version": "45a140e587f3d32d8d424ed940dffb61e1739047",
"versionType": "git"
},
{
"lessThan": "c78b0dc6fb7fb389d674e491fd376388cdfb1d53",
"status": "affected",
"version": "45a140e587f3d32d8d424ed940dffb61e1739047",
"versionType": "git"
},
{
"lessThan": "6f72a3977ba9d0e5491a5c01315204272e7f9c44",
"status": "affected",
"version": "45a140e587f3d32d8d424ed940dffb61e1739047",
"versionType": "git"
},
{
"lessThan": "94d2643df1e70a4c310ebb5e2c493eec33df1a06",
"status": "affected",
"version": "45a140e587f3d32d8d424ed940dffb61e1739047",
"versionType": "git"
},
{
"lessThan": "af1b57cc39beca203559576b3046094fc9e5eb32",
"status": "affected",
"version": "45a140e587f3d32d8d424ed940dffb61e1739047",
"versionType": "git"
},
{
"lessThan": "4abc99652812a2ddf932f137515d5c5a04723538",
"status": "affected",
"version": "45a140e587f3d32d8d424ed940dffb61e1739047",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/kernfs/dir.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.14"
},
{
"lessThan": "3.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.332",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.298",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.264",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.223",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.153",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.332",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.298",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.264",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.223",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.153",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.77",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.7",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "3.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nkernfs: fix use-after-free in __kernfs_remove\n\nSyzkaller managed to trigger concurrent calls to\nkernfs_remove_by_name_ns() for the same file resulting in\na KASAN detected use-after-free. The race occurs when the root\nnode is freed during kernfs_drain().\n\nTo prevent this acquire an additional reference for the root\nof the tree that is removed before calling __kernfs_remove().\n\nFound by syzkaller with the following reproducer (slab_nomerge is\nrequired):\n\nsyz_mount_image$ext4(0x0, \u0026(0x7f0000000100)=\u0027./file0\\x00\u0027, 0x100000, 0x0, 0x0, 0x0, 0x0)\nr0 = openat(0xffffffffffffff9c, \u0026(0x7f0000000080)=\u0027/proc/self/exe\\x00\u0027, 0x0, 0x0)\nclose(r0)\npipe2(\u0026(0x7f0000000140)={0xffffffffffffffff, \u003cr1=\u003e0xffffffffffffffff}, 0x800)\nmount$9p_fd(0x0, \u0026(0x7f0000000040)=\u0027./file0\\x00\u0027, \u0026(0x7f00000000c0), 0x408, \u0026(0x7f0000000280)={\u0027trans=fd,\u0027, {\u0027rfdno\u0027, 0x3d, r0}, 0x2c, {\u0027wfdno\u0027, 0x3d, r1}, 0x2c, {[{@cache_loose}, {@mmap}, {@loose}, {@loose}, {@mmap}], [{@mask={\u0027mask\u0027, 0x3d, \u0027^MAY_EXEC\u0027}}, {@fsmagic={\u0027fsmagic\u0027, 0x3d, 0x10001}}, {@dont_hash}]}})\n\nSample report:\n\n==================================================================\nBUG: KASAN: use-after-free in kernfs_type include/linux/kernfs.h:335 [inline]\nBUG: KASAN: use-after-free in kernfs_leftmost_descendant fs/kernfs/dir.c:1261 [inline]\nBUG: KASAN: use-after-free in __kernfs_remove.part.0+0x843/0x960 fs/kernfs/dir.c:1369\nRead of size 2 at addr ffff8880088807f0 by task syz-executor.2/857\n\nCPU: 0 PID: 857 Comm: syz-executor.2 Not tainted 6.0.0-rc3-00363-g7726d4c3e60b #5\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x6e/0x91 lib/dump_stack.c:106\n print_address_description 
mm/kasan/report.c:317 [inline]\n print_report.cold+0x5e/0x5e5 mm/kasan/report.c:433\n kasan_report+0xa3/0x130 mm/kasan/report.c:495\n kernfs_type include/linux/kernfs.h:335 [inline]\n kernfs_leftmost_descendant fs/kernfs/dir.c:1261 [inline]\n __kernfs_remove.part.0+0x843/0x960 fs/kernfs/dir.c:1369\n __kernfs_remove fs/kernfs/dir.c:1356 [inline]\n kernfs_remove_by_name_ns+0x108/0x190 fs/kernfs/dir.c:1589\n sysfs_slab_add+0x133/0x1e0 mm/slub.c:5943\n __kmem_cache_create+0x3e0/0x550 mm/slub.c:4899\n create_cache mm/slab_common.c:229 [inline]\n kmem_cache_create_usercopy+0x167/0x2a0 mm/slab_common.c:335\n p9_client_create+0xd4d/0x1190 net/9p/client.c:993\n v9fs_session_init+0x1e6/0x13c0 fs/9p/v9fs.c:408\n v9fs_mount+0xb9/0xbd0 fs/9p/vfs_super.c:126\n legacy_get_tree+0xf1/0x200 fs/fs_context.c:610\n vfs_get_tree+0x85/0x2e0 fs/super.c:1530\n do_new_mount fs/namespace.c:3040 [inline]\n path_mount+0x675/0x1d00 fs/namespace.c:3370\n do_mount fs/namespace.c:3383 [inline]\n __do_sys_mount fs/namespace.c:3591 [inline]\n __se_sys_mount fs/namespace.c:3568 [inline]\n __x64_sys_mount+0x282/0x300 fs/namespace.c:3568\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x38/0x90 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7f725f983aed\nCode: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f725f0f7028 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5\nRAX: ffffffffffffffda RBX: 00007f725faa3f80 RCX: 00007f725f983aed\nRDX: 00000000200000c0 RSI: 0000000020000040 RDI: 0000000000000000\nRBP: 00007f725f9f419c R08: 0000000020000280 R09: 0000000000000000\nR10: 0000000000000408 R11: 0000000000000246 R12: 0000000000000000\nR13: 0000000000000006 R14: 00007f725faa3f80 R15: 00007f725f0d7000\n \u003c/TASK\u003e\n\nAllocated by task 855:\n kasan_save_stack+0x1e/0x40 
mm/kasan/common.c:38\n kasan_set_track mm/kasan/common.c:45 [inline]\n set_alloc_info mm/kasan/common.c:437 [inline]\n __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:470\n kasan_slab_alloc include/linux/kasan.h:224 [inline]\n slab_post_alloc_hook mm/slab.h:7\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-23T13:29:25.735Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4dfd6a477a1525773469feaf3c514b2c0fef76b5"
},
{
"url": "https://git.kernel.org/stable/c/02eb35131050735332658029082f61515b7dfe38"
},
{
"url": "https://git.kernel.org/stable/c/028cf780743eea79abffa7206b9dcfc080ad3546"
},
{
"url": "https://git.kernel.org/stable/c/c78b0dc6fb7fb389d674e491fd376388cdfb1d53"
},
{
"url": "https://git.kernel.org/stable/c/6f72a3977ba9d0e5491a5c01315204272e7f9c44"
},
{
"url": "https://git.kernel.org/stable/c/94d2643df1e70a4c310ebb5e2c493eec33df1a06"
},
{
"url": "https://git.kernel.org/stable/c/af1b57cc39beca203559576b3046094fc9e5eb32"
},
{
"url": "https://git.kernel.org/stable/c/4abc99652812a2ddf932f137515d5c5a04723538"
}
],
"title": "kernfs: fix use-after-free in __kernfs_remove",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50432",
"datePublished": "2025-10-01T11:42:10.573Z",
"dateReserved": "2025-09-17T14:53:07.009Z",
"dateUpdated": "2025-12-23T13:29:25.735Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38543 (GCVE-0-2025-38543)
Vulnerability from cvelistv5 – Published: 2025-08-16 11:22 – Updated: 2025-11-03 17:39
Title
drm/tegra: nvdec: Fix dma_alloc_coherent error check
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/tegra: nvdec: Fix dma_alloc_coherent error check
Check for NULL return value with dma_alloc_coherent, in line with
Robin's fix for vic.c in 'drm/tegra: vic: Fix DMA API misuse'.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 46f226c93d35b936aeec6eb31da932dc2e86f413 , < 61b8d20962d00b7df117011c52f97cbb9c76a669 (git) |
| Linux | Linux | Affected: 46f226c93d35b936aeec6eb31da932dc2e86f413 , < d1240029f97ac8c06db4dd4407bbbf83e8d08570 (git) |
| Linux | Linux | Affected: 46f226c93d35b936aeec6eb31da932dc2e86f413 , < a560de522374af931fa994d161db3667b0bb2545 (git) |
| Linux | Linux | Affected: 46f226c93d35b936aeec6eb31da932dc2e86f413 , < 2e0812eedccd0629d73c9d0b1184a5db055df1da (git) |
| Linux | Linux | Affected: 46f226c93d35b936aeec6eb31da932dc2e86f413 , < 44306a684cd1699b8562a54945ddc43e2abc9eab (git) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:39:39.114Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/tegra/nvdec.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "61b8d20962d00b7df117011c52f97cbb9c76a669",
"status": "affected",
"version": "46f226c93d35b936aeec6eb31da932dc2e86f413",
"versionType": "git"
},
{
"lessThan": "d1240029f97ac8c06db4dd4407bbbf83e8d08570",
"status": "affected",
"version": "46f226c93d35b936aeec6eb31da932dc2e86f413",
"versionType": "git"
},
{
"lessThan": "a560de522374af931fa994d161db3667b0bb2545",
"status": "affected",
"version": "46f226c93d35b936aeec6eb31da932dc2e86f413",
"versionType": "git"
},
{
"lessThan": "2e0812eedccd0629d73c9d0b1184a5db055df1da",
"status": "affected",
"version": "46f226c93d35b936aeec6eb31da932dc2e86f413",
"versionType": "git"
},
{
"lessThan": "44306a684cd1699b8562a54945ddc43e2abc9eab",
"status": "affected",
"version": "46f226c93d35b936aeec6eb31da932dc2e86f413",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/tegra/nvdec.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.146",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.146",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.99",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.39",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.7",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "5.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/tegra: nvdec: Fix dma_alloc_coherent error check\n\nCheck for NULL return value with dma_alloc_coherent, in line with\nRobin\u0027s fix for vic.c in \u0027drm/tegra: vic: Fix DMA API misuse\u0027."
}
],
"providerMetadata": {
"dateUpdated": "2025-08-16T11:22:17.619Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/61b8d20962d00b7df117011c52f97cbb9c76a669"
},
{
"url": "https://git.kernel.org/stable/c/d1240029f97ac8c06db4dd4407bbbf83e8d08570"
},
{
"url": "https://git.kernel.org/stable/c/a560de522374af931fa994d161db3667b0bb2545"
},
{
"url": "https://git.kernel.org/stable/c/2e0812eedccd0629d73c9d0b1184a5db055df1da"
},
{
"url": "https://git.kernel.org/stable/c/44306a684cd1699b8562a54945ddc43e2abc9eab"
}
],
"title": "drm/tegra: nvdec: Fix dma_alloc_coherent error check",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38543",
"datePublished": "2025-08-16T11:22:17.619Z",
"dateReserved": "2025-04-16T04:51:24.024Z",
"dateUpdated": "2025-11-03T17:39:39.114Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38710 (GCVE-0-2025-38710)
Vulnerability from cvelistv5 – Published: 2025-09-04 15:33 – Updated: 2026-01-02 15:31
Title
gfs2: Validate i_depth for exhash directories
Summary
In the Linux kernel, the following vulnerability has been resolved:
gfs2: Validate i_depth for exhash directories
A fuzzer test introduced corruption that ends up with a depth of 0 in
dir_e_read(), causing an undefined shift by 32 at:
    index = hash >> (32 - dip->i_depth);
As calculated in an open-coded way in dir_make_exhash(), the minimum
depth for an exhash directory is ilog2(sdp->sd_hash_ptrs) and 0 is
invalid as sdp->sd_hash_ptrs is fixed as sdp->bsize / 16 at mount time.
So we can avoid the undefined behaviour by checking for depth values
lower than the minimum in gfs2_dinode_in(). Values greater than the
maximum are already being checked for there.
Also switch the calculation in dir_make_exhash() to use ilog2() to
clarify how the depth is calculated.
Tested with the syzkaller repro.c and xfstests '-g quick'.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 9a0045088d888c9c539c8c626a366cb52c0fbdab , < 53a0249d68a210c16e961b83adfa82f94ee0a53d (git) |
| Linux | Linux | Affected: 9a0045088d888c9c539c8c626a366cb52c0fbdab , < b5f46951e62377b6e406fadc18bc3c5bdf1632a7 (git) |
| Linux | Linux | Affected: 9a0045088d888c9c539c8c626a366cb52c0fbdab , < 9680c58675b82348ab84d387e4fa727f7587e1a0 (git) |
| Linux | Linux | Affected: 9a0045088d888c9c539c8c626a366cb52c0fbdab , < 557c024ca7250bb65ae60f16c02074106c2f197b (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/gfs2/dir.c",
"fs/gfs2/glops.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "53a0249d68a210c16e961b83adfa82f94ee0a53d",
"status": "affected",
"version": "9a0045088d888c9c539c8c626a366cb52c0fbdab",
"versionType": "git"
},
{
"lessThan": "b5f46951e62377b6e406fadc18bc3c5bdf1632a7",
"status": "affected",
"version": "9a0045088d888c9c539c8c626a366cb52c0fbdab",
"versionType": "git"
},
{
"lessThan": "9680c58675b82348ab84d387e4fa727f7587e1a0",
"status": "affected",
"version": "9a0045088d888c9c539c8c626a366cb52c0fbdab",
"versionType": "git"
},
{
"lessThan": "557c024ca7250bb65ae60f16c02074106c2f197b",
"status": "affected",
"version": "9a0045088d888c9c539c8c626a366cb52c0fbdab",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/gfs2/dir.c",
"fs/gfs2/glops.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.26"
},
{
"lessThan": "2.6.26",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.43",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.11",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.2",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "2.6.26",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: Validate i_depth for exhash directories\n\nA fuzzer test introduced corruption that ends up with a depth of 0 in\ndir_e_read(), causing an undefined shift by 32 at:\n\n index = hash \u003e\u003e (32 - dip-\u003ei_depth);\n\nAs calculated in an open-coded way in dir_make_exhash(), the minimum\ndepth for an exhash directory is ilog2(sdp-\u003esd_hash_ptrs) and 0 is\ninvalid as sdp-\u003esd_hash_ptrs is fixed as sdp-\u003ebsize / 16 at mount time.\n\nSo we can avoid the undefined behaviour by checking for depth values\nlower than the minimum in gfs2_dinode_in(). Values greater than the\nmaximum are already being checked for there.\n\nAlso switch the calculation in dir_make_exhash() to use ilog2() to\nclarify how the depth is calculated.\n\nTested with the syzkaller repro.c and xfstests \u0027-g quick\u0027."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:31:38.415Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/53a0249d68a210c16e961b83adfa82f94ee0a53d"
},
{
"url": "https://git.kernel.org/stable/c/b5f46951e62377b6e406fadc18bc3c5bdf1632a7"
},
{
"url": "https://git.kernel.org/stable/c/9680c58675b82348ab84d387e4fa727f7587e1a0"
},
{
"url": "https://git.kernel.org/stable/c/557c024ca7250bb65ae60f16c02074106c2f197b"
}
],
"title": "gfs2: Validate i_depth for exhash directories",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38710",
"datePublished": "2025-09-04T15:33:00.629Z",
"dateReserved": "2025-04-16T04:51:24.033Z",
"dateUpdated": "2026-01-02T15:31:38.415Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38701 (GCVE-0-2025-38701)
Vulnerability from cvelistv5 – Published: 2025-09-04 15:32 – Updated: 2026-01-02 15:31
Title
ext4: do not BUG when INLINE_DATA_FL lacks system.data xattr
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: do not BUG when INLINE_DATA_FL lacks system.data xattr
A syzbot fuzzed image triggered a BUG_ON in ext4_update_inline_data()
when an inode had the INLINE_DATA_FL flag set but was missing the
system.data extended attribute.
Since this can happen due to a maliciously fuzzed file system, we
shouldn't BUG, but rather, report it as a corrupted file system.
Add similar replacements of BUG_ON with EXT4_ERROR_INODE() in
ext4_create_inline_data() and ext4_inline_data_truncate().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 67cf5b09a46f72e048501b84996f2f77bc42e947 , < 8085a7324d8ec448c4a764af7853e19bbd64e17a (git) |
| Linux | Linux | Affected: 67cf5b09a46f72e048501b84996f2f77bc42e947 , < 1199a6399895f4767f0b9a68a6ff47c3f799b7c7 (git) |
| Linux | Linux | Affected: 67cf5b09a46f72e048501b84996f2f77bc42e947 , < 7f322c12df7aeed1755acd3c6fab48c7807795fb (git) |
| Linux | Linux | Affected: 67cf5b09a46f72e048501b84996f2f77bc42e947 , < 2817ac83cb4732597bf36853fe13ca616f4ee4e2 (git) |
| Linux | Linux | Affected: 67cf5b09a46f72e048501b84996f2f77bc42e947 , < d960f4b793912f35e9d72bd9d1e90553063fcbf1 (git) |
| Linux | Linux | Affected: 67cf5b09a46f72e048501b84996f2f77bc42e947 , < 81e7e2e7ba07e7c8cdce43ccad2f91adbc5a919c (git) |
| Linux | Linux | Affected: 67cf5b09a46f72e048501b84996f2f77bc42e947 , < 279c87ef7b9da34f65c2e4db586e730b667a6fb9 (git) |
| Linux | Linux | Affected: 67cf5b09a46f72e048501b84996f2f77bc42e947 , < 8a6f89d42e61788605722dd9faf98797c958a7e5 (git) |
| Linux | Linux | Affected: 67cf5b09a46f72e048501b84996f2f77bc42e947 , < 099b847ccc6c1ad2f805d13cfbcc83f5b6d4bc42 (git) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:41:33.622Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/inline.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8085a7324d8ec448c4a764af7853e19bbd64e17a",
"status": "affected",
"version": "67cf5b09a46f72e048501b84996f2f77bc42e947",
"versionType": "git"
},
{
"lessThan": "1199a6399895f4767f0b9a68a6ff47c3f799b7c7",
"status": "affected",
"version": "67cf5b09a46f72e048501b84996f2f77bc42e947",
"versionType": "git"
},
{
"lessThan": "7f322c12df7aeed1755acd3c6fab48c7807795fb",
"status": "affected",
"version": "67cf5b09a46f72e048501b84996f2f77bc42e947",
"versionType": "git"
},
{
"lessThan": "2817ac83cb4732597bf36853fe13ca616f4ee4e2",
"status": "affected",
"version": "67cf5b09a46f72e048501b84996f2f77bc42e947",
"versionType": "git"
},
{
"lessThan": "d960f4b793912f35e9d72bd9d1e90553063fcbf1",
"status": "affected",
"version": "67cf5b09a46f72e048501b84996f2f77bc42e947",
"versionType": "git"
},
{
"lessThan": "81e7e2e7ba07e7c8cdce43ccad2f91adbc5a919c",
"status": "affected",
"version": "67cf5b09a46f72e048501b84996f2f77bc42e947",
"versionType": "git"
},
{
"lessThan": "279c87ef7b9da34f65c2e4db586e730b667a6fb9",
"status": "affected",
"version": "67cf5b09a46f72e048501b84996f2f77bc42e947",
"versionType": "git"
},
{
"lessThan": "8a6f89d42e61788605722dd9faf98797c958a7e5",
"status": "affected",
"version": "67cf5b09a46f72e048501b84996f2f77bc42e947",
"versionType": "git"
},
{
"lessThan": "099b847ccc6c1ad2f805d13cfbcc83f5b6d4bc42",
"status": "affected",
"version": "67cf5b09a46f72e048501b84996f2f77bc42e947",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/inline.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.8"
},
{
"lessThan": "3.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.43",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.11",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.2",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "3.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: do not BUG when INLINE_DATA_FL lacks system.data xattr\n\nA syzbot fuzzed image triggered a BUG_ON in ext4_update_inline_data()\nwhen an inode had the INLINE_DATA_FL flag set but was missing the\nsystem.data extended attribute.\n\nSince this can happen due to a maiciouly fuzzed file system, we\nshouldn\u0027t BUG, but rather, report it as a corrupted file system.\n\nAdd similar replacements of BUG_ON with EXT4_ERROR_INODE() ii\next4_create_inline_data() and ext4_inline_data_truncate()."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:31:18.248Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8085a7324d8ec448c4a764af7853e19bbd64e17a"
},
{
"url": "https://git.kernel.org/stable/c/1199a6399895f4767f0b9a68a6ff47c3f799b7c7"
},
{
"url": "https://git.kernel.org/stable/c/7f322c12df7aeed1755acd3c6fab48c7807795fb"
},
{
"url": "https://git.kernel.org/stable/c/2817ac83cb4732597bf36853fe13ca616f4ee4e2"
},
{
"url": "https://git.kernel.org/stable/c/d960f4b793912f35e9d72bd9d1e90553063fcbf1"
},
{
"url": "https://git.kernel.org/stable/c/81e7e2e7ba07e7c8cdce43ccad2f91adbc5a919c"
},
{
"url": "https://git.kernel.org/stable/c/279c87ef7b9da34f65c2e4db586e730b667a6fb9"
},
{
"url": "https://git.kernel.org/stable/c/8a6f89d42e61788605722dd9faf98797c958a7e5"
},
{
"url": "https://git.kernel.org/stable/c/099b847ccc6c1ad2f805d13cfbcc83f5b6d4bc42"
}
],
"title": "ext4: do not BUG when INLINE_DATA_FL lacks system.data xattr",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38701",
"datePublished": "2025-09-04T15:32:53.071Z",
"dateReserved": "2025-04-16T04:51:24.032Z",
"dateUpdated": "2026-01-02T15:31:18.248Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53391 (GCVE-0-2023-53391)
Vulnerability from cvelistv5 – Published: 2025-09-18 13:33 – Updated: 2026-01-14 19:03
Title
shmem: use ramfs_kill_sb() for kill_sb method of ramfs-based tmpfs
Summary
In the Linux kernel, the following vulnerability has been resolved:
shmem: use ramfs_kill_sb() for kill_sb method of ramfs-based tmpfs
As the ramfs-based tmpfs uses ramfs_init_fs_context() for the
init_fs_context method, which allocates fc->s_fs_info, use ramfs_kill_sb()
to free it and avoid a memory leak.
Severity ?
5.5 (Medium)
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: c3b1b1cbf002e65a3cabd479e68b5f35886a26db , < 5fada375113767b3b57f1b04f7a4fe64ffaa626f (git) |
| Linux | Linux | Affected: c3b1b1cbf002e65a3cabd479e68b5f35886a26db , < 487f229efea80c00dd7397547ec4f25fb8999d99 (git) |
| Linux | Linux | Affected: c3b1b1cbf002e65a3cabd479e68b5f35886a26db , < 1f34bf8b442c6d720e7fa6f15e8702427e48aea9 (git) |
| Linux | Linux | Affected: c3b1b1cbf002e65a3cabd479e68b5f35886a26db , < ebe07db840992a3886694ac3d303b06f4b70ce00 (git) |
| Linux | Linux | Affected: c3b1b1cbf002e65a3cabd479e68b5f35886a26db , < 36ce9d76b0a93bae799e27e4f5ac35478c676592 (git) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-53391",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T18:59:10.291580Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T19:03:05.597Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ramfs/inode.c",
"include/linux/ramfs.h",
"mm/shmem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5fada375113767b3b57f1b04f7a4fe64ffaa626f",
"status": "affected",
"version": "c3b1b1cbf002e65a3cabd479e68b5f35886a26db",
"versionType": "git"
},
{
"lessThan": "487f229efea80c00dd7397547ec4f25fb8999d99",
"status": "affected",
"version": "c3b1b1cbf002e65a3cabd479e68b5f35886a26db",
"versionType": "git"
},
{
"lessThan": "1f34bf8b442c6d720e7fa6f15e8702427e48aea9",
"status": "affected",
"version": "c3b1b1cbf002e65a3cabd479e68b5f35886a26db",
"versionType": "git"
},
{
"lessThan": "ebe07db840992a3886694ac3d303b06f4b70ce00",
"status": "affected",
"version": "c3b1b1cbf002e65a3cabd479e68b5f35886a26db",
"versionType": "git"
},
{
"lessThan": "36ce9d76b0a93bae799e27e4f5ac35478c676592",
"status": "affected",
"version": "c3b1b1cbf002e65a3cabd479e68b5f35886a26db",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ramfs/inode.c",
"include/linux/ramfs.h",
"mm/shmem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.30"
},
{
"lessThan": "2.6.30",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "2.6.30",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nshmem: use ramfs_kill_sb() for kill_sb method of ramfs-based tmpfs\n\nAs the ramfs-based tmpfs uses ramfs_init_fs_context() for the\ninit_fs_context method, which allocates fc-\u003es_fs_info, use ramfs_kill_sb()\nto free it and avoid a memory leak."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-18T13:33:33.602Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5fada375113767b3b57f1b04f7a4fe64ffaa626f"
},
{
"url": "https://git.kernel.org/stable/c/487f229efea80c00dd7397547ec4f25fb8999d99"
},
{
"url": "https://git.kernel.org/stable/c/1f34bf8b442c6d720e7fa6f15e8702427e48aea9"
},
{
"url": "https://git.kernel.org/stable/c/ebe07db840992a3886694ac3d303b06f4b70ce00"
},
{
"url": "https://git.kernel.org/stable/c/36ce9d76b0a93bae799e27e4f5ac35478c676592"
}
],
"title": "shmem: use ramfs_kill_sb() for kill_sb method of ramfs-based tmpfs",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53391",
"datePublished": "2025-09-18T13:33:33.602Z",
"dateReserved": "2025-09-17T14:54:09.737Z",
"dateUpdated": "2026-01-14T19:03:05.597Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53493 (GCVE-0-2023-53493)
Vulnerability from cvelistv5 – Published: 2025-10-01 11:45 – Updated: 2025-10-01 11:45
Title
accel/qaic: tighten bounds checking in decode_message()
Summary
In the Linux kernel, the following vulnerability has been resolved:
accel/qaic: tighten bounds checking in decode_message()
Copy the bounds checking from encode_message() to decode_message().
This patch addresses the following concerns. Ensure that there is
enough space for at least one header so that we don't have a negative
size later.
    if (msg_hdr_len < sizeof(*trans_hdr))
Ensure that we have enough space to read the next header from the
msg->data.
    if (msg_len > msg_hdr_len - sizeof(*trans_hdr))
        return -EINVAL;
Check that the trans_hdr->len is not below the minimum size:
    if (hdr_len < sizeof(*trans_hdr))
This minimum check ensures that we don't corrupt memory in
decode_passthrough() when we do.
    memcpy(out_trans->data, in_trans->data, len - sizeof(in_trans->hdr));
And finally, use size_add() to prevent an integer overflow:
    if (size_add(msg_len, hdr_len) > msg_hdr_len)
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/accel/qaic/qaic_control.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "57d14cb3bae4619ce2fb5235cb318c3d5d8f53fd",
"status": "affected",
"version": "129776ac2e38231fa9c02ce20e116c99de291666",
"versionType": "git"
},
{
"lessThan": "51b56382ed2a2b03347372272362b3baa623ed1e",
"status": "affected",
"version": "129776ac2e38231fa9c02ce20e116c99de291666",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/accel/qaic/qaic_control.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/qaic: tighten bounds checking in decode_message()\n\nCopy the bounds checking from encode_message() to decode_message().\n\nThis patch addresses the following concerns. Ensure that there is\nenough space for at least one header so that we don\u0027t have a negative\nsize later.\n\n\tif (msg_hdr_len \u003c sizeof(*trans_hdr))\n\nEnsure that we have enough space to read the next header from the\nmsg-\u003edata.\n\n\tif (msg_len \u003e msg_hdr_len - sizeof(*trans_hdr))\n\t\treturn -EINVAL;\n\nCheck that the trans_hdr-\u003elen is not below the minimum size:\n\n\tif (hdr_len \u003c sizeof(*trans_hdr))\n\nThis minimum check ensures that we don\u0027t corrupt memory in\ndecode_passthrough() when we do.\n\n\tmemcpy(out_trans-\u003edata, in_trans-\u003edata, len - sizeof(in_trans-\u003ehdr));\n\nAnd finally, use size_add() to prevent an integer overflow:\n\n\tif (size_add(msg_len, hdr_len) \u003e msg_hdr_len)"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T11:45:44.939Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/57d14cb3bae4619ce2fb5235cb318c3d5d8f53fd"
},
{
"url": "https://git.kernel.org/stable/c/51b56382ed2a2b03347372272362b3baa623ed1e"
}
],
"title": "accel/qaic: tighten bounds checking in decode_message()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53493",
"datePublished": "2025-10-01T11:45:44.939Z",
"dateReserved": "2025-10-01T11:39:39.403Z",
"dateUpdated": "2025-10-01T11:45:44.939Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38216 (GCVE-0-2025-38216)
Vulnerability from cvelistv5 – Published: 2025-07-04 13:37 – Updated: 2025-07-28 04:15
Title
iommu/vt-d: Restore context entry setup order for aliased devices
Summary
In the Linux kernel, the following vulnerability has been resolved:
iommu/vt-d: Restore context entry setup order for aliased devices
Commit 2031c469f816 ("iommu/vt-d: Add support for static identity domain")
changed the context entry setup during domain attachment from a
set-and-check policy to a clear-and-reset approach. This inadvertently
introduced a regression affecting PCI aliased devices behind PCIe-to-PCI
bridges.
Specifically, keyboard and touchpad stopped working on several Apple
Macbooks with below messages:
    kernel: platform pxa2xx-spi.3: Adding to iommu group 20
    kernel: input: Apple SPI Keyboard as
    /devices/pci0000:00/0000:00:1e.3/pxa2xx-spi.3/spi_master/spi2/spi-APP000D:00/input/input0
    kernel: DMAR: DRHD: handling fault status reg 3
    kernel: DMAR: [DMA Read NO_PASID] Request device [00:1e.3] fault addr
    0xffffa000 [fault reason 0x06] PTE Read access is not set
    kernel: DMAR: DRHD: handling fault status reg 3
    kernel: DMAR: [DMA Read NO_PASID] Request device [00:1e.3] fault addr
    0xffffa000 [fault reason 0x06] PTE Read access is not set
    kernel: applespi spi-APP000D:00: Error writing to device: 01 0e 00 00
    kernel: DMAR: DRHD: handling fault status reg 3
    kernel: DMAR: [DMA Read NO_PASID] Request device [00:1e.3] fault addr
    0xffffa000 [fault reason 0x06] PTE Read access is not set
    kernel: DMAR: DRHD: handling fault status reg 3
    kernel: applespi spi-APP000D:00: Error writing to device: 01 0e 00 00
Fix this by restoring the previous context setup order.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 2031c469f8161abe74189cb74f50da224f340b71, < fb5873b779dd5858123c19bbd6959566771e2e83 (git) |
| Linux | Linux | Affected: 2031c469f8161abe74189cb74f50da224f340b71, < d43c81b691813e16a2d08208ce8947aebdab83cd (git) |
| Linux | Linux | Affected: 2031c469f8161abe74189cb74f50da224f340b71, < 320302baed05c6456164652541f23d2a96522c06 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iommu/intel/iommu.c",
"drivers/iommu/intel/iommu.h",
"drivers/iommu/intel/nested.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fb5873b779dd5858123c19bbd6959566771e2e83",
"status": "affected",
"version": "2031c469f8161abe74189cb74f50da224f340b71",
"versionType": "git"
},
{
"lessThan": "d43c81b691813e16a2d08208ce8947aebdab83cd",
"status": "affected",
"version": "2031c469f8161abe74189cb74f50da224f340b71",
"versionType": "git"
},
{
"lessThan": "320302baed05c6456164652541f23d2a96522c06",
"status": "affected",
"version": "2031c469f8161abe74189cb74f50da224f340b71",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iommu/intel/iommu.c",
"drivers/iommu/intel/iommu.h",
"drivers/iommu/intel/nested.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.12"
},
{
"lessThan": "6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.35",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.35",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.4",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/vt-d: Restore context entry setup order for aliased devices\n\nCommit 2031c469f816 (\"iommu/vt-d: Add support for static identity domain\")\nchanged the context entry setup during domain attachment from a\nset-and-check policy to a clear-and-reset approach. This inadvertently\nintroduced a regression affecting PCI aliased devices behind PCIe-to-PCI\nbridges.\n\nSpecifically, keyboard and touchpad stopped working on several Apple\nMacbooks with below messages:\n\n kernel: platform pxa2xx-spi.3: Adding to iommu group 20\n kernel: input: Apple SPI Keyboard as\n /devices/pci0000:00/0000:00:1e.3/pxa2xx-spi.3/spi_master/spi2/spi-APP000D:00/input/input0\n kernel: DMAR: DRHD: handling fault status reg 3\n kernel: DMAR: [DMA Read NO_PASID] Request device [00:1e.3] fault addr\n 0xffffa000 [fault reason 0x06] PTE Read access is not set\n kernel: DMAR: DRHD: handling fault status reg 3\n kernel: DMAR: [DMA Read NO_PASID] Request device [00:1e.3] fault addr\n 0xffffa000 [fault reason 0x06] PTE Read access is not set\n kernel: applespi spi-APP000D:00: Error writing to device: 01 0e 00 00\n kernel: DMAR: DRHD: handling fault status reg 3\n kernel: DMAR: [DMA Read NO_PASID] Request device [00:1e.3] fault addr\n 0xffffa000 [fault reason 0x06] PTE Read access is not set\n kernel: DMAR: DRHD: handling fault status reg 3\n kernel: applespi spi-APP000D:00: Error writing to device: 01 0e 00 00\n\nFix this by restoring the previous context setup order."
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T04:15:25.128Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fb5873b779dd5858123c19bbd6959566771e2e83"
},
{
"url": "https://git.kernel.org/stable/c/d43c81b691813e16a2d08208ce8947aebdab83cd"
},
{
"url": "https://git.kernel.org/stable/c/320302baed05c6456164652541f23d2a96522c06"
}
],
"title": "iommu/vt-d: Restore context entry setup order for aliased devices",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38216",
"datePublished": "2025-07-04T13:37:33.906Z",
"dateReserved": "2025-04-16T04:51:23.995Z",
"dateUpdated": "2025-07-28T04:15:25.128Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53304 (GCVE-0-2023-53304)
Vulnerability from cvelistv5 – Published: 2025-09-16 16:11 – Updated: 2026-01-14 18:22
Title
netfilter: nft_set_rbtree: fix overlap expiration walk
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nft_set_rbtree: fix overlap expiration walk
The lazy gc on insert that should remove timed-out entries fails to release
the other half of the interval, if any.
Can be reproduced with tests/shell/testcases/sets/0044interval_overlap_0
in nftables.git and kmemleak enabled kernel.
Second bug is the use of rbe_prev vs. prev pointer.
If rbe_prev() returns NULL after at least one iteration, rbe_prev points
to element that is not an end interval, hence it should not be removed.
Lastly, check the genmask of the end interval if this is active in the
current generation.
Severity
5.5 (Medium)
CWE
- CWE-476 - NULL Pointer Dereference
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 7ab87a326f20c52ff4d9972052d085be951c704b, < 8284a79136c384059e85e278da2210b809730287 (git) |
| Linux | Linux | Affected: 181859bdfb9734aca449512fccaee4cacce64aed, < acaee227cf79c45a5d2d49c3e9a66333a462802c (git) |
| Linux | Linux | Affected: 4aacf3d78424293e318c616016865380b37b9cc5, < 893cb3c3513cf661a0ff45fe0cfa83fe27131f76 (git) |
| Linux | Linux | Affected: 2bf1435fa19d2c58054391b3bba40d5510a5758c, < 50cbb9d195c197af671869c8cadce3bd483735a0 (git) |
| Linux | Linux | Affected: 318cb24a4c3fce8140afaf84e4d45fcb76fb280b, < 89a4d1a89751a0fbd520e64091873e19cc0979e8 (git) |
| Linux | Linux | Affected: c9e6978e2725a7d4b6cd23b2facd3f11422c0643, < cd66733932399475fe933cb3ec03e687ed401462 (git) |
| Linux | Linux | Affected: c9e6978e2725a7d4b6cd23b2facd3f11422c0643, < f718863aca469a109895cb855e6b81fff4827d71 (git) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-53304",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T18:22:49.464474Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T18:22:59.263Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nft_set_rbtree.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8284a79136c384059e85e278da2210b809730287",
"status": "affected",
"version": "7ab87a326f20c52ff4d9972052d085be951c704b",
"versionType": "git"
},
{
"lessThan": "acaee227cf79c45a5d2d49c3e9a66333a462802c",
"status": "affected",
"version": "181859bdfb9734aca449512fccaee4cacce64aed",
"versionType": "git"
},
{
"lessThan": "893cb3c3513cf661a0ff45fe0cfa83fe27131f76",
"status": "affected",
"version": "4aacf3d78424293e318c616016865380b37b9cc5",
"versionType": "git"
},
{
"lessThan": "50cbb9d195c197af671869c8cadce3bd483735a0",
"status": "affected",
"version": "2bf1435fa19d2c58054391b3bba40d5510a5758c",
"versionType": "git"
},
{
"lessThan": "89a4d1a89751a0fbd520e64091873e19cc0979e8",
"status": "affected",
"version": "318cb24a4c3fce8140afaf84e4d45fcb76fb280b",
"versionType": "git"
},
{
"lessThan": "cd66733932399475fe933cb3ec03e687ed401462",
"status": "affected",
"version": "c9e6978e2725a7d4b6cd23b2facd3f11422c0643",
"versionType": "git"
},
{
"lessThan": "f718863aca469a109895cb855e6b81fff4827d71",
"status": "affected",
"version": "c9e6978e2725a7d4b6cd23b2facd3f11422c0643",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nft_set_rbtree.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.190",
"versionStartIncluding": "5.10.166",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.124",
"versionStartIncluding": "5.15.91",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.43",
"versionStartIncluding": "6.1.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.8",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_set_rbtree: fix overlap expiration walk\n\nThe lazy gc on insert that should remove timed-out entries fails to release\nthe other half of the interval, if any.\n\nCan be reproduced with tests/shell/testcases/sets/0044interval_overlap_0\nin nftables.git and kmemleak enabled kernel.\n\nSecond bug is the use of rbe_prev vs. prev pointer.\nIf rbe_prev() returns NULL after at least one iteration, rbe_prev points\nto element that is not an end interval, hence it should not be removed.\n\nLastly, check the genmask of the end interval if this is active in the\ncurrent generation."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T16:11:44.147Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8284a79136c384059e85e278da2210b809730287"
},
{
"url": "https://git.kernel.org/stable/c/acaee227cf79c45a5d2d49c3e9a66333a462802c"
},
{
"url": "https://git.kernel.org/stable/c/893cb3c3513cf661a0ff45fe0cfa83fe27131f76"
},
{
"url": "https://git.kernel.org/stable/c/50cbb9d195c197af671869c8cadce3bd483735a0"
},
{
"url": "https://git.kernel.org/stable/c/89a4d1a89751a0fbd520e64091873e19cc0979e8"
},
{
"url": "https://git.kernel.org/stable/c/cd66733932399475fe933cb3ec03e687ed401462"
},
{
"url": "https://git.kernel.org/stable/c/f718863aca469a109895cb855e6b81fff4827d71"
}
],
"title": "netfilter: nft_set_rbtree: fix overlap expiration walk",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53304",
"datePublished": "2025-09-16T16:11:44.147Z",
"dateReserved": "2025-09-16T08:09:37.994Z",
"dateUpdated": "2026-01-14T18:22:59.263Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-2978 (GCVE-0-2022-2978)
Vulnerability from cvelistv5 – Published: 2022-08-24 00:00 – Updated: 2024-08-03 00:53
Summary
A flaw use after free in the Linux kernel NILFS file system was found in the way user triggers function security_inode_alloc to fail with following call to function nilfs_mdt_destroy. A local user could use this flaw to crash the system or potentially escalate their privileges on the system.
Severity
No CVSS data available.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:53:00.619Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://lore.kernel.org/linux-fsdevel/20220816040859.659129-1-dzm91%40hust.edu.cn/T/#u"
},
{
"name": "[debian-lts-announce] 20221223 [SECURITY] [DLA 3245-1] linux security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00034.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Kernel",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Linux kernel 6.0-rc3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw use after free in the Linux kernel NILFS file system was found in the way user triggers function security_inode_alloc to fail with following call to function nilfs_mdt_destroy. A local user could use this flaw to crash the system or potentially escalate their privileges on the system."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-24T00:00:00",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"url": "https://lore.kernel.org/linux-fsdevel/20220816040859.659129-1-dzm91%40hust.edu.cn/T/#u"
},
{
"name": "[debian-lts-announce] 20221223 [SECURITY] [DLA 3245-1] linux security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00034.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2022-2978",
"datePublished": "2022-08-24T00:00:00",
"dateReserved": "2022-08-24T00:00:00",
"dateUpdated": "2024-08-03T00:53:00.619Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50297 (GCVE-0-2022-50297)
Vulnerability from cvelistv5 – Published: 2025-09-15 14:45 – Updated: 2025-10-29 10:50
Title
wifi: ath9k: verify the expected usb_endpoints are present
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath9k: verify the expected usb_endpoints are present
The bug arises when a USB device claims to be an ATH9K but doesn't
have the expected endpoints. (In this case there was an interrupt
endpoint where the driver expected a bulk endpoint.) The kernel
needs to be able to handle such devices without getting an internal error.
usb 1-1: BOGUS urb xfer, pipe 3 != type 1
WARNING: CPU: 3 PID: 500 at drivers/usb/core/urb.c:493 usb_submit_urb+0xce2/0x1430 drivers/usb/core/urb.c:493
Modules linked in:
CPU: 3 PID: 500 Comm: kworker/3:2 Not tainted 5.10.135-syzkaller #0
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
Workqueue: events request_firmware_work_func
RIP: 0010:usb_submit_urb+0xce2/0x1430 drivers/usb/core/urb.c:493
Call Trace:
ath9k_hif_usb_alloc_rx_urbs drivers/net/wireless/ath/ath9k/hif_usb.c:908 [inline]
ath9k_hif_usb_alloc_urbs+0x75e/0x1010 drivers/net/wireless/ath/ath9k/hif_usb.c:1019
ath9k_hif_usb_dev_init drivers/net/wireless/ath/ath9k/hif_usb.c:1109 [inline]
ath9k_hif_usb_firmware_cb+0x142/0x530 drivers/net/wireless/ath/ath9k/hif_usb.c:1242
request_firmware_work_func+0x12e/0x240 drivers/base/firmware_loader/main.c:1097
process_one_work+0x9af/0x1600 kernel/workqueue.c:2279
worker_thread+0x61d/0x12f0 kernel/workqueue.c:2425
kthread+0x3b4/0x4a0 kernel/kthread.c:313
ret_from_fork+0x22/0x30 arch/x86/entry/entry_64.S:299
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: fb9987d0f748c983bb795a86f47522313f701a08, < 932f0a5e829fb0b823f96d7fa9a0f4fc96660b77 (git) |
| Linux | Linux | Affected: fb9987d0f748c983bb795a86f47522313f701a08, < d008a202a0528a058bac658e657c010ce8534f4a (git) |
| Linux | Linux | Affected: fb9987d0f748c983bb795a86f47522313f701a08, < d64436af0bc3c9e579be761d7684f228fb95f3bb (git) |
| Linux | Linux | Affected: fb9987d0f748c983bb795a86f47522313f701a08, < ca57748593ddd8e46d033fbaeb9d01ec533a6bfe (git) |
| Linux | Linux | Affected: fb9987d0f748c983bb795a86f47522313f701a08, < 1824ccabee5445347b83642e4087cc2eca070343 (git) |
| Linux | Linux | Affected: fb9987d0f748c983bb795a86f47522313f701a08, < c319196a0e34ed2e66d6f876f58d8d446335c2a7 (git) |
| Linux | Linux | Affected: fb9987d0f748c983bb795a86f47522313f701a08, < 2d2eccf52ea0215c8d386b62af0b5fd4fc122bd5 (git) |
| Linux | Linux | Affected: fb9987d0f748c983bb795a86f47522313f701a08, < 0b7e6d681e00a96cde2b32a15ffa70e1be2e3209 (git) |
| Linux | Linux | Affected: fb9987d0f748c983bb795a86f47522313f701a08, < 16ef02bad239f11f322df8425d302be62f0443ce (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath9k/hif_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "932f0a5e829fb0b823f96d7fa9a0f4fc96660b77",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "d008a202a0528a058bac658e657c010ce8534f4a",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "d64436af0bc3c9e579be761d7684f228fb95f3bb",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "ca57748593ddd8e46d033fbaeb9d01ec533a6bfe",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "1824ccabee5445347b83642e4087cc2eca070343",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "c319196a0e34ed2e66d6f876f58d8d446335c2a7",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "2d2eccf52ea0215c8d386b62af0b5fd4fc122bd5",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "0b7e6d681e00a96cde2b32a15ffa70e1be2e3209",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "16ef02bad239f11f322df8425d302be62f0443ce",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath9k/hif_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.35"
},
{
"lessThan": "2.6.35",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "2.6.35",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath9k: verify the expected usb_endpoints are present\n\nThe bug arises when a USB device claims to be an ATH9K but doesn\u0027t\nhave the expected endpoints. (In this case there was an interrupt\nendpoint where the driver expected a bulk endpoint.) The kernel\nneeds to be able to handle such devices without getting an internal error.\n\nusb 1-1: BOGUS urb xfer, pipe 3 != type 1\nWARNING: CPU: 3 PID: 500 at drivers/usb/core/urb.c:493 usb_submit_urb+0xce2/0x1430 drivers/usb/core/urb.c:493\nModules linked in:\nCPU: 3 PID: 500 Comm: kworker/3:2 Not tainted 5.10.135-syzkaller #0\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014\nWorkqueue: events request_firmware_work_func\nRIP: 0010:usb_submit_urb+0xce2/0x1430 drivers/usb/core/urb.c:493\nCall Trace:\n ath9k_hif_usb_alloc_rx_urbs drivers/net/wireless/ath/ath9k/hif_usb.c:908 [inline]\n ath9k_hif_usb_alloc_urbs+0x75e/0x1010 drivers/net/wireless/ath/ath9k/hif_usb.c:1019\n ath9k_hif_usb_dev_init drivers/net/wireless/ath/ath9k/hif_usb.c:1109 [inline]\n ath9k_hif_usb_firmware_cb+0x142/0x530 drivers/net/wireless/ath/ath9k/hif_usb.c:1242\n request_firmware_work_func+0x12e/0x240 drivers/base/firmware_loader/main.c:1097\n process_one_work+0x9af/0x1600 kernel/workqueue.c:2279\n worker_thread+0x61d/0x12f0 kernel/workqueue.c:2425\n kthread+0x3b4/0x4a0 kernel/kthread.c:313\n ret_from_fork+0x22/0x30 arch/x86/entry/entry_64.S:299\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-29T10:50:10.393Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/932f0a5e829fb0b823f96d7fa9a0f4fc96660b77"
},
{
"url": "https://git.kernel.org/stable/c/d008a202a0528a058bac658e657c010ce8534f4a"
},
{
"url": "https://git.kernel.org/stable/c/d64436af0bc3c9e579be761d7684f228fb95f3bb"
},
{
"url": "https://git.kernel.org/stable/c/ca57748593ddd8e46d033fbaeb9d01ec533a6bfe"
},
{
"url": "https://git.kernel.org/stable/c/1824ccabee5445347b83642e4087cc2eca070343"
},
{
"url": "https://git.kernel.org/stable/c/c319196a0e34ed2e66d6f876f58d8d446335c2a7"
},
{
"url": "https://git.kernel.org/stable/c/2d2eccf52ea0215c8d386b62af0b5fd4fc122bd5"
},
{
"url": "https://git.kernel.org/stable/c/0b7e6d681e00a96cde2b32a15ffa70e1be2e3209"
},
{
"url": "https://git.kernel.org/stable/c/16ef02bad239f11f322df8425d302be62f0443ce"
}
],
"title": "wifi: ath9k: verify the expected usb_endpoints are present",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50297",
"datePublished": "2025-09-15T14:45:53.146Z",
"dateReserved": "2025-09-15T14:18:36.812Z",
"dateUpdated": "2025-10-29T10:50:10.393Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53480 (GCVE-0-2023-53480)
Vulnerability from cvelistv5 – Published: 2025-10-01 11:42 – Updated: 2026-01-05 10:20
Title
kobject: Add sanity check for kset->kobj.ktype in kset_register()
Summary
In the Linux kernel, the following vulnerability has been resolved:
kobject: Add sanity check for kset->kobj.ktype in kset_register()
When I register a kset in the following way:
static struct kset my_kset;
kobject_set_name(&my_kset.kobj, "my_kset");
ret = kset_register(&my_kset);
A null pointer dereference exception is occurred:
[ 4453.568337] Unable to handle kernel NULL pointer dereference at \
virtual address 0000000000000028
... ...
[ 4453.810361] Call trace:
[ 4453.813062] kobject_get_ownership+0xc/0x34
[ 4453.817493] kobject_add_internal+0x98/0x274
[ 4453.822005] kset_register+0x5c/0xb4
[ 4453.825820] my_kobj_init+0x44/0x1000 [my_kset]
... ...
Because I didn't initialize my_kset.kobj.ktype.
According to the description in Documentation/core-api/kobject.rst:
- A ktype is the type of object that embeds a kobject. Every structure
that embeds a kobject needs a corresponding ktype.
So add sanity check to make sure kset->kobj.ktype is not NULL.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 5f81880d5204ee2388fd9a75bb850ccd526885b7, < 039ec9db2d30032eafa365f5f89b30eca5322b05 (git) |
| Linux | Linux | Affected: 5f81880d5204ee2388fd9a75bb850ccd526885b7, < 964e025ceefdf75da46b0133d0c2790de451aeec (git) |
| Linux | Linux | Affected: 5f81880d5204ee2388fd9a75bb850ccd526885b7, < 5df5829158513134ddcaf2184d9286eda7b0bb18 (git) |
| Linux | Linux | Affected: 5f81880d5204ee2388fd9a75bb850ccd526885b7, < f3f6bf22a4f5ba649cf26ae4670de5c7f861bdef (git) |
| Linux | Linux | Affected: 5f81880d5204ee2388fd9a75bb850ccd526885b7, < 48aebbe801e78a8932404c122ed0e880ccedc220 (git) |
| Linux | Linux | Affected: 5f81880d5204ee2388fd9a75bb850ccd526885b7, < 1a772881bc059c596d8ca587cbd2a233edce3d3b (git) |
| Linux | Linux | Affected: 5f81880d5204ee2388fd9a75bb850ccd526885b7, < 4d0fe8c52bb3029d83e323c961221156ab98680b (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"lib/kobject.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "039ec9db2d30032eafa365f5f89b30eca5322b05",
"status": "affected",
"version": "5f81880d5204ee2388fd9a75bb850ccd526885b7",
"versionType": "git"
},
{
"lessThan": "964e025ceefdf75da46b0133d0c2790de451aeec",
"status": "affected",
"version": "5f81880d5204ee2388fd9a75bb850ccd526885b7",
"versionType": "git"
},
{
"lessThan": "5df5829158513134ddcaf2184d9286eda7b0bb18",
"status": "affected",
"version": "5f81880d5204ee2388fd9a75bb850ccd526885b7",
"versionType": "git"
},
{
"lessThan": "f3f6bf22a4f5ba649cf26ae4670de5c7f861bdef",
"status": "affected",
"version": "5f81880d5204ee2388fd9a75bb850ccd526885b7",
"versionType": "git"
},
{
"lessThan": "48aebbe801e78a8932404c122ed0e880ccedc220",
"status": "affected",
"version": "5f81880d5204ee2388fd9a75bb850ccd526885b7",
"versionType": "git"
},
{
"lessThan": "1a772881bc059c596d8ca587cbd2a233edce3d3b",
"status": "affected",
"version": "5f81880d5204ee2388fd9a75bb850ccd526885b7",
"versionType": "git"
},
{
"lessThan": "4d0fe8c52bb3029d83e323c961221156ab98680b",
"status": "affected",
"version": "5f81880d5204ee2388fd9a75bb850ccd526885b7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"lib/kobject.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.19"
},
{
"lessThan": "4.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.257",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.133",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.295",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.257",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.197",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.133",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.55",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.5",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "4.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nkobject: Add sanity check for kset-\u003ekobj.ktype in kset_register()\n\nWhen I register a kset in the following way:\n\tstatic struct kset my_kset;\n\tkobject_set_name(\u0026my_kset.kobj, \"my_kset\");\n ret = kset_register(\u0026my_kset);\n\nA null pointer dereference exception is occurred:\n[ 4453.568337] Unable to handle kernel NULL pointer dereference at \\\nvirtual address 0000000000000028\n... ...\n[ 4453.810361] Call trace:\n[ 4453.813062] kobject_get_ownership+0xc/0x34\n[ 4453.817493] kobject_add_internal+0x98/0x274\n[ 4453.822005] kset_register+0x5c/0xb4\n[ 4453.825820] my_kobj_init+0x44/0x1000 [my_kset]\n... ...\n\nBecause I didn\u0027t initialize my_kset.kobj.ktype.\n\nAccording to the description in Documentation/core-api/kobject.rst:\n - A ktype is the type of object that embeds a kobject. Every structure\n that embeds a kobject needs a corresponding ktype.\n\nSo add sanity check to make sure kset-\u003ekobj.ktype is not NULL."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:20:53.251Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/039ec9db2d30032eafa365f5f89b30eca5322b05"
},
{
"url": "https://git.kernel.org/stable/c/964e025ceefdf75da46b0133d0c2790de451aeec"
},
{
"url": "https://git.kernel.org/stable/c/5df5829158513134ddcaf2184d9286eda7b0bb18"
},
{
"url": "https://git.kernel.org/stable/c/f3f6bf22a4f5ba649cf26ae4670de5c7f861bdef"
},
{
"url": "https://git.kernel.org/stable/c/48aebbe801e78a8932404c122ed0e880ccedc220"
},
{
"url": "https://git.kernel.org/stable/c/1a772881bc059c596d8ca587cbd2a233edce3d3b"
},
{
"url": "https://git.kernel.org/stable/c/4d0fe8c52bb3029d83e323c961221156ab98680b"
}
],
"title": "kobject: Add sanity check for kset-\u003ekobj.ktype in kset_register()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53480",
"datePublished": "2025-10-01T11:42:48.919Z",
"dateReserved": "2025-10-01T11:39:39.402Z",
"dateUpdated": "2026-01-05T10:20:53.251Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39782 (GCVE-0-2025-39782)
Vulnerability from cvelistv5 – Published: 2025-09-11 16:56 – Updated: 2026-01-02 15:32
Title
jbd2: prevent softlockup in jbd2_log_do_checkpoint()
Summary
In the Linux kernel, the following vulnerability has been resolved:

jbd2: prevent softlockup in jbd2_log_do_checkpoint()

Both jbd2_log_do_checkpoint() and jbd2_journal_shrink_checkpoint_list()
periodically release j_list_lock after processing a batch of buffers to
avoid long hold times on the j_list_lock. However, since both functions
contend for j_list_lock, the combined time spent waiting and processing
can be significant.

jbd2_journal_shrink_checkpoint_list() explicitly calls cond_resched() when
need_resched() is true to avoid softlockups during prolonged operations.
But jbd2_log_do_checkpoint() only exits its loop when need_resched() is
true, relying on potentially sleeping functions like __flush_batch() or
wait_on_buffer() to trigger rescheduling. If those functions do not sleep,
the kernel may hit a softlockup.

watchdog: BUG: soft lockup - CPU#3 stuck for 156s! [kworker/u129:2:373]
CPU: 3 PID: 373 Comm: kworker/u129:2 Kdump: loaded Not tainted 6.6.0+ #10
Hardware name: Huawei TaiShan 2280 /BC11SPCD, BIOS 1.27 06/13/2017
Workqueue: writeback wb_workfn (flush-7:2)
pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : native_queued_spin_lock_slowpath+0x358/0x418
lr : jbd2_log_do_checkpoint+0x31c/0x438 [jbd2]
Call trace:
 native_queued_spin_lock_slowpath+0x358/0x418
 jbd2_log_do_checkpoint+0x31c/0x438 [jbd2]
 __jbd2_log_wait_for_space+0xfc/0x2f8 [jbd2]
 add_transaction_credits+0x3bc/0x418 [jbd2]
 start_this_handle+0xf8/0x560 [jbd2]
 jbd2__journal_start+0x118/0x228 [jbd2]
 __ext4_journal_start_sb+0x110/0x188 [ext4]
 ext4_do_writepages+0x3dc/0x740 [ext4]
 ext4_writepages+0xa4/0x190 [ext4]
 do_writepages+0x94/0x228
 __writeback_single_inode+0x48/0x318
 writeback_sb_inodes+0x204/0x590
 __writeback_inodes_wb+0x54/0xf8
 wb_writeback+0x2cc/0x3d8
 wb_do_writeback+0x2e0/0x2f8
 wb_workfn+0x80/0x2a8
 process_one_work+0x178/0x3e8
 worker_thread+0x234/0x3b8
 kthread+0xf0/0x108
 ret_from_fork+0x10/0x20

So explicitly call cond_resched() in jbd2_log_do_checkpoint() to avoid
softlockup.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: f93ea411b73594f7d144855fd34278bcf34a9afc , < f683d611518d30334813eecf9a8c687453e2800e (git) |
| Linux | Linux | Affected: f93ea411b73594f7d144855fd34278bcf34a9afc , < f7ee8fd689e6d534f9fd2494b9266f7998082e65 (git) |
| Linux | Linux | Affected: f93ea411b73594f7d144855fd34278bcf34a9afc , < 84ff98c1ea19acd3f9389e4bb6061364e943f85e (git) |
| Linux | Linux | Affected: f93ea411b73594f7d144855fd34278bcf34a9afc , < 26cb9aad94cb1811d8fae115594cc71fa3d91ab0 (git) |
| Linux | Linux | Affected: f93ea411b73594f7d144855fd34278bcf34a9afc , < 41f40038de62e8306897cf6840791b268996432a (git) |
| Linux | Linux | Affected: f93ea411b73594f7d144855fd34278bcf34a9afc , < 429d50cbaff45090d52a1ea850d5de8c14881ee7 (git) |
| Linux | Linux | Affected: f93ea411b73594f7d144855fd34278bcf34a9afc , < 3faac5e1d14c63260fd1bf789d96bde3ab3d9e54 (git) |
| Linux | Linux | Affected: f93ea411b73594f7d144855fd34278bcf34a9afc , < 9d98cf4632258720f18265a058e62fde120c0151 (git) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:43:17.511Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/jbd2/checkpoint.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f683d611518d30334813eecf9a8c687453e2800e",
"status": "affected",
"version": "f93ea411b73594f7d144855fd34278bcf34a9afc",
"versionType": "git"
},
{
"lessThan": "f7ee8fd689e6d534f9fd2494b9266f7998082e65",
"status": "affected",
"version": "f93ea411b73594f7d144855fd34278bcf34a9afc",
"versionType": "git"
},
{
"lessThan": "84ff98c1ea19acd3f9389e4bb6061364e943f85e",
"status": "affected",
"version": "f93ea411b73594f7d144855fd34278bcf34a9afc",
"versionType": "git"
},
{
"lessThan": "26cb9aad94cb1811d8fae115594cc71fa3d91ab0",
"status": "affected",
"version": "f93ea411b73594f7d144855fd34278bcf34a9afc",
"versionType": "git"
},
{
"lessThan": "41f40038de62e8306897cf6840791b268996432a",
"status": "affected",
"version": "f93ea411b73594f7d144855fd34278bcf34a9afc",
"versionType": "git"
},
{
"lessThan": "429d50cbaff45090d52a1ea850d5de8c14881ee7",
"status": "affected",
"version": "f93ea411b73594f7d144855fd34278bcf34a9afc",
"versionType": "git"
},
{
"lessThan": "3faac5e1d14c63260fd1bf789d96bde3ab3d9e54",
"status": "affected",
"version": "f93ea411b73594f7d144855fd34278bcf34a9afc",
"versionType": "git"
},
{
"lessThan": "9d98cf4632258720f18265a058e62fde120c0151",
"status": "affected",
"version": "f93ea411b73594f7d144855fd34278bcf34a9afc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/jbd2/checkpoint.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.16"
},
{
"lessThan": "2.6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.44",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.44",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.4",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "2.6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\njbd2: prevent softlockup in jbd2_log_do_checkpoint()\n\nBoth jbd2_log_do_checkpoint() and jbd2_journal_shrink_checkpoint_list()\nperiodically release j_list_lock after processing a batch of buffers to\navoid long hold times on the j_list_lock. However, since both functions\ncontend for j_list_lock, the combined time spent waiting and processing\ncan be significant.\n\njbd2_journal_shrink_checkpoint_list() explicitly calls cond_resched() when\nneed_resched() is true to avoid softlockups during prolonged operations.\nBut jbd2_log_do_checkpoint() only exits its loop when need_resched() is\ntrue, relying on potentially sleeping functions like __flush_batch() or\nwait_on_buffer() to trigger rescheduling. If those functions do not sleep,\nthe kernel may hit a softlockup.\n\nwatchdog: BUG: soft lockup - CPU#3 stuck for 156s! [kworker/u129:2:373]\nCPU: 3 PID: 373 Comm: kworker/u129:2 Kdump: loaded Not tainted 6.6.0+ #10\nHardware name: Huawei TaiShan 2280 /BC11SPCD, BIOS 1.27 06/13/2017\nWorkqueue: writeback wb_workfn (flush-7:2)\npstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : native_queued_spin_lock_slowpath+0x358/0x418\nlr : jbd2_log_do_checkpoint+0x31c/0x438 [jbd2]\nCall trace:\n native_queued_spin_lock_slowpath+0x358/0x418\n jbd2_log_do_checkpoint+0x31c/0x438 [jbd2]\n __jbd2_log_wait_for_space+0xfc/0x2f8 [jbd2]\n add_transaction_credits+0x3bc/0x418 [jbd2]\n start_this_handle+0xf8/0x560 [jbd2]\n jbd2__journal_start+0x118/0x228 [jbd2]\n __ext4_journal_start_sb+0x110/0x188 [ext4]\n ext4_do_writepages+0x3dc/0x740 [ext4]\n ext4_writepages+0xa4/0x190 [ext4]\n do_writepages+0x94/0x228\n __writeback_single_inode+0x48/0x318\n writeback_sb_inodes+0x204/0x590\n __writeback_inodes_wb+0x54/0xf8\n wb_writeback+0x2cc/0x3d8\n wb_do_writeback+0x2e0/0x2f8\n wb_workfn+0x80/0x2a8\n process_one_work+0x178/0x3e8\n worker_thread+0x234/0x3b8\n kthread+0xf0/0x108\n ret_from_fork+0x10/0x20\n\nSo explicitly call cond_resched() in jbd2_log_do_checkpoint() to avoid\nsoftlockup."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:32:20.233Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f683d611518d30334813eecf9a8c687453e2800e"
},
{
"url": "https://git.kernel.org/stable/c/f7ee8fd689e6d534f9fd2494b9266f7998082e65"
},
{
"url": "https://git.kernel.org/stable/c/84ff98c1ea19acd3f9389e4bb6061364e943f85e"
},
{
"url": "https://git.kernel.org/stable/c/26cb9aad94cb1811d8fae115594cc71fa3d91ab0"
},
{
"url": "https://git.kernel.org/stable/c/41f40038de62e8306897cf6840791b268996432a"
},
{
"url": "https://git.kernel.org/stable/c/429d50cbaff45090d52a1ea850d5de8c14881ee7"
},
{
"url": "https://git.kernel.org/stable/c/3faac5e1d14c63260fd1bf789d96bde3ab3d9e54"
},
{
"url": "https://git.kernel.org/stable/c/9d98cf4632258720f18265a058e62fde120c0151"
}
],
"title": "jbd2: prevent softlockup in jbd2_log_do_checkpoint()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39782",
"datePublished": "2025-09-11T16:56:32.616Z",
"dateReserved": "2025-04-16T07:20:57.130Z",
"dateUpdated": "2026-01-02T15:32:20.233Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}